5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
0.002 Low
EPSS
Percentile
64.2%
CentOS Errata and Security Advisory CESA-2010:0165
Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Applications built with NSS can support SSLv2, SSLv3, TLS,
and other security standards.
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI
operating system facilities. These facilities include threads, thread
synchronization, normal file and network I/O, interval timing, calendar
time, basic memory management (malloc and free), and shared library
linking.
A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handled session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client’s
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker’s request as if authenticated using the
victim’s credentials. This update addresses this flaw by implementing the
TLS Renegotiation Indication Extension, as defined in RFC 5746.
(CVE-2009-3555)
Refer to the following Knowledgebase article for additional details about
this flaw: http://kbase.redhat.com/faq/docs/DOC-20491
Users of Red Hat Certificate System 7.3 and 8.0 should review the following
Knowledgebase article before installing this update:
http://kbase.redhat.com/faq/docs/DOC-28439
All users of NSS are advised to upgrade to these updated packages, which
update NSS to version 3.12.6. This erratum also updates the NSPR packages
to the version required by NSS 3.12.6. All running applications using the
NSS library must be restarted for this update to take effect.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2010-March/078763.html
https://lists.centos.org/pipermail/centos-announce/2010-March/078764.html
https://lists.centos.org/pipermail/centos-announce/2010-March/078769.html
https://lists.centos.org/pipermail/centos-announce/2010-March/078770.html
Affected packages:
nspr
nspr-devel
nss
nss-devel
nss-pkcs11-devel
nss-tools
Upstream details at:
https://access.redhat.com/errata/RHSA-2010:0165
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 5 | i386 | nspr | < 4.8.4-1.el5_4 | nspr-4.8.4-1.el5_4.i386.rpm |
CentOS | 5 | i386 | nspr-devel | < 4.8.4-1.el5_4 | nspr-devel-4.8.4-1.el5_4.i386.rpm |
CentOS | 5 | i386 | nss | < 3.12.6-1.el5.centos | nss-3.12.6-1.el5.centos.i386.rpm |
CentOS | 5 | i386 | nss-devel | < 3.12.6-1.el5.centos | nss-devel-3.12.6-1.el5.centos.i386.rpm |
CentOS | 5 | i386 | nss-pkcs11-devel | < 3.12.6-1.el5.centos | nss-pkcs11-devel-3.12.6-1.el5.centos.i386.rpm |
CentOS | 5 | i386 | nss-tools | < 3.12.6-1.el5.centos | nss-tools-3.12.6-1.el5.centos.i386.rpm |
CentOS | 5 | i386 | nspr | < 4.8.4-1.el5_4 | nspr-4.8.4-1.el5_4.i386.rpm |
CentOS | 5 | i386 | nspr-devel | < 4.8.4-1.el5_4 | nspr-devel-4.8.4-1.el5_4.i386.rpm |
CentOS | 5 | i386 | nss | < 3.12.6-1.el5.centos | nss-3.12.6-1.el5.centos.i386.rpm |
CentOS | 5 | i386 | nss-devel | < 3.12.6-1.el5.centos | nss-devel-3.12.6-1.el5.centos.i386.rpm |