[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-08-10 Thread Launchpad Bug Tracker
This bug was fixed in the package nss - 2:3.35-2ubuntu2.11 --- nss (2:3.35-2ubuntu2.11) bionic-security; urgency=medium * SECURITY UPDATE: Side-channel attack - debian/patches/CVE-2020-12400-and-6829-*.patch: use constant-time P-384 and P-521 in

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-08-10 Thread Launchpad Bug Tracker
This bug was fixed in the package nss - 2:3.49.1-1ubuntu1.4 --- nss (2:3.49.1-1ubuntu1.4) focal-security; urgency=medium * SECURITY UPDATE: Side-channel attack - debian/patches/CVE-2020-12400-and-6829-*.patch: use constant-time P-384 and P-521 in

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-27 Thread Dariusz Gadomski
** Tags added: sts-sponsor-dgadomski -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1885562 Title: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode Status in nss

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-23 Thread Dariusz Gadomski
I tested libnss3 2:3.49.1-1ubuntu1.3 on focal, however this was not done in FIPS-mode (as there are no FIPS packages for focal available). I did not find a way to trigger the signature verification outside FIPS mode, but in normal use case (FIPS disabled) everything works as expected, no

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-23 Thread Dariusz Gadomski
Tested with 2:3.35-2ubuntu2.10 on 18.04: sudo chronyd -d 2020-07-23T08:40:19Z chronyd version 3.2 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SECHASH +SIGND +ASYNCDNS +IPV6 -DEBUG) 2020-07-23T08:40:19Z Frequency -1.068 +/- 0.045 ppm read from /var/lib/chrony/chrony.drift (no

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-23 Thread Dariusz Gadomski
** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-21 Thread Brian Murray
Hello Dariusz, or anyone else affected, Accepted nss into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss/2:3.35-2ubuntu2.10 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-21 Thread Brian Murray
Hello Dariusz, or anyone else affected, Accepted nss into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nss/2:3.49.1-1ubuntu1.3 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-20 Thread Launchpad Bug Tracker
** Merge proposal unlinked: https://code.launchpad.net/~sergiodj/ubuntu/+source/nss/+git/nss/+merge/387608

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-17 Thread Launchpad Bug Tracker
This bug was fixed in the package nss - 2:3.49.1-1ubuntu4 --- nss (2:3.49.1-1ubuntu4) groovy; urgency=medium * Symlink chk files to fix self-verification in FIPS mode (LP: #1885562) -- Dariusz Gadomski Wed, 01 Jul 2020 14:48:13 +0200 ** Changed in: nss (Ubuntu Groovy)

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-17 Thread Launchpad Bug Tracker
** Merge proposal linked: https://code.launchpad.net/~sergiodj/ubuntu/+source/nss/+git/nss/+merge/387608

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-17 Thread Dariusz Gadomski
** Description changed: + [Impact] + + * Prevents using some parts of nss in FIPS mode - e.g. + libfreeblpriv3.so (failed asserts). The library during initialization + tries to verify it's own binaries against signatures in chk files + shipped along with it (created at build time). They are

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-16 Thread Dan Streetman
** Also affects: nss (Ubuntu Groovy) Importance: Medium Assignee: Dariusz Gadomski (dgadomski) Status: In Progress ** Also affects: nss (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: nss (Ubuntu Focal) Assignee: (unassigned) => Dariusz Gadomski

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-15 Thread Richard Maciel Costa
Reviewed patches and they look good to me. However, in the future, we should consider another possibility: disable FIPS mode for libNSS3 by default, since that lib isn't FIPS-certified. This can prevent customers from mistakenly thinking the opposite.

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-15 Thread Dariusz Gadomski
As discussed with Richard outside LP: we agreed that adding symlinks is an acceptable solution to this problem. Debdiffs linked.

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-15 Thread Dariusz Gadomski
** Changed in: nss (Ubuntu) Assignee: Richard Maciel Costa (richardmaciel) => Dariusz Gadomski (dgadomski) ** Changed in: nss (Ubuntu Bionic) Assignee: Richard Maciel Costa (richardmaciel) => Dariusz Gadomski (dgadomski)

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-14 Thread Steve Beattie
** Changed in: nss (Ubuntu) Status: New => In Progress ** Changed in: nss (Ubuntu Bionic) Status: New => In Progress

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-08 Thread Dariusz Gadomski
@richardmaciel please let me know if I can help you with anything with regard to this bug.

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
The patches I've uploaded implement the Solution B from the description. It actually applies only to Bionic, but I believe it's worth having it in Focal if it gets FIPS certification and for Groovy - to keep it for the future releases.

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
groovy fix ** Patch added: "groovy.debdiff" https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388751/+files/groovy.debdiff

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
Focal debdiff reupload ** Patch added: "focal.debdiff" https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388755/+files/focal.debdiff

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
SRU proposal for bionic ** Patch removed: "focal.debdiff" https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388752/+files/focal.debdiff ** Patch removed: "groovy.debdiff"

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
Bionic debdiff reupload ** Patch added: "bionic.debdiff" https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388756/+files/bionic.debdiff

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
Groovy debdiff re-upload ** Patch added: "groovy.debdiff" https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388754/+files/groovy.debdiff

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
SRU proposal for Focal May be useful if it gets FIPS-certified. ** Patch added: "focal.debdiff" https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1885562/+attachment/5388752/+files/focal.debdiff

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Richard Maciel Costa
** Changed in: nss (Ubuntu) Assignee: (unassigned) => Richard Maciel Costa (richardmaciel) ** Changed in: nss (Ubuntu Bionic) Assignee: (unassigned) => Richard Maciel Costa (richardmaciel)

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-07-01 Thread Dariusz Gadomski
** Description changed: In FIPS mode there are some additional checks performed. They lead to verifying binaries signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in /usr/lib/$(DEB_HOST_MULTIARCH)/nss. Along with those files are the libraries

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-06-30 Thread Dariusz Gadomski
I have briefly analyzed nss code - it uses the nspr library for, inter alia, file access abstraction. From what I saw in the docs it does not offer any form of symlink resolution, so it may be nontrivial to safely implement it in nss code.

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-06-29 Thread Dariusz Gadomski
** Description changed: - When in FIPS mode there some additional checks performed. + In FIPS mode there are some additional checks performed. They lead to verifying binaries signatures. Those signatures are shipped in the libnss3 package as *.chk files installed in

[Touch-packages] [Bug 1885562] Re: [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode

2020-06-29 Thread Dariusz Gadomski
** Summary changed: - freebl_fipsSoftwareIntegrityTest fails in FIPS mode + [fips] freebl_fipsSoftwareIntegrityTest fails in FIPS mode ** Tags added: sts