Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
centosCentOS ProjectCESA-2013:1144
HistoryAug 07, 2013 - 10:22 p.m.

nspr, nss security update

2013-08-0722:22:50
CentOS Project
lists.centos.org
56

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.069 Low

EPSS

Percentile

93.8%

JSON

CentOS Errata and Security Advisory CESA-2013:1144

Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Netscape Portable Runtime (NSPR) provides platform
independence for non-GUI operating system facilities. nss-softokn provides
an NSS softoken cryptographic module.

It was discovered that NSS leaked timing information when decrypting
TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites
were used. A remote attacker could possibly use this flaw to retrieve plain
text from the encrypted packets by using a TLS/SSL or DTLS server as a
padding oracle. (CVE-2013-1620)

An out-of-bounds memory read flaw was found in the way NSS decoded certain
certificates. If an application using NSS decoded a malformed certificate,
it could cause the application to crash. (CVE-2013-0791)

Red Hat would like to thank the Mozilla project for reporting
CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter
of CVE-2013-0791.

This update also fixes the following bugs:

  • The RHBA-2013:0445 update (which upgraded NSS to version 3.14) prevented
    the use of certificates that have an MD5 signature. This caused problems in
    certain environments. With this update, certificates that have an MD5
    signature are once again allowed. To prevent the use of certificates that
    have an MD5 signature, set the “NSS_HASH_ALG_SUPPORT” environment variable
    to “-MD5”. (BZ#957603)

  • Previously, the sechash.h header file was missing, preventing certain
    source RPMs (such as firefox and xulrunner) from building. (BZ#948715)

  • A memory leak in the nssutil_ReadSecmodDB() function has been fixed.
    (BZ#984967)

In addition, the nss package has been upgraded to upstream version 3.14.3,
the nss-util package has been upgraded to upstream version 3.14.3, the
nss-softokn package has been upgraded to upstream version 3.14.3, and the
nspr package has been upgraded to upstream version 4.9.5. These updates
provide a number of bug fixes and enhancements over the previous versions.
(BZ#927157, BZ#927171, BZ#927158, BZ#927186)

Users of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade to
these updated packages, which fix these issues and add these enhancements.
After installing this update, applications using NSS, NSPR, nss-util, or
nss-softokn must be restarted for this update to take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2013-August/082058.html

Affected packages:
nspr
nspr-devel
nss
nss-devel
nss-pkcs11-devel
nss-softokn
nss-softokn-devel
nss-softokn-freebl
nss-softokn-freebl-devel
nss-sysinit
nss-tools
nss-util
nss-util-devel

Upstream details at:
https://access.redhat.com/errata/RHSA-2013:1144

OSVersionArchitecturePackageVersionFilename
CentOS6i686nspr< 4.9.5-2.el6_4nspr-4.9.5-2.el6_4.i686.rpm
CentOS6i686nspr-devel< 4.9.5-2.el6_4nspr-devel-4.9.5-2.el6_4.i686.rpm
CentOS6i686nss< 3.14.3-4.el6_4nss-3.14.3-4.el6_4.i686.rpm
CentOS6i686nss-devel< 3.14.3-4.el6_4nss-devel-3.14.3-4.el6_4.i686.rpm
CentOS6i686nss-pkcs11-devel< 3.14.3-4.el6_4nss-pkcs11-devel-3.14.3-4.el6_4.i686.rpm
CentOS6i686nss-softokn< 3.14.3-3.el6_4nss-softokn-3.14.3-3.el6_4.i686.rpm
CentOS6i686nss-softokn-devel< 3.14.3-3.el6_4nss-softokn-devel-3.14.3-3.el6_4.i686.rpm
CentOS6i686nss-softokn-freebl< 3.14.3-3.el6_4nss-softokn-freebl-3.14.3-3.el6_4.i686.rpm
CentOS6i686nss-softokn-freebl-devel< 3.14.3-3.el6_4nss-softokn-freebl-devel-3.14.3-3.el6_4.i686.rpm
CentOS6i686nss-sysinit< 3.14.3-4.el6_4nss-sysinit-3.14.3-4.el6_4.i686.rpm
Rows per page:
1-10 of 371

Related

openvas 82
nessus 57
redhat 5
centos 3
amazon 4
oraclelinux 2
veracode 6
securityvulns 4
fedora 10
ubuntu 4
mozilla 1
cve 2
ubuntucve 2
prion 2
debiancve 2
f5 2
suse 7
vmware 1
gentoo 2
freebsd 1
openvas
openvas
Oracle Linux Local Check: ELSA-2013-1144
2015-10-06 00:00:00
Oracle Linux Local Check: ELSA-2013-1135
2015-10-06 00:00:00
RedHat Update for nss and nspr RHSA-2013:1135-01
2013-08-08 00:00:00
nessus
nessus
Oracle Linux 6 : nspr / nss / nss-softokn / nss-util (ELSA-2013-1144)
2013-08-08 00:00:00
CentOS 5 : nss (CESA-2013:1135)
2013-08-06 00:00:00
Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64 (20130805)
2013-08-06 00:00:00
redhat
redhat
(RHSA-2013:1135) Moderate: nss and nspr security, bug fix, and enhancement update
2013-08-05 00:00:00
(RHSA-2013:1144) Moderate: nss, nss-util, nss-softokn, and nspr security update
2013-08-07 00:00:00
(RHSA-2013:1181) Moderate: rhev-hypervisor6 security and bug fix update
2013-08-27 00:00:00
centos
centos
nspr, nss security update
2013-08-05 19:56:06
nspr, nss security update
2013-12-13 00:04:31
nspr, nss security update
2013-12-05 17:45:58
amazon
amazon
Medium: nss
2013-08-07 21:23:00
Medium: nspr
2013-08-07 21:23:00
Important: nss
2013-12-17 21:31:00
oraclelinux
oraclelinux
nss and nspr security, bug fix, and enhancement update
2013-08-05 00:00:00
nss, nss-util, nss-softokn, and nspr security update
2013-08-07 00:00:00
veracode
veracode
Timing Side-Channel
2019-05-02 04:48:16
Denial Of Service (DoS)
2019-01-15 08:57:12
Denial Of Service
2019-01-15 08:52:48
securityvulns
securityvulns
Mozilla NSS library TLS timing attacks
2013-03-24 00:00:00
[USN-1763-1] NSS vulnerability
2013-03-24 00:00:00
Mozilla Firefox / Thunderbird / Seamonkey multiple security vulnerabilities
2013-04-03 00:00:00
fedora
fedora
[SECURITY] Fedora 18 Update: nss-util-3.14.3-1.fc18
2013-02-28 07:04:40
[SECURITY] Fedora 17 Update: nss-3.14.3-1.fc17
2013-03-14 02:40:31
[SECURITY] Fedora 17 Update: nss-softokn-3.14.3-1.fc17
2013-03-14 02:40:31
ubuntu
ubuntu
NSS vulnerability
2013-03-14 00:00:00
Thunderbird vulnerabilities
2013-04-08 00:00:00
Firefox vulnerabilities
2013-04-04 00:00:00
mozilla
mozilla
Out-of-bounds array read in CERT_DecodeCertPackage — Mozilla
2013-04-02 00:00:00
cve
cve
CVE-2013-0791
2013-04-03 11:56:00
CVE-2013-1620
2013-02-08 19:55:00
ubuntucve
ubuntucve
CVE-2013-0791
2013-04-03 00:00:00
CVE-2013-1620
2013-02-08 00:00:00
prion
prion
Out-of-bounds
2013-04-03 11:56:00
Design/Logic Flaw
2013-02-08 19:55:00
debiancve
debiancve
CVE-2013-0791
2013-04-03 11:56:00
CVE-2013-1620
2013-02-08 19:55:00
f5
f5
SOL15630 - TLS in Mozilla NSS vulnerability CVE-2013-1620
2014-09-25 00:00:00
K15630 : TLS in Mozilla NSS vulnerability CVE-2013-1620
2015-09-17 00:00:00
suse
suse
Mozilla Firefox and others: Update to Firefox 20.0 release (important)
2013-04-05 15:06:14
Mozilla Firefox and others: Update to 20.0/17.0.5 releases (important)
2013-04-05 18:06:10
Security update for Mozilla Firefox (important)
2013-05-28 22:04:36
vmware
vmware
VMware ESX updates to third party libraries
2013-12-05 00:00:00
gentoo
gentoo
Mozilla Network Security Service: Multiple vulnerabilities
2014-06-21 00:00:00
Mozilla Products: Multiple vulnerabilities
2013-09-27 00:00:00
freebsd
freebsd
mozilla -- multiple vulnerabilities
2013-04-02 00:00:00

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.069 Low

EPSS

Percentile

93.8%

JSON
Related for CESA-2013:1144
openvas82nessus57redhat5centos3amazon4oraclelinux2veracode6securityvulns4fedora10ubuntu4mozilla1cve2ubuntucve2prion2debiancve2f52suse7vmware1gentoo2freebsd1