Ubuntu has issued an advisory on January 9:
https://usn.ubuntu.com/3850-1/

The issue was fixed upstream in 3.38, but the fix was not included in 3.36.6.

Patched package uploaded for Mageia 6.

Advisory:
========================

Updated nss packages fix security vulnerability:

Keegan Ryan discovered that NSS incorrectly handled ECDSA key generation. A local attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys (CVE-2018-0495).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495
https://usn.ubuntu.com/3850-1/
========================

Updated packages in core/updates_testing:
========================
nss-3.36.6-1.1.mga6
nss-doc-3.36.6-1.1.mga6
libnss3-3.36.6-1.1.mga6
libnss-devel-3.36.6-1.1.mga6
libnss-static-devel-3.36.6-1.1.mga6

from nss-3.36.6-1.1.mga6.src.rpm
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues

At CLI:
$ strace -o nss.txt firefox
I find "open("/lib/libnss3.so", O_RDONLY|O_CLOEXEC) = 4" in the trace, and Firefox works OK.

Tried also two commands from the nss package:
from bltest help: " bltest -F Run the FIPS self-test"
So
$ bltest -F
CK_RV: 48.

and
$ certdb_gtest
[==========] Running 18 tests from 3 test cases.
[----------] Global test environment set-up.
[----------] 2 tests from Alg1485Test
[ RUN ] Alg1485Test.ShortOIDTest
[ OK ] Alg1485Test.ShortOIDTest (0 ms)
[ RUN ] Alg1485Test.BrokenOIDTest
[ OK ] Alg1485Test.BrokenOIDTest (0 ms)
[----------] 2 tests from Alg1485Test (0 ms total)
[----------] 11 tests from ParseAVAStrings/Alg1485ParseTest
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/0
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/0 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/1
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/1 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/2
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/2 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/3
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/3 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/4
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/4 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/5
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/5 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/6
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/6 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/7
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/7 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/8
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/8 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/9
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/9 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/10
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/10 (0 ms)
[----------] 11 tests from ParseAVAStrings/Alg1485ParseTest (0 ms total)
[----------] 5 tests from CompareAVAStrings/Alg1485CompareTest
[ RUN ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/0
[ OK ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/0 (0 ms)
[ RUN ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/1
[ OK ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/1 (0 ms)
[ RUN ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/2
[ OK ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/2 (0 ms)
[ RUN ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/3
[ OK ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/3 (0 ms)
[ RUN ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/4
[ OK ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/4 (0 ms)
[----------] 5 tests from CompareAVAStrings/Alg1485CompareTest (1 ms total)
[----------] Global test environment tear-down
[==========] 18 tests from 3 test cases ran. (3 ms total)
[ PASSED ] 18 tests.

Looks OK for me, taking into account I'm not familiar with this stuff.
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene
Installed and tested without issues. Did the same tests as Herman Viaene. All tests OK.

System: Mageia 6, x86_64, Firefox 60.4.0, Intel CPU.

$ /usr/bin/firefox --version
Mozilla Firefox 60.4.0

$ strace -o /tmp/firefox_strace.log /usr/bin/firefox
<SNIP - ALL OK>

$ grep -o 'open[(].*lib.*nss.*[)]' /tmp/firefox_strace.log | sort -u
open("/lib64/libnss3.so", O_RDONLY|O_CLOEXEC)
open("/lib64/libnss_compat.so.2", O_RDONLY|O_CLOEXEC)
open("/lib64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC)
open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC)
open("/lib64/libnss_nis.so.2", O_RDONLY|O_CLOEXEC)
open("/lib64/libnssutil3.so", O_RDONLY|O_CLOEXEC)

$ bltest -F
CK_RV: 48.

$ certdb_gtest
[==========] Running 18 tests from 3 test cases.
[----------] Global test environment set-up.
[----------] 2 tests from Alg1485Test
[ RUN ] Alg1485Test.ShortOIDTest
[ OK ] Alg1485Test.ShortOIDTest (0 ms)
[ RUN ] Alg1485Test.BrokenOIDTest
[ OK ] Alg1485Test.BrokenOIDTest (0 ms)
[----------] 2 tests from Alg1485Test (0 ms total)
[----------] 11 tests from ParseAVAStrings/Alg1485ParseTest
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/0
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/0 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/1
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/1 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/2
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/2 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/3
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/3 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/4
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/4 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/5
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/5 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/6
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/6 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/7
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/7 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/8
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/8 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/9
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/9 (0 ms)
[ RUN ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/10
[ OK ] ParseAVAStrings/Alg1485ParseTest.TryParsingAVAStrings/10 (0 ms)
[----------] 11 tests from ParseAVAStrings/Alg1485ParseTest (0 ms total)
[----------] 5 tests from CompareAVAStrings/Alg1485CompareTest
[ RUN ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/0
[ OK ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/0 (1 ms)
[ RUN ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/1
[ OK ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/1 (0 ms)
[ RUN ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/2
[ OK ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/2 (0 ms)
[ RUN ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/3
[ OK ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/3 (0 ms)
[ RUN ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/4
[ OK ] CompareAVAStrings/Alg1485CompareTest.CompareAVAStrings/4 (0 ms)
[----------] 5 tests from CompareAVAStrings/Alg1485CompareTest (1 ms total)
[----------] Global test environment tear-down
[==========] 18 tests from 3 test cases ran. (1 ms total)
[ PASSED ] 18 tests.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => mageia
Forgot the packages info:

$ rpm -qa | grep nss.*3.36 | sort
lib64nss3-3.36.6-1.1.mga6
nss-3.36.6-1.1.mga6
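
The strace check used in the comments above matches any path containing "nss", which also picks up glibc's Name Service Switch modules (libnss_files.so.2 and similar) that are not part of the nss package under test. The following is an added example, not part of the original thread: it reports only successful opens and separates the two families. The sample log lines are constructed, and the library names beyond libnss3 and libnssutil3 are assumed from the usual NSS layout.

```shell
#!/bin/sh
# Added example: split strace open()/openat() hits into Mozilla NSS
# libraries and glibc name-service modules, keeping successful opens only.

# $1 = ERE for the part of the basename after "lib", $2 = strace log file.
# Accepts an optional leading PID column (strace -f) and openat(AT_FDCWD, ...).
opened_ok() {
    sed -n -E 's#^([0-9]+ +)?open(at)?\((AT_FDCWD, )?"([^"]*/lib('"$1"')\.so[^"]*)".*\) = [0-9]+$#\4#p' "$2" |
        LC_ALL=C sort -u
}

# Mozilla NSS shared libraries (list is an assumption beyond the two on the page).
mozilla_nss_opened() {
    opened_ok 'nss3|nssutil3|smime3|ssl3|softokn3|freebl3' "$1"
}

# glibc Name Service Switch modules: libnss_<service>.so.N
glibc_nss_opened() {
    opened_ok 'nss_[a-z0-9]+' "$1"
}

# Constructed sample log; the first line is a failed lookup that must be ignored.
write_sample_log() {
    cat > "$1" <<'EOF'
open("/usr/lib64/firefox/libnss3.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib64/libnss3.so", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libnssutil3.so", O_RDONLY|O_CLOEXEC) = 4
open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 27
openat(AT_FDCWD, "/lib64/libnss_dns.so.2", O_RDONLY|O_CLOEXEC) = 31
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "Mozilla NSS libraries loaded:"
mozilla_nss_opened "$log"
echo "glibc name-service modules loaded:"
glibc_nss_opened "$log"
rm -f "$log"
```

On an RPM-based system, each path from mozilla_nss_opened can be passed to rpm -qf to confirm that the loaded file belongs to the updated package.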
Thanks both testers for rapid work. *Security* advisory done from c0, BUT this update is classified 'bugfix', and cannot see how to correct that.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
QA Contact: (none) => security
Component: RPM Packages => Security
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0038.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED