Bugzilla – Bug 935033
VUL-0: mozilla-nss: The Logjam Attack / weakdh.org
Last modified: 2016-01-11 12:09:59 UTC
+++ This bug was initially created as a clone of Bug #931600 +++

This bug tracks Logjam for Mozilla NSS.
https://bugzilla.mozilla.org/show_bug.cgi?id=1138554 has this patch: https://bug1138554.bugzilla.mozilla.org/attachment.cgi?id=8608384 but it adds a new function in the 3.19.1 namespace.
As NSS updates usually have a promise to keep compatibility I plan to update NSS to 3.19.1 with Firefox 39 within the next 1-2 weeks. It's a requirement anyway for that Firefox version. There are still changes in NSS when it comes to the root certificate store but those are not relevant for openSUSE as the currently shipped NSS already has those. But compared with older NSS versions as shipped e.g. with Firefox 31ESR the truststore is changed. The NSS developers provide the NSS_3_19_1_WITH_CKBI_1_98_RTM tag for distributions who require the truststore to be ESR31 compatible and not changed at this moment.
(In reply to Wolfgang Rosenauer from comment #3)
> As NSS updates usually have a promise to keep compatibility I plan to update
> NSS to 3.19.1 with Firefox 39 within the next 1-2 weeks. It's a requirement
> anyway for that Firefox version.

I've burnt myself once already, with FF17 IIRC - the NSS update broke a measurable number of https connections. So I'll try to trim the patch from 3.19.1 to a necessary minimum for SLE and stay with 3.18 (we're switching to FF38 anyway).
bugbot adjusting priority
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-07-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62142
SUSE-SU-2015:1268-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 908275,935033,935979
CVE References: CVE-2015-2721,CVE-2015-2722,CVE-2015-2724,CVE-2015-2725,CVE-2015-2726,CVE-2015-2728,CVE-2015-2730,CVE-2015-2733,CVE-2015-2734,CVE-2015-2735,CVE-2015-2736,CVE-2015-2737,CVE-2015-2738,CVE-2015-2739,CVE-2015-2740,CVE-2015-2743,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src): MozillaFirefox-31.8.0esr-0.10.1, mozilla-nspr-4.10.8-0.5.1, mozilla-nss-3.19.2_CKBI_1.98-0.10.1
SUSE-SU-2015:1269-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 856315,935033,935979
CVE References: CVE-2015-2721,CVE-2015-2722,CVE-2015-2724,CVE-2015-2725,CVE-2015-2726,CVE-2015-2728,CVE-2015-2730,CVE-2015-2733,CVE-2015-2734,CVE-2015-2735,CVE-2015-2736,CVE-2015-2737,CVE-2015-2738,CVE-2015-2739,CVE-2015-2740,CVE-2015-2743,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): MozillaFirefox-31.8.0esr-37.3, mozilla-nspr-4.10.8-3.1, mozilla-nss-3.19.2_CKBI_1.98-21.1
SUSE Linux Enterprise Server 12 (src): MozillaFirefox-31.8.0esr-37.3, mozilla-nspr-4.10.8-3.1, mozilla-nss-3.19.2_CKBI_1.98-21.1
SUSE Linux Enterprise Desktop 12 (src): MozillaFirefox-31.8.0esr-37.3, mozilla-nspr-4.10.8-3.1, mozilla-nss-3.19.2_CKBI_1.98-21.1
SUSE-SU-2015:1268-2: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 908275,935033,935979
CVE References: CVE-2015-2721,CVE-2015-2722,CVE-2015-2724,CVE-2015-2725,CVE-2015-2726,CVE-2015-2728,CVE-2015-2730,CVE-2015-2733,CVE-2015-2734,CVE-2015-2735,CVE-2015-2736,CVE-2015-2737,CVE-2015-2738,CVE-2015-2739,CVE-2015-2740,CVE-2015-2743,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): MozillaFirefox-31.8.0esr-0.10.1, mozilla-nspr-4.10.8-0.5.1, mozilla-nss-3.19.2_CKBI_1.98-0.10.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): MozillaFirefox-31.8.0esr-0.10.1, mozilla-nspr-4.10.8-0.5.1, mozilla-nss-3.19.2_CKBI_1.98-0.10.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): MozillaFirefox-31.8.0esr-0.10.1, mozilla-nspr-4.10.8-0.5.1, mozilla-nss-3.19.2_CKBI_1.98-0.10.1
SUSE Linux Enterprise Server 11-SP4 (src): MozillaFirefox-31.8.0esr-0.10.1, mozilla-nspr-4.10.8-0.5.1, mozilla-nss-3.19.2_CKBI_1.98-0.10.1
SUSE Linux Enterprise Server 11-SP3 (src): MozillaFirefox-31.8.0esr-0.10.1, mozilla-nspr-4.10.8-0.5.1, mozilla-nss-3.19.2_CKBI_1.98-0.10.1
SUSE Linux Enterprise Desktop 11-SP4 (src): MozillaFirefox-31.8.0esr-0.10.1, mozilla-nspr-4.10.8-0.5.1, mozilla-nss-3.19.2_CKBI_1.98-0.10.1
SUSE Linux Enterprise Desktop 11-SP3 (src): MozillaFirefox-31.8.0esr-0.10.1, mozilla-nspr-4.10.8-0.5.1, mozilla-nss-3.19.2_CKBI_1.98-0.10.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): MozillaFirefox-31.8.0esr-0.10.1, mozilla-nspr-4.10.8-0.5.1, mozilla-nss-3.19.2_CKBI_1.98-0.10.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): MozillaFirefox-31.8.0esr-0.10.1, mozilla-nspr-4.10.8-0.5.1, mozilla-nss-3.19.2_CKBI_1.98-0.10.1
released
SUSE-SU-2015:1449-1: An update that fixes 31 vulnerabilities is now available.

Category: security (important)
Bug References: 935033,935979,940806,940918
CVE References: CVE-2015-2721,CVE-2015-2722,CVE-2015-2724,CVE-2015-2725,CVE-2015-2726,CVE-2015-2728,CVE-2015-2730,CVE-2015-2733,CVE-2015-2734,CVE-2015-2735,CVE-2015-2736,CVE-2015-2737,CVE-2015-2738,CVE-2015-2739,CVE-2015-2740,CVE-2015-2743,CVE-2015-4000,CVE-2015-4473,CVE-2015-4474,CVE-2015-4475,CVE-2015-4478,CVE-2015-4479,CVE-2015-4484,CVE-2015-4485,CVE-2015-4486,CVE-2015-4487,CVE-2015-4488,CVE-2015-4489,CVE-2015-4491,CVE-2015-4492,CVE-2015-4495
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): MozillaFirefox-38.2.0esr-10.1, MozillaFirefox-branding-SLED-31.0-0.5.7.11, firefox-gcc47-4.7.2_20130108-0.37.2, mozilla-nss-3.19.2.0-0.7.1
SUSE Linux Enterprise Server 11-SP1-LTSS (src): MozillaFirefox-38.2.0esr-10.1, MozillaFirefox-branding-SLED-31.0-0.5.7.11, firefox-gcc47-4.7.2_20130108-0.37.2, mozilla-nss-3.19.2.0-0.7.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src): MozillaFirefox-38.2.0esr-10.1, mozilla-nss-3.19.2.0-0.7.1
SUSE Linux Enterprise Debuginfo 11-SP1 (src): MozillaFirefox-38.2.0esr-10.1, mozilla-nss-3.19.2.0-0.7.1