OBSOLETE Patch-ID# 119209-27


Download this patch from My Oracle Support

Your use of the firmware, software and any other materials contained in this update is subject to My Oracle Support Terms of Use, which may be viewed at My Oracle Support.
For further information on patching best practices and resources, please see the following links:
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: nspr nss jss security java_es-3 java_es-4
Synopsis: Obsoleted by: 119209-29 NSS_NSPR_JSS 3.13.1: NSPR 4.8.9 / NSS 3.13.1 / JSS 4.3.2
Date: Feb/04/2012


Install Requirements: NA

Solaris Release: 8

SunOS Release: 5.8

Unbundled Product: NSS_NSPR_JSS

Unbundled Release: 3.13.1

Xref:

Topic:

Relevant Architectures: sparc

Bugs fixed with this patch:

Sun CR # Bug #
698912112301816
700182612304214
700853012305711
701121512306340
701157812306440
701516112307252
701755312307757
702551112309095
702593712309169
13341290
13341314
468926612016449
492642911981121
504517111965251
621008012105645
622837012109460
623722812111309
623723112111311
624211212112342
624389212112643
624389412112644
624389512112645
624389612112646
624390012112647
624390512112649
624390712112650
624390912112651
624391312112652
624391512112653
624391612112654
624391812112655
625079912114249
625080112114250
625080212114251
625080312114252
625080712114253
625080812114254
625081212114255
625081412114256
625081612114257
625110412114305
625311812114759
625805212116050
625805312116051
625805512116052
625805612116053
625805712116054
625806112116056
625806212116057
625806412116058
625806612116060
626011112116693
626065812116825
626499612117962
630217712128310
631546312132025
632698812135600
632699412135602
632699812135603
632700012135604
632700212135606
632700412135608
632700912135609
632701312135610
632701412135611
632701812135612
632702012135613
632702112135614
633031012136791
634168512140180
634168712140183
635017312142353
635986612145185
636293212146230
637442912149730
637795712150787
640684512159307
640746812159456
641600412162169
641958612163351
641959012163352
642147112163875
642397012164594
642703712165486
644298512169916
644298612169918
644298812169919
644299012169920
644299312169921
644299412169922
644299512169923
646466512175821
646466812175822
646467112175823
646467312175825
646467712175827
646468012175830
646468312175832
646475212175844
646475612175848
646475712175849
646475912175850
646476212175852
646476412175853
646476612175854
646476712175855
646531712176042
646703312176706
646764312176886
646841012177152
646844112177159
646849512177165
648806012182891
649123812183830
649231012184140
649349212184546
650762712188523
650776212188548
652456512192977
652465112193003
652480912193029
652673812193568
654723612198864
654931912199432
655558712200746
655558812200747
655558912200748
655559012200749
656082312201863
658034712206536
659616112210134
660571212212351
661296012213936
662431912216533
662432612216537
662432812216538
662432912216539
662433112216540
662433412216541
662433512216542
662433712216543
662433812216544
662434212216545
662434312216546
662434412216547
662434612216548
662434812216550
662435012216551
662435112216552
662435212216553
662435412216554
662435612216555
662699312217225
663016312218078
664307112221617
665728812225743
665729212225744
665731712225745
665732012225746
665732212225747
665781512225916
665781612225917
665781812225918
665782012225919
665782212225920
665782312225921
665782612225922
665782912225923
665783012225924
665783412225925
665783712225926
672535912243616
673781812245997
673782012245998
673782112245999
673782212246000
673782612246001
673782712246002
673782812246003
673782912246004
673783212246005
673783412246006
673783712246008
673783812246009
673784112246011
673784312246012
673784612246013
673784812246014
673785012246015
673785212246016
673785412246017
673786212246019
675251012249027
676317712251441
676324812251459
676362612251567
676363012251570
676402212251638
676734112252418
678227612256640
679938212260886
682161212265858
682161712265859
682161812265860
682162012265861
682163012265866
682163112265867
682163312265868
682163412265869
682163812265870
682164012265872
682164312265873
682164512265874
684647012271380
685383112272885
687008312276638
687469412277567
687470012277569
687470112277570
687470212277571
687470712277573
687470812277574
687470912277575
687471012277576
687471212277577
687471412277578
687471512277579
687471612277580
687471712277581
687471912277582
687472112277583
687472212277584
687472312277585
687472512277586
687472612277587
687472812277588
687473212277589
687473412277590
687473612277591
687473712277592
687473812277593
687474012277594
687474212277595
687474512277596
687474612277597
687474712277598
687474812277599
687475012277600
687475212277601
687481912277609
687482012277610
687974912278607
689948212282685
689948612282686
689948712282687
689954212282705
689954312282706
689954412282707
689954612282708
689954712282709
689954912282710
689956112282713
689956512282715
689956812282716
691981912286965
692653812288319
692907912288823
692908112288824
692908212288825
692909312288826
692909812288827
692909912288828
692910312288829
693097012289278
693865012291116
693884312291156
696357512297099
696357712297100
696357912297102
696358012297103
696584112297620
698546712301201
698550112301203


Changes incorporated in this version: 13341290 13341314

Patches accumulated and obsoleted by this patch: 115924-11 117722-10

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/usr/include/mps/base64.h
/usr/include/mps/blapit.h
/usr/include/mps/cert.h
/usr/include/mps/certdb.h
/usr/include/mps/certt.h
/usr/include/mps/ciferfam.h
/usr/include/mps/cmmf.h
/usr/include/mps/cmmft.h
/usr/include/mps/cms.h
/usr/include/mps/cmsreclist.h
/usr/include/mps/cmst.h
/usr/include/mps/crmf.h
/usr/include/mps/crmft.h
/usr/include/mps/cryptohi.h
/usr/include/mps/cryptoht.h
/usr/include/mps/ecl-exp.h
/usr/include/mps/hasht.h
/usr/include/mps/jar-ds.h
/usr/include/mps/jar.h
/usr/include/mps/jarfile.h
/usr/include/mps/key.h
/usr/include/mps/keyhi.h
/usr/include/mps/keyt.h
/usr/include/mps/keythi.h
/usr/include/mps/nspr.h
/usr/include/mps/nss.h
/usr/include/mps/nssb64.h
/usr/include/mps/nssb64t.h
/usr/include/mps/nssbase.h
/usr/include/mps/nssbaset.h
/usr/include/mps/nssckbi.h
/usr/include/mps/nssckepv.h
/usr/include/mps/nssckft.h
/usr/include/mps/nssckfw.h
/usr/include/mps/nssckfwc.h
/usr/include/mps/nssckfwt.h
/usr/include/mps/nssckg.h
/usr/include/mps/nssckmdt.h
/usr/include/mps/nssckt.h
/usr/include/mps/nssilckt.h
/usr/include/mps/nssilock.h
/usr/include/mps/nsslocks.h
/usr/include/mps/nssrwlk.h
/usr/include/mps/nssrwlkt.h
/usr/include/mps/obsolete/pralarm.h
/usr/include/mps/obsolete/probslet.h
/usr/include/mps/obsolete/protypes.h
/usr/include/mps/obsolete/prsem.h
/usr/include/mps/ocsp.h
/usr/include/mps/ocspt.h
/usr/include/mps/p12.h
/usr/include/mps/p12plcy.h
/usr/include/mps/p12t.h
/usr/include/mps/pk11func.h
/usr/include/mps/pk11pqg.h
/usr/include/mps/pk11priv.h
/usr/include/mps/pk11pub.h
/usr/include/mps/pk11sdr.h
/usr/include/mps/pkcs11.h
/usr/include/mps/pkcs11f.h
/usr/include/mps/pkcs11n.h
/usr/include/mps/pkcs11p.h
/usr/include/mps/pkcs11t.h
/usr/include/mps/pkcs11u.h
/usr/include/mps/pkcs12.h
/usr/include/mps/pkcs12t.h
/usr/include/mps/pkcs7t.h
/usr/include/mps/plarena.h
/usr/include/mps/plarenas.h
/usr/include/mps/plbase64.h
/usr/include/mps/plerror.h
/usr/include/mps/plgetopt.h
/usr/include/mps/plhash.h
/usr/include/mps/plresolv.h (deleted)
/usr/include/mps/plstr.h
/usr/include/mps/portreg.h
/usr/include/mps/pratom.h
/usr/include/mps/prbit.h
/usr/include/mps/prclist.h
/usr/include/mps/prcmon.h
/usr/include/mps/prcountr.h
/usr/include/mps/prcpucfg.h
/usr/include/mps/prcvar.h
/usr/include/mps/prdtoa.h
/usr/include/mps/preenc.h
/usr/include/mps/prenv.h
/usr/include/mps/prerr.h
/usr/include/mps/prerror.h
/usr/include/mps/prinet.h
/usr/include/mps/prinit.h
/usr/include/mps/prinrval.h
/usr/include/mps/prio.h
/usr/include/mps/pripcsem.h
/usr/include/mps/private/pprio.h
/usr/include/mps/private/pprthred.h
/usr/include/mps/private/prpriv.h
/usr/include/mps/prlink.h
/usr/include/mps/prlock.h
/usr/include/mps/prlog.h
/usr/include/mps/prlong.h
/usr/include/mps/prmem.h
/usr/include/mps/prmon.h
/usr/include/mps/prmwait.h
/usr/include/mps/prnetdb.h
/usr/include/mps/prolock.h
/usr/include/mps/prpdce.h
/usr/include/mps/prprf.h
/usr/include/mps/prproces.h
/usr/include/mps/prrng.h
/usr/include/mps/prrwlock.h
/usr/include/mps/prshm.h
/usr/include/mps/prshma.h
/usr/include/mps/prsystem.h
/usr/include/mps/prthread.h
/usr/include/mps/prtime.h
/usr/include/mps/prtpool.h
/usr/include/mps/prtrace.h
/usr/include/mps/prtypes.h
/usr/include/mps/prvrsion.h
/usr/include/mps/prwin16.h
/usr/include/mps/secasn1.h
/usr/include/mps/secasn1t.h
/usr/include/mps/seccomon.h
/usr/include/mps/secder.h
/usr/include/mps/secdert.h
/usr/include/mps/secdig.h
/usr/include/mps/secdigt.h
/usr/include/mps/secerr.h
/usr/include/mps/sechash.h
/usr/include/mps/secitem.h
/usr/include/mps/secmime.h
/usr/include/mps/secmod.h
/usr/include/mps/secmodt.h
/usr/include/mps/secoid.h
/usr/include/mps/secoidt.h
/usr/include/mps/secpkcs5.h
/usr/include/mps/secpkcs7.h
/usr/include/mps/secport.h
/usr/include/mps/shsign.h
/usr/include/mps/smime.h
/usr/include/mps/ssl.h
/usr/include/mps/sslerr.h
/usr/include/mps/sslproto.h
/usr/include/mps/sslt.h
/usr/include/mps/utilrename.h
/usr/include/mps/watcomfx.h (deleted)
/usr/lib/mps/secv1/64
/usr/lib/mps/secv1/cpu/sparcv8plus/libnspr_flt4.so
/usr/lib/mps/secv1/libfreebl_32fpu_3.chk
/usr/lib/mps/secv1/libfreebl_32fpu_3.so
/usr/lib/mps/secv1/libfreebl_32int64_3.chk
/usr/lib/mps/secv1/libfreebl_32int64_3.so
/usr/lib/mps/secv1/libfreebl_32int_3.chk
/usr/lib/mps/secv1/libfreebl_32int_3.so
/usr/lib/mps/secv1/libjss4.so
/usr/lib/mps/secv1/libnspr4.so
/usr/lib/mps/secv1/libnss3.so
/usr/lib/mps/secv1/libnssckbi.so
/usr/lib/mps/secv1/libnssdbm3.chk
/usr/lib/mps/secv1/libnssdbm3.so
/usr/lib/mps/secv1/libnssutil3.so
/usr/lib/mps/secv1/libplc4.so
/usr/lib/mps/secv1/libplds4.so
/usr/lib/mps/secv1/libsmime3.so
/usr/lib/mps/secv1/libsoftokn3.chk
/usr/lib/mps/secv1/libsoftokn3.so
/usr/lib/mps/secv1/libsqlite3.so
/usr/lib/mps/secv1/libssl3.so
/usr/lib/mps/secv1/sparcv9/libfreebl_64fpu_3.chk
/usr/lib/mps/secv1/sparcv9/libfreebl_64fpu_3.so
/usr/lib/mps/secv1/sparcv9/libfreebl_64int_3.chk
/usr/lib/mps/secv1/sparcv9/libfreebl_64int_3.so
/usr/lib/mps/secv1/sparcv9/libjss4.so
/usr/lib/mps/secv1/sparcv9/libnspr4.so
/usr/lib/mps/secv1/sparcv9/libnss3.so
/usr/lib/mps/secv1/sparcv9/libnssckbi.so
/usr/lib/mps/secv1/sparcv9/libnssdbm3.chk
/usr/lib/mps/secv1/sparcv9/libnssdbm3.so
/usr/lib/mps/secv1/sparcv9/libnssutil3.so
/usr/lib/mps/secv1/sparcv9/libplc4.so
/usr/lib/mps/secv1/sparcv9/libplds4.so
/usr/lib/mps/secv1/sparcv9/libsmime3.so
/usr/lib/mps/secv1/sparcv9/libsoftokn3.chk
/usr/lib/mps/secv1/sparcv9/libsoftokn3.so
/usr/lib/mps/secv1/sparcv9/libsqlite3.so
/usr/lib/mps/secv1/sparcv9/libssl3.so
/usr/lib/pkgconfig/nspr.pc
/usr/lib/pkgconfig/nss.pc
/usr/sfw/bin/64
/usr/sfw/bin/addbuiltin
/usr/sfw/bin/certutil
/usr/sfw/bin/cmsutil
/usr/sfw/bin/crlutil
/usr/sfw/bin/modutil
/usr/sfw/bin/pk12util
/usr/sfw/bin/signtool
/usr/sfw/bin/signver
/usr/sfw/bin/sparcv9/addbuiltin
/usr/sfw/bin/sparcv9/certutil
/usr/sfw/bin/sparcv9/cmsutil
/usr/sfw/bin/sparcv9/crlutil
/usr/sfw/bin/sparcv9/modutil
/usr/sfw/bin/sparcv9/pk12util
/usr/sfw/bin/sparcv9/signtool
/usr/sfw/bin/sparcv9/signver
/usr/sfw/bin/sparcv9/ssltap
/usr/sfw/bin/ssltap
/usr/share/lib/mps/secv1/jss4.jar
/usr/share/lib/mps/secv1/sparcv9/jss4.jar

Problem Description:

13341290 DIS-TRUST DIGINOTAR ROOT CERTIFICATE
13341314 (CVE-2011-3389) RIZZO/DUONG CHOSEN PLAINTEXT ATTACK (BEAST) ON SSL/TLS 1.0
 
(from 119209-26)
 
12301816 SUNBT6989121 ENABLE AES CRYPTO INSTRUCTIONS (AVALABLE IN WESTMERE SYSTEMS) IN NS
12305711 SUNBT7008530 CERTUTIL -T -D "SQL:." DUMPS CORE
12307252 SUNBT7015161 CORE DUMP WHEN TLS SESSION TICKETS ARE ENABLED AND SESSION CACHE IS
12306440 SUNBT7011578 ENHANCEMENT TO MAKE NSS SEARCH FOR A COMPLETE CHAIN THAT WOULD END
12306340 SUNBT7011215 PROBLEM WITH CERTIFICATE IMPORT INTO CERT9.DB AND TRUST FLAGS USING
12307757 SUNBT7017553 SSL_RECONFIGFD TRIES TO ACCESS ELEMENTS OF A NULL POINTER.
12309095 SUNBT7025511 POSSIBLE MINOR MEMORY LEAK IN SNI CODE
12309169 SUNBT7025937 MEMORY LEAK IN SSL_CANBYPASS
12304214 SUNBT7001826 NSS SUPPORT REQUIRED FOR SOCKET DIRECT PROTOCOL OVER INFINIBAND
 
(from 119209-25)
 
6938843 NSS having CKM_TLS_MASTER_KEY_DERIVE_DH enabled causes SSL/ECDHE to fail
6985467 Certutil is able to read and display a der cert from a file 
6985501 (CVE-2010-3170) Browser wildcard certificate validation issue
 
(from 119209-24)
 
6963575 NSS does not support CKR_PIN_LOCKED from C_Login
6938650 libnssckbi: invalid length for nicknames containing multi-byte characters
6963577 Remove support for Netscape SSL server names (SEC_OID_NS_CERT_EXT_SSL_SERVER_NAME)
6963579 An invalid CRL should not cause all certificates issued by that CA to be considered revoked.
6963580 Unable to build pk11util on OpenSolaris (SunOS 5.11)
6965841 Crash in ServerSessionIDLookup or SSL handshake in client hello
 
(from 119209-23)
 
6879749 Re-initialization of NSS 3.12.3 dumps core.
6926538 Linux installpatch does not handle 64 bit systems
6929079 Add multiple roots to NSS 3.12.6
6929081 CERT_PKIXVerifyCert considers a certificate revoked if cert_ProcessOCSPResponse fails for any reason
6929082 Support for TLS compression RFC 3749
6929093 Implement new safe SSL3 & TLS renegotiation (RFC 5746)
6929103 NSPR logging timestamp month number is off by one
6919819 Remove unused header file plresolv.h
6929098 PR_StringToNetAddr("255.255.255.255",ptr) fails on platforms that use inet_addr
6929099 PR_StringToNetAddr("", *ptr) behaviour is inconsistent on windows & solaris
6930970 Expose TLS enableRequireSafeNegotiation in JSS (RFC 5746)
 
(from 119209-22)
 
6899482 NSS fails to load softoken looking for sqlite3.dll
6899486 (CVE-2009-3555) SSL3 & TLS Renegotiation Vulnerability
6899542 NSS uses PORT_Memcmp for comparing secret data.
6899543 Timing attack against ssl3ext.c:ssl3_ServerHandleSessionTicketXtn()
6899544 If PK11_ImportCert fails it leaves the certificate undiscoverable by CERT_PKIXVerifyCert
6899546 PK11_ImportAndReturnPrivateKey leaks an arena
6899547 PK11_DEREncodePublicKey leaks a CERTSubjectPublicKeyInfo
6899549 NSS include files key.h and pk11func.h are deprecated
6899561 PR_LoadLibraryWithFlags should have a way to set LOAD_WITH_ALTERED_SEARCH_PATH flag with LoadLibrary
6899565 (CVE-2009-1563) Array indexing error in NSPR's Balloc() leads to floating point memory vulnerability
6899487 Expose Support for SSL & TLS Renegotiation settings in JSS
6899568 Fix leaks in PK11Token.c function make_cert_request()
 
(from 119209-21)
 
6874694 pkix_HttpCertStore_FindSocketConnection reuses closed socket OCSP fails
6874700 Multiple object leaks reported by tinderbox
6874701 object leak in libpkix library upon error
6874702 Cryptokey framework requires module to implement GenerateKey when they support KeyPairGeneration
6874707 update RSA/DSA powerupself tests to be compliant for 2011
6874708 CERT_PKIXVerifyCert reports wrong error code when EE cert is expired
6874709 Passing NULL as the value of cert_pi_trustAnchors causes a crash in cert_pkixSetParam
6874710 NSS 3.12.3 (and later) doesn't build on AIX 5.1
6874712 crash freeing named CRL entry on shutdown
6874714 Improve DES and SHA512 for x86_64 platform
6874715 During NSS_NoDB_Init(), softoken tries but fails to load libsqlite3.so crash
6874716 cert7.db/cert8.db "corruption" when importing a large certificate (>64K)
6874717 assert if profile path contains cyrillic chars.
6874719 (CVE-2009-2404) Exploitable heap overflow in NSS shell expression (filename globbing) parsing
6874721 When using cert9 (SQLite3) DB, set or change master password fails
6874722 DBM needs to be FIPS certifiable.
6874723 NSS_InitReadWrite("sql:configdir") leaves behind a pkcs11.txu file if libnssckbi.so is in configdir
6874725 Need function to identify the one and only default internal private key slot.
6874726 Need a generic function a la SECMOD_OpenUserDB() that can be used on non-softoken modules.
6874728 NSS_InitReadWrite("sql:dbdir") causes NSS to look for "sql:dbdir/libnssckbi.so"
6874732 (CRLDP) implement crlDistributionPoint extension in libPKIX
6874734 libPKIX returns wrong NSS error code
6874736 NSS_ENABLE_PKIX_VERIFY=1 causes sec_error_unknown_issuer errors
6874737 libpkix ocsp checker should use "date" argument to obtain the time for cert validity verification
6874738 Miscellaneous crashes in signtool on Windows
6874740 PK11_ImportCRL reports SEC_ERROR_CRL_NOT_FOUND when it fails to import a CRL
6853831 utilrename.h referenced in multiple header files in /usr/include/mps missing in Solaris 10
6874742 Calling SSL_SetSockPeerID a second time leaks the previous value
6874745 CERT_NameToAscii reports "Invalid AVA" whenever value exceeds 384 bytes
6874746 crash in certutil or pp when printing cert with empty subject name
6874747 A failure to import a cert from a P12 file leaves error code set to zero
6874748 NSS_RegisterShutdown can return without unlocking nssShutdownList.lock
6874750 crash when PORT_NewArena fails
6874752 IO timeout during cert fetching makes libpkix abort validation
6870083 RH4:NSS3.12.3xDS5.2:error while loading shared libraries: libnssutil3.so: cannot open shared object
6846470 Messaging Server pipe_master program fails after installing NSS patch 119211-20
6874819 Crash or data corruption in NSPR's TransmitFile and SendFile on HPUX
6874820 PR_ExplodeTime() works only if given a PRTime argument between year 1901-2099
 
(from 119209-20)
 
6821612 NSS 3.12.x series
6821617 cert name matching: RFC 2818 vs. backwards compatibility (wildcards)
6782276 Error override "trust flags" don't override invalid CA certs in NSS 3.12
6821618 Stop honoring digital signatures in certificates and CRLs based on weak hashes
6799382 CERT_AsciiToName incorrectly parses a name in which an RDN has two or more AVAs separated by '+'
6821620 add environment variable to disable/enable hash algorithms in cert/CRL signatures
6767341 Need to add RPATH to 64-bit libraries on HP-UX
6764022 Using NSS 3.12 makes Directory Server daemon ns-slapd dump core on some Unix platforms
6821630 In prlink.c errStrBuf is not thread-safe.
6821631 ForkAndExec is crashing on Solaris 8/9 due to environ being NULL
6821633 support HmacSHA256, HmacSHA384, and HmacSHA512
6821634 add support to JSS to initialize NSS with more options
6821638 Wrong OIDs for SHA-256, SHA-384, and SHA-512.
6821640 Add SEED support to JSS.
6821643 Expose the TLS session ticket extension (STE)
6821645 JSS doesn't support AES Key unwrapping
 
(from 119209-19)
 
6737818 Add Entrust root CA certificate(s) to NSS
6737820 Add VeriSign Class 3 Public Primary CA - G5 to NSS
6737821 Add thawte Primary Root CA to NSS
6737822 Add GeoTrust Primary Certification Authority root to NSS
6737826 Add Trustwave Certification Authority certificate to NSS
6737827 Add COMODO Certification Authority certificate to NSS
6737828 Add Network Solutions Certificate Authority root to NSS
6737829 Add DigiNotar Root CA root to NSS
6763177 add network solutions and diginotar root certs to NSS
6763626 Don't send an SNI Client Hello extension bearing an IPv6 address
6737832 Fix PK11_GenerateKeyPair for ECC keys on the 3.11 branch
6737834 Can't import certificate into cert database in FIPS mode (certutil).
6737837 PK11_Authenticate, PK11_DoPassword fail on 3rd party slots if NSS softoken is in FIPS140-2 mode
6737838 Session cache locks not freed at shutdown.
6612960 Assertion failures if SSL_ForceHandshake is called
6737841 threads hanging in nss_InitLock
6737843 memory leak in trustdomain.c
6737846 certutil -L -h token doesn't report token authentication failure
6737848 certutil -K behavior doesn't match usage
6737850 modutil -disable command not disabling modules' slots
6737852 Lock from ssl_InitSymWrapKeysLock not freed at shutdown.
6737854 Certification path validation fails when "Authority Key Identifier" extension contains key identifie
6763630 NSS misbehaves badly in the presence of a disabled PKCS#11 slot
6737862 The primordial thread is attached again in _PR_CleanupIO in PR_Cleanup.
6763248 "RC2/CBC/NoPadding cannot use a null parameter" error message pops up when trying to import a PKCS12
6752510 NSS.pc requires NSPR >= 4.6, but NSPR.pc doesn't exist
6725359 private directory is missing in SUNWprd package for OpenSolaris
6492310 lint warnings in keythi.h
 
(from 119209-18)
 
Revision -19 created to correct metadata.
 
(from 119209-17)
 
6643071 Installpatch of T121656-16 on linux is failed by dependency error.
6657288 Add Identrust, Truktrust, SwissSign Roots
6657292 key search functions ignore the nickname argument
6657317 Correct NSS error string for SEC_ERROR_OCSP_RESPONDER_CERT_INVALID
6657320 built-in root certs module shows no slot name
6657322 Optstate not freed in ocspclnt.
6657815 get offset from UTC out of NSPR
6657816 PR_ImplodeTime only works with years 1901-2099
6657818 A process created by PR_CreateProcess with an inherited fd can't pass any inheritable fd to a child
6657820 PR_CreateProcess() function drops empty string parameters
6657822 port NSPR to Windows XP / Server 2003 64bit for AMD64
6657823 Unix: clean up NSPR when the NSPR library is unloaded
6657826 PR_GetFileInfo much slower on Windows than native system call
6657829 PR_CallOnce/PR_CallOnceWithArg do not set NSPR error code if once->initialized is TRUE and once->sta
6657830 add capability to parse long command line option names
6657834 memory leak in prcmon.c
6657837 Use getaddrinfo/getnameinfo
6626993 JSS should have a method that states true/false if a token needs login
6630163 spurious javax.crypto.ShortBufferException with SUNWjss (4.0,REV=2004.11.05.02.31)
 
(from 119209-16)
 
6624319 Add multiple new roots to NSS
6549319 NSS needs a function to indicate bypassability of a private key
6624326 certutil -T crashes if -h <token> specifies a nonexistant token
6624328 NSS allocation functions don't always set SEC_ERROR_NO_MEMORY
6624329 SSL_CanBypass leaks memory
6624331 Bug in PK11_ListPrivKeysInSlot
6624334 OOM crash in softoken
6624335 unexported api calls in p12plcy.h
6624337 unexported api calls in pkcs12.h
6624338 pk12util leaks password strings
6624342 libSSL leaks global array of trusted client auth CA names
6624343 Infinite loop in CERT_CertChainFromCert
6624344 PK11_FindCertFromNickname sets no error code when token not found
6624346 PK11_FindCertByIssuerAndSN must validate input arguments
6624348 Do not send hello extensions when using SSL v3.0
6624350 ssl_GetPrivate can corrupt non-SSL private structures
6624351 two public SSL functions require PRFD* to point to SSL layer
6624352 RSA certificate request succeeds even when underlying pkcs11 module returns error
6624354 Make DEBUG_PKCS11 work for optimized builds, too
6624356 Three root CA certs don't have explicit CKA_TRUST_STEP_UP_APPROVED flags
6580347 PR_Accept() on IPv6 socket returns invalid argument on Windows
6596161 PR_SendFile spins on Solaris due to Solaris sendfile return 0 (to mean sendfile failure)
 
(from 119209-15)
 
6605712 Revert JSS build to support Java 1.4 again
6526738 Add nspr.pc to SUNWprd and nss.pc to SUNWtlsd
 
(from 119209-14)
 
6560823 Unauthorized OCSP response error
 
(from 119209-13)
 
6555587 memory leak in mp_bdivmod
6555589 Export DER_Generalized* and DER_TimeChoice* functions
6547236 crash in certutil when high validity value is specified 
6555590 DER_TimeToGeneralizedTimeArena and DER_TimeToUTCTime don't check for valid range and may leak
6555588 bogus PKCS12_KEY_USAGE in secoid table
4926429 PR_vsnprintf can crash with finite precision string specifiers and non-NULL terminated strings 
6524809 JSS SSLSocket.close() may be blocked and not interrupting the SSLSocket.read() thread
 
(from 119209-12)
 
6507762 Two SSL2 security vulnerabilities found in NSS
6507627 overflow in session counter leads to crash
6423970 certutil does not detect and report error when unsupported ONB curve is specified on command line
6524565 Changes in Daylight Savings Time computations
6524651 Update HP-UX IPv6 code 
 
(from 119209-11)
 
6491238 ns-slapd failed to start during upgrade of WS from Jes4 to Jes5 with backend data base errors
6488060 signver and signtool in solaris cannot find libnspr4 libplds4 and libplc4
6493492 64 bit ldap operations fails in HPUX on Build12A
 
(from 119209-10)
 
6464665 C_VerifyUpdate fails for hmac
6464668 race assigning NSSCertificate fields leaks memory and slot reference
6464671 Race condition in Stan import cert code called from CERT_NewTempCertificate
6464756 curve-limited clients must not negotiate ECC ciphersuites unless they send the supported curve ext
6464673 Continuous RNG test failure does not immediately put the FIPS module in the error state
6464677 PORT_FreeArena NEVER zeros memory before freeing it
6464680 Move the software integrity test into sftk_fipsPowerUpSelfTest
6464767 smime: possible memory corruption when encoding/decoding smime_encryptionkeypref_template
6465317 seckey_put_private_key leaks memory
6464683 Variable ""(cache)->sharedCache"" tracked as NULL was passed to a function that dereferences it.
6468441 OOM crash @ nssArena_Destroy - nssTrustDomain_TraverseCertificatesBySubject/ByNickname(info)
6464752 Multiple NULL ptr dereferences in nss/lib/base/arena.c
6228370 NSS code should not fork netstat
6464757 freebl libraries are always optimized on Sparc
6468410 Regression Assertion failure: 0, at unix_rand.c:149
6464759 mismatch between PK11_FindCertFromNickname and FindCerts
6464762 chain validation returns ambiguous error codes when OCSP enabled
6464764 Coverity 874, NULL cert ptr crash in NSS_CMSRecipientInfo_WrapBulkKey
6464766 Coverity 543, leak after OOM in CMMF_POPODecKeyChallContDecryptChallenge
6467643 HP-UX : protypes.h is not available as part of sun-nspr-devel depot	
6468495 PKCS#1 signature DigestInfo parsing problems in NSS
6467033 Security vulnerability in the way NSPR library creates log files
 
(from 119209-09)
 
6442985 selfserv reports error -12272 SSL_ERROR_BAD_MAC_ALERT in QA stress tests
6442986 PK11_ functions that find objects fail when user not logged in and softoken is in FIPS140 mode
6442988 Reference leak in selfserv in FIPS140-2 mode
6442990 Crash in pk12util on Windows; pk12util and certutil test failures on other platforms
6442993 NSS ECDSA signature length incompatible with other implementations for some curves
6427037 Fix for 4689266 uncovered bug in SSL writev on async socket
6442994 incorrect smime_encryptionkeypref_template leads to QuickDER decoding failure
6442995 Assertion failure in FIPS test
 
(from 119209-08)
 
4689266	SSL write indicates all data sent when some is buffered
6377957	softoken leaks in nsc_pbe_key_gen
6407468	certutil cannot generate RSA keys larger than 2048 bits
6406845	certutil adds 3 months to user-specified validity period
6374429	patches 119213 and 119214 do not apply via patch automation. These are all released to MOS
6416004 Add rpath for HP-UX on pa-risc
6419586 The SSL session timeout arguments to SSL_ConfigServerSessionIDCache and SSL_ConfigMPServerSIDCache
6419590 Allow NSS to decode certs with unsupported critical extensions
6421471 memory leaks in selfserv with ECC cipher suites
 
(from 119209-07)
 
6326988 MSVC debug runtime library assertion failures in crlutil
6326994 PK11_ListCertsInSlot crashes in subject_list_sort on a cert with unsupported critical extension
6326998 softoken PKCS#11 version is incorrect
6327000 RSA key size limits are not applied to key pair generation in freebl
6327002 Multipart CKM_DSA_SHA1 signing broken if given large buffer
6242112 certutil crashes when -P is empty
6327004 Some NSS mechanism numbers don't match the PKCS11 
6327009 S/MIME message verification fails if cert is signing-only
6327013 PK11_TokenKeyGen should add CKA_UNWRAP and CKA_WRAP attributes to object template3
6253118 Installing a CRL on WS 6.1SP4 (Windows) adds it to the CKLs section in the GUI
6327014 Need CKA_EXTRACTABLE for PK11_GenerateKeyPair
6327018 NSS 3.9.3 not support SHA-512
6210080 libsoftokn3 fails to load libfreebl in setuid programs
6327020 SSL/TLS Client Authentication with 3rd party PKCS#11 module fails with unrecognized token
6327021 NSS tries to call C_WaitForSlotEvent on PKCS#11 2.0 modules
6315463 toString() call in SSLSocket.java does not check for exceptions
6341685 PKCS#11 CKF_PROTECTED_AUTHENTICATION_PATH token flag not supported
6341687 ASN.1 encoder outputs trash for optional may-stream subtemplate
6264996 SSLSocket.GetIPAddress needs to return null, if socket is not connected
6330310 JSS accumulates CLOSE_WAIT sockets due to not closing the SSLSocket when SSLInputStream is closed
6350173 Expose new key generation functions in JSS for key export
6359866 Thread protection needed for getPeerAddress
6362932 JSS 4.1.2 needs to work with NSS 3.9.x
 
(from 119209-05)
 
6302177 Zlib vulnerability in NSS tools
 
(from 119209-04)
 
6258052 NSS doesn't fetch CRLs during the first minute of program execution on AIX
6258053 Compile source files with absolute pathnames on AIX
6258055 Add Sonera CA certs (2) to builtin trusted CA list
6258056 Add Go Daddy root certs to NSS
6258057 Add CRL generation to crlutil
6258061 certutil -A reports extension not found if file has extra data
6258062 ssltap creates cert files containing garbage
6258064 Can not encode CRL using classic ASN.1 encoder
6258066 NSC_CopyObject crashes when trying to copy token object
6260111 certutil core dump during installation of Sun Cluster
6260658 certutil crash reading key data base.
 
(from 119209-03)
 
6250799 SSL_ConfigSecureServer always generates a step-down key for RSA
6250801 NSC_Encrypt with RSA mechanism crashes if len is greater than modulus len
6250802 nss3.10 certutil sees 3.9.x root certs as government issued
6250803 C_Finalize status not checked in SECMOD_CancelWait
6250807 pk11_AnyUnwrapKey does not process error condition correctly
6250808 Make rsaperf use PKCS#11
6250812 Remove PKCS11_USE_THREADS and PK11_USE_THREADS
6250814 Add option for rsaperf to run for a fixed duration, and display ops/s
6250816 PK11Token.c:GenerateCertRequest leaks 'arena'
6251104 Socket.close needs to interrupt threads blocked in I/O
 
(from 119209-02)
 
6243892 Add Camerfirma CA certificate to NSS
6243894 Add NetLock CA certificates to NSS
6243895 crash in NSS server if server SID cache uninitialized
5045171 Specify 'Subject Alt Name' during CSR creation
6243896 RPATH not set on AMD64 platform for libnss3.so and tools
6243900 certutil -C78 creates invalid cert with two subjAltName extensions
6243905 PK11_HashBuf buffer overflow
6243907 NSS improperly handles sessions for SSL derived keys.
6243909 Remove the PKCS11_STATIC_ATTRIBUTES macro
6243913 pk11_getKeyFromList can call PORT_Alloc instead of PORT_ZAlloc
6243915 Optimize frequently called function pk11_SessionFromHandle
6243916 Make PK11_CreateSymKey static
6243918 certutil has infinite loop in interactive mode for cert extensions
 
(from 119209-01)
 
6237228 Upgrade to Security 3.10
6237231 Move SVRCORE functionality into NSS


Patch Installation Instructions:
-------------------------------- 
Refer to the man pages for instructions on using 'patchadd' and
'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.  The following example
installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/104945-02
 
The following example removes a patch from a standalone system:
 
       example# patchrm 104945-02
 
For additional examples please see the appropriate man pages.


Special Install Instructions:
-----------------------------
How to choose the right NSPR/NSS/JSS patch for your system:
 
1/ Get the package version for SUNWpr and SUNtls
using the following commands:
    # pkginfo -l SUNWpr | grep VERSION
and
    # pkginfo -l SUNWtls | grep VERSION
and
    # pkginfo -l SUNWjss | grep VERSION
 
2/ Choose the right patch series from the table below.
IMPORTANT: You may have to install 1 or 2 patches to update
all NSPR/NSS/JSS to the same compatible level, depending on how
your system was previously installed and updated.
 
==================================================================
|Solaris |Package version                              |Patch*   |
|========|=============================================|=========|
|8 SPARC |SUNWpr:  VERSION=4.1.2,REV=2002.09.03.00.17  |119209-xx|
|        |SUNWtls: VERSION=3.3.2,REV=2002.09.18.12.49  |         |
|        |SUNWjss: VERSION=3.1.2.3,REV=2003.03.08.12.17|         |
|--------|---------------------------------------------|---------|
|9 SPARC |SUNWpr:  VERSION=4.1.2,REV=2002.09.03.00.17  |119211-xx|
|        |SUNWtls: VERSION=3.3.2,REV=2002.09.18.12.49  |         |
|        |SUNWjss: VERSION=3.1.2.3,REV=2003.03.08.12.17|         |
|--------|---------------------------------------------|---------|
|9 x86   |SUNWpr:  VERSION=4.1.3,REV=2003.01.09.13.59  |119212-xx|
|        |SUNWtls: VERSION=3.3.3,REV=2003.01.09.17.07  |         |
|        |SUNWjss: VERSION=3.1.2.3,REV=2003.03.08.13.04|         |
|--------|---------------------------------------------|---------|
|10 SPARC|SUNWpr:  VERSION=4.5.1,REV=2004.11.05.02.30  |119213-xx|
|        |SUNWtls: VERSION=3.9.5,REV=2005.01.14.17.27  |         |
|        |SUNWjss: VERSION=4.0,REV=2004.11.05.02.31    |         |
|--------|---------------------------------------------|---------|
|10 x86  |SUNWpr:  VERSION=4.5.1,REV=2004.11.05.03.44  |119214-xx|
|        |SUNWtls: VERSION=3.9.5,REV=2005.01.14.19.03  |         |
|        |SUNWjss: VERSION=4.0,REV=2004.11.05.03.05    |         |
|--------|---------------------------------------------|---------|
|8, 9, 10|SUNWpr:  VERSION=4.6.4,REV=2006.11.16.20.40  |125358-xx|
|SPARC   |SUNWtls: VERSION=3.11.4,REV=2006.11.16.20.40 |         |
|        |SUNWjss: VERSION=4.2.4,REV=2006.11.16.20.40  |         |
|--------|---------------------------------------------|---------|
|9, 10   |SUNWpr:  VERSION=4.6.4,REV=2006.11.16.21.41  |125359-xx|
|x86     |SUNWtls: VERSION=3.11.4,REV=2006.11.16.21.41 |         |
|        |SUNWjss: VERSION=4.2.4,REV=2006.11.16.21.41  |         |
==================================================================
*: always choose the highest available revision of the patch
 
Note:
VERSION represents the version of the package, not the version
of NSPR, NSS or JSS.
To get the actual version of the product installed on your
system, type the following commands:
 
version of NSPR:
    $ pkgparam SUNWpr SUNW_PRODVERS
version of NSS:
    $ pkgparam SUNWtls SUNW_PRODVERS
version of JSS:
    $ pkgparam SUNWjss SUNW_PRODVERS
 
IMPORTANT NOTE:
** This version of NSS is known to be incompatible with certain versions of Sun Directory Server version 5.2. **
** Installing it without corrective action will result in directory service stopped. **
** Newer versions of Directory Server are not affected by this incompatibility issue. **
** Please see http://docs.oracle.com for detailed information on this issue, including the availability
of a related Directory Server version 5.2 patch.**
** This behavior can also be changed by setting an environment variable (details below).**
 
The PKCS#11 cryptographic software interface standard used in many Sun server products requires every process that uses a
PKCS#11 cryptographic library to initialize that library for itself, and not to rely on the initialization that may have
been done by the parent process to leave the cryptographic library in a usable state.  Programs that do not conform to
this requirement, but instead rely on the library being usable after it was initialized by a parent process, are not
guaranteed to work with all hardware and software cryptographic modules conforming to that interface standard.
 
Beginning in this release, NSS's cryptographic library requires programs that use it to conform to the requirement that
every process must initialize the library for itself.
 
Some old versions of Sun server applications do not conform to those interface requirements. Customers who are still using
those old versions, and have not updated the server products to conforming versions, may find that those products have
problems with this release of NSS's cryptographic libraries.
 
To disable the enforcement of this requirement an environment variable can be set:
 
NSS_STRICT_NOFORK=DISABLED
 
This environment variable is a workaround that will make NSS behave as it did in prior versions. However, the
aforementioned compatibility problems between Directory Server version 5.2 and some PKCS#11 cryptographic modules still
remain.
** The appropriate fix is to get the Directory Server 5.2 patch, when available. **


README -- Last modified date: Wednesday, August 6, 2014