| 2019-07-24 13:41:50 |
Vineetha Kamath |
bug |
|
|
added bug |
| 2019-07-24 15:01:07 |
Vineetha Kamath |
description |
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10 |
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.4-0ubuntu0.16.04
FIX]
This fix proposes to disable libnss3 reading /proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our
fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode.
Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. |
|
| 2019-07-24 16:09:55 |
Vineetha Kamath |
attachment added |
|
debdiff.eoan https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+attachment/5279025/+files/debdiff.eoan |
|
| 2019-07-24 16:10:28 |
Vineetha Kamath |
attachment added |
|
debdiff.disco https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+attachment/5279026/+files/debdiff.disco |
|
| 2019-07-24 16:10:45 |
Vineetha Kamath |
attachment added |
|
debdiff.bionic https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+attachment/5279027/+files/debdiff.bionic |
|
| 2019-07-24 16:11:08 |
Vineetha Kamath |
attachment added |
|
debdiff.xenial https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1837734/+attachment/5279028/+files/debdiff.xenial |
|
| 2019-07-24 16:13:32 |
Vineetha Kamath |
description |
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.4-0ubuntu0.16.04
FIX]
This fix proposes to disable libnss3 reading /proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our
fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode.
Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. |
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.4-0ubuntu0.16.04
[FIX]
This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode.
Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. |
|
| 2019-07-24 16:20:48 |
Vineetha Kamath |
description |
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.4-0ubuntu0.16.04
[FIX]
This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode.
Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. |
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.4-0ubuntu0.16.04
[FIX]
This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode.
Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
Tested on a xenial and bionic desktop ISO running non-FIPS generic kernel. firefox worked as expected and no changes were observed.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. |
|
| 2019-07-24 16:21:33 |
Vineetha Kamath |
description |
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.4-0ubuntu0.16.04
[FIX]
This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode.
Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
Tested on a xenial and bionic desktop ISO running non-FIPS generic kernel. firefox worked as expected and no changes were observed.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. |
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.4-0ubuntu0.16.04
[FIX]
This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode.
Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
Tested on a xenial and bionic desktop ISO running non-FIPS generic kernel. With the patch fix, firefox worked as expected and no changes were observed.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. |
|
| 2019-07-24 16:21:53 |
Vineetha Kamath |
summary |
firefox crash on a FIPS enabled machine due to libnss3 |
Firefox crash on a FIPS enabled machine due to libnss3 |
|
| 2019-07-24 16:32:13 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Eoan |
|
| 2019-07-24 16:32:13 |
Marc Deslauriers |
bug task added |
|
nss (Ubuntu Eoan) |
|
| 2019-07-24 16:32:13 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Xenial |
|
| 2019-07-24 16:32:13 |
Marc Deslauriers |
bug task added |
|
nss (Ubuntu Xenial) |
|
| 2019-07-24 16:32:13 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Disco |
|
| 2019-07-24 16:32:13 |
Marc Deslauriers |
bug task added |
|
nss (Ubuntu Disco) |
|
| 2019-07-24 16:32:13 |
Marc Deslauriers |
nominated for series |
|
Ubuntu Bionic |
|
| 2019-07-24 16:32:13 |
Marc Deslauriers |
bug task added |
|
nss (Ubuntu Bionic) |
|
| 2019-07-24 16:32:19 |
Marc Deslauriers |
nss (Ubuntu Xenial): status |
New |
Confirmed |
|
| 2019-07-24 16:32:22 |
Marc Deslauriers |
nss (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2019-07-24 16:32:25 |
Marc Deslauriers |
nss (Ubuntu Disco): status |
New |
Confirmed |
|
| 2019-07-24 16:32:27 |
Marc Deslauriers |
nss (Ubuntu Eoan): status |
New |
Confirmed |
|
| 2019-07-24 17:00:23 |
Marc Deslauriers |
nss (Ubuntu Xenial): status |
Confirmed |
In Progress |
|
| 2019-07-24 17:00:26 |
Marc Deslauriers |
nss (Ubuntu Bionic): status |
Confirmed |
In Progress |
|
| 2019-07-24 17:00:27 |
Marc Deslauriers |
nss (Ubuntu Disco): status |
Confirmed |
In Progress |
|
| 2019-07-24 17:00:30 |
Marc Deslauriers |
nss (Ubuntu Eoan): status |
Confirmed |
Fix Committed |
|
| 2019-07-24 17:00:36 |
Marc Deslauriers |
bug |
|
|
added subscriber Marc Deslauriers |
| 2019-07-24 17:00:45 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2019-07-25 03:43:23 |
Launchpad Janitor |
nss (Ubuntu Eoan): status |
Fix Committed |
Fix Released |
|
| 2019-07-30 18:54:19 |
Brian Murray |
nss (Ubuntu Disco): status |
In Progress |
Fix Committed |
|
| 2019-07-30 18:54:24 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
| 2019-07-30 18:54:29 |
Brian Murray |
tags |
|
verification-needed verification-needed-disco |
|
| 2019-07-30 18:55:31 |
Brian Murray |
nss (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
| 2019-07-30 18:55:38 |
Brian Murray |
tags |
verification-needed verification-needed-disco |
verification-needed verification-needed-bionic verification-needed-disco |
|
| 2019-07-30 19:03:02 |
Brian Murray |
nss (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2019-07-30 19:03:10 |
Brian Murray |
tags |
verification-needed verification-needed-bionic verification-needed-disco |
verification-needed verification-needed-bionic verification-needed-disco verification-needed-xenial |
|
| 2019-08-14 16:23:16 |
David Negreira |
tags |
verification-needed verification-needed-bionic verification-needed-disco verification-needed-xenial |
verification-failed-xenial verification-needed verification-needed-bionic |
|
| 2019-08-14 16:24:12 |
David Negreira |
tags |
verification-failed-xenial verification-needed verification-needed-bionic |
verification-failed-xenial verification-needed verification-needed-bionic verification-needed-disco |
|
| 2019-09-06 12:55:17 |
Vineetha Kamath |
summary |
Firefox crash on a FIPS enabled machine due to libnss3 |
libnss3 reads fips_enabled flag and automatically switches to FIPS mode |
|
| 2019-09-06 19:32:26 |
Vineetha Kamath |
description |
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode. A FIPS customer reported firefox crash on a FIPS enabled system and strace showed it was repeatedly trying to read the fips_enabled flag from libnss3 before crashing.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.4-0ubuntu0.16.04
[FIX]
This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode.
Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
Tested on a xenial and bionic desktop ISO running non-FIPS generic kernel. With the patch fix, firefox worked as expected and no changes were observed.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. |
[IMPACT]
nss is not a FIPS certified library. On a machine running FIPS enabled kernel, the library by default goes into FIPS mode if /proc/sys/crypto/fips_enabled=1. This is an untested configuration and since libnss3 is not a certified library we propose disabling reading the 'fips_enabled' flag and therefore switching the library automatically into FIPS mode.
The proposed patch disables reading the /proc/sys/crypto/fips_enabled flag. The users of the library however can force nss into FIPS mode via an environment variable. We plan to leave it as is so as not to regress existing users who may be using it.
The issue impacts libnss3 versions in eoan, disco, bionic and xenial.
lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
Version: 2:3.45-1ubuntu1
lsb_release -rd
Description: Ubuntu Disco Dingo
Release: 19.04
Version: 2:3.42-1ubuntu2
lsb_release -rd
Description: Ubuntu Bionic Beaver
Release: 18.04
Version: 2:3.35-2ubuntu2.3
lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Version: 2:3.28.4-0ubuntu0.16.04
[FIX]
This fix proposes to disable libnss3 reading proc/sys/crypto/fips_enabled. We only want fips certified modules reading this file and running in fips mode. libnss3 is not one of our fips certified modules, so should not be reading this along with our fips certified modules to determine whether to run in fips mode.
Users who do want to run the library in FIPS mode can do so by using the environment variable "NSS_FIPS". We propose to leave it as is so as not to regress anyone using this. The user who is using this option should be doing so with the awareness.
[TEST]
Tested on a xenial and bionic desktop ISO running FIPS enabled kernel and in FIPS mode. With the patch fix no crashes were observed when launching firefox browser.
Without the patch fix, firefox crashes.
Tested on a xenial and bionic desktop ISO running non-FIPS generic kernel. With the patch fix, firefox worked as expected and no changes were observed.
[REGRESSION POTENTIAL]
The regression potential for this is small. A FIPS kernel is required to
create /proc/sys/crypto/fips_enabled and it is not available in standard ubuntu archive. For users forcing FIPS through environment variable, nothing has changed. |
|
| 2019-09-17 10:30:10 |
Steve Langasek |
nss (Ubuntu Xenial): status |
Fix Committed |
Won't Fix |
|
| 2019-10-31 21:01:57 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/nss/+git/nss/+merge/374996 |
|
| 2019-11-04 19:55:59 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/nss/+git/nss/+merge/375115 |
|
| 2019-11-07 14:12:11 |
Andreas Hasenack |
merge proposal unlinked |
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/nss/+git/nss/+merge/375115 |
|
|
| 2019-12-17 16:15:02 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~lucaskanashiro/ubuntu/+source/nss/+git/nss/+merge/376913 |
|
| 2020-07-02 20:01:50 |
Steve Langasek |
nss (Ubuntu Disco): status |
Fix Committed |
Won't Fix |
|
| 2020-07-21 22:41:59 |
Brian Murray |
nss (Ubuntu Bionic): status |
Fix Committed |
Won't Fix |
|
