View Issue Details

ID: 0014681
Project: CentOS-7
Category: nss
View Status: public
Last Update: 2018-04-12 08:29
Reporter: zouyu2001518
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform: x86_64
OS: centos7
OS Version: 7.4.1708
Product Version: 7.4.1708
Target Version:
Fixed in Version:
Summary: 0014681: nss security issue is reported
Description: We built a base image from yum repos. An nss security issue was found by the open source tool 'Clair'.
Refer to 'https://coreos.com/blog/vulnerability-analysis-for-containers.html' to learn more about the 'Clair' tool.

I have uploaded the file with the reported issue as an attachment, from which all the nss security issues can be spotted.


Actually, this security issue was solved by the fact below.

From

http://www.linuxcompatible.org/news/story/firefoxnss_updates_for_centos_67.html#87493

CESA-2017:2832 Important CentOS 7 nss Security Update

CentOS Errata and Security Advisory 2017:2832 Important

Upstream details at : https://access.redhat.com/errata/RHSA-2017:2832

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )

x86_64:
5b9f01457f88d0b6b4f442b2f7c4d5318962b9a3321ee79fee9d9f541513d439 nss-3.28.4-12.el7_4.i686.rpm
8443f61e40876db42ec1e5ea0fcb45cb2d0cc2647752a5e2ae03939d3ff08628 nss-3.28.4-12.el7_4.x86_64.rpm
3431721d1a3876799351c45b6923d123c69847ccdea17de5d82151412c979c33 nss-devel-3.28.4-12.el7_4.i686.rpm
1116f9a4e85302f4b85fc4511153e2623841c22b6a733d9b061331be46c5022d nss-devel-3.28.4-12.el7_4.x86_64.rpm
c16e3a00b15df077d56996572a16482593795c0e798a3e879af186a7987ea93f nss-pkcs11-devel-3.28.4-12.el7_4.i686.rpm
a8998872a428c177201f6db49c3f24472eb78729ebb1a15731440739a2155da1 nss-pkcs11-devel-3.28.4-12.el7_4.x86_64.rpm
de14017234abf879caf5843aacc732719dbde7e033d824b57224bd34f55b73ae nss-sysinit-3.28.4-12.el7_4.x86_64.rpm
66b4b4bb2a679ddfe0471a33774aa1c0f17388a04b319056cb9dd3ed5060f230 nss-tools-3.28.4-12.el7_4.x86_64.rpm

Source:
6725abae2df7fbc35d33545095c51e4e3bfc559fc323b73bf07d19f06e062bee nss-3.28.4-12.el7_4.src.rpm


We know from the above that this security issue is solved by 'nss-3.28.4-12.el7_4.x86_64.rpm'.
But from the logs below we know our CentOS repo source has the version 'x86_64 3.28.4-8.el7'.

Below is the CentOS case:
nss x86_64 3.28.4-8.el7 local_drop_repo_os 848 k
nss-pem x86_64 1.0.3-4.el7 local_drop_repo_os 73 k
nss-softokn x86_64 3.28.3-6.el7 local_drop_repo_os 309 k
nss-softokn-freebl x86_64 3.28.3-6.el7 local_drop_repo_os 213 k
nss-sysinit x86_64 3.28.4-8.el7 local_drop_repo_os 59 k
nss-tools x86_64 3.28.4-8.el7 local_drop_repo_os 499 k
nss-util x86_64 3.28.4-3.el7 local_drop_repo_os 73 k

Actually, from the sites below we know it really is.
http://mirrors.163.com/centos/7/os/x86_64/Packages/
http://mirrors.aliyun.com/centos/7/os/x86_64/Packages/

I think the official repo should upgrade the relevant nss* packages to solve this issue.

As everyone knows, the Red Hat repo doesn't have this issue because they upgraded the relevant nss* packages.

Below is the Red Hat case:
nss x86_64 3.34.0-4.el7 local_drop_repo_base 841 k
nss-pem x86_64 1.0.3-4.el7 local_drop_repo_base 73 k
nss-softokn x86_64 3.34.0-2.el7 local_drop_repo_base 311 k
nss-softokn-freebl x86_64 3.34.0-2.el7 local_drop_repo_base 220 k
nss-sysinit x86_64 3.34.0-4.el7 local_drop_repo_base 61 k
nss-tools x86_64 3.34.0-4.el7 local_drop_repo_base 513 k
nss-util x86_64 3.34.0-2.el7 local_drop_repo_base 78 k



Steps To Reproduce: Build a base Docker image from the CentOS official yum repos.
Then scan the built Docker image with the Clair tool.
This issue is reported.
Tags: nss
abrt_hash:
URL:

Activities

zouyu2001518 (reporter), 2018-04-12 04:07

File attached: analysis-centos-base-1.0-latest.html (38,390 bytes)

zouyu2001518 (reporter), 2018-04-12 06:33, note ~0031606

Of course, I think the other security issues in the attached file should also be processed through this report.

TrevorH (manager), 2018-04-12 08:29, note ~0031607

Your local repo is out of date. The current CentOS 7 nss package is already nss-3.28.4-15.el7_4.x86_64 and has this fix. This package was released around the 20th Oct 2017, so it has been fixed for some time. The RHEL package versions you list look like they are probably from 7.5, which is in the process of being rebuilt for CentOS and will be released ASAP when that is done. However, the currently released package is already a higher version number than the one you list as containing the fix.
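Both the report and the reply turn on an RPM version comparison: whether 3.28.4-8.el7 (the reporter's mirror), 3.28.4-12.el7_4 (the CESA-2017:2832 build) and 3.28.4-15.el7_4 (the package current at the time of the reply) are older or newer than one another. A naive string comparison gets this backwards, because "8" sorts after "12" character by character. The following is an added example, not code from the reporter, CentOS or the Mantis tracker: a small Python helper that compares `[epoch:]version-release` strings with a simplified subset of rpm's rpmvercmp rules (numeric and alphabetic segments only, no `~`/`^` handling), parses the yum listing quoted in the report, and flags packages older than the advisory builds. The `ADVISORY_FIXED` table is taken from the advisory lines quoted above; all function names are this example's own.

```python
"""Compare RPM versions the way rpm/yum does and flag packages behind an advisory.

Hypothetical helper written for this issue page, not part of CentOS or RHEL.
The rpmvercmp() below covers the common subset of rpm's algorithm (numeric and
alphabetic segments); it does not implement tilde/caret ordering.
"""
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")   # split on '.', '_', '-' and other separators


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as `a` is older than, equal to or newer than `b` (rpm rules)."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)            # numeric segments compare as integers: 12 > 8
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment is newer than an alphabetic one
        elif x != y:
            return 1 if x > y else -1          # alphabetic segments compare lexically
    # All shared segments are equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Fixed builds from CESA-2017:2832 as quoted in the report (package name -> version-release).
ADVISORY_FIXED = {
    "nss": "3.28.4-12.el7_4",
    "nss-devel": "3.28.4-12.el7_4",
    "nss-pkcs11-devel": "3.28.4-12.el7_4",
    "nss-sysinit": "3.28.4-12.el7_4",
    "nss-tools": "3.28.4-12.el7_4",
}


def parse_yum_listing(text: str) -> dict:
    """Parse 'name arch version-release repo size' lines from a yum listing into {name: evr}."""
    packages = {}
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        name, _arch, evr = fields[0], fields[1], fields[2]
        packages[name] = evr
    return packages


def unpatched(packages: dict, fixed: dict = ADVISORY_FIXED) -> dict:
    """Return {name: (found, required)} for advisory packages that are older than the fixed build."""
    return {
        name: (evr, fixed[name])
        for name, evr in packages.items()
        if name in fixed and evrcmp(evr, fixed[name]) < 0
    }


# The reporter's CentOS mirror listing, copied from the report above.
CENTOS_LISTING = """
nss x86_64 3.28.4-8.el7 local_drop_repo_os 848 k
nss-pem x86_64 1.0.3-4.el7 local_drop_repo_os 73 k
nss-softokn x86_64 3.28.3-6.el7 local_drop_repo_os 309 k
nss-softokn-freebl x86_64 3.28.3-6.el7 local_drop_repo_os 213 k
nss-sysinit x86_64 3.28.4-8.el7 local_drop_repo_os 59 k
nss-tools x86_64 3.28.4-8.el7 local_drop_repo_os 499 k
nss-util x86_64 3.28.4-3.el7 local_drop_repo_os 73 k
"""

if __name__ == "__main__":
    for name, (found, required) in sorted(unpatched(parse_yum_listing(CENTOS_LISTING)).items()):
        print(f"{name}: {found} is older than advisory build {required}")
```

Running the block prints nss, nss-sysinit and nss-tools as behind the advisory, while the packages the advisory does not cover (nss-pem, nss-softokn, nss-util) are left alone rather than misreported. The same comparison shows why the reply closes the issue: 3.28.4-15.el7_4 is newer than 3.28.4-12.el7_4, so a mirror carrying it already has the fix. On a live host the equivalent check is `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' nss` against the advisory's version-release, or `rpmdev-vercmp` from rpmdevtools for the full rpm ordering.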

Issue History

Date Modified Username Field Change
2018-04-12 04:07 zouyu2001518 New Issue
2018-04-12 04:07 zouyu2001518 File Added: analysis-centos-base-1.0-latest.html
2018-04-12 04:07 zouyu2001518 Tag Attached: nss
2018-04-12 06:33 zouyu2001518 Note Added: 0031606
2018-04-12 08:29 TrevorH Status new => closed
2018-04-12 08:29 TrevorH Resolution open => fixed
2018-04-12 08:29 TrevorH Note Added: 0031607