Lucene search

K
centosCentOS ProjectCESA-2010:0165
HistoryMar 28, 2010 - 3:36 p.m.

nspr, nss security update

2010-03-2815:36:50
CentOS Project
lists.centos.org
62

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

0.003 Low

EPSS

Percentile

69.4%

CentOS Errata and Security Advisory CESA-2010:0165

Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Applications built with NSS can support SSLv2, SSLv3, TLS,
and other security standards.

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI
operating system facilities. These facilities include threads, thread
synchronization, normal file and network I/O, interval timing, calendar
time, basic memory management (malloc and free), and shared library
linking.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure
Sockets Layer) protocols handled session renegotiation. A man-in-the-middle
attacker could use this flaw to prefix arbitrary plain text to a client’s
session (for example, an HTTPS connection to a website). This could force
the server to process an attacker’s request as if authenticated using the
victim’s credentials. This update addresses this flaw by implementing the
TLS Renegotiation Indication Extension, as defined in RFC 5746.
(CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about
this flaw: http://kbase.redhat.com/faq/docs/DOC-20491

Users of Red Hat Certificate System 7.3 and 8.0 should review the following
Knowledgebase article before installing this update:
http://kbase.redhat.com/faq/docs/DOC-28439

All users of NSS are advised to upgrade to these updated packages, which
update NSS to version 3.12.6. This erratum also updates the NSPR packages
to the version required by NSS 3.12.6. All running applications using the
NSS library must be restarted for this update to take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2010-March/078763.html
https://lists.centos.org/pipermail/centos-announce/2010-March/078764.html
https://lists.centos.org/pipermail/centos-announce/2010-March/078769.html
https://lists.centos.org/pipermail/centos-announce/2010-March/078770.html

Affected packages:
nspr
nspr-devel
nss
nss-devel
nss-pkcs11-devel
nss-tools

Upstream details at:
https://access.redhat.com/errata/RHSA-2010:0165

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:P/A:P

0.003 Low

EPSS

Percentile

69.4%