[Touch-packages] [Bug 1837734] Re: libnss3 reads fips_enabled flag and automatically switches to FIPS mode
The SRU was originally filed since firefox crashed due to libnss3 automatically entering FIPS mode. Firefox uses bundled nss and hence a fix is being worked into firefox library to address the crash. libnss3 does not need this change. Upon careful examination of code, the code to read "fips_enabled" does not get compiled on Ubuntu. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: libnss3 reads fips_enabled flag and automatically switches to FIPS mode Status in nss package in Ubuntu: Fix Released Status in nss source package in Xenial: Fix Committed Status in nss source package in Bionic: Fix Committed Status in nss source package in Disco: Fix Committed Status in nss source package in Eoan: Fix Released Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. [TEST] Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. Without the patch fix, firefox crashes. Tested on a xenial and bionic desktop ISO running non-FIPS generic kernel. With the patch fix, firefox worked as expected and no changes were observed. [REGRESSION POTENTIAL] The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1837734] Re: libnss3 reads fips_enabled flag and automatically switches to FIPS mode
** Description changed: [IMPACT] - nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. + nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. [TEST] Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. Without the patch fix, firefox crashes. Tested on a xenial and bionic desktop ISO running non-FIPS generic kernel. With the patch fix, firefox worked as expected and no changes were observed. [REGRESSION POTENTIAL] The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: libnss3 reads fips_enabled flag and automatically switches to FIPS mode Status in nss package in Ubuntu: Fix Released Status in nss source package in Xenial: Fix Committed Status in nss source package in Bionic: Fix Committed Status in nss source package in Disco: Fix Committed Status in nss source package in Eoan: Fix Released Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who
[Touch-packages] [Bug 1837734] Re: libnss3 reads fips_enabled flag and automatically switches to FIPS mode
** Summary changed: - Firefox crash on a FIPS enabled machine due to libnss3 + libnss3 reads fips_enabled flag and automatically switches to FIPS mode -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: libnss3 reads fips_enabled flag and automatically switches to FIPS mode Status in nss package in Ubuntu: Fix Released Status in nss source package in Xenial: Fix Committed Status in nss source package in Bionic: Fix Committed Status in nss source package in Disco: Fix Committed Status in nss source package in Eoan: Fix Released Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. [TEST] Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. Without the patch fix, firefox crashes. Tested on a xenial and bionic desktop ISO running non-FIPS generic kernel. With the patch fix, firefox worked as expected and no changes were observed. [REGRESSION POTENTIAL] The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1837734] Re: firefox crash on a FIPS enabled machine due to libnss3
** Description changed: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. [TEST] Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. Without the patch fix, firefox crashes. + Tested on a xenial and bionic desktop ISO running non-FIPS generic + kernel. firefox worked as expected and no changes were observed. + [REGRESSION POTENTIAL] The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. ** Description changed: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. [TEST] Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. Without the patch fix, firefox crashes. Tested on a xenial and bionic desktop ISO running non-FIPS generic - kernel. firefox worked as expected and no changes were observed. + kernel. With the patch fix, firefox worked as expected and no changes + were observed. [REGRESSION POTE
[Touch-packages] [Bug 1837734] Re: firefox crash on a FIPS enabled machine due to libnss3
** Attachment added: "debdiff.bionic" https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+attachment/5279027/+files/debdiff.bionic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: firefox crash on a FIPS enabled machine due to libnss3 Status in nss package in Ubuntu: New Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. [TEST] Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. Without the patch fix, firefox crashes. [REGRESSION POTENTIAL] The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1837734] Re: firefox crash on a FIPS enabled machine due to libnss3
debdiff.disco ** Attachment added: "debdiff.disco" https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+attachment/5279026/+files/debdiff.disco -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: firefox crash on a FIPS enabled machine due to libnss3 Status in nss package in Ubuntu: New Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. [TEST] Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. Without the patch fix, firefox crashes. [REGRESSION POTENTIAL] The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1837734] Re: firefox crash on a FIPS enabled machine due to libnss3
debdiff.xenial ** Attachment added: "debdiff.xenial" https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+attachment/5279028/+files/debdiff.xenial ** Description changed: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 - FIX] - This fix proposes to disable libnss3 reading /proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our - fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. + [FIX] + This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. - [TEST] - Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. - Without the patch fix, firefox crashes. + Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. + Without the patch fix, firefox crashes. [REGRESSION POTENTIAL] The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: firefox crash on a FIPS enabled machine due to libnss3 Status in nss package in Ubuntu: New Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be readin
[Touch-packages] [Bug 1837734] Re: firefox crash on a FIPS enabled machine due to libnss3
debdiff.eoan ** Attachment added: "debdiff.eoan" https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+attachment/5279025/+files/debdiff.eoan -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: firefox crash on a FIPS enabled machine due to libnss3 Status in nss package in Ubuntu: New Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 [FIX] This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. [TEST] Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. Without the patch fix, firefox crashes. [REGRESSION POTENTIAL] The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1837734] Re: firefox crash on a FIPS enabled machine due to libnss3
The build log and test runs for eoan build is on my test ppa https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17312645 The build log and test runs for disco build is on my test ppa https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17315636 The build log and test runs for bionic build is on my test ppa https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17311607 The build log and test runs for xenial build is on my test ppa https://launchpad.net/~vineetha/+archive/ubuntu/test-ppa/+build/17311225 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: firefox crash on a FIPS enabled machine due to libnss3 Status in nss package in Ubuntu: New Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 FIX] This fix proposes to disable libnss3 reading /proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness. [TEST] Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. Without the patch fix, firefox crashes. [REGRESSION POTENTIAL] The regression potential for this is small. A FIPS kernel is required to create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1837734] Re: firefox crash on a FIPS enabled machine due to libnss3
** Description changed: [IMPACT] - nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. + nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 + + Version: 2:3.45-1ubuntu1 + + lsb_release -rd + Description: Ubuntu Disco Dingo + Release: 19.04 + + Version: 2:3.42-1ubuntu2 + + lsb_release -rd + Description: Ubuntu Bionic Beaver + Release: 18.04 + + Version: 2:3.35-2ubuntu2.3 + + lsb_release -rd + Description: Ubuntu 16.04.3 LTS + Release: 16.04 + + Version: 2:3.28.4-0ubuntu0.16.04 + + FIX] + This fix proposes to disable libnss3 reading /proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our + fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. + + Users who do want to run the library in FIPS mode can do so by using the + environment variable "NSS_FIPS". We propose to leave it as is so as not + to regress anyone using this. The user who is using this option should + be doing so with the awareness. + + + [TEST] + Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser. + Without the patch fix, firefox crashes. + + [REGRESSION POTENTIAL] + The regression potential for this is small. A FIPS kernel is required to + create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: firefox crash on a FIPS enabled machine due to libnss3 Status in nss package in Ubuntu: New Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 Version: 2:3.45-1ubuntu1 lsb_release -rd Description: Ubuntu Disco Dingo Release: 19.04 Version: 2:3.42-1ubuntu2 lsb_release -rd Description: Ubuntu Bionic Beaver Release: 18.04 Version: 2:3.35-2ubuntu2.3 lsb_release -rd Description: Ubuntu 16.04.3 LTS Release: 16.04 Version: 2:3.28.4-0ubuntu0.16.04 FIX] This fix proposes to disable libnss3 reading /proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode. Users who do want to run the library in FIPS mode can do so by using
[Touch-packages] [Bug 1837734] [NEW] firefox crash on a FIPS enabled machine due to libnss3
Public bug reported: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description:Ubuntu Eoan Ermine (development branch) Release: 19.10 ** Affects: nss (Ubuntu) Importance: High Assignee: Vineetha Kamath (vineetha) Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1837734 Title: firefox crash on a FIPS enabled machine due to libnss3 Status in nss package in Ubuntu: New Bug description: [IMPACT] nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing. The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it. The issue impacts libnss3 versions in eoan, disco, bionic and xenial. lsb_release -rd Description: Ubuntu Eoan Ermine (development branch) Release: 19.10 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
