{"affected":[{"ecosystem_specific":{"binaries":[{"libfreebl3":"3.101.2-1.1","libsoftokn3":"3.101.2-1.1","mozilla-nss":"3.101.2-1.1","mozilla-nss-certs":"3.101.2-1.1","mozilla-nss-tools":"3.101.2-1.1"}]},"package":{"ecosystem":"SUSE:Linux Micro 6.0","name":"mozilla-nss","purl":"pkg:rpm/suse/mozilla-nss&distro=SUSE%20Linux%20Micro%206.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.101.2-1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for mozilla-nss fixes the following issues:\n\n- update to NSS 3.101.2\n - ChaChaXor to return after the function\n\n- update to NSS 3.101.1 \n - missing sqlite header.\n - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.\n\n- update to NSS 3.101\n - add diagnostic assertions for SFTKObject refcount.\n - freeing the slot in DeleteCertAndKey if authentication failed\n - fix formatting issues.\n - Add Firmaprofesional CA Root-A Web to NSS.\n - remove invalid acvp fuzz test vectors.\n - pad short P-384 and P-521 signatures gtests.\n - remove unused FreeBL ECC code.\n - pad short P-384 and P-521 signatures.\n - be less strict about ECDSA private key length.\n - Integrate HACL* P-521.\n - Integrate HACL* P-384.\n - memory leak in create_objects_from_handles.\n - ensure all input is consumed in a few places in mozilla::pkix\n - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy\n - clean up escape handling\n - Use lib::pkix as default validator instead of the old-one\n - Need to add high level support for PQ signing.\n - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation\n - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy\n - Allow for non-full length ecdsa signature when using softoken\n - Modification of .taskcluster.yml due to mozlint indent defects\n - Implement support for PBMAC1 in PKCS#12\n - disable VLA warnings for fuzz builds.\n - remove redundant AllocItem implementation.\n - add PK11_ReadDistrustAfterAttribute.\n - Clang-formatting of SEC_GetMgfTypeByOidTag update\n - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure\n - sftk_getParameters(): Fix fallback to default variable after error with configfile.\n - Switch to the mozillareleases/image_builder image\n\n- update to NSS 3.100\n - merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations.\n - remove ckcapi.\n - avoid a potential PK11GenericObject memory leak.\n - Remove incomplete ESDH code.\n - Decrypt RSA OAEP encrypted messages.\n - Fix certutil CRLDP URI code.\n - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.\n - Add ability to encrypt and decrypt CMS messages using ECDH.\n - Correct Templates for key agreement in smime/cmsasn.c.\n - Moving the decodedCert allocation to NSS.\n - Allow developers to speed up repeated local execution of NSS tests that depend on certificates.\n\n- update to NSS 3.99\n - Removing check for message len in ed25519\n - add ed25519 to SECU_ecName2params.\n - add EdDSA wycheproof tests.\n - nss/lib layer code for EDDSA.\n - Adding EdDSA implementation.\n - Exporting Certificate Compression types\n - Updating ACVP docker to rust 1.74\n - Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552\n - Add NSS_CMSRecipient_IsSupported.\n\n- update to NSS 3.98\n - CVE-2023-5388: Timing attack against RSA decryption in TLS\n - Certificate Compression: enabling the check that the compression was advertised\n - Move Windows workers to nss-1/b-win2022-alpha\n - Remove Email trust bit from OISTE WISeKey Global Root GC CA\n - Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`\n - Certificate Compression: Updating nss_bogo_shim to support Certificate compression\n - TLS Certificate Compression (RFC 8879) Implementation\n - Add valgrind annotations to freebl kyber operations for constant-time execution tests\n - Set nssckbi version number to 2.66\n - Add Telekom Security roots\n - Add D-Trust 2022 S/MIME roots\n - Remove expired Security Communication RootCA1 root\n - move keys to a slot that supports concatenation in PK11_ConcatSymKeys\n - remove unmaintained tls-interop tests\n - bogo: add support for the -ipv6 and -shim-id shim flags\n - bogo: add support for the -curves shim flag and update Kyber expectations\n - bogo: adjust expectation for a key usage bit test\n - mozpkix: add option to ignore invalid subject alternative names\n - Fix selfserv not stripping `publicname:` from -X value\n - take ownership of ecckilla shims\n - add valgrind annotations to freebl/ec.c\n - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip\n - Update zlib to 1.3.1\n\n- update to NSS 3.97\n - make Xyber768d00 opt-in by policy\n - add libssl support for xyber768d00\n - add PK11_ConcatSymKeys\n - add Kyber and a PKCS#11 KEM interface to softoken\n - add a FreeBL API for Kyber\n - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff\n - part 1: add a script for vendoring kyber from pq-crystals repo\n - Removing the calls to RSA Blind from loader.*\n - fix worker type for level3 mac tasks\n - RSA Blind implementation\n - Remove DSA selftests\n - read KWP testvectors from JSON\n - Backed out changeset dcb174139e4f\n - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation\n - Wrap CC shell commands in gyp expansions\n\n- update to NSS 3.96.1\n - Use pypi dependencies for MacOS worker in ./build_gyp.sh\n - p7sign: add -a hash and -u certusage (also p7verify cleanups)\n - add a defensive check for large ssl_DefSend return values\n - Add dependency to the taskcluster script for Darwin\n - Upgrade version of the MacOS worker for the CI\n\n- update to NSS 3.95\n - Bump builtins version number.\n - Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert.\n - Remove 4 DigiCert (Symantec/Verisign) Root Certificates\n - Remove 3 TrustCor Root Certificates from NSS.\n - Remove Camerfirma root certificates from NSS.\n - Remove old Autoridad de Certificacion Firmaprofesional Certificate.\n - Add four Commscope root certificates to NSS.\n - Add TrustAsia Global Root CA G3 and G4 root certificates.\n - Include P-384 and P-521 Scalar Validation from HACL*\n - Include P-256 Scalar Validation from HACL*.\n - After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level\n - Add means to provide library parameters to C_Initialize\n - clang format\n - add OSXSAVE and XCR0 tests to AVX2 detection.\n - Typo in ssl3_AppendHandshakeNumber\n - Introducing input check of ssl3_AppendHandshakeNumber\n - Fix Invalid casts in instance.c\n\n- update to NSS 3.94\n - Updated code and commit ID for HACL*\n - update ACVP fuzzed test vector: refuzzed with current NSS\n - Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants\n - NSS needs a database tool that can dump the low level representation of the database\n - declare string literals using char in pkixnames_tests.cpp\n - avoid implicit conversion for ByteString\n - update rust version for acvp docker\n - Moving the init function of the mpi_ints before clean-up in ec.c\n - P-256 ECDH and ECDSA from HACL*\n - Add ACVP test vectors to the repository\n - Stop relying on std::basic_string\n - Transpose the PPC_ABI check from Makefile to gyp\n\n- Update to NSS 3.93:\n - Update zlib in NSS to 1.3.\n - softoken: iterate hashUpdate calls for long inputs.\n - regenerate NameConstraints test certificates (bsc#1214980).\n\n- update to NSS 3.92\n - Set nssckbi version number to 2.62\n - Add 4 Atos TrustedRoot Root CA certificates to NSS\n - Add 4 SSL.com Root CA certificates\n - Add Sectigo E46 and R46 Root CA certificates\n - Add LAWtrust Root CA2 (4096)\n - Remove E-Tugra Certification Authority root\n - Remove Camerfirma Chambers of Commerce Root.\n - Remove Hongkong Post Root CA 1\n - Remove E-Tugra Global Root CA ECC v3 and RSA v3\n - Avoid redefining BYTE_ORDER on hppa Linux\n\n- update to NSS 3.91\n - Implementation of the HW support check for ADX instruction\n - Removing the support of Curve25519\n - Fix comment about the addition of ticketSupportsEarlyData\n - Adding args to enable-legacy-db build\n - dbtests.sh failure in \"certutil dump keys with explicit default trust flags\"\n - Initialize flags in slot structures\n - Improve the length check of RSA input to avoid heap overflow\n - Followup Fixes\n - avoid processing unexpected inputs by checking for m_exptmod base sign\n - add a limit check on order_k to avoid infinite loop\n - Update HACL* to commit 5f6051d2\n - add SHA3 to cryptohi and softoken\n - HACL SHA3\n - Disabling ASM C25519 for A but X86_64\n\n- update to NSS 3.90.3\n - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.\n - clean up escape handling.\n - remove redundant AllocItem implementation.\n - Disable ASM support for Curve25519.\n - Disable ASM support for Curve25519 for all but X86_64. \n","id":"SUSE-SU-2025:20030-1","modified":"2025-02-03T08:51:41Z","published":"2025-02-03T08:51:41Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202520030-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1214980"},{"type":"REPORT","url":"https://bugzilla.suse.com/1216198"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222804"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222807"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222811"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222813"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222814"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222821"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222822"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222826"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222828"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222830"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222833"},{"type":"REPORT","url":"https://bugzilla.suse.com/1222834"},{"type":"REPORT","url":"https://bugzilla.suse.com/1223724"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224113"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224115"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224116"},{"type":"REPORT","url":"https://bugzilla.suse.com/1224118"},{"type":"REPORT","url":"https://bugzilla.suse.com/1227918"},{"type":"REPORT","url":"https://bugzilla.suse.com/1325335"},{"type":"REPORT","url":"https://bugzilla.suse.com/1548723"},{"type":"REPORT","url":"https://bugzilla.suse.com/1573097"},{"type":"REPORT","url":"https://bugzilla.suse.com/1615555"},{"type":"REPORT","url":"https://bugzilla.suse.com/1748105"},{"type":"REPORT","url":"https://bugzilla.suse.com/1753026"},{"type":"REPORT","url":"https://bugzilla.suse.com/1757758"},{"type":"REPORT","url":"https://bugzilla.suse.com/1774659"},{"type":"REPORT","url":"https://bugzilla.suse.com/1775046"},{"type":"REPORT","url":"https://bugzilla.suse.com/1780432"},{"type":"REPORT","url":"https://bugzilla.suse.com/1784253"},{"type":"REPORT","url":"https://bugzilla.suse.com/1793811"},{"type":"REPORT","url":"https://bugzilla.suse.com/1813401"},{"type":"REPORT","url":"https://bugzilla.suse.com/1818766"},{"type":"REPORT","url":"https://bugzilla.suse.com/1822450"},{"type":"REPORT","url":"https://bugzilla.suse.com/1822935"},{"type":"REPORT","url":"https://bugzilla.suse.com/1822936"},{"type":"REPORT","url":"https://bugzilla.suse.com/1826451"},{"type":"REPORT","url":"https://bugzilla.suse.com/1826652"},{"type":"REPORT","url":"https://bugzilla.suse.com/1827224"},{"type":"REPORT","url":"https://bugzilla.suse.com/1827303"},{"type":"REPORT","url":"https://bugzilla.suse.com/1827444"},{"type":"REPORT","url":"https://bugzilla.suse.com/1829112"},{"type":"REPORT","url":"https://bugzilla.suse.com/1830415"},{"type":"REPORT","url":"https://bugzilla.suse.com/1830978"},{"type":"REPORT","url":"https://bugzilla.suse.com/1831552"},{"type":"REPORT","url":"https://bugzilla.suse.com/1833270"},{"type":"REPORT","url":"https://bugzilla.suse.com/1834851"},{"type":"REPORT","url":"https://bugzilla.suse.com/1835357"},{"type":"REPORT","url":"https://bugzilla.suse.com/1835425"},{"type":"REPORT","url":"https://bugzilla.suse.com/1835828"},{"type":"REPORT","url":"https://bugzilla.suse.com/1836781"},{"type":"REPORT","url":"https://bugzilla.suse.com/1836925"},{"type":"REPORT","url":"https://bugzilla.suse.com/1837431"},{"type":"REPORT","url":"https://bugzilla.suse.com/1837617"},{"type":"REPORT","url":"https://bugzilla.suse.com/1837987"},{"type":"REPORT","url":"https://bugzilla.suse.com/1839327"},{"type":"REPORT","url":"https://bugzilla.suse.com/1839795"},{"type":"REPORT","url":"https://bugzilla.suse.com/1839992"},{"type":"REPORT","url":"https://bugzilla.suse.com/1840429"},{"type":"REPORT","url":"https://bugzilla.suse.com/1840437"},{"type":"REPORT","url":"https://bugzilla.suse.com/1840505"},{"type":"REPORT","url":"https://bugzilla.suse.com/1840510"},{"type":"REPORT","url":"https://bugzilla.suse.com/1841029"},{"type":"REPORT","url":"https://bugzilla.suse.com/1842928"},{"type":"REPORT","url":"https://bugzilla.suse.com/1842932"},{"type":"REPORT","url":"https://bugzilla.suse.com/1842935"},{"type":"REPORT","url":"https://bugzilla.suse.com/1842937"},{"type":"REPORT","url":"https://bugzilla.suse.com/1847845"},{"type":"REPORT","url":"https://bugzilla.suse.com/1848183"},{"type":"REPORT","url":"https://bugzilla.suse.com/1849077"},{"type":"REPORT","url":"https://bugzilla.suse.com/1849471"},{"type":"REPORT","url":"https://bugzilla.suse.com/1850598"},{"type":"REPORT","url":"https://bugzilla.suse.com/1850982"},{"type":"REPORT","url":"https://bugzilla.suse.com/1851044"},{"type":"REPORT","url":"https://bugzilla.suse.com/1851049"},{"type":"REPORT","url":"https://bugzilla.suse.com/1852011"},{"type":"REPORT","url":"https://bugzilla.suse.com/1852179"},{"type":"REPORT","url":"https://bugzilla.suse.com/1853737"},{"type":"REPORT","url":"https://bugzilla.suse.com/1854438"},{"type":"REPORT","url":"https://bugzilla.suse.com/1854439"},{"type":"REPORT","url":"https://bugzilla.suse.com/1854795"},{"type":"REPORT","url":"https://bugzilla.suse.com/1855318"},{"type":"REPORT","url":"https://bugzilla.suse.com/1858241"},{"type":"REPORT","url":"https://bugzilla.suse.com/1860670"},{"type":"REPORT","url":"https://bugzilla.suse.com/1861265"},{"type":"REPORT","url":"https://bugzilla.suse.com/1861728"},{"type":"REPORT","url":"https://bugzilla.suse.com/1863605"},{"type":"REPORT","url":"https://bugzilla.suse.com/1865450"},{"type":"REPORT","url":"https://bugzilla.suse.com/1867408"},{"type":"REPORT","url":"https://bugzilla.suse.com/1869378"},{"type":"REPORT","url":"https://bugzilla.suse.com/1869408"},{"type":"REPORT","url":"https://bugzilla.suse.com/1869642"},{"type":"REPORT","url":"https://bugzilla.suse.com/1870673"},{"type":"REPORT","url":"https://bugzilla.suse.com/1871152"},{"type":"REPORT","url":"https://bugzilla.suse.com/1871219"},{"type":"REPORT","url":"https://bugzilla.suse.com/1871630"},{"type":"REPORT","url":"https://bugzilla.suse.com/1871631"},{"type":"REPORT","url":"https://bugzilla.suse.com/1873095"},{"type":"REPORT","url":"https://bugzilla.suse.com/1873296"},{"type":"REPORT","url":"https://bugzilla.suse.com/1874017"},{"type":"REPORT","url":"https://bugzilla.suse.com/1874111"},{"type":"REPORT","url":"https://bugzilla.suse.com/1874458"},{"type":"REPORT","url":"https://bugzilla.suse.com/1874937"},{"type":"REPORT","url":"https://bugzilla.suse.com/1875356"},{"type":"REPORT","url":"https://bugzilla.suse.com/1875506"},{"type":"REPORT","url":"https://bugzilla.suse.com/1875965"},{"type":"REPORT","url":"https://bugzilla.suse.com/1876179"},{"type":"REPORT","url":"https://bugzilla.suse.com/1876390"},{"type":"REPORT","url":"https://bugzilla.suse.com/1876800"},{"type":"REPORT","url":"https://bugzilla.suse.com/1877344"},{"type":"REPORT","url":"https://bugzilla.suse.com/1877730"},{"type":"REPORT","url":"https://bugzilla.suse.com/1879513"},{"type":"REPORT","url":"https://bugzilla.suse.com/1879945"},{"type":"REPORT","url":"https://bugzilla.suse.com/1880857"},{"type":"REPORT","url":"https://bugzilla.suse.com/1881027"},{"type":"REPORT","url":"https://bugzilla.suse.com/1884276"},{"type":"REPORT","url":"https://bugzilla.suse.com/1884444"},{"type":"REPORT","url":"https://bugzilla.suse.com/1885404"},{"type":"REPORT","url":"https://bugzilla.suse.com/1887996"},{"type":"REPORT","url":"https://bugzilla.suse.com/1889671"},{"type":"REPORT","url":"https://bugzilla.suse.com/1890069"},{"type":"REPORT","url":"https://bugzilla.suse.com/1893029"},{"type":"REPORT","url":"https://bugzilla.suse.com/1893162"},{"type":"REPORT","url":"https://bugzilla.suse.com/1893334"},{"type":"REPORT","url":"https://bugzilla.suse.com/1893404"},{"type":"REPORT","url":"https://bugzilla.suse.com/1893752"},{"type":"REPORT","url":"https://bugzilla.suse.com/1894572"},{"type":"REPORT","url":"https://bugzilla.suse.com/1895012"},{"type":"REPORT","url":"https://bugzilla.suse.com/1895032"},{"type":"REPORT","url":"https://bugzilla.suse.com/1896353"},{"type":"REPORT","url":"https://bugzilla.suse.com/1897487"},{"type":"REPORT","url":"https://bugzilla.suse.com/1898074"},{"type":"REPORT","url":"https://bugzilla.suse.com/1898627"},{"type":"REPORT","url":"https://bugzilla.suse.com/1898825"},{"type":"REPORT","url":"https://bugzilla.suse.com/1898830"},{"type":"REPORT","url":"https://bugzilla.suse.com/1898858"},{"type":"REPORT","url":"https://bugzilla.suse.com/1899593"},{"type":"REPORT","url":"https://bugzilla.suse.com/1899759"},{"type":"REPORT","url":"https://bugzilla.suse.com/1899883"},{"type":"REPORT","url":"https://bugzilla.suse.com/1900413"},{"type":"REPORT","url":"https://bugzilla.suse.com/1901080"},{"type":"REPORT","url":"https://bugzilla.suse.com/1901932"},{"type":"REPORT","url":"https://bugzilla.suse.com/1905691"},{"type":"REPORT","url":"https://bugzilla.suse.com/215997"},{"type":"REPORT","url":"https://bugzilla.suse.com/671060"},{"type":"REPORT","url":"https://bugzilla.suse.com/676100"},{"type":"REPORT","url":"https://bugzilla.suse.com/676118"},{"type":"REPORT","url":"https://bugzilla.suse.com/864039"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2023-5388"}],"related":["CVE-2023-5388"],"summary":"Security update for mozilla-nss","upstream":["CVE-2023-5388"]}