Public bug reported:
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel,
the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1.
This is an untested configuration and since libnss3 is not a certified library
we propose disabling reading the 'fips_enabled' flag and therefore switching
the library automatically into FIPS mode. A FIPS customer reported firefox
crash on a FIPS enabled system and strace showed it was repeatedly trying to
read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled
flag. The users of the library however can force nss into FIPS mode via
an environment variable. We plan to leave it as is so as not to regress
existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
** Affects: nss (Ubuntu)
Importance: High
Assignee: Vineetha Kamath (vineetha)
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1837734
Title:
firefox crash on a FIPS enabled machine due to libnss3
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
