Patch-ID# 119213-10 NOTE: *********************************************************************** READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE. *********************************************************************** Keywords: nspr nss jss security Synopsis: NSS_NSPR_JSS 3.11.3: NSPR 4.6.3 / NSS 3.11.3 / JSS 4.2.4 Date: Oct/06/2006 Install Requirements: NA Solaris Release: 10 SunOS Release: 5.10 Unbundled Product: NSPR/NSS/JSS Unbundled Release: 3.11.3 Xref: This patch available for i386 as patch 119214 Topic: Relevant Architectures: sparc BugId's fixed with this patch: 4689266 5045171 6210080 6228370 6237228 6237231 6242112 6243892 6243894 6243895 6243896 6243900 6243905 6243907 6243909 6243913 6243915 6243916 6243918 6250799 6250801 6250802 6250803 6250807 6250808 6250812 6250814 6250816 6251104 6253118 6258052 6258053 6258055 6258056 6258057 6258061 6258062 6258064 6258066 6260111 6260658 6264996 6302177 6315463 6326988 6326994 6326998 6327000 6327002 6327004 6327009 6327013 6327014 6327018 6327020 6327021 6330310 6333604 6341685 6341687 6350173 6359866 6362932 6374429 6377957 6406845 6407468 6416004 6419586 6419590 6421471 6427037 6442985 6442986 6442988 6442990 6442993 6442994 6442995 6464665 6464668 6464671 6464673 6464677 6464680 6464683 6464752 6464756 6464757 6464759 6464762 6464764 6464766 6464767 6465317 6467033 6467643 6468410 6468441 6468495 Changes incorporated in this version: 6464665 6464668 6464671 6464756 6464673 6464677 6464680 6464767 6465317 6464683 6468441 6464752 6228370 6464757 6468410 6464759 6464762 6464764 6464766 6467643 6468495 6467033 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /usr/include/mps/base64.h /usr/include/mps/blapit.h /usr/include/mps/cert.h /usr/include/mps/certdb.h /usr/include/mps/certt.h /usr/include/mps/ciferfam.h /usr/include/mps/cmmf.h /usr/include/mps/cmmft.h /usr/include/mps/cms.h /usr/include/mps/cmsreclist.h /usr/include/mps/cmst.h /usr/include/mps/crmf.h /usr/include/mps/crmft.h /usr/include/mps/cryptohi.h /usr/include/mps/cryptoht.h /usr/include/mps/ecl-exp.h /usr/include/mps/hasht.h /usr/include/mps/jar-ds.h /usr/include/mps/jar.h /usr/include/mps/jarfile.h /usr/include/mps/key.h /usr/include/mps/keyhi.h /usr/include/mps/keyt.h /usr/include/mps/keythi.h /usr/include/mps/nspr.h /usr/include/mps/nss.h /usr/include/mps/nssb64.h /usr/include/mps/nssb64t.h /usr/include/mps/nssbase.h /usr/include/mps/nssbaset.h /usr/include/mps/nssckbi.h /usr/include/mps/nssckepv.h /usr/include/mps/nssckft.h /usr/include/mps/nssckfw.h /usr/include/mps/nssckfwc.h /usr/include/mps/nssckfwt.h /usr/include/mps/nssckg.h /usr/include/mps/nssckmdt.h /usr/include/mps/nssckt.h /usr/include/mps/nssilckt.h /usr/include/mps/nssilock.h /usr/include/mps/nsslocks.h /usr/include/mps/nssrwlk.h /usr/include/mps/nssrwlkt.h /usr/include/mps/obsolete/protypes.h /usr/include/mps/ocsp.h /usr/include/mps/ocspt.h /usr/include/mps/p12.h /usr/include/mps/p12plcy.h /usr/include/mps/p12t.h /usr/include/mps/pk11func.h /usr/include/mps/pk11pqg.h /usr/include/mps/pk11priv.h /usr/include/mps/pk11pub.h /usr/include/mps/pk11sdr.h /usr/include/mps/pkcs11.h /usr/include/mps/pkcs11f.h /usr/include/mps/pkcs11n.h /usr/include/mps/pkcs11p.h /usr/include/mps/pkcs11t.h /usr/include/mps/pkcs11u.h /usr/include/mps/pkcs12.h /usr/include/mps/pkcs12t.h /usr/include/mps/pkcs7t.h /usr/include/mps/plarena.h /usr/include/mps/plarenas.h /usr/include/mps/plbase64.h /usr/include/mps/plerror.h /usr/include/mps/plgetopt.h /usr/include/mps/plhash.h /usr/include/mps/plresolv.h /usr/include/mps/plstr.h /usr/include/mps/portreg.h /usr/include/mps/pratom.h /usr/include/mps/prbit.h /usr/include/mps/prclist.h /usr/include/mps/prcmon.h /usr/include/mps/prcountr.h /usr/include/mps/prcpucfg.h /usr/include/mps/prcvar.h /usr/include/mps/prdtoa.h /usr/include/mps/preenc.h /usr/include/mps/prenv.h /usr/include/mps/prerr.h /usr/include/mps/prerror.h /usr/include/mps/prinet.h /usr/include/mps/prinit.h /usr/include/mps/prinrval.h /usr/include/mps/prio.h /usr/include/mps/pripcsem.h /usr/include/mps/prlink.h /usr/include/mps/prlock.h /usr/include/mps/prlog.h /usr/include/mps/prlong.h /usr/include/mps/prmem.h /usr/include/mps/prmon.h /usr/include/mps/prmwait.h /usr/include/mps/prnetdb.h /usr/include/mps/prolock.h /usr/include/mps/prpdce.h /usr/include/mps/prprf.h /usr/include/mps/prproces.h /usr/include/mps/prrng.h /usr/include/mps/prrwlock.h /usr/include/mps/prshm.h /usr/include/mps/prshma.h /usr/include/mps/prsystem.h /usr/include/mps/prthread.h /usr/include/mps/prtime.h /usr/include/mps/prtpool.h /usr/include/mps/prtrace.h /usr/include/mps/prtypes.h /usr/include/mps/prvrsion.h /usr/include/mps/prwin16.h /usr/include/mps/secasn1.h /usr/include/mps/secasn1t.h /usr/include/mps/seccomon.h /usr/include/mps/secder.h /usr/include/mps/secdert.h /usr/include/mps/secdig.h /usr/include/mps/secdigt.h /usr/include/mps/secerr.h /usr/include/mps/sechash.h /usr/include/mps/secitem.h /usr/include/mps/secmime.h /usr/include/mps/secmod.h /usr/include/mps/secmodt.h /usr/include/mps/secoid.h /usr/include/mps/secoidt.h /usr/include/mps/secpkcs5.h /usr/include/mps/secpkcs7.h /usr/include/mps/secport.h /usr/include/mps/shsign.h /usr/include/mps/smime.h /usr/include/mps/ssl.h /usr/include/mps/sslerr.h /usr/include/mps/sslproto.h /usr/include/mps/sslt.h /usr/include/mps/watcomfx.h /usr/lib/mps/cpu/sparcv8plus/libnspr_flt4.so /usr/lib/mps/libfreebl_32fpu_3.chk /usr/lib/mps/libfreebl_32fpu_3.so /usr/lib/mps/libfreebl_32int64_3.chk /usr/lib/mps/libfreebl_32int64_3.so /usr/lib/mps/libfreebl_32int_3.chk /usr/lib/mps/libfreebl_32int_3.so /usr/lib/mps/libjss4.so /usr/lib/mps/libnspr4.so /usr/lib/mps/libnss3.so /usr/lib/mps/libnssckbi.so /usr/lib/mps/libplc4.so /usr/lib/mps/libplds4.so /usr/lib/mps/libsmime3.so /usr/lib/mps/libsoftokn3.chk /usr/lib/mps/libsoftokn3.so /usr/lib/mps/libssl3.so /usr/lib/mps/sparcv9/libfreebl_64fpu_3.chk /usr/lib/mps/sparcv9/libfreebl_64fpu_3.so /usr/lib/mps/sparcv9/libfreebl_64int_3.chk /usr/lib/mps/sparcv9/libfreebl_64int_3.so /usr/lib/mps/sparcv9/libjss4.so /usr/lib/mps/sparcv9/libnspr4.so /usr/lib/mps/sparcv9/libnss3.so /usr/lib/mps/sparcv9/libnssckbi.so /usr/lib/mps/sparcv9/libplc4.so /usr/lib/mps/sparcv9/libplds4.so /usr/lib/mps/sparcv9/libsmime3.so /usr/lib/mps/sparcv9/libsoftokn3.chk /usr/lib/mps/sparcv9/libsoftokn3.so /usr/lib/mps/sparcv9/libssl3.so /usr/sfw/bin/addbuiltin /usr/sfw/bin/certutil /usr/sfw/bin/cmsutil /usr/sfw/bin/crlutil /usr/sfw/bin/modutil /usr/sfw/bin/pk12util /usr/sfw/bin/signtool /usr/sfw/bin/signver /usr/sfw/bin/sparcv9/addbuiltin /usr/sfw/bin/sparcv9/certutil /usr/sfw/bin/sparcv9/cmsutil /usr/sfw/bin/sparcv9/crlutil /usr/sfw/bin/sparcv9/modutil /usr/sfw/bin/sparcv9/pk12util /usr/sfw/bin/sparcv9/signtool /usr/sfw/bin/sparcv9/signver /usr/sfw/bin/sparcv9/ssltap /usr/sfw/bin/ssltap /usr/share/lib/mps/jss4.jar /usr/share/lib/mps/sparcv9/jss4.jar Problem Description: 6464665 C_VerifyUpdate fails for hmac 6464668 race assigning NSSCertificate fields leaks memory and slot reference 6464671 Race condition in Stan import cert code called from CERT_NewTempCertificate 6464756 curve-limited clients must not negotiate ECC ciphersuites unless they send the supported curve ext 6464673 Continuous RNG test failure does not immediately put the FIPS module in the error state 6464677 PORT_FreeArena NEVER zeros memory before freeing it 6464680 Move the software integrity test into sftk_fipsPowerUpSelfTest 6464767 smime: possible memory corruption when encoding/decoding smime_encryptionkeypref_template 6465317 seckey_put_private_key leaks memory 6464683 Variable ""(cache)->sharedCache"" tracked as NULL was passed to a function that dereferences it. 6468441 OOM crash @ nssArena_Destroy - nssTrustDomain_TraverseCertificatesBySubject/ByNickname(info) 6464752 Multiple NULL ptr dereferences in nss/lib/base/arena.c 6228370 NSS code should not fork netstat 6464757 freebl libraries are always optimized on Sparc 6468410 Regression Assertion failure: 0, at unix_rand.c:149 6464759 mismatch between PK11_FindCertFromNickname and FindCerts 6464762 chain validation returns ambiguous error codes when OCSP enabled 6464764 Coverity 874, NULL cert ptr crash in NSS_CMSRecipientInfo_WrapBulkKey 6464766 Coverity 543, leak after OOM in CMMF_POPODecKeyChallContDecryptChallenge 6467643 HP-UX : protypes.h is not available as part of sun-nspr-devel depot 6468495 PKCS#1 signature DigestInfo parsing problems in NSS 6467033 Security vulnerability in the way NSPR library creates log files (from 119213-09) 6442985 selfserv reports error -12272 SSL_ERROR_BAD_MAC_ALERT in QA stress tests 6442986 PK11_ functions that find objects fail when user not logged in and softoken is in FIPS140 mode 6442988 Reference leak in selfserv in FIPS140-2 mode 6442990 Crash in pk12util on Windows; pk12util and certutil test failures on other platforms 6442993 NSS ECDSA signature length incompatible with other implementations for some curves 6427037 Fix for 4689266 uncovered bug in SSL writev on async socket 6442994 incorrect smime_encryptionkeypref_template leads to QuickDER decoding failure 6442995 Assertion failure in FIPS test (from 119213-08) 4689266 SSL write indicates all data sent when some is buffered 6377957 softoken leaks in nsc_pbe_key_gen 6407468 certutil cannot generate RSA keys larger than 2048 bits 6406845 certutil adds 3 months to user-specified validity period 6374429 patches 119213 and 119214 do not apply via patch automation. These are all released to SunSolve 6416004 Add rpath for HP-UX on pa-risc 6419586 The SSL session timeout arguments to SSL_ConfigServerSessionIDCache and SSL_ConfigMPServerSIDCache 6419590 Allow NSS to decode certs with unsupported critical extensions 6421471 memory leaks in selfserv with ECC cipher suites (from 119213-07) 6326988 MSVC debug runtime library assertion failures in crlutil 6326994 PK11_ListCertsInSlot crashes in subject_list_sort on a cert with unsupported critical extension 6326998 softoken PKCS#11 version is incorrect 6327000 RSA key size limits are not applied to key pair generation in freebl 6327002 Multipart CKM_DSA_SHA1 signing broken if given large buffer 6242112 certutil crashes when -P is empty 6327004 Some NSS mechanism numbers don't match the PKCS11 6327009 S/MIME message verification fails if cert is signing-only 6327013 PK11_TokenKeyGen should add CKA_UNWRAP and CKA_WRAP attributes to object template3 6253118 Installing a CRL on WS 6.1SP4 (Windows) adds it to the CKLs section in the GUI 6327014 Need CKA_EXTRACTABLE for PK11_GenerateKeyPair 6327018 NSS 3.9.3 not support SHA-512 6210080 libsoftokn3 fails to load libfreebl in setuid programs 6327020 SSL/TLS Client Authentication with 3rd party PKCS#11 module fails with unrecognized token 6327021 NSS tries to call C_WaitForSlotEvent on PKCS#11 2.0 modules 6315463 toString() call in SSLSocket.java does not check for exceptions 6341685 PKCS#11 CKF_PROTECTED_AUTHENTICATION_PATH token flag not supported 6341687 ASN.1 encoder outputs trash for optional may-stream subtemplate 6264996 SSLSocket.GetIPAddress needs to return null, if socket is not connected 6330310 JSS accumulates CLOSE_WAIT sockets due to not closing the SSLSocket when SSLInputStream is closed 6350173 Expose new key generation functions in JSS for key export 6359866 Thread protection needed for getPeerAddress 6362932 JSS 4.1.2 needs to work with NSS 3.9.x (from 119213-06) 6333604 Wrong obsolete patch ID for patches 119213-05 and 119214-05 (from 119213-05) 6302177 Zlib vulnerability in NSS tools (from 119213-04) 6258052 NSS doesn't fetch CRLs during the first minute of program execution on AIX 6258053 Compile source files with absolute pathnames on AIX 6258055 Add Sonera CA certs (2) to builtin trusted CA list 6258056 Add Go Daddy root certs to NSS 6258057 Add CRL generation to crlutil 6258061 certutil -A reports extension not found if file has extra data 6258062 ssltap creates cert files containing garbage 6258064 Can not encode CRL using classic ASN.1 encoder 6258066 NSC_CopyObject crashes when trying to copy token object 6260111 certutil core dump during installation of Sun Cluster 6260658 certutil crash reading key data base. (from 119213-03) 6250799 SSL_ConfigSecureServer always generates a step-down key for RSA 6250801 NSC_Encrypt with RSA mechanism crashes if len is greater than modulus len 6250802 nss3.10 certutil sees 3.9.x root certs as government issued 6250803 C_Finalize status not checked in SECMOD_CancelWait 6250807 pk11_AnyUnwrapKey does not process error condition correctly 6250808 Make rsaperf use PKCS#11 6250812 Remove PKCS11_USE_THREADS and PK11_USE_THREADS 6250814 Add option for rsaperf to run for a fixed duration, and display ops/s 6250816 PK11Token.c:GenerateCertRequest leaks 'arena' 6251104 Socket.close needs to interrupt threads blocked in I/O (from 119213-02) 6243892 Add Camerfirma CA certificate to NSS 6243894 Add NetLock CA certificates to NSS 6243895 crash in NSS server if server SID cache uninitialized 5045171 Specify 'Subject Alt Name' during CSR creation 6243896 RPATH not set on AMD64 platform for libnss3.so and tools 6243900 certutil -C78 creates invalid cert with two subjAltName extensions 6243905 PK11_HashBuf buffer overflow 6243907 NSS improperly handles sessions for SSL derived keys. 6243909 Remove the PKCS11_STATIC_ATTRIBUTES macro 6243913 pk11_getKeyFromList can call PORT_Alloc instead of PORT_ZAlloc 6243915 Optimize frequently called function pk11_SessionFromHandle 6243916 Make PK11_CreateSymKey static 6243918 certutil has infinite loop in interactive mode for cert extensions (from 119213-01) 6237228 Upgrade to Security 3.10 6237231 Move SVRCORE functionality into NSS Patch Installation Instructions: -------------------------------- Refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other special or non-generic installation instructions should be described below as special instructions. The following example installs a patch to a standalone machine: example# patchadd /var/spool/patch/104945-02 The following example removes a patch from a standalone system: example# patchrm 104945-02 For additional examples please see the appropriate man pages. Special Install Instructions: ----------------------------- None. README -- Last modified date: Friday, October 6, 2006