Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2013-1144.NASL
HistoryAug 08, 2013 - 12:00 a.m.

Oracle Linux 6 : nspr / nss / nss-softokn / nss-util (ELSA-2013-1144)

2013-08-0800:00:00
This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13
JSON

From Red Hat Security Advisory 2013:1144 :

Updated nss, nss-util, nss-softokn, and nspr packages that fix two security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.
nss-softokn provides an NSS softoken cryptographic module.

It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620)

An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)

Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791.

This update also fixes the following bugs :

  • The RHBA-2013:0445 update (which upgraded NSS to version 3.14) prevented the use of certificates that have an MD5 signature. This caused problems in certain environments. With this update, certificates that have an MD5 signature are once again allowed. To prevent the use of certificates that have an MD5 signature, set the ‘NSS_HASH_ALG_SUPPORT’ environment variable to ‘-MD5’. (BZ#957603)

  • Previously, the sechash.h header file was missing, preventing certain source RPMs (such as firefox and xulrunner) from building.
    (BZ#948715)

  • A memory leak in the nssutil_ReadSecmodDB() function has been fixed.
    (BZ#984967)

In addition, the nss package has been upgraded to upstream version 3.14.3, the nss-util package has been upgraded to upstream version 3.14.3, the nss-softokn package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#927157, BZ#927171, BZ#927158, BZ#927186)

Users of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS, NSPR, nss-util, or nss-softokn must be restarted for this update to take effect.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2013:1144 and 
# Oracle Linux Security Advisory ELSA-2013-1144 respectively.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(69253);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");

  script_cve_id("CVE-2013-0791", "CVE-2013-1620");
  script_bugtraq_id(57777, 58826);
  script_xref(name:"RHSA", value:"2013:1144");

  script_name(english:"Oracle Linux 6 : nspr / nss / nss-softokn / nss-util (ELSA-2013-1144)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"From Red Hat Security Advisory 2013:1144 :

Updated nss, nss-util, nss-softokn, and nspr packages that fix two
security issues, various bugs, and add enhancements are now available
for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

Network Security Services (NSS) is a set of libraries designed to
support the cross-platform development of security-enabled client and
server applications. Netscape Portable Runtime (NSPR) provides
platform independence for non-GUI operating system facilities.
nss-softokn provides an NSS softoken cryptographic module.

It was discovered that NSS leaked timing information when decrypting
TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher
suites were used. A remote attacker could possibly use this flaw to
retrieve plain text from the encrypted packets by using a TLS/SSL or
DTLS server as a padding oracle. (CVE-2013-1620)

An out-of-bounds memory read flaw was found in the way NSS decoded
certain certificates. If an application using NSS decoded a malformed
certificate, it could cause the application to crash. (CVE-2013-0791)

Red Hat would like to thank the Mozilla project for reporting
CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original
reporter of CVE-2013-0791.

This update also fixes the following bugs :

* The RHBA-2013:0445 update (which upgraded NSS to version 3.14)
prevented the use of certificates that have an MD5 signature. This
caused problems in certain environments. With this update,
certificates that have an MD5 signature are once again allowed. To
prevent the use of certificates that have an MD5 signature, set the
'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#957603)

* Previously, the sechash.h header file was missing, preventing
certain source RPMs (such as firefox and xulrunner) from building.
(BZ#948715)

* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.
(BZ#984967)

In addition, the nss package has been upgraded to upstream version
3.14.3, the nss-util package has been upgraded to upstream version
3.14.3, the nss-softokn package has been upgraded to upstream version
3.14.3, and the nspr package has been upgraded to upstream version
4.9.5. These updates provide a number of bug fixes and enhancements
over the previous versions. (BZ#927157, BZ#927171, BZ#927158,
BZ#927186)

Users of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade
to these updated packages, which fix these issues and add these
enhancements. After installing this update, applications using NSS,
NSPR, nss-util, or nss-softokn must be restarted for this update to
take effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2013-August/003624.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nspr");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nspr-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss-pkcs11-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss-softokn");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss-softokn-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss-softokn-freebl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss-softokn-freebl-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss-sysinit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss-util");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nss-util-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/02/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/08/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/08");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 6", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);

flag = 0;
if (rpm_check(release:"EL6", reference:"nspr-4.9.5-2.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nspr-devel-4.9.5-2.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-3.14.3-4.0.1.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-devel-3.14.3-4.0.1.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-pkcs11-devel-3.14.3-4.0.1.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-softokn-3.14.3-3.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-softokn-devel-3.14.3-3.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-softokn-freebl-3.14.3-3.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-softokn-freebl-devel-3.14.3-3.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-sysinit-3.14.3-4.0.1.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-tools-3.14.3-4.0.1.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-util-3.14.3-3.el6_4")) flag++;
if (rpm_check(release:"EL6", reference:"nss-util-devel-3.14.3-3.el6_4")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / etc");
}
VendorProductVersionCPE
oraclelinuxnsprp-cpe:/a:oracle:linux:nspr
oraclelinuxnspr-develp-cpe:/a:oracle:linux:nspr-devel
oraclelinuxnssp-cpe:/a:oracle:linux:nss
oraclelinuxnss-develp-cpe:/a:oracle:linux:nss-devel
oraclelinuxnss-pkcs11-develp-cpe:/a:oracle:linux:nss-pkcs11-devel
oraclelinuxnss-softoknp-cpe:/a:oracle:linux:nss-softokn
oraclelinuxnss-softokn-develp-cpe:/a:oracle:linux:nss-softokn-devel
oraclelinuxnss-softokn-freeblp-cpe:/a:oracle:linux:nss-softokn-freebl
oraclelinuxnss-softokn-freebl-develp-cpe:/a:oracle:linux:nss-softokn-freebl-devel
oraclelinuxnss-sysinitp-cpe:/a:oracle:linux:nss-sysinit
Rows per page:
1-10 of 141

Related

openvas 82
nessus 56
redhat 5
amazon 4
centos 4
oraclelinux 2
veracode 6
securityvulns 4
fedora 10
ubuntu 4
mozilla 1
cve 2
ubuntucve 2
prion 2
debiancve 2
f5 2
suse 7
vmware 1
gentoo 2
freebsd 1
openvas
openvas
Oracle Linux Local Check: ELSA-2013-1144
2015-10-06 00:00:00
Oracle Linux Local Check: ELSA-2013-1135
2015-10-06 00:00:00
RedHat Update for nss and nspr RHSA-2013:1135-01
2013-08-08 00:00:00
nessus
nessus
CentOS 5 : nss (CESA-2013:1135)
2013-08-06 00:00:00
Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64 (20130805)
2013-08-06 00:00:00
RHEL 6 : nss, nss-util, nss-softokn, and nspr (RHSA-2013:1144)
2013-08-08 00:00:00
redhat
redhat
(RHSA-2013:1135) Moderate: nss and nspr security, bug fix, and enhancement update
2013-08-05 00:00:00
(RHSA-2013:1144) Moderate: nss, nss-util, nss-softokn, and nspr security update
2013-08-07 00:00:00
(RHSA-2013:1181) Moderate: rhev-hypervisor6 security and bug fix update
2013-08-27 00:00:00
amazon
amazon
Medium: nss
2013-08-07 21:23:00
Medium: nspr
2013-08-07 21:23:00
Important: nss
2013-12-17 21:31:00
centos
centos
nspr, nss security update
2013-08-05 19:56:06
nspr, nss security update
2013-08-07 22:22:50
nspr, nss security update
2013-12-13 00:04:31
oraclelinux
oraclelinux
nss and nspr security, bug fix, and enhancement update
2013-08-05 00:00:00
nss, nss-util, nss-softokn, and nspr security update
2013-08-07 00:00:00
veracode
veracode
Timing Side-Channel
2019-05-02 04:48:16
Denial Of Service (DoS)
2019-01-15 08:57:12
Denial Of Service
2019-01-15 08:52:48
securityvulns
securityvulns
Mozilla NSS library TLS timing attacks
2013-03-24 00:00:00
[USN-1763-1] NSS vulnerability
2013-03-24 00:00:00
Mozilla Firefox / Thunderbird / Seamonkey multiple security vulnerabilities
2013-04-03 00:00:00
fedora
fedora
[SECURITY] Fedora 18 Update: nss-util-3.14.3-1.fc18
2013-02-28 07:04:40
[SECURITY] Fedora 17 Update: nss-3.14.3-1.fc17
2013-03-14 02:40:31
[SECURITY] Fedora 17 Update: nss-softokn-3.14.3-1.fc17
2013-03-14 02:40:31
ubuntu
ubuntu
NSS vulnerability
2013-03-14 00:00:00
Thunderbird vulnerabilities
2013-04-08 00:00:00
Firefox vulnerabilities
2013-04-04 00:00:00
mozilla
mozilla
Out-of-bounds array read in CERT_DecodeCertPackage — Mozilla
2013-04-02 00:00:00
cve
cve
CVE-2013-0791
2013-04-03 11:56:00
CVE-2013-1620
2013-02-08 19:55:00
ubuntucve
ubuntucve
CVE-2013-0791
2013-04-03 00:00:00
CVE-2013-1620
2013-02-08 00:00:00
prion
prion
Out-of-bounds
2013-04-03 11:56:00
Design/Logic Flaw
2013-02-08 19:55:00
debiancve
debiancve
CVE-2013-0791
2013-04-03 11:56:00
CVE-2013-1620
2013-02-08 19:55:00
f5
f5
SOL15630 - TLS in Mozilla NSS vulnerability CVE-2013-1620
2014-09-25 00:00:00
K15630 : TLS in Mozilla NSS vulnerability CVE-2013-1620
2015-09-17 00:00:00
suse
suse
Mozilla Firefox and others: Update to Firefox 20.0 release (important)
2013-04-05 15:06:14
Mozilla Firefox and others: Update to 20.0/17.0.5 releases (important)
2013-04-05 18:06:10
Security update for Mozilla Firefox (important)
2013-05-28 22:04:36
vmware
vmware
VMware ESX updates to third party libraries
2013-12-05 00:00:00
gentoo
gentoo
Mozilla Network Security Service: Multiple vulnerabilities
2014-06-21 00:00:00
Mozilla Products: Multiple vulnerabilities
2013-09-27 00:00:00
freebsd
freebsd
mozilla -- multiple vulnerabilities
2013-04-02 00:00:00
JSON
Related for ORACLELINUX_ELSA-2013-1144.NASL
openvas82nessus56redhat5amazon4centos4oraclelinux2veracode6securityvulns4fedora10ubuntu4mozilla1cve2ubuntucve2prion2debiancve2f52suse7vmware1gentoo2freebsd1