Bug 23972 - nss new security issue CVE-2018-12404
Summary: nss new security issue CVE-2018-12404
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Blocks: 23706 23991
Reported: 2018-12-08 18:36 CET by David Walser
Modified: 2018-12-15 22:30 CET
Source RPM: nss-3.36.5-1.2.mga6.src.rpm

Description David Walser 2018-12-08 18:36:03 CET
NSS 3.36.6 was released on November 30, fixing a security issue:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.6_release_notes

Updated package uploaded for Mageia 6.

Advisory:
========================

Updated nss packages fix security vulnerability:

Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.6_release_notes
========================

Updated packages in core/updates_testing:
========================
rootcerts-20181108.00-1.mga6
rootcerts-java-20181108.00-1.mga6
nss-3.36.6-1.mga6
nss-doc-3.36.6-1.mga6
libnss3-3.36.6-1.mga6
libnss-devel-3.36.6-1.mga6
libnss-static-devel-3.36.6-1.mga6

from SRPMS:
rootcerts-20181108.00-1.mga6.src.rpm
nss-3.36.6-1.mga6.src.rpm
Comment 1 PC LX 2018-12-09 19:47:46 CET
Installed and tested without issues.

Tested with firefox. Checked with strace to confirm libs were used.

System: Mageia 6, x86_64, Firefox, Plasma, LXQt, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 4.14.78-desktop-1.mga6 #1 SMP Sun Oct 21 20:31:12 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q firefox
firefox-60.3.0-1.mga6
$ strace -o tmp/strace.log /usr/bin/firefox
<SNIP>
$ egrep -o 'open\("[^"]*"' tmp/strace.log | egrep -o '".*"' | egrep -o '[^"]*' | sort -u > tmp/strace_files.log
$ rpm -ql $(rpm -qa | egrep 'nss.*3.36|rootcert' | sort) > tmp/rpm_files.log
$ for U in $(cat tmp/strace_files.log) ; do grep "$U" tmp/rpm_files.log ; done
/usr/lib64/libfreeblpriv3.so
/usr/lib64/libnss3.so
/usr/lib64/libnssutil3.so
/usr/lib64/libsmime3.so
/usr/lib64/libsoftokn3.so
/usr/lib64/libssl3.so

CC: (none) => mageia
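
The strace check from comment 1, as an added example that is not part of the original comment or of Mageia's QA tooling. It goes beyond the session above by also recognising openat(), skipping opens that failed, and comparing paths as whole fixed strings; the helper name opened_from_manifest and the sample log and manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): which files of a package manifest
# did a traced process actually open?

# opened_from_manifest STRACE_LOG MANIFEST   (hypothetical helper name)
#   STRACE_LOG: file written by `strace -o FILE <program>`
#   MANIFEST:   one absolute path per line, e.g. the output of `rpm -ql <packages>`
opened_from_manifest() {
    # Keep only open()/openat() calls that returned a descriptor (") = <digits>"),
    # so paths that were probed and failed with ENOENT are not counted as used.
    sed -n -E 's/^.*open(at)?\((AT_FDCWD, )?"([^"]*)".*\) = [0-9]+.*$/\3/p' "$1" |
        sort -u |
        # -F: paths are literal strings, not regexes; -x: whole-line match, so an
        # opened directory such as /usr/lib64 does not match every file below it.
        grep -F -x -f - "$2" |
        sort -u
}

# Constructed sample data so the example runs without strace or rpm installed.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/strace.log" <<'EOF'
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libnss3.so", O_RDONLY|O_CLOEXEC) = 3
4321 openat(AT_FDCWD, "/usr/lib64/libssl3.so", O_RDONLY|O_CLOEXEC) = 4
open("/usr/lib64/libsmime3.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64", O_RDONLY|O_DIRECTORY) = 6
open("/usr/lib64/libnss3.so", O_RDONLY|O_CLOEXEC) = 5
EOF
    cat > "$tmp/manifest.txt" <<'EOF'
/usr/lib64/libnss3.so
/usr/lib64/libnssutil3.so
/usr/lib64/libsmime3.so
/usr/lib64/libssl3.so
EOF
    opened_from_manifest "$tmp/strace.log" "$tmp/manifest.txt"
    rm -rf "$tmp"
}

demo
```

A library that is in the manifest but absent from the output was not opened successfully during the trace, which is worth knowing before recording that the updated package was exercised.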

David Walser 2018-12-11 04:12:22 CET

Blocks: (none) => 23991

Nicolas Salguero 2018-12-11 09:47:50 CET

Blocks: (none) => 23706

Comment 2 James Kerr 2018-12-11 11:07:28 CET
on mga6-64 plasma

packages installed cleanly:
rootcerts-20181108.00-1.mga6.noarch
rootcerts-java-20181108.00-1.mga6.noarch
lib64nss3-3.36.6-1.mga6.x86_64
nss-3.36.6-1.mga6.x86_64

no regressions observed

looks OK for mga6-64
Comment 3 Herman Viaene 2018-12-11 14:39:04 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Installed cleanly, further tested by installation of Firefox update bug 23991 (which is dependent on this version of nss).

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2018-12-11 17:12:40 CET
(In reply to Herman Viaene from comment #3)
> MGA6-32 MATE on IBM Thinkpad R50e
> No installation issues.
> Installed cleanly, further tested by installation of Firefox update bug
> 23991 (which is dependent on this version of nss).

Did the same on a 64-bit Plasma install on a Probook 6550b, updating Firefox and Thunderbird at the same time. Used QA Repo for the task, being careful to add "64" to library names where appropriate when entering the package list. All packages installed cleanly.

Looks good here on 64-bit.

Validating. Advisory in Description.

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Lewis Smith 2018-12-15 21:36:46 CET
Advisoried from comment 0.

Keywords: (none) => advisory
CC: (none) => lewyssmith

Comment 6 Mageia Robot 2018-12-15 22:30:51 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0482.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

