Sun Patch: NSS_NSPR_JSS 3.13.1_x86: NSPR 4.8.9 / NSS 3.13.1 / JSS 4.3.2

Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: August 02, 2009
Added: August 02, 2009
Modified: June 23, 2014

Description

From Sun Patch 119212-27

Sun has released a security patch addressing the following issues:

13341290 DIS-TRUST DIGINOTAR ROOT CERTIFICATE
13341314 (CVE-2011-3389) RIZZO/DUONG CHOSEN PLAINTEXT ATTACK (BEAST) ON SSL/TLS 1.0

(from 119212-26)
12301816 SUNBT6989121 ENABLE AES CRYPTO INSTRUCTIONS (AVAILABLE IN WESTMERE SYSTEMS) IN NS
12305711 SUNBT7008530 CERTUTIL -T -D "SQL:." DUMPS CORE
12307252 SUNBT7015161 CORE DUMP WHEN TLS SESSION TICKETS ARE ENABLED AND SESSION CACHE IS
12306440 SUNBT7011578 ENHANCEMENT TO MAKE NSS SEARCH FOR A COMPLETE CHAIN THAT WOULD END
12306340 SUNBT7011215 PROBLEM WITH CERTIFICATE IMPORT INTO CERT9.DB AND TRUST FLAGS USING
12307757 SUNBT7017553 SSL_RECONFIGFD TRIES TO ACCESS ELEMENTS OF A NULL POINTER.
12309095 SUNBT7025511 POSSIBLE MINOR MEMORY LEAK IN SNI CODE
12309169 SUNBT7025937 MEMORY LEAK IN SSL_CANBYPASS
12304214 SUNBT7001826 NSS SUPPORT REQUIRED FOR SOCKET DIRECT PROTOCOL OVER INFINIBAND

(from 119212-25)
6938843 NSS having CKM_TLS_MASTER_KEY_DERIVE_DH enabled causes SSL/ECDHE to fail
6985467 Certutil is able to read and display a der cert from a file
6985501 (CVE-2010-3170) Browser wildcard certificate validation issue

(from 119212-24)
6963575 NSS does not support CKR_PIN_LOCKED from C_Login
6938650 libnssckbi: invalid length for nicknames containing multi-byte characters
6963577 Remove support for Netscape SSL server names (SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME)
6963579 An invalid CRL should not cause all certificates issued by that CA to be considered revoked.
6963580 Unable to build pk11util on OpenSolaris (SunOS 5.11)
6965841 Crash in ServerSessionIDLookup or SSL handshake in client hello

(from 119212-23)
6879749 Re-initialization of NSS 3.12.3 dumps core.
6926538 Linux installpatch does not handle 64 bit systems
6929079 Add multiple roots to NSS 3.12.6
6929081 CERT_PKIXVerifyCert considers a certificate revoked if cert_ProcessOCSPResponse fails for any reason
6929082 Support for TLS compression RFC 3749
6929093 Implement new safe SSL3 & TLS renegotiation (RFC 5746)
6929103 NSPR logging timestamp month number is off by one
6919819 Remove unused header file plresolv.h
6929098 PR_StringToNetAddr("255.255.255.255",ptr) fails on platforms that use inet_addr
6929099 PR_StringToNetAddr("", *ptr) behaviour is inconsistent on windows & solaris
6930970 Expose TLS enableRequireSafeNegotiation in JSS (RFC 5746)

(from 119212-22)
6899482 NSS fails to load softoken looking for sqlite3.dll
6899486 (CVE-2009-3555) SSL3 & TLS Renegotiation Vulnerability
6899542 NSS uses PORT_Memcmp for comparing secret data.
6899543 Timing attack against ssl3ext.c:ssl3_ServerHandleSessionTicketXtn()
6899544 If PK11_ImportCert fails it leaves the certificate undiscoverable by CERT_PKIXVerifyCert
6899546 PK11_ImportAndReturnPrivateKey leaks an arena
6899547 PK11_DEREncodePublicKey leaks a CERTSubjectPublicKeyInfo
6899549 NSS include files key.h and pk11func.h are deprecated
6899561 PR_LoadLibraryWithFlags should have a way to set LOAD_WITH_ALTERED_SEARCH_PATH flag with LoadLibrary
6899565 (CVE-2009-1563) Array indexing error in NSPR's Balloc() leads to floating point memory vulnerability
6899487 Expose Support for SSL & TLS Renegotiation settings in JSS
6899568 Fix leaks in PK11Token.c function make_cert_request()

(from 119212-21)
6874694 pkix_HttpCertStore_FindSocketConnection reuses closed socket OCSP fails
6874700 Multiple object leaks reported by tinderbox
6874701 object leak in libpkix library upon error
6874702 Cryptokey framework requires module to implement GenerateKey when they support KeyPairGeneration
6874707 update RSA/DSA powerupself tests to be compliant for 2011
6874708 CERT_PKIXVerifyCert reports wrong error code when EE cert is expired
6874709 Passing NULL as the value of cert_pi_trustAnchors causes a crash in cert_pkixSetParam
6874710 NSS 3.12.3 (and later) doesn't build on AIX 5.1
6874712 crash freeing named CRL entry on shutdown
6874714 Improve DES and SHA512 for x86_64 platform
6874715 During NSS_NoDB_Init(), softoken tries but fails to load libsqlite3.so crash
6874716 cert7.db/cert8.db "corruption" when importing a large certificate (>64K)
6874717 assert if profile path contains cyrillic chars.
6874719 (CVE-2009-2404) Exploitable heap overflow in NSS shell expression (filename globbing) parsing
6874721 When using cert9 (SQLite3) DB, set or change master password fails
6874722 DBM needs to be FIPS certifiable.
6874723 NSS_InitReadWrite("sql:configdir") leaves behind a pkcs11.txu file if libnssckbi.so is in configdir
6874725 Need function to identify the one and only default internal private key slot.
6874726 Need a generic function a la SECMOD_OpenUserDB() that can be used on non-softoken modules.
6874728 NSS_InitReadWrite("sql:dbdir") causes NSS to look for "sql:dbdir/libnssckbi.so"
6874732 (CRLDP) implement crlDistributionPoint extension in libPKIX
6874734 libPKIX returns wrong NSS error code
6874736 NSS_ENABLE_PKIX_VERIFY=1 causes sec_error_unknown_issuer errors
6874737 libpkix ocsp checker should use "date" argument to obtain the time for cert validity verification
6874738 Miscellaneous crashes in signtool on Windows
6874740 PK11_ImportCRL reports SEC_ERROR_CRL_NOT_FOUND when it fails to import a CRL
6853831 utilrename.h referenced in multiple header files in /usr/include/mps missing in Solaris 10
6874742 Calling SSL_SetSockPeerID a second time leaks the previous value
6874745 CERT_NameToAscii reports "Invalid AVA" whenever value exceeds 384 bytes
6874746 crash in certutil or pp when printing cert with empty subject name
6874747 A failure to import a cert from a P12 file leaves error code set to zero
6874748 NSS_RegisterShutdown can return without unlocking nssShutdownList.lock
6874750 crash when PORT_NewArena fails
6874752 IO timeout during cert fetching makes libpkix abort validation
6870083 RH4:NSS3.12.3xDS5.2:error while loading shared libraries: libnssutil3.so: cannot open shared object
6846470 Messaging Server pipe_master program fails after installing NSS patch 119211-20
6874819 Crash or data corruption in NSPR's TransmitFile and SendFile on HPUX
6874820 PR_ExplodeTime() works only if given a PRTime argument between year 1901-2099

(from 119212-20)
6821612 NSS 3.12.x series
6821617 cert name matching: RFC 2818 vs. backwards compatibility (wildcards)
6782276 Error override "trust flags" don't override invalid CA certs in NSS 3.12
6821618 Stop honoring digital signatures in certificates and CRLs based on weak hashes
6799382 CERT_AsciiToName incorrectly parses a name in which an RDN has two or more AVAs separated by '+'
6821620 add environment variable to disable/enable hash algorithms in cert/CRL signatures
6767341 Need to add RPATH to 64-bit libraries on HP-UX
6764022 Using NSS 3.12 makes Directory Server daemon ns-slapd dump core on some Unix platforms
6821630 In prlink.c errStrBuf is not thread-safe.
6821631 ForkAndExec is crashing on Solaris 8/9 due to environ being NULL
6821633 support HmacSHA256, HmacSHA384, and HmacSHA512
6821634 add support to JSS to initialize NSS with more options
6821638 Wrong OIDs for SHA-256, SHA-384, and SHA-512.
6821640 Add SEED support to JSS.
6821643 Expose the TLS session ticket extension (STE)
6821645 JSS doesn't support AES Key unwrapping

(from 119212-19)
6737818 Add Entrust root CA certificate(s) to NSS
6737820 Add VeriSign Class 3 Public Primary CA - G5 to NSS
6737821 Add thawte Primary Root CA to NSS
6737822 Add GeoTrust Primary Certification Authority root to NSS
6737826 Add Trustwave Certification Authority certificate to NSS
6737827 Add COMODO Certification Authority certificate to NSS
6737828 Add Network Solutions Certificate Authority root to NSS
6737829 Add DigiNotar Root CA root to NSS
6763177 add network solutions and diginotar root certs to NSS
6763626 Don't send an SNI Client Hello extension bearing an IPv6 address
6737832 Fix PK11_GenerateKeyPair for ECC keys on the 3.11 branch
6737834 Can't import certificate into cert database in FIPS mode (certutil).
6737837 PK11_Authenticate, PK11_DoPassword fail on 3rd party slots if NSS softoken is in FIPS140-2 mode
6737838 Session cache locks not freed at shutdown.
6612960 Assertion failures if SSL_ForceHandshake is called
6737841 threads hanging in nss_InitLock
6737843 memory leak in trustdomain.c
6737846 certutil -L -h token doesn't report token authentication failure
6737848 certutil -K behavior doesn't match usage
6737850 modutil -disable command not disabling modules' slots
6737852 Lock from ssl_InitSymWrapKeysLock not freed at shutdown.
6737854 Certification path validation fails when "Authority Key Identifier" extension contains key identifie
6763630 NSS misbehaves badly in the presence of a disabled PKCS#11 slot
6737862 The primordial thread is attached again in _PR_CleanupIO in PR_Cleanup.
6763248 "RC2/CBC/NoPadding cannot use a null parameter" error message pops up when trying to import a PKCS12
6752510 NSS.pc requires NSPR >= 4.6, but NSPR.pc doesn't exist
6725359 private directory is missing in SUNWprd package for OpenSolaris
6492310 lint warnings in keythi.h

(from 119212-18)
Revision -19 created to correct metadata.

(from 119212-17)
6643071 Installpatch of T121656-16 on linux is failed by dependency error.
6657288 Add Identrust, Truktrust, SwissSign Roots
6657292 key search functions ignore the nickname argument
6657317 Correct NSS error string for SEC_ERROR_OCSP_RESPONDER_CERT_INVALID
6657320 built-in root certs module shows no slot name
6657322 Optstate not freed in ocspclnt.
6657815 get offset from UTC out of NSPR
6657816 PR_ImplodeTime only works with years 1901-2099
6657818 A process created by PR_CreateProcess with an inherited fd can't pass any inheritable fd to a child
6657820 PR_CreateProcess() function drops empty string parameters
6657822 port NSPR to Windows XP / Server 2003 64bit for AMD64
6657823 Unix: clean up NSPR when the NSPR library is unloaded
6657826 PR_GetFileInfo much slower on Windows than native system call
6657829 PR_CallOnce/PR_CallOnceWithArg do not set NSPR error code if once->initialized is TRUE and once->sta
6657830 add capability to parse long command line option names
6657834 memory leak in prcmon.c
6657837 Use getaddrinfo/getnameinfo
6626993 JSS should have a method that states true/false if a token needs login
6630163 spurious javax.crypto.ShortBufferException with SUNWjss (4.0,REV=2004.11.05.02.31)

(from 119212-16)
6624319 Add multiple new roots to NSS
6549319 NSS needs a function to indicate bypassability of a private key
6624326 certutil -T crashes if -h <token> specifies a nonexistent token
6624328 NSS allocation functions don't always set SEC_ERROR_NO_MEMORY
6624329 SSL_CanBypass leaks memory
6624331 Bug in PK11_ListPrivKeysInSlot
6624334 OOM crash in softoken
6624335 unexported api calls in p12plcy.h
6624337 unexported api calls in pkcs12.h
6624338 pk12util leaks password strings
6624342 libSSL leaks global array of trusted client auth CA names
6624343 Infinite loop in CERT_CertChainFromCert
6624344 PK11_FindCertFromNickname sets no error code when token not found
6624346 PK11_FindCertByIssuerAndSN must validate input arguments
6624348 Do not send hello extensions when using SSL v3.0
6624350 ssl_GetPrivate can corrupt non-SSL private structures
6624351 two public SSL functions require PRFD* to point to SSL layer
6624352 RSA certificate request succeeds even when underlying pkcs11 module returns error
6624354 Make DEBUG_PKCS11 work for optimized builds, too
6624356 Three root CA certs don't have explicit CKA_TRUST_STEP_UP_APPROVED flags
6580347 PR_Accept() on IPv6 socket returns invalid argument on Windows
6596161 PR_SendFile spins on Solaris due to Solaris sendfile return 0 (to mean sendfile failure)

(from 119212-15)
6605712 Revert JSS build to support Java 1.4 again
6526738 Add nspr.pc to SUNWprd and nss.pc to SUNWtlsd

(from 119212-14)
6560823 Unauthorized OCSP response error

(from 119212-13)
6555587 memory leak in mp_bdivmod
6555589 Export DER_Generalized* and DER_TimeChoice* functions
6547236 crash in certutil when high validity value is specified
6555590 DER_TimeToGeneralizedTimeArena and DER_TimeToUTCTime don't check for valid range and may leak
6555588 bogus PKCS12_KEY_USAGE in secoid table
4926429 PR_vsnprintf can crash with finite precision string specifiers and non-NULL terminated strings
6524809 JSS SSLSocket.close() may be blocked and not interrupting the SSLSocket.read() thread

(from 119212-12)
6507762 Two SSL2 security vulnerabilities found in NSS
6507627 overflow in session counter leads to crash
6423970 certutil does not detect and report error when unsupported ONB curve is specified on command line
6524565 Changes in Daylight Savings Time computations
6524651 Update HP-UX IPv6 code

(from 119212-11)
6491238 ns-slapd failed to start during upgrade of WS from Jes4 to Jes5 with backend data base errors
6488060 signver and signtool in solaris cannot find libnspr4 libplds4 and libplc4
6493492 64 bit ldap operations fails in HPUX on Build12A

(from 119212-10)
6464665 C_VerifyUpdate fails for hmac
6464668 race assigning NSSCertificate fields leaks memory and slot reference
6464671 Race condition in Stan import cert code called from CERT_NewTempCertificate
6464756 curve-limited clients must not negotiate ECC ciphersuites unless they send the supported curve ext
6464673 Continuous RNG test failure does not immediately put the FIPS module in the error state
6464677 PORT_FreeArena NEVER zeros memory before freeing it
6464680 Move the software integrity test into sftk_fipsPowerUpSelfTest
6464767 smime: possible memory corruption when encoding/decoding smime_encryptionkeypref_template
6465317 seckey_put_private_key leaks memory
6464683 Variable "(cache)->sharedCache" tracked as NULL was passed to a function that dereferences it.
6468441 OOM crash @ nssArena_Destroy - nssTrustDomain_TraverseCertificatesBySubject/ByNickname(info)
6464752 Multiple NULL ptr dereferences in nss/lib/base/arena.c
6228370 NSS code should not fork netstat
6464757 freebl libraries are always optimized on Sparc
6468410 Regression Assertion failure: 0, at unix_rand.c:149
6464759 mismatch between PK11_FindCertFromNickname and FindCerts
6464762 chain validation returns ambiguous error codes when OCSP enabled
6464764 Coverity 874, NULL cert ptr crash in NSS_CMSRecipientInfo_WrapBulkKey
6464766 Coverity 543, leak after OOM in CMMF_POPODecKeyChallContDecryptChallenge
6467643 HP-UX : protypes.h is not available as part of sun-nspr-devel depot
6468495 PKCS#1 signature DigestInfo parsing problems in NSS
6467033 Security vulnerability in the way NSPR library creates log files

(from 119212-09)
6442985 selfserv reports error -12272 SSL_ERROR_BAD_MAC_ALERT in QA stress tests
6442986 PK11_ functions that find objects fail when user not logged in and softoken is in FIPS140 mode
6442988 Reference leak in selfserv in FIPS140-2 mode
6442990 Crash in pk12util on Windows; pk12util and certutil test failures on other platforms
6442993 NSS ECDSA signature length incompatible with other implementations for some curves
6427037 Fix for 4689266 uncovered bug in SSL writev on async socket
6442994 incorrect smime_encryptionkeypref_template leads to QuickDER decoding failure
6442995 Assertion failure in FIPS test

(from 119212-08)
4689266 SSL write indicates all data sent when some is buffered
6377957 softoken leaks in nsc_pbe_key_gen
6407468 certutil cannot generate RSA keys larger than 2048 bits
6406845 certutil adds 3 months to user-specified validity period
6374429 patches 119213 and 119214 do not apply via patch automation. These are all released to MOS
6416004 Add rpath for HP-UX on pa-risc
6419586 The SSL session timeout arguments to SSL_ConfigServerSessionIDCache and SSL_ConfigMPServerSIDCache
6419590 Allow NSS to decode certs with unsupported critical extensions
6421471 memory leaks in selfserv with ECC cipher suites

(from 119212-07)
6326988 MSVC debug runtime library assertion failures in crlutil
6326994 PK11_ListCertsInSlot crashes in subject_list_sort on a cert with unsupported critical extension
6326998 softoken PKCS#11 version is incorrect
6327000 RSA key size limits are not applied to key pair generation in freebl
6327002 Multipart CKM_DSA_SHA1 signing broken if given large buffer
6242112 certutil crashes when -P is empty
6327004 Some NSS mechanism numbers don't match the PKCS11
6327009 S/MIME message verification fails if cert is signing-only
6327013 PK11_TokenKeyGen should add CKA_UNWRAP and CKA_WRAP attributes to object template3
6253118 Installing a CRL on WS 6.1SP4 (Windows) adds it to the CKLs section in the GUI
6327014 Need CKA_EXTRACTABLE for PK11_GenerateKeyPair
6327018 NSS 3.9.3 not support SHA-512
6210080 libsoftokn3 fails to load libfreebl in setuid programs
6327020 SSL/TLS Client Authentication with 3rd party PKCS#11 module fails with unrecognized token
6327021 NSS tries to call C_WaitForSlotEvent on PKCS#11 2.0 modules
6315463 toString() call in SSLSocket.java does not check for exceptions
6341685 PKCS#11 CKF_PROTECTED_AUTHENTICATION_PATH token flag not supported
6341687 ASN.1 encoder outputs trash for optional may-stream subtemplate
6264996 SSLSocket.GetIPAddress needs to return null, if socket is not connected
6330310 JSS accumulates CLOSE_WAIT sockets due to not closing the SSLSocket when SSLInputStream is closed
6350173 Expose new key generation functions in JSS for key export
6359866 Thread protection needed for getPeerAddress
6362932 JSS 4.1.2 needs to work with NSS 3.9.x

(from 119212-05)
6302177 Zlib vulnerability in NSS tools

(from 119212-04)
6258052 NSS doesn't fetch CRLs during the first minute of program execution on AIX
6258053 Compile source files with absolute pathnames on AIX
6258055 Add Sonera CA certs (2) to builtin trusted CA list
6258056 Add Go Daddy root certs to NSS
6258057 Add CRL generation to crlutil
6258061 certutil -A reports extension not found if file has extra data
6258062 ssltap creates cert files containing garbage
6258064 Can not encode CRL using classic ASN.1 encoder
6258066 NSC_CopyObject crashes when trying to copy token object
6260111 certutil core dump during installation of Sun Cluster
6260658 certutil crash reading key data base.

(from 119212-03)
6250799 SSL_ConfigSecureServer always generates a step-down key for RSA
6250801 NSC_Encrypt with RSA mechanism crashes if len is greater than modulus len
6250802 nss3.10 certutil sees 3.9.x root certs as government issued
6250803 C_Finalize status not checked in SECMOD_CancelWait
6250807 pk11_AnyUnwrapKey does not process error condition correctly
6250808 Make rsaperf use PKCS#11
6250812 Remove PKCS11_USE_THREADS and PK11_USE_THREADS
6250814 Add option for rsaperf to run for a fixed duration, and display ops/s
6250816 PK11Token.c:GenerateCertRequest leaks 'arena'
6251104 Socket.close needs to interrupt threads blocked in I/O

(from 119212-02)
6243892 Add Camerfirma CA certificate to NSS
6243894 Add NetLock CA certificates to NSS
6243895 crash in NSS server if server SID cache uninitialized
5045171 Specify 'Subject Alt Name' during CSR creation
6243896 RPATH not set on AMD64 platform for libnss3.so and tools
6243900 certutil -C78 creates invalid cert with two subjAltName extensions
6243905 PK11_HashBuf buffer overflow
6243907 NSS improperly handles sessions for SSL derived keys.
6243909 Remove the PKCS11_STATIC_ATTRIBUTES macro
6243913 pk11_getKeyFromList can call PORT_Alloc instead of PORT_ZAlloc
6243915 Optimize frequently called function pk11_SessionFromHandle
6243916 Make PK11_CreateSymKey static
6243918 certutil has infinite loop in interactive mode for cert extensions

(from 119212-01)
6237228 Upgrade to Security 3.10
6237231 Move SVRCORE functionality into NSS

Solution

sunpatch-solaris-119212