Search...

Oracle Linux Local Check: ELSA-2012-1090

2015-10-06T00:00:00

ID OPENVAS:1361412562310123863
Type openvas
Reporter Eero Volotinen
Modified 2018-09-28T00:00:00

Description

Oracle Linux Local Security Checks ELSA-2012-1090

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: ELSA-2012-1090.nasl 11688 2018-09-28 13:36:28Z cfischer $
#
# Oracle Linux Local Check
#
# Authors:
# Eero Volotinen &lt;eero.volotinen@solinor.com&gt;
#
# Copyright:
# Copyright (c) 2015 Eero Volotinen, http://solinor.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.123863");
  script_version("$Revision: 11688 $");
  script_tag(name:"creation_date", value:"2015-10-06 14:09:34 +0300 (Tue, 06 Oct 2015)");
  script_tag(name:"last_modification", value:"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $");
  script_name("Oracle Linux Local Check: ELSA-2012-1090");
  script_tag(name:"solution", value:"Update the affected packages to the latest available version.");
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"summary", value:"Oracle Linux Local Security Checks ELSA-2012-1090");
  script_xref(name:"URL", value:"http://linux.oracle.com/errata/ELSA-2012-1090.html");
  script_cve_id("CVE-2012-0441");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_tag(name:"qod_type", value:"package");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/oracle_linux", "ssh/login/release", re:"ssh/login/release=OracleLinux5");
  script_category(ACT_GATHER_INFO);
  script_copyright("Eero Volotinen");
  script_family("Oracle Linux Local Security Checks");

  exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-rpm.inc");

release = rpm_get_ssh_release();
if(!release) exit(0);

res = "";

if(release == "OracleLinux5")
{
  if ((res = isrpmvuln(pkg:"nspr", rpm:"nspr~4.9.1~4.el5_8", rls:"OracleLinux5")) != NULL) {
    security_message(data:res);
    exit(0);
  }
  if ((res = isrpmvuln(pkg:"nspr-devel", rpm:"nspr-devel~4.9.1~4.el5_8", rls:"OracleLinux5")) != NULL) {
    security_message(data:res);
    exit(0);
  }
  if ((res = isrpmvuln(pkg:"nss", rpm:"nss~3.13.5~4.0.1.el5_8", rls:"OracleLinux5")) != NULL) {
    security_message(data:res);
    exit(0);
  }
  if ((res = isrpmvuln(pkg:"nss-devel", rpm:"nss-devel~3.13.5~4.0.1.el5_8", rls:"OracleLinux5")) != NULL) {
    security_message(data:res);
    exit(0);
  }
  if ((res = isrpmvuln(pkg:"nss-pkcs11-devel", rpm:"nss-pkcs11-devel~3.13.5~4.0.1.el5_8", rls:"OracleLinux5")) != NULL) {
    security_message(data:res);
    exit(0);
  }
  if ((res = isrpmvuln(pkg:"nss-tools", rpm:"nss-tools~3.13.5~4.0.1.el5_8", rls:"OracleLinux5")) != NULL) {
    security_message(data:res);
    exit(0);
  }

}
if (__pkg_match) exit(99);
  exit(0);

JSON Vulners Source

Initial Source

{"id": "OPENVAS:1361412562310123863", "type": "openvas", "bulletinFamily": "scanner", "title": "Oracle Linux Local Check: ELSA-2012-1090", "description": "Oracle Linux Local Security Checks ELSA-2012-1090", "published": "2015-10-06T00:00:00", "modified": "2018-09-28T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123863", "reporter": "Eero Volotinen", "references": ["http://linux.oracle.com/errata/ELSA-2012-1090.html"], "cvelist": ["CVE-2012-0441"], "lastseen": "2019-05-29T18:35:55", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-0441"]}, {"type": "ubuntu", "idList": ["USN-1463-4", "USN-1463-6", "USN-1463-1", "USN-1540-2", "USN-1463-3", "USN-1540-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310841116", "OPENVAS:841116", "OPENVAS:1361412562310120261", "OPENVAS:1361412562310881211", "OPENVAS:1361412562310870789", "OPENVAS:71467", "OPENVAS:881124", "OPENVAS:870791", "OPENVAS:1361412562310841122", "OPENVAS:136141256231071467"]}, {"type": "centos", "idList": ["CESA-2012:1090", "CESA-2012:1091"]}, {"type": "amazon", "idList": ["ALAS-2012-108"]}, {"type": "mozilla", "idList": ["MFSA2012-39"]}, {"type": "debian", "idList": ["DEBIAN:DSA-2490-1:DB4FF"]}, {"type": "oraclelinux", "idList": ["ELSA-2012-1091", "ELSA-2012-1090"]}, {"type": "redhat", "idList": ["RHSA-2012:1091", "RHSA-2012:1090", "RHSA-2012:1200", "RHSA-2012:1185"]}, {"type": "nessus", "idList": ["UBUNTU_USN-1540-2.NASL", "ALA_ALAS-2012-108.NASL", "SL_20120717_NSS__NSPR__AND_NSS_UTIL_ON_SL6_X.NASL", "CENTOS_RHSA-2012-1090.NASL", "UBUNTU_USN-1540-1.NASL", "REDHAT-RHSA-2012-1090.NASL", "ORACLELINUX_ELSA-2012-1090.NASL", "SL_20120717_NSS_AND_NSPR_ON_SL5_X.NASL", "REDHAT-RHSA-2012-1091.NASL", "DEBIAN_DSA-2490.NASL"]}, {"type": "suse", "idList": ["SUSE-SU-2012:0746-1", "OPENSUSE-SU-2012:0760-1", "OPENSUSE-SU-2014:1100-1"]}, {"type": "vmware", "idList": ["VMSA-2012-0016"]}, {"type": "freebsd", "idList": ["BFECF7C1-AF47-11E1-9580-4061862B8C22"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12410"]}], "modified": "2019-05-29T18:35:55", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2019-05-29T18:35:55", "rev": 2}, "vulnersScore": 6.4}, "pluginID": "1361412562310123863", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2012-1090.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123863\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:09:34 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2012-1090\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2012-1090\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2012-1090.html\");\n script_cve_id(\"CVE-2012-0441\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.9.1~4.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nspr-devel\", rpm:\"nspr-devel~4.9.1~4.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.13.5~4.0.1.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.13.5~4.0.1.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.13.5~4.0.1.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.13.5~4.0.1.el5_8\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "naslFamily": "Oracle Linux Local Security Checks"}

{"cve": [{"lastseen": "2020-12-09T19:47:16", "description": "The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response.", "edition": 5, "cvss3": {}, "published": "2012-06-05T23:55:00", "title": "CVE-2012-0441", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0441"], "modified": "2018-01-18T02:29:00", "cpe": ["cpe:/a:mozilla:thunderbird:11.0", "cpe:/a:mozilla:seamonkey:1.0.8", "cpe:/a:mozilla:seamonkey:2.0.6", "cpe:/a:mozilla:seamonkey:2.0", "cpe:/a:mozilla:firefox_esr:10.0.4", "cpe:/a:mozilla:seamonkey:2.0.7", "cpe:/a:mozilla:seamonkey:2.7.1", "cpe:/a:mozilla:network_security_services:3.4.2", "cpe:/a:mozilla:firefox:8.0", "cpe:/a:mozilla:thunderbird:10.0.3", "cpe:/a:mozilla:seamonkey:1.1.17", "cpe:/a:mozilla:seamonkey:1.0.2", "cpe:/a:mozilla:seamonkey:1.1.2", "cpe:/a:mozilla:seamonkey:1.5.0.10", "cpe:/a:mozilla:seamonkey:1.1.18", "cpe:/a:mozilla:network_security_services:3.6.1", "cpe:/a:mozilla:thunderbird:7.0", "cpe:/a:mozilla:seamonkey:2.0.3", "cpe:/a:mozilla:seamonkey:1.0", "cpe:/a:mozilla:firefox:4.0.1", "cpe:/a:mozilla:firefox:10.0", "cpe:/a:mozilla:seamonkey:1.5.0.9", "cpe:/a:mozilla:network_security_services:3.7.7", "cpe:/a:mozilla:firefox:8.0.1", "cpe:/a:mozilla:seamonkey:2.0.11", "cpe:/a:mozilla:firefox_esr:10.0.2", "cpe:/a:mozilla:seamonkey:2.3", "cpe:/a:mozilla:network_security_services:3.3", "cpe:/a:mozilla:firefox:5.0.1", "cpe:/a:mozilla:seamonkey:1.0.9", "cpe:/a:mozilla:seamonkey:2.4.1", "cpe:/a:mozilla:firefox:7.0", "cpe:/a:mozilla:firefox:10.0.1", "cpe:/a:mozilla:seamonkey:2.8", "cpe:/a:mozilla:thunderbird:10.0.4", "cpe:/a:mozilla:firefox:9.0", "cpe:/a:mozilla:seamonkey:1.1.15", "cpe:/a:mozilla:seamonkey:2.7.2", "cpe:/a:mozilla:thunderbird:10.0", "cpe:/a:mozilla:network_security_services:3.12.2", "cpe:/a:mozilla:firefox_esr:10.0.3", "cpe:/a:mozilla:firefox:6.0.1", "cpe:/a:mozilla:network_security_services:3.7.3", "cpe:/a:mozilla:firefox_esr:10.0.1", "cpe:/a:mozilla:seamonkey:1.1.9", "cpe:/a:mozilla:network_security_services:3.8", "cpe:/a:mozilla:network_security_services:3.12", "cpe:/a:mozilla:thunderbird:10.0.1", "cpe:/a:mozilla:seamonkey:1.1.10", "cpe:/a:mozilla:seamonkey:1.1.12", "cpe:/a:mozilla:firefox:11.0", "cpe:/a:mozilla:firefox:4.0", "cpe:/a:mozilla:network_security_services:3.2.1", "cpe:/a:mozilla:thunderbird:6.0.2", "cpe:/a:mozilla:network_security_services:3.2", "cpe:/a:mozilla:network_security_services:3.7.5", "cpe:/a:mozilla:seamonkey:2.0.8", "cpe:/a:mozilla:seamonkey:1.1.6", "cpe:/a:mozilla:seamonkey:1.1.5", "cpe:/a:mozilla:network_security_services:3.7.2", "cpe:/a:mozilla:thunderbird_esr:10.0", "cpe:/a:mozilla:firefox:9.0.1", "cpe:/a:mozilla:seamonkey:2.4", "cpe:/a:mozilla:seamonkey:1.1.4", "cpe:/a:mozilla:firefox:7.0.1", "cpe:/a:mozilla:network_security_services:3.11.2", "cpe:/a:mozilla:seamonkey:2.6", "cpe:/a:mozilla:seamonkey:2.0.4", "cpe:/a:mozilla:thunderbird_esr:10.0.4", "cpe:/a:mozilla:firefox_esr:10.0", "cpe:/a:mozilla:thunderbird:9.0.1", "cpe:/a:mozilla:thunderbird:9.0", "cpe:/a:mozilla:seamonkey:2.0.14", "cpe:/a:mozilla:seamonkey:2.5", "cpe:/a:mozilla:thunderbird:7.0.1", "cpe:/a:mozilla:network_security_services:3.11.3", "cpe:/a:mozilla:seamonkey:1.0.6", "cpe:/a:mozilla:seamonkey:2.3.3", "cpe:/a:mozilla:firefox:6.0.2", "cpe:/a:mozilla:thunderbird:6.0", "cpe:/a:mozilla:seamonkey:2.0.2", "cpe:/a:mozilla:seamonkey:2.9", "cpe:/a:mozilla:seamonkey:1.0.4", "cpe:/a:mozilla:seamonkey:2.0.13", "cpe:/a:mozilla:seamonkey:2.7", "cpe:/a:mozilla:seamonkey:1.0.5", "cpe:/a:mozilla:network_security_services:3.9", "cpe:/a:mozilla:thunderbird:10.0.2", "cpe:/a:mozilla:thunderbird:8.0", "cpe:/a:mozilla:seamonkey:1.0.7", "cpe:/a:mozilla:firefox:12.0", "cpe:/a:mozilla:seamonkey:1.1.11", "cpe:/a:mozilla:seamonkey:1.1.3", "cpe:/a:mozilla:network_security_services:3.12.1", "cpe:/a:mozilla:thunderbird:6.0.1", "cpe:/a:mozilla:seamonkey:1.1.1", "cpe:/a:mozilla:thunderbird_esr:10.0.3", "cpe:/a:mozilla:seamonkey:1.1.7", "cpe:/a:mozilla:firefox:6.0", "cpe:/a:mozilla:seamonkey:2.0.9", "cpe:/a:mozilla:seamonkey:2.0.5", "cpe:/a:mozilla:seamonkey:2.0.12", "cpe:/a:mozilla:firefox:10.0.2", "cpe:/a:mozilla:network_security_services:3.3.2", "cpe:/a:mozilla:seamonkey:1.5.0.8", "cpe:/a:mozilla:firefox:5.0", "cpe:/a:mozilla:network_security_services:3.12.3", "cpe:/a:mozilla:thunderbird:12.0", "cpe:/a:mozilla:seamonkey:1.1.14", "cpe:/a:mozilla:seamonkey:1.1.16", "cpe:/a:mozilla:thunderbird_esr:10.0.2", "cpe:/a:mozilla:thunderbird:5.0", "cpe:/a:mozilla:network_security_services:3.6", "cpe:/a:mozilla:network_security_services:3.7.1", "cpe:/a:mozilla:network_security_services:3.4.1", "cpe:/a:mozilla:network_security_services:3.3.1", "cpe:/a:mozilla:seamonkey:2.2", "cpe:/a:mozilla:seamonkey:1.0.1", "cpe:/a:mozilla:seamonkey:1.0.3", "cpe:/a:mozilla:seamonkey:2.0.10", "cpe:/a:mozilla:seamonkey:1.1", "cpe:/a:mozilla:seamonkey:2.3.1", "cpe:/a:mozilla:seamonkey:2.3.2", "cpe:/a:mozilla:seamonkey:1.1.19", "cpe:/a:mozilla:seamonkey:2.6.1", "cpe:/a:mozilla:network_security_services:3.11.5", "cpe:/a:mozilla:network_security_services:3.4", "cpe:/a:mozilla:seamonkey:2.0.1", "cpe:/a:mozilla:thunderbird_esr:10.0.1", "cpe:/a:mozilla:network_security_services:3.11.4", "cpe:/a:mozilla:network_security_services:3.5", "cpe:/a:mozilla:seamonkey:1.1.8", "cpe:/a:mozilla:seamonkey:2.1", "cpe:/a:mozilla:network_security_services:3.7", "cpe:/a:mozilla:seamonkey:1.1.13"], "id": "CVE-2012-0441", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0441", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:mozilla:seamonkey:1.1.10:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.9:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.5:beta3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0:beta_2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox_esr:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.4:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.6:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0:beta_1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.7:beta1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.9:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.2:beta3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.5:beta4:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.6:beta3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta7:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.9:beta3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird_esr:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.7.7:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.17:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox_esr:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.2:beta1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:12.0:beta6:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.8:beta6:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.1:alpha1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.1:rc2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.8:beta2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.6:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.14:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0:alpha_3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.11.4:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1:beta:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.1:alpha3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.5.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird_esr:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:9.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird_esr:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.6:beta2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.7:beta2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.1:beta1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.8:beta3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.9:beta1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.18:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.12:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird_esr:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.6:beta1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.15:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.16:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.8:beta4:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.11.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.8:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.9:beta2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1:alpha:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.12:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.5:beta2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta6:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox_esr:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0:beta:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.19:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.12.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.7.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.5:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.5.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.8:beta1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.11:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.7:beta3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.3:beta1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta10:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.4:beta1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.4:beta2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta5:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.5:beta1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.8:beta5:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.7:beta5:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.11.5:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.7:beta4:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.7:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta12:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta8:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.2:beta2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox_esr:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.6:beta4:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.1:alpha2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.3:beta2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.12.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0:alpha:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird_esr:10.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox_esr:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:10.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.11.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta9:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.3:beta3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0:alpha_1:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.4.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0:alpha_2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.1:beta2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta11:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.5.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.4.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:12.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:10.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:4.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:10.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:12.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.1:beta3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.8:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.4:beta3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.13:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.7.5:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:thunderbird:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:9.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:2.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:network_security_services:3.12.1:*:*:*:*:*:*:*"]}], "ubuntu": [{"lastseen": "2020-07-09T00:27:57", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441"], "description": "Kaspar Brand discovered a vulnerability in how the Network Security \nServices (NSS) ASN.1 decoder handles zero length items. If the user were \ntricked into opening a specially crafted certificate, an attacker could \npossibly exploit this to cause a denial of service via application crash.", "edition": 5, "modified": "2012-08-16T00:00:00", "published": "2012-08-16T00:00:00", "id": "USN-1540-1", "href": "https://ubuntu.com/security/notices/USN-1540-1", "title": "NSS vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-02T11:34:10", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441"], "description": "USN-1540-1 fixed vulnerabilities in NSS. This update provides the \ncorresponding updates for Ubuntu 12.04 LTS.\n\nOriginal advisory details:\n\nKaspar Brand discovered a vulnerability in how the Network Security \nServices (NSS) ASN.1 decoder handles zero length items. If the user were \ntricked into opening a specially crafted certificate, an attacker could \npossibly exploit this to cause a denial of service via application crash.", "edition": 5, "modified": "2012-08-21T00:00:00", "published": "2012-08-21T00:00:00", "id": "USN-1540-2", "href": "https://ubuntu.com/security/notices/USN-1540-2", "title": "NSS vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-08T23:42:42", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1945", "CVE-2012-1944", "CVE-2012-1940", "CVE-2012-1938", "CVE-2012-1941", "CVE-2012-1946", "CVE-2011-3101", "CVE-2012-1947", "CVE-2012-0441", "CVE-2012-1937"], "description": "USN-1463-1 fixed vulnerabilities in Firefox. This update provides the \ncorresponding fixes for Thunderbird.\n\nOriginal advisory details:\n\nJesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew \nMcCreight, Olli Pettay, Boris Zbarsky, and Brian Bondy discovered memory \nsafety issues affecting Firefox. If the user were tricked into opening a \nspecially crafted page, an attacker could possibly exploit these to cause a \ndenial of service via application crash, or potentially execute code with \nthe privileges of the user invoking Firefox. (CVE-2012-1937, CVE-2012-1938)\n\nIt was discovered that Mozilla's WebGL implementation exposed a bug in \ncertain NVIDIA graphics drivers. The impact of this issue has not been \ndisclosed at this time. (CVE-2011-3101)\n\nAdam Barth discovered that certain inline event handlers were not being \nblocked properly by the Content Security Policy's (CSP) inline-script \nblocking feature. Web applications relying on this feature of CSP to \nprotect against cross-site scripting (XSS) were not fully protected. With \ncross-site scripting vulnerabilities, if a user were tricked into viewing a \nspecially crafted page, a remote attacker could exploit this to modify the \ncontents, or steal confidential data, within the same domain. \n(CVE-2012-1944)\n\nPaul Stone discovered that a viewed HTML page hosted on a Windows or Samba \nshare could load Windows shortcut files (.lnk) in the same share. These \nshortcut files could then link to arbitrary locations on the local file \nsystem of the individual loading the HTML page. An attacker could \npotentially use this vulnerability to show the contents of these linked \nfiles or directories in an iframe, resulting in information disclosure. \n(CVE-2012-1945)\n\nArthur Gerkis discovered a use-after-free vulnerability while \nreplacing/inserting a node in a document. If the user were tricked into \nopening a specially crafted page, an attacker could possibly exploit this \nto cause a denial of service via application crash, or potentially execute \ncode with the privileges of the user invoking Firefox. (CVE-2012-1946)\n\nKaspar Brand discovered a vulnerability in how the Network Security \nServices (NSS) ASN.1 decoder handles zero length items. If the user were \ntricked into opening a specially crafted page, an attacker could possibly \nexploit this to cause a denial of service via application crash. \n(CVE-2012-0441)\n\nAbhishek Arya discovered two buffer overflow and one use-after-free \nvulnerabilities. If the user were tricked into opening a specially crafted \npage, an attacker could possibly exploit these to cause a denial of service \nvia application crash, or potentially execute code with the privileges of \nthe user invoking Firefox. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)", "edition": 5, "modified": "2012-06-27T00:00:00", "published": "2012-06-27T00:00:00", "id": "USN-1463-6", "href": "https://ubuntu.com/security/notices/USN-1463-6", "title": "Thunderbird vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:41:49", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1945", "CVE-2012-1944", "CVE-2012-1940", "CVE-2012-1938", "CVE-2012-1941", "CVE-2012-1946", "CVE-2011-3101", "CVE-2012-1947", "CVE-2012-0441", "CVE-2012-1937"], "description": "USN-1463-1 fixed vulnerabilities in Firefox. This update provides the \ncorresponding fixes for Thunderbird.\n\nOriginal advisory details:\n\nJesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew \nMcCreight, Olli Pettay, Boris Zbarsky, and Brian Bondy discovered memory \nsafety issues affecting Firefox. If the user were tricked into opening a \nspecially crafted page, an attacker could possibly exploit these to cause a \ndenial of service via application crash, or potentially execute code with \nthe privileges of the user invoking Firefox. (CVE-2012-1937, CVE-2012-1938)\n\nIt was discovered that Mozilla's WebGL implementation exposed a bug in \ncertain NVIDIA graphics drivers. The impact of this issue has not been \ndisclosed at this time. (CVE-2011-3101)\n\nAdam Barth discovered that certain inline event handlers were not being \nblocked properly by the Content Security Policy's (CSP) inline-script \nblocking feature. Web applications relying on this feature of CSP to \nprotect against cross-site scripting (XSS) were not fully protected. With \ncross-site scripting vulnerabilities, if a user were tricked into viewing a \nspecially crafted page, a remote attacker could exploit this to modify the \ncontents, or steal confidential data, within the same domain. \n(CVE-2012-1944)\n\nPaul Stone discovered that a viewed HTML page hosted on a Windows or Samba \nshare could load Windows shortcut files (.lnk) in the same share. These \nshortcut files could then link to arbitrary locations on the local file \nsystem of the individual loading the HTML page. An attacker could \npotentially use this vulnerability to show the contents of these linked \nfiles or directories in an iframe, resulting in information disclosure. \n(CVE-2012-1945)\n\nArthur Gerkis discovered a use-after-free vulnerability while \nreplacing/inserting a node in a document. If the user were tricked into \nopening a specially crafted page, an attacker could possibly exploit this \nto cause a denial of service via application crash, or potentially execute \ncode with the privileges of the user invoking Firefox. (CVE-2012-1946)\n\nKaspar Brand discovered a vulnerability in how the Network Security \nServices (NSS) ASN.1 decoder handles zero length items. If the user were \ntricked into opening a specially crafted page, an attacker could possibly \nexploit this to cause a denial of service via application crash. \n(CVE-2012-0441)\n\nAbhishek Arya discovered two buffer overflow and one use-after-free \nvulnerabilities. If the user were tricked into opening a specially crafted \npage, an attacker could possibly exploit these to cause a denial of service \nvia application crash, or potentially execute code with the privileges of \nthe user invoking Firefox. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)", "edition": 5, "modified": "2012-06-22T00:00:00", "published": "2012-06-22T00:00:00", "id": "USN-1463-4", "href": "https://ubuntu.com/security/notices/USN-1463-4", "title": "Thunderbird vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:33:13", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1945", "CVE-2012-1944", "CVE-2012-1940", "CVE-2012-1938", "CVE-2012-1941", "CVE-2012-1946", "CVE-2011-3101", "CVE-2012-1947", "CVE-2012-0441", "CVE-2012-1937"], "description": "USN-1463-1 fixed vulnerabilities in Firefox. The new package caused a \nregression in the rendering of Hebrew text and the ability of the Hotmail \ninbox to auto-update. This update fixes the problem.\n\nOriginal advisory details:\n\nJesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew \nMcCreight, Olli Pettay, Boris Zbarsky, and Brian Bondy discovered memory \nsafety issues affecting Firefox. If the user were tricked into opening a \nspecially crafted page, an attacker could possibly exploit these to cause a \ndenial of service via application crash, or potentially execute code with \nthe privileges of the user invoking Firefox. (CVE-2012-1937, CVE-2012-1938)\n\nIt was discovered that Mozilla's WebGL implementation exposed a bug in \ncertain NVIDIA graphics drivers. The impact of this issue has not been \ndisclosed at this time. (CVE-2011-3101)\n\nAdam Barth discovered that certain inline event handlers were not being \nblocked properly by the Content Security Policy's (CSP) inline-script \nblocking feature. Web applications relying on this feature of CSP to \nprotect against cross-site scripting (XSS) were not fully protected. With \ncross-site scripting vulnerabilities, if a user were tricked into viewing a \nspecially crafted page, a remote attacker could exploit this to modify the \ncontents, or steal confidential data, within the same domain. \n(CVE-2012-1944)\n\nPaul Stone discovered that a viewed HTML page hosted on a Windows or Samba \nshare could load Windows shortcut files (.lnk) in the same share. These \nshortcut files could then link to arbitrary locations on the local file \nsystem of the individual loading the HTML page. An attacker could \npotentially use this vulnerability to show the contents of these linked \nfiles or directories in an iframe, resulting in information disclosure. \n(CVE-2012-1945)\n\nArthur Gerkis discovered a use-after-free vulnerability while \nreplacing/inserting a node in a document. If the user were tricked into \nopening a specially crafted page, an attacker could possibly exploit this \nto cause a denial of service via application crash, or potentially execute \ncode with the privileges of the user invoking Firefox. (CVE-2012-1946)\n\nKaspar Brand discovered a vulnerability in how the Network Security \nServices (NSS) ASN.1 decoder handles zero length items. If the user were \ntricked into opening a specially crafted page, an attacker could possibly \nexploit this to cause a denial of service via application crash. \n(CVE-2012-0441)\n\nAbhishek Arya discovered two buffer overflow and one use-after-free \nvulnerabilities. If the user were tricked into opening a specially crafted \npage, an attacker could possibly exploit these to cause a denial of service \nvia application crash, or potentially execute code with the privileges of \nthe user invoking Firefox. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)", "edition": 5, "modified": "2012-06-20T00:00:00", "published": "2012-06-20T00:00:00", "id": "USN-1463-3", "href": "https://ubuntu.com/security/notices/USN-1463-3", "title": "Firefox regressions", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:40:15", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1945", "CVE-2012-1944", "CVE-2012-1940", "CVE-2012-1938", "CVE-2012-1941", "CVE-2012-1946", "CVE-2011-3101", "CVE-2012-1947", "CVE-2012-0441", "CVE-2012-1937"], "description": "Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew \nMcCreight, Olli Pettay, Boris Zbarsky, and Brian Bondy discovered memory \nsafety issues affecting Firefox. If the user were tricked into opening a \nspecially crafted page, an attacker could possibly exploit these to cause a \ndenial of service via application crash, or potentially execute code with \nthe privileges of the user invoking Firefox. (CVE-2012-1937, CVE-2012-1938)\n\nIt was discovered that Mozilla's WebGL implementation exposed a bug in \ncertain NVIDIA graphics drivers. The impact of this issue has not been \ndisclosed at this time. (CVE-2011-3101)\n\nAdam Barth discovered that certain inline event handlers were not being \nblocked properly by the Content Security Policy's (CSP) inline-script \nblocking feature. Web applications relying on this feature of CSP to \nprotect against cross-site scripting (XSS) were not fully protected. With \ncross-site scripting vulnerabilities, if a user were tricked into viewing a \nspecially crafted page, a remote attacker could exploit this to modify the \ncontents or steal confidential data within the same domain. \n(CVE-2012-1944)\n\nPaul Stone discovered that a viewed HTML page hosted on a Windows or Samba \nshare could load Windows shortcut files (.lnk) in the same share. These \nshortcut files could then link to arbitrary locations on the local file \nsystem of the individual loading the HTML page. An attacker could \npotentially use this vulnerability to show the contents of these linked \nfiles or directories in an iframe, resulting in information disclosure. \n(CVE-2012-1945)\n\nArthur Gerkis discovered a use-after-free vulnerability while \nreplacing/inserting a node in a document. If the user were tricked into \nopening a specially crafted page, an attacker could possibly exploit this \nto cause a denial of service via application crash, or potentially execute \ncode with the privileges of the user invoking Firefox. (CVE-2012-1946)\n\nKaspar Brand discovered a vulnerability in how the Network Security \nServices (NSS) ASN.1 decoder handles zero length items. If the user were \ntricked into opening a specially crafted page, an attacker could possibly \nexploit this to cause a denial of service via application crash. \n(CVE-2012-0441)\n\nAbhishek Arya discovered two buffer overflow and one use-after-free \nvulnerabilities. If the user were tricked into opening a specially crafted \npage, an attacker could possibly exploit these to cause a denial of service \nvia application crash, or potentially execute code with the privileges of \nthe user invoking Firefox. (CVE-2012-1940, CVE-2012-1941, CVE-2012-1947)", "edition": 5, "modified": "2012-06-06T00:00:00", "published": "2012-06-06T00:00:00", "id": "USN-1463-1", "href": "https://ubuntu.com/security/notices/USN-1463-1", "title": "Firefox vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-24T12:51:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "description": "The remote host is missing an update to nss\nannounced via advisory DSA 2490-1.", "modified": "2017-07-07T00:00:00", "published": "2012-08-10T00:00:00", "id": "OPENVAS:71467", "href": "http://plugins.openvas.org/nasl.php?oid=71467", "type": "openvas", "title": "Debian Security Advisory DSA 2490-1 (nss)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2490_1.nasl 6612 2017-07-07 12:08:03Z cfischer $\n# Description: Auto-generated from advisory DSA 2490-1 (nss)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Kaspar Brand discovered that Mozilla's Network Security Services (NSS)\nlibrary did insufficient length checking in the QuickDER decoder,\nallowing to crash a program using the library.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 3.12.8-1+squeeze5.\n\nFor the testing distribution (wheezy) and unstable distribution (sid),\nthis problem has been fixed in version 2:3.13.4-3.\n\nWe recommend that you upgrade your nss packages.\";\ntag_summary = \"The remote host is missing an update to nss\nannounced via advisory DSA 2490-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202490-1\";\n\nif(description)\n{\n script_id(71467);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2012-0441\");\n script_version(\"$Revision: 6612 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:03 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-10 03:02:13 -0400 (Fri, 10 Aug 2012)\");\n script_name(\"Debian Security Advisory DSA 2490-1 (nss)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"3.12.8-1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-1d-dbg\", ver:\"3.12.8-1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-dev\", ver:\"3.12.8-1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-tools\", ver:\"3.12.8-1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3\", ver:\"2:3.13.5-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"2:3.13.5-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-dbg\", ver:\"2:3.13.5-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-dev\", ver:\"2:3.13.5-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-tools\", ver:\"2:3.13.5-1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:38:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1540-2", "modified": "2019-03-13T00:00:00", "published": "2012-08-24T00:00:00", "id": "OPENVAS:1361412562310841122", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841122", "type": "openvas", "title": "Ubuntu Update for nss USN-1540-2", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1540_2.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for nss USN-1540-2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1540-2/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841122\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-24 09:56:43 +0530 (Fri, 24 Aug 2012)\");\n script_cve_id(\"CVE-2012-0441\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"USN\", value:\"1540-2\");\n script_name(\"Ubuntu Update for nss USN-1540-2\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU12\\.04 LTS\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1540-2\");\n script_tag(name:\"affected\", value:\"nss on Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"USN-1540-1 fixed vulnerabilities in NSS. This update provides the\n corresponding updates for Ubuntu 12.04 LTS.\n\n Original advisory details:\n\n Kaspar Brand discovered a vulnerability in how the Network Security\n Services (NSS) ASN.1 decoder handles zero length items. If the user were\n tricked into opening a specially crafted certificate, an attacker could\n possibly exploit this to cause a denial of service via application crash.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3\", ver:\"3.13.1.with.ckbi.1.88-1ubuntu6.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:38:46", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1540-1", "modified": "2019-03-13T00:00:00", "published": "2012-08-17T00:00:00", "id": "OPENVAS:1361412562310841116", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841116", "type": "openvas", "title": "Ubuntu Update for nss USN-1540-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1540_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for nss USN-1540-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1540-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841116\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-17 10:22:05 +0530 (Fri, 17 Aug 2012)\");\n script_cve_id(\"CVE-2012-0441\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"USN\", value:\"1540-1\");\n script_name(\"Ubuntu Update for nss USN-1540-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(10\\.04 LTS|11\\.10|11\\.04)\");\n script_tag(name:\"summary\", value:\"Ubuntu Update for Linux kernel vulnerabilities USN-1540-1\");\n script_tag(name:\"affected\", value:\"nss on Ubuntu 11.10,\n Ubuntu 11.04,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"Kaspar Brand discovered a vulnerability in how the Network Security\n Services (NSS) ASN.1 decoder handles zero length items. If the user were\n tricked into opening a specially crafted certificate, an attacker could\n possibly exploit this to cause a denial of service via application crash.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"3.12.9+ckbi-1.82-0ubuntu0.10.04.4\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"3.12.9+ckbi-1.82-0ubuntu6.1\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"3.12.9+ckbi-1.82-0ubuntu2.2\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:38:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2012-07-19T00:00:00", "id": "OPENVAS:1361412562310870789", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870789", "type": "openvas", "title": "RedHat Update for nss and nspr RHSA-2012:1090-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for nss and nspr RHSA-2012:1090-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2012-July/msg00017.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.870789\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-19 10:27:57 +0530 (Thu, 19 Jul 2012)\");\n script_cve_id(\"CVE-2012-0441\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"RHSA\", value:\"2012:1090-01\");\n script_name(\"RedHat Update for nss and nspr RHSA-2012:1090-01\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss and nspr'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n script_tag(name:\"affected\", value:\"nss and nspr on Red Hat Enterprise Linux (v. 5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"insight\", value:\"Network Security Services (NSS) is a set of libraries designed to support\n the cross-platform development of security-enabled client and server\n applications. Netscape Portable Runtime (NSPR) provides platform\n independence for non-GUI operating system facilities.\n\n A flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\n decoder in NSS handled zero length items. This flaw could cause the decoder\n to incorrectly skip or replace certain items with a default value, or could\n cause an application to crash if, for example, it received a\n specially-crafted OCSP (Online Certificate Status Protocol) response.\n (CVE-2012-0441)\n\n It was found that a Certificate Authority (CA) issued a subordinate CA\n certificate to its customer, that could be used to issue certificates for\n any name. This update renders the subordinate CA certificate as untrusted.\n (BZ#798533)\n\n Note: The BZ#798533 fix only applies to applications using the NSS Builtin\n Object Token. It does not render the certificates untrusted for\n applications that use the NSS library, but do not use the NSS Builtin\n Object Token.\n\n In addition, the nspr package has been upgraded to upstream version 4.9.1,\n and the nss package has been upgraded to upstream version 3.13.5. These\n updates provide a number of bug fixes and enhancements over the previous\n versions. (BZ#834220, BZ#834219)\n\n All NSS and NSPR users should upgrade to these updated packages, which\n correct these issues and add these enhancements. After installing the\n update, applications using NSS and NSPR must be restarted for the changes\n to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.9.1~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nspr-debuginfo\", rpm:\"nspr-debuginfo~4.9.1~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nspr-devel\", rpm:\"nspr-devel~4.9.1~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.13.5~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-debuginfo\", rpm:\"nss-debuginfo~3.13.5~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.13.5~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.13.5~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.13.5~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:39:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881211", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881211", "type": "openvas", "title": "CentOS Update for nspr CESA-2012:1090 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for nspr CESA-2012:1090 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2012-July/018743.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881211\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:46:20 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2012-0441\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"CESA\", value:\"2012:1090\");\n script_name(\"CentOS Update for nspr CESA-2012:1090 centos5\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nspr'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n script_tag(name:\"affected\", value:\"nspr on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Network Security Services (NSS) is a set of libraries designed to support\n the cross-platform development of security-enabled client and server\n applications. Netscape Portable Runtime (NSPR) provides platform\n independence for non-GUI operating system facilities.\n\n A flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\n decoder in NSS handled zero length items. This flaw could cause the decoder\n to incorrectly skip or replace certain items with a default value, or could\n cause an application to crash if, for example, it received a\n specially-crafted OCSP (Online Certificate Status Protocol) response.\n (CVE-2012-0441)\n\n It was found that a Certificate Authority (CA) issued a subordinate CA\n certificate to its customer, that could be used to issue certificates for\n any name. This update renders the subordinate CA certificate as untrusted.\n (BZ#798533)\n\n Note: The BZ#798533 fix only applies to applications using the NSS Builtin\n Object Token. It does not render the certificates untrusted for\n applications that use the NSS library, but do not use the NSS Builtin\n Object Token.\n\n In addition, the nspr package has been upgraded to upstream version 4.9.1,\n and the nss package has been upgraded to upstream version 3.13.5. These\n updates provide a number of bug fixes and enhancements over the previous\n versions. (BZ#834220, BZ#834219)\n\n All NSS and NSPR users should upgrade to these updated packages, which\n correct these issues and add these enhancements. After installing the\n update, applications using NSS and NSPR must be restarted for the changes\n to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.9.1~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nspr-devel\", rpm:\"nspr-devel~4.9.1~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.13.5~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.13.5~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.13.5~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.13.5~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2018-01-02T10:56:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "description": "Check for the Version of nspr", "modified": "2017-12-26T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:881211", "href": "http://plugins.openvas.org/nasl.php?oid=881211", "type": "openvas", "title": "CentOS Update for nspr CESA-2012:1090 centos5 ", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for nspr CESA-2012:1090 centos5 \n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Network Security Services (NSS) is a set of libraries designed to support\n the cross-platform development of security-enabled client and server\n applications. Netscape Portable Runtime (NSPR) provides platform\n independence for non-GUI operating system facilities.\n\n A flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\n decoder in NSS handled zero length items. This flaw could cause the decoder\n to incorrectly skip or replace certain items with a default value, or could\n cause an application to crash if, for example, it received a\n specially-crafted OCSP (Online Certificate Status Protocol) response.\n (CVE-2012-0441)\n \n It was found that a Certificate Authority (CA) issued a subordinate CA\n certificate to its customer, that could be used to issue certificates for\n any name. This update renders the subordinate CA certificate as untrusted.\n (BZ#798533)\n \n Note: The BZ#798533 fix only applies to applications using the NSS Builtin\n Object Token. It does not render the certificates untrusted for\n applications that use the NSS library, but do not use the NSS Builtin\n Object Token.\n \n In addition, the nspr package has been upgraded to upstream version 4.9.1,\n and the nss package has been upgraded to upstream version 3.13.5. These\n updates provide a number of bug fixes and enhancements over the previous\n versions. (BZ#834220, BZ#834219)\n \n All NSS and NSPR users should upgrade to these updated packages, which\n correct these issues and add these enhancements. After installing the\n update, applications using NSS and NSPR must be restarted for the changes\n to take effect.\";\n\ntag_affected = \"nspr on CentOS 5\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2012-July/018743.html\");\n script_id(881211);\n script_version(\"$Revision: 8245 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-26 07:29:59 +0100 (Tue, 26 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:46:20 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2012-0441\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"CESA\", value: \"2012:1090\");\n script_name(\"CentOS Update for nspr CESA-2012:1090 centos5 \");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of nspr\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.9.1~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nspr-devel\", rpm:\"nspr-devel~4.9.1~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.13.5~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.13.5~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.13.5~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.13.5~4.el5_8\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-30T00:00:00", "id": "OPENVAS:1361412562310881124", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881124", "type": "openvas", "title": "CentOS Update for nspr CESA-2012:1091 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for nspr CESA-2012:1091 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2012-July/018746.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.881124\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-30 16:16:07 +0530 (Mon, 30 Jul 2012)\");\n script_cve_id(\"CVE-2012-0441\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name:\"CESA\", value:\"2012:1091\");\n script_name(\"CentOS Update for nspr CESA-2012:1091 centos6\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nspr'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n script_tag(name:\"affected\", value:\"nspr on CentOS 6\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"insight\", value:\"Network Security Services (NSS) is a set of libraries designed to support\n the cross-platform development of security-enabled client and server\n applications. Netscape Portable Runtime (NSPR) provides platform\n independence for non-GUI operating system facilities.\n\n A flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\n decoder in NSS handled zero length items. This flaw could cause the decoder\n to incorrectly skip or replace certain items with a default value, or could\n cause an application to crash if, for example, it received a\n specially-crafted OCSP (Online Certificate Status Protocol) response.\n (CVE-2012-0441)\n\n The nspr package has been upgraded to upstream version 4.9.1, which\n provides a number of bug fixes and enhancements over the previous version.\n (BZ#833762)\n\n The nss-util package has been upgraded to upstream version 3.13.5, which\n provides a number of bug fixes and enhancements over the previous version.\n (BZ#833763)\n\n The nss package has been upgraded to upstream version 3.13.5, which\n provides a number of bug fixes and enhancements over the previous version.\n (BZ#834100)\n\n All NSS, NSPR, and nss-util users are advised to upgrade to these updated\n packages, which correct these issues and add these enhancements. After\n installing this update, applications using NSS, NSPR, or nss-util must be\n restarted for this update to take effect.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.9.1~2.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nspr-devel\", rpm:\"nspr-devel~4.9.1~2.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.13.5~1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.13.5~1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.13.5~1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-sysinit\", rpm:\"nss-sysinit~3.13.5~1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.13.5~1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-util\", rpm:\"nss-util~3.13.5~1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-util-devel\", rpm:\"nss-util-devel~3.13.5~1.el6_3\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:38:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "description": "The remote host is missing an update to nss\nannounced via advisory DSA 2490-1.", "modified": "2019-03-18T00:00:00", "published": "2012-08-10T00:00:00", "id": "OPENVAS:136141256231071467", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071467", "type": "openvas", "title": "Debian Security Advisory DSA 2490-1 (nss)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2490_1.nasl 14275 2019-03-18 14:39:45Z cfischer $\n# Description: Auto-generated from advisory DSA 2490-1 (nss)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.71467\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2012-0441\");\n script_version(\"$Revision: 14275 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:39:45 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-10 03:02:13 -0400 (Fri, 10 Aug 2012)\");\n script_name(\"Debian Security Advisory DSA 2490-1 (nss)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB(6|7)\");\n script_xref(name:\"URL\", value:\"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202490-1\");\n script_tag(name:\"insight\", value:\"Kaspar Brand discovered that Mozilla's Network Security Services (NSS)\nlibrary did insufficient length checking in the QuickDER decoder,\nallowing to crash a program using the library.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 3.12.8-1+squeeze5.\n\nFor the testing distribution (wheezy) and unstable distribution (sid),\nthis problem has been fixed in version 2:3.13.4-3.\");\n\n script_tag(name:\"solution\", value:\"We recommend that you upgrade your nss packages.\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update to nss\nannounced via advisory DSA 2490-1.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"3.12.8-1+squeeze5\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-1d-dbg\", ver:\"3.12.8-1+squeeze5\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-dev\", ver:\"3.12.8-1+squeeze5\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-tools\", ver:\"3.12.8-1+squeeze5\", rls:\"DEB6\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3\", ver:\"2:3.13.5-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"2:3.13.5-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-dbg\", ver:\"2:3.13.5-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-dev\", ver:\"2:3.13.5-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libnss3-tools\", ver:\"2:3.13.5-1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-12-04T11:20:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "description": "Ubuntu Update for Linux kernel vulnerabilities USN-1540-1", "modified": "2017-12-01T00:00:00", "published": "2012-08-17T00:00:00", "id": "OPENVAS:841116", "href": "http://plugins.openvas.org/nasl.php?oid=841116", "type": "openvas", "title": "Ubuntu Update for nss USN-1540-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1540_1.nasl 7960 2017-12-01 06:58:16Z santu $\n#\n# Ubuntu Update for nss USN-1540-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Kaspar Brand discovered a vulnerability in how the Network Security\n Services (NSS) ASN.1 decoder handles zero length items. If the user were\n tricked into opening a specially crafted certificate, an attacker could\n possibly exploit this to cause a denial of service via application crash.\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-1540-1\";\ntag_affected = \"nss on Ubuntu 11.10 ,\n Ubuntu 11.04 ,\n Ubuntu 10.04 LTS\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1540-1/\");\n script_id(841116);\n script_version(\"$Revision: 7960 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:58:16 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-17 10:22:05 +0530 (Fri, 17 Aug 2012)\");\n script_cve_id(\"CVE-2012-0441\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"USN\", value: \"1540-1\");\n script_name(\"Ubuntu Update for nss USN-1540-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"3.12.9+ckbi-1.82-0ubuntu0.10.04.4\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"3.12.9+ckbi-1.82-0ubuntu6.1\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"3.12.9+ckbi-1.82-0ubuntu2.2\", rls:\"UBUNTU11.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-01-06T13:07:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "description": "Check for the Version of nss and nspr", "modified": "2018-01-04T00:00:00", "published": "2012-07-19T00:00:00", "id": "OPENVAS:870789", "href": "http://plugins.openvas.org/nasl.php?oid=870789", "type": "openvas", "title": "RedHat Update for nss and nspr RHSA-2012:1090-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for nss and nspr RHSA-2012:1090-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Network Security Services (NSS) is a set of libraries designed to support\n the cross-platform development of security-enabled client and server\n applications. Netscape Portable Runtime (NSPR) provides platform\n independence for non-GUI operating system facilities.\n\n A flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\n decoder in NSS handled zero length items. This flaw could cause the decoder\n to incorrectly skip or replace certain items with a default value, or could\n cause an application to crash if, for example, it received a\n specially-crafted OCSP (Online Certificate Status Protocol) response.\n (CVE-2012-0441)\n\n It was found that a Certificate Authority (CA) issued a subordinate CA\n certificate to its customer, that could be used to issue certificates for\n any name. This update renders the subordinate CA certificate as untrusted.\n (BZ#798533)\n\n Note: The BZ#798533 fix only applies to applications using the NSS Builtin\n Object Token. It does not render the certificates untrusted for\n applications that use the NSS library, but do not use the NSS Builtin\n Object Token.\n\n In addition, the nspr package has been upgraded to upstream version 4.9.1,\n and the nss package has been upgraded to upstream version 3.13.5. These\n updates provide a number of bug fixes and enhancements over the previous\n versions. (BZ#834220, BZ#834219)\n\n All NSS and NSPR users should upgrade to these updated packages, which\n correct these issues and add these enhancements. After installing the\n update, applications using NSS and NSPR must be restarted for the changes\n to take effect.\";\n\ntag_affected = \"nss and nspr on Red Hat Enterprise Linux (v. 5 server)\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://www.redhat.com/archives/rhsa-announce/2012-July/msg00017.html\");\n script_id(870789);\n script_version(\"$Revision: 8285 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-04 07:29:16 +0100 (Thu, 04 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-19 10:27:57 +0530 (Thu, 19 Jul 2012)\");\n script_cve_id(\"CVE-2012-0441\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"RHSA\", value: \"2012:1090-01\");\n script_name(\"RedHat Update for nss and nspr RHSA-2012:1090-01\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of nss and nspr\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.9.1~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nspr-debuginfo\", rpm:\"nspr-debuginfo~4.9.1~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nspr-devel\", rpm:\"nspr-devel~4.9.1~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.13.5~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-debuginfo\", rpm:\"nss-debuginfo~3.13.5~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.13.5~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.13.5~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.13.5~4.el5_8\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "centos": [{"lastseen": "2019-12-20T18:27:17", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441"], "description": "**CentOS Errata and Security Advisory** CESA-2012:1091\n\n\nNetwork Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the decoder\nto incorrectly skip or replace certain items with a default value, or could\ncause an application to crash if, for example, it received a\nspecially-crafted OCSP (Online Certificate Status Protocol) response.\n(CVE-2012-0441)\n\nThe nspr package has been upgraded to upstream version 4.9.1, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#833762)\n\nThe nss-util package has been upgraded to upstream version 3.13.5, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#833763)\n\nThe nss package has been upgraded to upstream version 3.13.5, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#834100)\n\nAll NSS, NSPR, and nss-util users are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements. After\ninstalling this update, applications using NSS, NSPR, or nss-util must be\nrestarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-July/030784.html\n\n**Affected packages:**\nnspr\nnspr-devel\nnss\nnss-devel\nnss-pkcs11-devel\nnss-sysinit\nnss-tools\nnss-util\nnss-util-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-1091.html", "edition": 3, "modified": "2012-07-18T01:04:20", "published": "2012-07-18T01:04:20", "href": "http://lists.centos.org/pipermail/centos-announce/2012-July/030784.html", "id": "CESA-2012:1091", "title": "nspr, nss security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-20T18:26:57", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441"], "description": "**CentOS Errata and Security Advisory** CESA-2012:1090\n\n\nNetwork Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the decoder\nto incorrectly skip or replace certain items with a default value, or could\ncause an application to crash if, for example, it received a\nspecially-crafted OCSP (Online Certificate Status Protocol) response.\n(CVE-2012-0441)\n\nIt was found that a Certificate Authority (CA) issued a subordinate CA\ncertificate to its customer, that could be used to issue certificates for\nany name. This update renders the subordinate CA certificate as untrusted.\n(BZ#798533)\n\nNote: The BZ#798533 fix only applies to applications using the NSS Builtin\nObject Token. It does not render the certificates untrusted for\napplications that use the NSS library, but do not use the NSS Builtin\nObject Token.\n\nIn addition, the nspr package has been upgraded to upstream version 4.9.1,\nand the nss package has been upgraded to upstream version 3.13.5. These\nupdates provide a number of bug fixes and enhancements over the previous\nversions. (BZ#834220, BZ#834219)\n\nAll NSS and NSPR users should upgrade to these updated packages, which\ncorrect these issues and add these enhancements. After installing the\nupdate, applications using NSS and NSPR must be restarted for the changes\nto take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2012-July/030781.html\n\n**Affected packages:**\nnspr\nnspr-devel\nnss\nnss-devel\nnss-pkcs11-devel\nnss-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2012-1090.html", "edition": 3, "modified": "2012-07-17T20:32:05", "published": "2012-07-17T20:32:05", "href": "http://lists.centos.org/pipermail/centos-announce/2012-July/030781.html", "id": "CESA-2012:1090", "title": "nspr, nss security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:44:54", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441"], "description": "Network Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the decoder\nto incorrectly skip or replace certain items with a default value, or could\ncause an application to crash if, for example, it received a\nspecially-crafted OCSP (Online Certificate Status Protocol) response.\n(CVE-2012-0441)\n\nThe nspr package has been upgraded to upstream version 4.9.1, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#833762)\n\nThe nss-util package has been upgraded to upstream version 3.13.5, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#833763)\n\nThe nss package has been upgraded to upstream version 3.13.5, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#834100)\n\nAll NSS, NSPR, and nss-util users are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements. After\ninstalling this update, applications using NSS, NSPR, or nss-util must be\nrestarted for this update to take effect.\n", "modified": "2018-06-06T20:24:17", "published": "2012-07-17T04:00:00", "id": "RHSA-2012:1091", "href": "https://access.redhat.com/errata/RHSA-2012:1091", "type": "redhat", "title": "(RHSA-2012:1091) Moderate: nss, nspr, and nss-util security, bug fix, and enhancement update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T18:45:44", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441"], "description": "Network Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the decoder\nto incorrectly skip or replace certain items with a default value, or could\ncause an application to crash if, for example, it received a\nspecially-crafted OCSP (Online Certificate Status Protocol) response.\n(CVE-2012-0441)\n\nIt was found that a Certificate Authority (CA) issued a subordinate CA\ncertificate to its customer, that could be used to issue certificates for\nany name. This update renders the subordinate CA certificate as untrusted.\n(BZ#798533)\n\nNote: The BZ#798533 fix only applies to applications using the NSS Builtin\nObject Token. It does not render the certificates untrusted for\napplications that use the NSS library, but do not use the NSS Builtin\nObject Token.\n\nIn addition, the nspr package has been upgraded to upstream version 4.9.1,\nand the nss package has been upgraded to upstream version 3.13.5. These\nupdates provide a number of bug fixes and enhancements over the previous\nversions. (BZ#834220, BZ#834219)\n\nAll NSS and NSPR users should upgrade to these updated packages, which\ncorrect these issues and add these enhancements. After installing the\nupdate, applications using NSS and NSPR must be restarted for the changes\nto take effect.\n", "modified": "2017-09-08T12:18:03", "published": "2012-07-17T04:00:00", "id": "RHSA-2012:1090", "href": "https://access.redhat.com/errata/RHSA-2012:1090", "type": "redhat", "title": "(RHSA-2012:1090) Moderate: nss and nspr security, bug fix, and enhancement update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T18:44:38", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441", "CVE-2012-2313", "CVE-2012-2337", "CVE-2012-2625", "CVE-2012-3406", "CVE-2012-3440", "CVE-2012-3571", "CVE-2012-3817"], "description": "The rhev-hypervisor5 package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization\nHypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor.\nIt includes everything necessary to run and manage virtual machines: A\nsubset of the Red Hat Enterprise Linux operating environment and the Red\nHat Enterprise Virtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions.\n\nIt was discovered that the formatted printing functionality in glibc did\nnot properly restrict the use of alloca(). This could allow an attacker to\nbypass FORTIFY_SOURCE protections and execute arbitrary code using a format\nstring flaw in an application, even though these protections are expected\nto limit the impact of such flaws to an application abort. (CVE-2012-3406)\n\nThis updated package provides updated components that include fixes for\nvarious security issues. These issues have no security impact on Red Hat\nEnterprise Virtualization Hypervisor itself, however. The security fixes\nincluded in this update address the following CVE numbers:\n\nCVE-2012-3817 (bind issue)\n\nCVE-2012-3571 (dhcp issue)\n\nCVE-2012-2313 (kernel issue)\n\nCVE-2012-0441 (nss issue)\n\nCVE-2012-2337 and CVE-2012-3440 (sudo issues)\n\nCVE-2012-2625 (xen issue)\n\nUsers of Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package, which fixes these issues.\n", "modified": "2019-03-22T23:44:55", "published": "2012-08-21T04:00:00", "id": "RHSA-2012:1185", "href": "https://access.redhat.com/errata/RHSA-2012:1185", "type": "redhat", "title": "(RHSA-2012:1185) Moderate: rhev-hypervisor5 security and bug fix update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-08-13T18:45:49", "bulletinFamily": "unix", "cvelist": ["CVE-2011-1078", "CVE-2012-0441", "CVE-2012-1013", "CVE-2012-1015", "CVE-2012-2337", "CVE-2012-2383", "CVE-2012-2668", "CVE-2012-3404", "CVE-2012-3405", "CVE-2012-3406", "CVE-2012-3571", "CVE-2012-3817", "CVE-2012-3954"], "description": "The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes\neverything necessary to run and manage virtual machines: A subset of the\nRed Hat Enterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions.\n\nMultiple errors in glibc's formatted printing functionality could allow an\nattacker to bypass FORTIFY_SOURCE protections and execute arbitrary code\nusing a format string flaw in an application, even though these protections\nare expected to limit the impact of such flaws to an application abort.\n(CVE-2012-3404, CVE-2012-3405, CVE-2012-3406)\n\nThis updated package provides updated components that include fixes for\nvarious security issues. These issues have no security impact on Red Hat\nEnterprise Virtualization Hypervisor itself, however. The security fixes\nincluded in this update address the following CVE numbers:\n\nCVE-2012-3817 (bind issue)\n\nCVE-2012-3571 and CVE-2012-3954 (dhcp issues)\n\nCVE-2011-1078 and CVE-2012-2383 (kernel issues)\n\nCVE-2012-1013 and CVE-2012-1015 (krb5 issues)\n\nCVE-2012-0441 (nss issue)\n\nCVE-2012-2668 (openldap issue)\n\nCVE-2012-2337 (sudo issue)\n\nUsers of Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package, which fixes these issues.\n", "modified": "2018-06-07T08:59:35", "published": "2012-08-23T04:00:00", "id": "RHSA-2012:1200", "href": "https://access.redhat.com/errata/RHSA-2012:1200", "type": "redhat", "title": "(RHSA-2012:1200) Moderate: rhev-hypervisor6 security and bug fix update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:58", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441"], "description": "nspr\n[4.9.1-2]\n- Related: rhbz#833762 - Update License to MPLv2.0\n[4.9.1-1]\n- Resolves: rhbz#833762 - Update to NSPR_4_9_1_RTM\nnss\n[3.13.5-1.0.1.el6_3 ]\n- Added nss-vendor.patch to change vendor\n- Use blank image instead of clean.gif in tar ball\n[3.13.5-1]\n- Resolves: rhbz#834100 - Update to 3.13.5 for mozilla 10.0.6\nnss-util\n[3.13.5-1]\n- Resolves: rhbz#833763 - Update to 3.13.5 for Mozilla 10.0.6", "edition": 4, "modified": "2012-07-17T00:00:00", "published": "2012-07-17T00:00:00", "id": "ELSA-2012-1091", "href": "http://linux.oracle.com/errata/ELSA-2012-1091.html", "title": "nss, nspr, and nss-util security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:39:32", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441"], "description": "nspr\n[4.9.1-4]\n- Resolves: rhbz#834219 - Fix postinstall scriptlet failures\n- Fix %post and %postun lines per packaging guidelines\n- Updated License: to MPLv2.0 per upstream\n[4.9.1-3]\n- Resolves: rhbz#834219 - Ensure nspr-config.in changes get applied\n[4.9.1-2]\n- Resolves: rhbz#834219 - restore top section of nspr-config-pc.patch\n- Needed to prevent multilib regressions\nnss\n[3.13.5-4.0.1.el5_8 ]\n- Update clean.gif in the tarball\n[3.13.5-4]\n- Related: rhbz#834219 - Fix ia64 / i386 multilib nss install failure\n- Remove no longer needed %pre and %preun scriplets meant for nss updates from RHEL-5.0\n[3.13.5-3]\n- Resolves: rhbz#834219 - Fix the changes to the %post line\n- Having multiple commands requires that /sbin/lconfig be the beginning of the scriptlet\n[3.13.5-2]\n- Resolves: rhbz#834219 - Fix multilib and scriptlet problems\n- Fix %post and %postun lines per packaging guildelines\n- Add %{?_isa} to tools Requires: per packaging guidelines\n- Fix explicit-lib-dependency zlib error reported by rpmlint\n[3.13.5-1]\n- Resolves: rhbz#834219 - Update RHEL 5.x to NSS 3.13.5 and NSPR 4.9.1 for Mozilla 10.0.6", "edition": 4, "modified": "2012-07-17T00:00:00", "published": "2012-07-17T00:00:00", "id": "ELSA-2012-1090", "href": "http://linux.oracle.com/errata/ELSA-2012-1090.html", "title": "nss and nspr security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:36:25", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441"], "description": "**Issue Overview:**\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One) decoder in NSS handled zero length items. This flaw could cause the decoder to incorrectly skip or replace certain items with a default value, or could cause an application to crash if, for example, it received a specially-crafted OCSP (Online Certificate Status Protocol) response. ([CVE-2012-0441 __](<https://access.redhat.com/security/cve/CVE-2012-0441>))\n\n \n**Affected Packages:** \n\n\nnss\n\n \n**Issue Correction:** \nRun _yum update nss_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n nss-3.13.5-1.26.amzn1.i686 \n nss-debuginfo-3.13.5-1.26.amzn1.i686 \n nss-pkcs11-devel-3.13.5-1.26.amzn1.i686 \n nss-devel-3.13.5-1.26.amzn1.i686 \n nss-tools-3.13.5-1.26.amzn1.i686 \n nss-sysinit-3.13.5-1.26.amzn1.i686 \n \n src: \n nss-3.13.5-1.26.amzn1.src \n \n x86_64: \n nss-debuginfo-3.13.5-1.26.amzn1.x86_64 \n nss-tools-3.13.5-1.26.amzn1.x86_64 \n nss-sysinit-3.13.5-1.26.amzn1.x86_64 \n nss-pkcs11-devel-3.13.5-1.26.amzn1.x86_64 \n nss-devel-3.13.5-1.26.amzn1.x86_64 \n nss-3.13.5-1.26.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2012-07-25T17:55:00", "published": "2012-07-25T17:55:00", "id": "ALAS-2012-108", "href": "https://alas.aws.amazon.com/ALAS-2012-108.html", "title": "Medium: nss", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "mozilla": [{"lastseen": "2016-09-05T13:37:39", "bulletinFamily": "software", "cvelist": ["CVE-2012-0441"], "edition": 1, "description": "Security researcher Kaspar Brand found a flaw in how the\nNetwork Security Services (NSS) ASN.1 decoder handles zero length items. Effects\nof this issue depend on the field. One known symptom is an unexploitable crash\nin handling OCSP responses. NSS also mishandles zero-length basic constraints,\nassuming default values for some types that should be rejected as malformed.\nThese issues have been addressed in NSS 3.13.4, which is now being used by\nMozilla.", "modified": "2012-06-05T00:00:00", "published": "2012-06-05T00:00:00", "id": "MFSA2012-39", "href": "http://www.mozilla.org/en-US/security/advisories/mfsa2012-39/", "type": "mozilla", "title": "NSS parsing errors with zero length items", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "debian": [{"lastseen": "2020-11-11T13:11:22", "bulletinFamily": "unix", "cvelist": ["CVE-2012-0441"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2490-1 security@debian.org\nhttp://www.debian.org/security/ Thijs Kinkhorst\nJune 7, 2012 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : nss\nVulnerability : denial of service\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2012-0441\n\nKaspar Brand discovered that Mozilla's Network Security Services (NSS)\nlibrary did insufficient length checking in the QuickDER decoder,\nallowing to crash a program using the library.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 3.12.8-1+squeeze5.\n\nFor the testing distribution (wheezy) and unstable distribution (sid),\nthis problem has been fixed in version 2:3.13.4-3.\n\nWe recommend that you upgrade your nss packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 7, "modified": "2012-06-07T20:59:45", "published": "2012-06-07T20:59:45", "id": "DEBIAN:DSA-2490-1:DB4FF", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2012/msg00129.html", "title": "[SECURITY] [DSA 2490-1] nss security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "nessus": [{"lastseen": "2021-01-01T06:38:08", "description": "Kaspar Brand discovered a vulnerability in how the Network Security\nServices (NSS) ASN.1 decoder handles zero length items. If the user\nwere tricked into opening a specially crafted certificate, an attacker\ncould possibly exploit this to cause a denial of service via\napplication crash.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2012-08-17T00:00:00", "title": "Ubuntu 10.04 LTS / 11.04 / 11.10 : nss vulnerability (USN-1540-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libnss3-1d", "cpe:/o:canonical:ubuntu_linux:11.10", "cpe:/o:canonical:ubuntu_linux:11.04", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts"], "id": "UBUNTU_USN-1540-1.NASL", "href": "https://www.tenable.com/plugins/nessus/61569", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1540-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61569);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/09/19 12:54:28\");\n\n script_cve_id(\"CVE-2012-0441\");\n script_bugtraq_id(53798);\n script_xref(name:\"USN\", value:\"1540-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 11.04 / 11.10 : nss vulnerability (USN-1540-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Kaspar Brand discovered a vulnerability in how the Network Security\nServices (NSS) ASN.1 decoder handles zero length items. If the user\nwere tricked into opening a specially crafted certificate, an attacker\ncould possibly exploit this to cause a denial of service via\napplication crash.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1540-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libnss3-1d package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libnss3-1d\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|11\\.04|11\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 11.04 / 11.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"libnss3-1d\", pkgver:\"3.12.9+ckbi-1.82-0ubuntu0.10.04.4\")) flag++;\nif (ubuntu_check(osver:\"11.04\", pkgname:\"libnss3-1d\", pkgver:\"3.12.9+ckbi-1.82-0ubuntu2.2\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"libnss3-1d\", pkgver:\"3.12.9+ckbi-1.82-0ubuntu6.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libnss3-1d\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-06T09:27:52", "description": "Updated nss and nspr packages that fix two security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nIt was found that a Certificate Authority (CA) issued a subordinate CA\ncertificate to its customer, that could be used to issue certificates\nfor any name. This update renders the subordinate CA certificate as\nuntrusted. (BZ#798533)\n\nNote: The BZ#798533 fix only applies to applications using the NSS\nBuiltin Object Token. It does not render the certificates untrusted\nfor applications that use the NSS library, but do not use the NSS\nBuiltin Object Token.\n\nIn addition, the nspr package has been upgraded to upstream version\n4.9.1, and the nss package has been upgraded to upstream version\n3.13.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#834220, BZ#834219)\n\nAll NSS and NSPR users should upgrade to these updated packages, which\ncorrect these issues and add these enhancements. After installing the\nupdate, applications using NSS and NSPR must be restarted for the\nchanges to take effect.", "edition": 24, "published": "2012-07-18T00:00:00", "title": "CentOS 5 : nss (CESA-2012:1090)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "modified": "2012-07-18T00:00:00", "cpe": ["p-cpe:/a:centos:centos:nss-devel", "p-cpe:/a:centos:centos:nss-pkcs11-devel", "p-cpe:/a:centos:centos:nss-tools", "p-cpe:/a:centos:centos:nspr-devel", "p-cpe:/a:centos:centos:nspr", "p-cpe:/a:centos:centos:nss", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2012-1090.NASL", "href": "https://www.tenable.com/plugins/nessus/60000", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:1090 and \n# CentOS Errata and Security Advisory 2012:1090 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60000);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2012-0441\");\n script_bugtraq_id(53798);\n script_xref(name:\"RHSA\", value:\"2012:1090\");\n\n script_name(english:\"CentOS 5 : nss (CESA-2012:1090)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss and nspr packages that fix two security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nIt was found that a Certificate Authority (CA) issued a subordinate CA\ncertificate to its customer, that could be used to issue certificates\nfor any name. This update renders the subordinate CA certificate as\nuntrusted. (BZ#798533)\n\nNote: The BZ#798533 fix only applies to applications using the NSS\nBuiltin Object Token. It does not render the certificates untrusted\nfor applications that use the NSS library, but do not use the NSS\nBuiltin Object Token.\n\nIn addition, the nspr package has been upgraded to upstream version\n4.9.1, and the nss package has been upgraded to upstream version\n3.13.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#834220, BZ#834219)\n\nAll NSS and NSPR users should upgrade to these updated packages, which\ncorrect these issues and add these enhancements. After installing the\nupdate, applications using NSS and NSPR must be restarted for the\nchanges to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2012-July/018743.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?34e4a596\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nss packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-0441\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"nspr-4.9.1-4.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nspr-devel-4.9.1-4.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-3.13.5-4.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-devel-3.13.5-4.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-pkcs11-devel-3.13.5-4.el5_8\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-tools-3.13.5-4.el5_8\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / nss-tools\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T06:38:08", "description": "USN-1540-1 fixed vulnerabilities in NSS. This update provides the\ncorresponding updates for Ubuntu 12.04 LTS.\n\nKaspar Brand discovered a vulnerability in how the Network Security\nServices (NSS) ASN.1 decoder handles zero length items. If the user\nwere tricked into opening a specially crafted certificate, an attacker\ncould possibly exploit this to cause a denial of service via\napplication crash.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "published": "2012-08-22T00:00:00", "title": "Ubuntu 12.04 LTS : nss vulnerability (USN-1540-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libnss3", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1540-2.NASL", "href": "https://www.tenable.com/plugins/nessus/61619", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1540-2. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61619);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/09/19 12:54:28\");\n\n script_cve_id(\"CVE-2012-0441\");\n script_bugtraq_id(53798);\n script_xref(name:\"USN\", value:\"1540-2\");\n\n script_name(english:\"Ubuntu 12.04 LTS : nss vulnerability (USN-1540-2)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"USN-1540-1 fixed vulnerabilities in NSS. This update provides the\ncorresponding updates for Ubuntu 12.04 LTS.\n\nKaspar Brand discovered a vulnerability in how the Network Security\nServices (NSS) ASN.1 decoder handles zero length items. If the user\nwere tricked into opening a specially crafted certificate, an attacker\ncould possibly exploit this to cause a denial of service via\napplication crash.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1540-2/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libnss3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libnss3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/08/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(12\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libnss3\", pkgver:\"3.13.1.with.ckbi.1.88-1ubuntu6.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libnss3\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T13:46:44", "description": "Network Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nThe nspr package has been upgraded to upstream version 4.9.1, which\nprovides a number of bug fixes and enhancements over the previous\nversion.\n\nThe nss-util package has been upgraded to upstream version 3.13.5,\nwhich provides a number of bug fixes and enhancements over the\nprevious version.\n\nThe nss package has been upgraded to upstream version 3.13.5, which\nprovides a number of bug fixes and enhancements over the previous\nversion.\n\nAll NSS, NSPR, and nss-util users are advised to upgrade to these\nupdated packages, which correct these issues and add these\nenhancements. After installing this update, applications using NSS,\nNSPR, or nss-util must be restarted for this update to take effect.", "edition": 15, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : nss, nspr, and nss-util on SL6.x i386/x86_64 (20120717)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "modified": "2012-08-01T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:nss-util-debuginfo", "p-cpe:/a:fermilab:scientific_linux:nss-devel", "p-cpe:/a:fermilab:scientific_linux:nss-debuginfo", "p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel", "p-cpe:/a:fermilab:scientific_linux:nss-util-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:nspr", "p-cpe:/a:fermilab:scientific_linux:nss", "p-cpe:/a:fermilab:scientific_linux:nss-tools", "p-cpe:/a:fermilab:scientific_linux:nspr-devel", "p-cpe:/a:fermilab:scientific_linux:nss-sysinit", "p-cpe:/a:fermilab:scientific_linux:nss-util", "p-cpe:/a:fermilab:scientific_linux:nspr-debuginfo"], "id": "SL_20120717_NSS__NSPR__AND_NSS_UTIL_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/nessus/61365", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61365);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2012-0441\");\n\n script_name(english:\"Scientific Linux Security Update : nss, nspr, and nss-util on SL6.x i386/x86_64 (20120717)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Network Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nThe nspr package has been upgraded to upstream version 4.9.1, which\nprovides a number of bug fixes and enhancements over the previous\nversion.\n\nThe nss-util package has been upgraded to upstream version 3.13.5,\nwhich provides a number of bug fixes and enhancements over the\nprevious version.\n\nThe nss package has been upgraded to upstream version 3.13.5, which\nprovides a number of bug fixes and enhancements over the previous\nversion.\n\nAll NSS, NSPR, and nss-util users are advised to upgrade to these\nupdated packages, which correct these issues and add these\nenhancements. After installing this update, applications using NSS,\nNSPR, or nss-util must be restarted for this update to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1207&L=scientific-linux-errata&T=0&P=5183\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?733f44b3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-util-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"nspr-4.9.1-2.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nspr-debuginfo-4.9.1-2.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nspr-devel-4.9.1-2.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-debuginfo-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-devel-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-pkcs11-devel-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-sysinit-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-tools-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-util-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-util-debuginfo-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-util-devel-3.13.5-1.el6_3\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / nspr-devel / nss / nss-debuginfo / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T13:10:58", "description": "Updated nss and nspr packages that fix two security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nIt was found that a Certificate Authority (CA) issued a subordinate CA\ncertificate to its customer, that could be used to issue certificates\nfor any name. This update renders the subordinate CA certificate as\nuntrusted. (BZ#798533)\n\nNote: The BZ#798533 fix only applies to applications using the NSS\nBuiltin Object Token. It does not render the certificates untrusted\nfor applications that use the NSS library, but do not use the NSS\nBuiltin Object Token.\n\nIn addition, the nspr package has been upgraded to upstream version\n4.9.1, and the nss package has been upgraded to upstream version\n3.13.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#834220, BZ#834219)\n\nAll NSS and NSPR users should upgrade to these updated packages, which\ncorrect these issues and add these enhancements. After installing the\nupdate, applications using NSS and NSPR must be restarted for the\nchanges to take effect.", "edition": 25, "published": "2012-07-18T00:00:00", "title": "RHEL 5 : nss and nspr (RHSA-2012:1090)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "modified": "2012-07-18T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:nss-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nspr-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nss-devel", "p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel", "p-cpe:/a:redhat:enterprise_linux:nss-tools", "p-cpe:/a:redhat:enterprise_linux:nspr", "p-cpe:/a:redhat:enterprise_linux:nss", "p-cpe:/a:redhat:enterprise_linux:nspr-devel"], "id": "REDHAT-RHSA-2012-1090.NASL", "href": "https://www.tenable.com/plugins/nessus/60010", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:1090. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60010);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2012-0441\");\n script_bugtraq_id(53798);\n script_xref(name:\"RHSA\", value:\"2012:1090\");\n\n script_name(english:\"RHEL 5 : nss and nspr (RHSA-2012:1090)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss and nspr packages that fix two security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nIt was found that a Certificate Authority (CA) issued a subordinate CA\ncertificate to its customer, that could be used to issue certificates\nfor any name. This update renders the subordinate CA certificate as\nuntrusted. (BZ#798533)\n\nNote: The BZ#798533 fix only applies to applications using the NSS\nBuiltin Object Token. It does not render the certificates untrusted\nfor applications that use the NSS library, but do not use the NSS\nBuiltin Object Token.\n\nIn addition, the nspr package has been upgraded to upstream version\n4.9.1, and the nss package has been upgraded to upstream version\n3.13.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#834220, BZ#834219)\n\nAll NSS and NSPR users should upgrade to these updated packages, which\ncorrect these issues and add these enhancements. After installing the\nupdate, applications using NSS and NSPR must be restarted for the\nchanges to take effect.\"\n );\n # http://www.mozilla.org/security/announce/2012/mfsa2012-39.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2012-39/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2012:1090\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-0441\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2012:1090\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"nspr-4.9.1-4.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"nspr-debuginfo-4.9.1-4.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"nspr-devel-4.9.1-4.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"nss-3.13.5-4.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"nss-debuginfo-3.13.5-4.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"nss-devel-3.13.5-4.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"nss-pkcs11-devel-3.13.5-4.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"nss-tools-3.13.5-4.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"nss-tools-3.13.5-4.el5_8\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"nss-tools-3.13.5-4.el5_8\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / nspr-devel / nss / nss-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T12:47:04", "description": "From Red Hat Security Advisory 2012:1090 :\n\nUpdated nss and nspr packages that fix two security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nIt was found that a Certificate Authority (CA) issued a subordinate CA\ncertificate to its customer, that could be used to issue certificates\nfor any name. This update renders the subordinate CA certificate as\nuntrusted. (BZ#798533)\n\nNote: The BZ#798533 fix only applies to applications using the NSS\nBuiltin Object Token. It does not render the certificates untrusted\nfor applications that use the NSS library, but do not use the NSS\nBuiltin Object Token.\n\nIn addition, the nspr package has been upgraded to upstream version\n4.9.1, and the nss package has been upgraded to upstream version\n3.13.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#834220, BZ#834219)\n\nAll NSS and NSPR users should upgrade to these updated packages, which\ncorrect these issues and add these enhancements. After installing the\nupdate, applications using NSS and NSPR must be restarted for the\nchanges to take effect.", "edition": 21, "published": "2013-07-12T00:00:00", "title": "Oracle Linux 5 : nspr / nss (ELSA-2012-1090)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "modified": "2013-07-12T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:nss-pkcs11-devel", "p-cpe:/a:oracle:linux:nspr-devel", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:nss-devel", "p-cpe:/a:oracle:linux:nspr", "p-cpe:/a:oracle:linux:nss", "p-cpe:/a:oracle:linux:nss-tools"], "id": "ORACLELINUX_ELSA-2012-1090.NASL", "href": "https://www.tenable.com/plugins/nessus/68580", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2012:1090 and \n# Oracle Linux Security Advisory ELSA-2012-1090 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(68580);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2012-0441\");\n script_bugtraq_id(53798);\n script_xref(name:\"RHSA\", value:\"2012:1090\");\n\n script_name(english:\"Oracle Linux 5 : nspr / nss (ELSA-2012-1090)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2012:1090 :\n\nUpdated nss and nspr packages that fix two security issues, several\nbugs, and add various enhancements are now available for Red Hat\nEnterprise Linux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nIt was found that a Certificate Authority (CA) issued a subordinate CA\ncertificate to its customer, that could be used to issue certificates\nfor any name. This update renders the subordinate CA certificate as\nuntrusted. (BZ#798533)\n\nNote: The BZ#798533 fix only applies to applications using the NSS\nBuiltin Object Token. It does not render the certificates untrusted\nfor applications that use the NSS library, but do not use the NSS\nBuiltin Object Token.\n\nIn addition, the nspr package has been upgraded to upstream version\n4.9.1, and the nss package has been upgraded to upstream version\n3.13.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#834220, BZ#834219)\n\nAll NSS and NSPR users should upgrade to these updated packages, which\ncorrect these issues and add these enhancements. After installing the\nupdate, applications using NSS and NSPR must be restarted for the\nchanges to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2012-July/002942.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected nspr and / or nss packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"nspr-4.9.1-4.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nspr-devel-4.9.1-4.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-3.13.5-4.0.1.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-devel-3.13.5-4.0.1.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-pkcs11-devel-3.13.5-4.0.1.el5_8\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-tools-3.13.5-4.0.1.el5_8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / nss-tools\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T13:46:44", "description": "Network Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nIt was found that a Certificate Authority (CA) issued a subordinate CA\ncertificate to its customer, that could be used to issue certificates\nfor any name. This update renders the subordinate CA certificate as\nuntrusted.\n\nNote: The above fix only applies to applications using the NSS Builtin\nObject Token. It does not render the certificates untrusted for\napplications that use the NSS library, but do not use the NSS Builtin\nObject Token.\n\nIn addition, the nspr package has been upgraded to upstream version\n4.9.1, and the nss package has been upgraded to upstream version\n3.13.5. These updates provide a number of bug fixes and enhancements\nover the previous versions.\n\nAll NSS and NSPR users should upgrade to these updated packages, which\ncorrect these issues and add these enhancements. After installing the\nupdate, applications using NSS and NSPR must be restarted for the\nchanges to take effect.", "edition": 14, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64 (20120717)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "modified": "2012-08-01T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:nss-devel", "p-cpe:/a:fermilab:scientific_linux:nss-debuginfo", "p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:nspr", "p-cpe:/a:fermilab:scientific_linux:nss", "p-cpe:/a:fermilab:scientific_linux:nss-tools", "p-cpe:/a:fermilab:scientific_linux:nspr-devel", "p-cpe:/a:fermilab:scientific_linux:nspr-debuginfo"], "id": "SL_20120717_NSS_AND_NSPR_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/61366", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(61366);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2012-0441\");\n\n script_name(english:\"Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64 (20120717)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Network Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nIt was found that a Certificate Authority (CA) issued a subordinate CA\ncertificate to its customer, that could be used to issue certificates\nfor any name. This update renders the subordinate CA certificate as\nuntrusted.\n\nNote: The above fix only applies to applications using the NSS Builtin\nObject Token. It does not render the certificates untrusted for\napplications that use the NSS library, but do not use the NSS Builtin\nObject Token.\n\nIn addition, the nspr package has been upgraded to upstream version\n4.9.1, and the nss package has been upgraded to upstream version\n3.13.5. These updates provide a number of bug fixes and enhancements\nover the previous versions.\n\nAll NSS and NSPR users should upgrade to these updated packages, which\ncorrect these issues and add these enhancements. After installing the\nupdate, applications using NSS and NSPR must be restarted for the\nchanges to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1207&L=scientific-linux-errata&T=0&P=5330\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c5537e4a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"nspr-4.9.1-4.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nspr-debuginfo-4.9.1-4.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nspr-devel-4.9.1-4.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nss-3.13.5-4.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nss-debuginfo-3.13.5-4.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nss-devel-3.13.5-4.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nss-pkcs11-devel-3.13.5-4.el5_8\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nss-tools-3.13.5-4.el5_8\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / nspr-devel / nss / nss-debuginfo / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-12T09:47:30", "description": "Kaspar Brand discovered that Mozilla's Network Security Services (NSS)\nlibraries did insufficient length checking in the QuickDER decoder,\nallowing to crash a program using the libraries.", "edition": 17, "published": "2012-06-29T00:00:00", "title": "Debian DSA-2490-1 : nss - denial of service", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "modified": "2012-06-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:nss"], "id": "DEBIAN_DSA-2490.NASL", "href": "https://www.tenable.com/plugins/nessus/59768", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2490. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59768);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-0441\");\n script_xref(name:\"DSA\", value:\"2490\");\n\n script_name(english:\"Debian DSA-2490-1 : nss - denial of service\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Kaspar Brand discovered that Mozilla's Network Security Services (NSS)\nlibraries did insufficient length checking in the QuickDER decoder,\nallowing to crash a program using the libraries.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/nss\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2012/dsa-2490\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the nss packages.\n\nFor the stable distribution (squeeze), this problem has been fixed in\nversion 3.12.8-1+squeeze5.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"libnss3-1d\", reference:\"3.12.8-1+squeeze5\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libnss3-1d-dbg\", reference:\"3.12.8-1+squeeze5\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libnss3-dev\", reference:\"3.12.8-1+squeeze5\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libnss3-tools\", reference:\"3.12.8-1+squeeze5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-06T09:27:52", "description": "Updated nss, nss-util, and nspr packages that fix one security issue,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nThe nspr package has been upgraded to upstream version 4.9.1, which\nprovides a number of bug fixes and enhancements over the previous\nversion. (BZ#833762)\n\nThe nss-util package has been upgraded to upstream version 3.13.5,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. (BZ#833763)\n\nThe nss package has been upgraded to upstream version 3.13.5, which\nprovides a number of bug fixes and enhancements over the previous\nversion. (BZ#834100)\n\nAll NSS, NSPR, and nss-util users are advised to upgrade to these\nupdated packages, which correct these issues and add these\nenhancements. After installing this update, applications using NSS,\nNSPR, or nss-util must be restarted for this update to take effect.", "edition": 24, "published": "2012-07-18T00:00:00", "title": "CentOS 6 : nss (CESA-2012:1091)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "modified": "2012-07-18T00:00:00", "cpe": ["p-cpe:/a:centos:centos:nss-devel", "p-cpe:/a:centos:centos:nss-util-devel", "cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:nss-util", "p-cpe:/a:centos:centos:nss-pkcs11-devel", "p-cpe:/a:centos:centos:nss-tools", "p-cpe:/a:centos:centos:nspr-devel", "p-cpe:/a:centos:centos:nspr", "p-cpe:/a:centos:centos:nss", "p-cpe:/a:centos:centos:nss-sysinit"], "id": "CENTOS_RHSA-2012-1091.NASL", "href": "https://www.tenable.com/plugins/nessus/60001", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2012:1091 and \n# CentOS Errata and Security Advisory 2012:1091 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60001);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2012-0441\");\n script_bugtraq_id(53798);\n script_xref(name:\"RHSA\", value:\"2012:1091\");\n\n script_name(english:\"CentOS 6 : nss (CESA-2012:1091)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss, nss-util, and nspr packages that fix one security issue,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from\nthe CVE link in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\n\nThe nspr package has been upgraded to upstream version 4.9.1, which\nprovides a number of bug fixes and enhancements over the previous\nversion. (BZ#833762)\n\nThe nss-util package has been upgraded to upstream version 3.13.5,\nwhich provides a number of bug fixes and enhancements over the\nprevious version. (BZ#833763)\n\nThe nss package has been upgraded to upstream version 3.13.5, which\nprovides a number of bug fixes and enhancements over the previous\nversion. (BZ#834100)\n\nAll NSS, NSPR, and nss-util users are advised to upgrade to these\nupdated packages, which correct these issues and add these\nenhancements. After installing this update, applications using NSS,\nNSPR, or nss-util must be restarted for this update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2012-July/018746.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?dde1b710\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nss packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-0441\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"nspr-4.9.1-2.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nspr-devel-4.9.1-2.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-devel-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-pkcs11-devel-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-sysinit-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-tools-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-util-3.13.5-1.el6_3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-util-devel-3.13.5-1.el6_3\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-01T01:18:01", "description": "A flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)", "edition": 23, "published": "2013-09-04T00:00:00", "title": "Amazon Linux AMI : nss (ALAS-2012-108)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0441"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:nss-sysinit", "p-cpe:/a:amazon:linux:nss-devel", "p-cpe:/a:amazon:linux:nss", "p-cpe:/a:amazon:linux:nss-debuginfo", "p-cpe:/a:amazon:linux:nss-pkcs11-devel", "p-cpe:/a:amazon:linux:nss-tools", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2012-108.NASL", "href": "https://www.tenable.com/plugins/nessus/69598", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2012-108.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69598);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/04/18 15:09:34\");\n\n script_cve_id(\"CVE-2012-0441\");\n script_xref(name:\"ALAS\", value:\"2012-108\");\n script_xref(name:\"RHSA\", value:\"2012:1091\");\n\n script_name(english:\"Amazon Linux AMI : nss (ALAS-2012-108)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was found in the way the ASN.1 (Abstract Syntax Notation One)\ndecoder in NSS handled zero length items. This flaw could cause the\ndecoder to incorrectly skip or replace certain items with a default\nvalue, or could cause an application to crash if, for example, it\nreceived a specially crafted OCSP (Online Certificate Status Protocol)\nresponse. (CVE-2012-0441)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2012-108.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update nss' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"nss-3.13.5-1.26.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nss-debuginfo-3.13.5-1.26.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nss-devel-3.13.5-1.26.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nss-pkcs11-devel-3.13.5-1.26.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nss-sysinit-3.13.5-1.26.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nss-tools-3.13.5-1.26.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nss / nss-debuginfo / nss-devel / nss-pkcs11-devel / nss-sysinit / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "vmware": [{"lastseen": "2019-11-06T16:05:38", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1148", "CVE-2012-5703", "CVE-2011-4944", "CVE-2012-3817", "CVE-2012-1150", "CVE-2012-0876", "CVE-2012-1667", "CVE-2011-4940", "CVE-2012-0441", "CVE-2012-1033"], "description": "a. VMware vSphere API denial of service vulnerability \nThe VMware vSphere API contains a denial of service vulnerability. This issue allows an unauthenticated user to send a maliciously crafted API request and disable the host daemon. Exploitation of the issue would prevent management activities on the host but any virtual machines running on the host would be unaffected. \nVMware would like to thank Sebasti\u00e1n Tello of Core Security Technologies for reporting this issue to us. \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-5703 to this issue. \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "edition": 4, "modified": "2012-11-15T00:00:00", "published": "2012-11-15T00:00:00", "id": "VMSA-2012-0016", "href": "https://www.vmware.com/security/advisories/VMSA-2012-0016.html", "title": "VMware security updates for vSphere API and ESX Service Console", "type": "vmware", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:08:46", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1945", "CVE-2012-1944", "CVE-2012-1940", "CVE-2012-1938", "CVE-2012-1941", "CVE-2012-1946", "CVE-2011-3101", "CVE-2012-1947", "CVE-2012-0441", "CVE-2012-1937"], "description": "Changes in MozillaFirefox:\n - update to Firefox 13.0 (bnc#765204)\n * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101\n Miscellaneous memory safety hazards\n * MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content\n Security Policy inline-script bypass\n * MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information\n disclosure though Windows file shares and shortcut files\n * MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free\n while replacing/inserting a node in a document\n * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941\n Buffer overflow and use-after-free issues found using\n Address Sanitizer\n - require NSS 3.13.4\n * MFSA 2012-39/CVE-2012-0441 (bmo#715073)\n - fix sound notifications when filename/path contains a\n whitespace (bmo#749739)\n\n - fix build on arm\n\n - reenabled crashreporter for Factory/12.2 (fix in\n mozilla-gcc47.patch)\n\n Changes in MozillaThunderbird:\n - update to Thunderbird 13.0 (bnc#765204)\n * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101\n Miscellaneous memory safety hazards\n * MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content\n Security Policy inline-script bypass\n * MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information\n disclosure though Windows file shares and shortcut files\n * MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free\n while replacing/inserting a node in a document\n * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941\n Buffer overflow and use-after-free issues found using\n Address Sanitizer\n - require NSS 3.13.4\n * MFSA 2012-39/CVE-2012-0441 (bmo#715073)\n - fix build with system NSPR (mozilla-system-nspr.patch)\n - add dependentlibs.list for improved XRE startup\n - update enigmail to 1.4.2\n\n - reenabled crashreporter for Factory/12.2 (fix in\n mozilla-gcc47.patch)\n\n - update to Thunderbird 12.0.1\n * fix regressions\n - POP3 filters (bmo#748090)\n - Message Body not loaded when using "Fetch Headers\n Only" (bmo#748865)\n - Received messages contain parts of other messages\n with movemail account (bmo#748726)\n - New mail notification issue (bmo#748997)\n - crash in nsMsgDatabase::MatchDbName (bmo#748432)\n\n - fixed build with gcc 4.7\n\n Changes in seamonkey:\n - update to Seamonkey 2.10 (bnc#765204)\n * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101\n Miscellaneous memory safety hazards\n * MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content\n Security Policy inline-script bypass\n * MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information\n disclosure though Windows file shares and shortcut files\n * MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free\n while replacing/inserting a node in a document\n * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941\n Buffer overflow and use-after-free issues found using\n Address Sanitizer\n - requires NSS 3.13.4\n * MFSA 2012-39/CVE-2012-0441 (bmo#715073)\n\n - update to Seamonkey 2.9.1\n * fix regressions\n - POP3 filters (bmo#748090)\n - Message Body not loaded when using "Fetch Headers\n Only" (bmo#748865)\n - Received messages contain parts of other messages\n with movemail account (bmo#748726)\n - New mail notification issue (bmo#748997)\n - crash in nsMsgDatabase::MatchDbName (bmo#748432)\n\n - fixed build with gcc 4.7\n\n Changes in mozilla-nss:\n - update to 3.13.5 RTM\n\n - update to 3.13.4 RTM\n * fixed some bugs\n * fixed cert verification regression in PKIX mode\n (bmo#737802) introduced in 3.13.2\n\n Changes in xulrunner:\n - update to 13.0 (bnc#765204)\n * MFSA 2012-34/CVE-2012-1938/CVE-2012-1937/CVE-2011-3101\n Miscellaneous memory safety hazards\n * MFSA 2012-36/CVE-2012-1944 (bmo#751422) Content\n Security Policy inline-script bypass\n * MFSA 2012-37/CVE-2012-1945 (bmo#670514) Information\n disclosure though Windows file shares and shortcut files\n * MFSA 2012-38/CVE-2012-1946 (bmo#750109) Use-after-free\n while replacing/inserting a node in a document\n * MFSA 2012-40/CVE-2012-1947/CVE-2012-1940/CVE-2012-1941\n Buffer overflow and use-after-free issues found using\n Address Sanitizer\n - require NSS 3.13.4\n * MFSA 2012-39/CVE-2012-0441 (bmo#715073)\n - reenabled crashreporter for Factory/12.2 (fixed in\n mozilla-gcc47.patch)\n\n", "edition": 1, "modified": "2012-06-19T12:08:31", "published": "2012-06-19T12:08:31", "id": "OPENSUSE-SU-2012:0760-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00015.html", "title": "MozillaFirefox, MozillaThunderbird, mozilla-nss, seamonkey, xulrunner: June (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:11:40", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1945", "CVE-2012-1944", "CVE-2012-1940", "CVE-2012-1938", "CVE-2012-1941", "CVE-2012-1946", "CVE-2011-3101", "CVE-2012-1939", "CVE-2012-1942", "CVE-2012-1947", "CVE-2012-0441", "CVE-2012-1937", "CVE-2012-1943"], "description": "MozillaFirefox has been updated to 10.0.5ESR fixing various\n bugs and security issues.\n\n *\n\n MFSA 2012-34 Mozilla developers identified and fixed\n several memory safety bugs in the browser engine used in\n Firefox and other Mozilla-based products. Some of these\n bugs showed evidence of memory corruption under certain\n circumstances, and we presume that with enough effort at\n least some of these could be exploited to run arbitrary\n code.\n\n In general these flaws cannot be exploited through\n email in the Thunderbird and SeaMonkey products because\n scripting is disabled, but are potentially a risk in\n browser or browser-like contexts in those products.\n References\n\n Jesse Ruderman, Igor Bukanov, Bill McCloskey,\n Christian Holler, Andrew McCreight, and Brian Bondy\n reported memory safety problems and crashes that affect\n Firefox 12.(CVE-2012-1938)\n\n Christian Holler reported a memory safety problem\n that affects Firefox ESR. (CVE-2012-1939)\n\n Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse\n Ruderman reported memory safety problems and crashes that\n affect Firefox ESR and Firefox 13. (CVE-2012-1937)\n\n Ken Russell of Google reported a bug in NVIDIA\n graphics drivers that they needed to work around in the\n Chromium WebGL implementation. Mozilla has done the same in\n Firefox 13 and ESR 10.0.5. (CVE-2011-3101)\n\n *\n\n MFSA 2012-35 Security researcher James Forshaw of\n Context Information Security found two issues with the\n Mozilla updater and the Mozilla updater service introduced\n in Firefox 12 for Windows. The first issue allows Mozilla's\n updater to load a local DLL file in a privileged context.\n The updater can be called by the Updater Service or\n independently on systems that do not use the service. The\n second of these issues allows for the updater service to\n load an arbitrary local DLL file, which can then be run\n with the same system privileges used by the service. Both\n of these issues require local file system access to be\n exploitable.\n\n Possible Arbitrary Code Execution by Update Service\n (CVE-2012-1942) Updater.exe loads wsock32.dll from\n application directory (CVE-2012-1943)\n\n *\n\n MFSA 2012-36 Security researcher Adam Barth found\n that inline event handlers, such as onclick, were no longer\n blocked by Content Security Policy's (CSP) inline-script\n blocking feature. Web applications relying on this feature\n of CSP to protect against cross-site scripting (XSS) were\n not fully protected. (CVE-2012-1944)\n\n *\n\n MFSA 2012-37 Security researcher Paul Stone reported\n an attack where an HTML page hosted on a Windows share and\n then loaded could then load Windows shortcut files (.lnk)\n in the same share. These shortcut files could then link to\n arbitrary locations on the local file system of the\n individual loading the HTML page. That page could show the\n contents of these linked files or directories from the\n local file system in an iframe, causing information\n disclosure.\n\n This issue could potentially affect Linux machines\n with samba shares enabled. (CVE-2012-1945)\n\n *\n\n MFSA 2012-38 Security researcher Arthur Gerkis used\n the Address Sanitizer tool to find a use-after-free while\n replacing/inserting a node in a document. This\n use-after-free could possibly allow for remote code\n execution. (CVE-2012-1946)\n\n *\n\n MFSA 2012-39 Security researcher Kaspar Brand found a\n flaw in how the Network Security Services (NSS) ASN.1\n decoder handles zero length items. Effects of this issue\n depend on the field. One known symptom is an unexploitable\n crash in handling OCSP responses. NSS also mishandles\n zero-length basic constraints, assuming default values for\n some types that should be rejected as malformed. These\n issues have been addressed in NSS 3.13.4, which is now\n being used by Mozilla. (CVE-2012-0441)\n\n *\n\n MFSA 2012-40 Security researcher Abhishek Arya of\n Google used the Address Sanitizer tool to uncover several\n issues: two heap buffer overflow bugs and a use-after-free\n problem. The first heap buffer overflow was found in\n conversion from unicode to native character sets when the\n function fails. The use-after-free occurs in nsFrameList\n when working with column layout with absolute positioning\n in a container that changes size. The second buffer\n overflow occurs in nsHTMLReflowState when a window is\n resized on a page with nested columns and a combination of\n absolute and relative positioning. All three of these\n issues are potentially exploitable.\n\n Heap-buffer-overflow in utf16_to_isolatin1\n (CVE-2012-1947) Heap-use-after-free in\n nsFrameList::FirstChild (CVE-2012-1940)\n\n Heap-buffer-overflow in\n nsHTMLReflowState::CalculateHypotheticalBox, with nested\n multi-column, relative position, and absolute position\n (CVE-2012-1941)\n\n More information on security issues can be found on:\n <a rel=\"nofollow\" href=\"http://www.mozilla.org/security/announce/\">http://www.mozilla.org/security/announce/</a>\n <<a rel=\"nofollow\" href=\"http://www.mozilla.org/security/announce/\">http://www.mozilla.org/security/announce/</a>>\n\n", "edition": 1, "modified": "2012-06-15T22:08:23", "published": "2012-06-15T22:08:23", "id": "SUSE-SU-2012:0746-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00012.html", "type": "suse", "title": "Security update for Mozilla Firefox (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:21:58", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1945", "CVE-2011-3648", "CVE-2014-1505", "CVE-2014-1536", "CVE-2011-0061", "CVE-2011-0077", "CVE-2014-1513", "CVE-2012-0478", "CVE-2012-4193", "CVE-2012-0442", "CVE-2013-5601", "CVE-2013-1687", "CVE-2013-5612", "CVE-2013-1692", "CVE-2010-0654", "CVE-2012-1962", "CVE-2013-0743", "CVE-2012-0443", "CVE-2012-5842", "CVE-2012-4212", "CVE-2013-5595", "CVE-2010-0176", "CVE-2014-1530", "CVE-2011-0083", "CVE-2010-1203", "CVE-2013-1737", "CVE-2012-4214", "CVE-2008-1236", "CVE-2013-5611", "CVE-2012-1970", "CVE-2008-3835", "CVE-2013-1709", "CVE-2007-3738", "CVE-2012-3989", "CVE-2013-5616", "CVE-2013-1678", "CVE-2010-2762", "CVE-2012-5830", "CVE-2013-0763", "CVE-2014-1510", "CVE-2011-3026", "CVE-2012-0460", "CVE-2013-5613", "CVE-2012-1973", "CVE-2014-1522", "CVE-2011-3654", "CVE-2014-1567", "CVE-2012-1974", "CVE-2010-2766", "CVE-2012-4195", "CVE-2012-3986", "CVE-2013-0783", "CVE-2007-3734", "CVE-2011-2371", "CVE-2014-1481", "CVE-2013-1670", "CVE-2012-4185", "CVE-2010-3777", "CVE-2012-3991", "CVE-2013-1719", "CVE-2012-3968", "CVE-2013-1725", "CVE-2012-3963", "CVE-2014-1539", "CVE-2010-0174", "CVE-2012-0452", "CVE-2013-1735", "CVE-2012-1956", "CVE-2014-1487", "CVE-2012-3978", "CVE-2012-3985", "CVE-2013-0746", "CVE-2012-5829", "CVE-2009-1571", "CVE-2012-1944", "CVE-2012-5838", "CVE-2011-2986", "CVE-2010-1205", "CVE-2014-1538", "CVE-2012-4213", "CVE-2013-1685", "CVE-2012-0479", "CVE-2013-5609", "CVE-2007-3737", "CVE-2013-0766", "CVE-2007-3736", "CVE-2012-1940", "CVE-2013-1697", "CVE-2014-1484", "CVE-2014-1525", "CVE-2012-3993", "CVE-2013-5619", "CVE-2012-5837", "CVE-2008-5500", "CVE-2012-5836", "CVE-2014-1509", "CVE-2009-0772", "CVE-2013-0787", "CVE-2012-3995", "CVE-2012-4201", "CVE-2010-0159", "CVE-2009-0773", "CVE-2011-3659", "CVE-2011-3663", "CVE-2014-1494", "CVE-2014-1559", "CVE-2013-0747", "CVE-2012-0470", "CVE-2012-0446", "CVE-2008-4063", "CVE-2014-1537", "CVE-2013-1694", "CVE-2014-1523", "CVE-2012-1972", "CVE-2010-1200", "CVE-2010-0175", "CVE-2012-3988", "CVE-2012-0457", "CVE-2010-3778", "CVE-2012-3994", "CVE-2013-5615", "CVE-2013-1680", "CVE-2012-3962", "CVE-2012-0459", "CVE-2011-2362", "CVE-2014-1529", "CVE-2013-1724", "CVE-2010-1213", "CVE-2013-5597", "CVE-2012-5843", "CVE-2014-1543", "CVE-2014-1486", "CVE-2011-0085", "CVE-2013-5590", "CVE-2008-5510", "CVE-2011-0080", "CVE-2013-0780", "CVE-2008-5502", "CVE-2010-3765", "CVE-2013-1732", "CVE-2013-0744", "CVE-2013-0795", "CVE-2008-1237", "CVE-2013-1720", "CVE-2008-4070", "CVE-2013-0748", "CVE-2012-4183", "CVE-2010-3178", "CVE-2013-1679", "CVE-2007-3285", "CVE-2013-5610", "CVE-2013-0768", "CVE-2011-3661", "CVE-2012-4181", "CVE-2014-1532", "CVE-2013-6671", "CVE-2009-0040", "CVE-2011-3652", "CVE-2013-0755", "CVE-2008-4067", "CVE-2014-1548", "CVE-2011-2364", "CVE-2014-1531", "CVE-2013-0752", "CVE-2012-4186", "CVE-2014-1508", "CVE-2012-1948", "CVE-2008-5012", "CVE-2012-1938", "CVE-2013-0796", "CVE-2012-0449", "CVE-2010-3769", "CVE-2012-3969", "CVE-2014-1502", "CVE-2013-1723", "CVE-2013-0782", "CVE-2012-1953", "CVE-2012-1949", "CVE-2014-1542", "CVE-2012-0456", "CVE-2011-2372", "CVE-2010-3169", "CVE-2012-3970", "CVE-2011-0053", "CVE-2012-5840", "CVE-2010-3176", "CVE-2012-4191", "CVE-2010-3174", "CVE-2010-3768", "CVE-2014-1477", "CVE-2013-0800", "CVE-2010-1212", "CVE-2013-1681", "CVE-2010-1211", "CVE-2010-1121", "CVE-2013-0773", "CVE-2013-0754", "CVE-2010-3167", "CVE-2012-4202", "CVE-2010-3180", "CVE-2012-3957", "CVE-2011-3660", "CVE-2014-1540", "CVE-2014-1534", "CVE-2012-1941", "CVE-2013-1738", "CVE-2014-1482", "CVE-2014-1479", "CVE-2008-4066", "CVE-2008-5018", "CVE-2012-3984", "CVE-2014-1504", "CVE-2012-0444", "CVE-2011-3650", "CVE-2014-1511", "CVE-2010-2753", "CVE-2012-1946", "CVE-2010-3776", "CVE-2012-4182", "CVE-2008-1233", "CVE-2012-4187", "CVE-2012-3983", "CVE-2011-0062", "CVE-2008-0016", "CVE-2011-3101", "CVE-2010-3168", "CVE-2013-0788", "CVE-2013-1728", "CVE-2014-1545", "CVE-2010-0173", "CVE-2012-0472", "CVE-2013-5592", "CVE-2013-1730", "CVE-2008-4059", "CVE-2010-2764", "CVE-2014-1492", "CVE-2011-0081", "CVE-2009-0771", "CVE-2007-3670", "CVE-2012-1954", "CVE-2009-0774", "CVE-2014-1556", "CVE-2012-0461", "CVE-2011-2376", "CVE-2012-3958", "CVE-2012-0469", "CVE-2014-1563", "CVE-2014-1524", "CVE-2014-1512", "CVE-2012-1975", "CVE-2011-0075", "CVE-2013-1690", "CVE-2012-0464", "CVE-2013-0775", "CVE-2012-1967", "CVE-2013-5604", "CVE-2014-1514", "CVE-2010-3166", "CVE-2011-0074", "CVE-2013-0801", "CVE-2012-3956", "CVE-2010-2769", "CVE-2012-3982", "CVE-2009-3555", "CVE-2013-1714", "CVE-2011-2989", "CVE-2010-1196", "CVE-2008-5021", "CVE-2008-5017", "CVE-2013-0769", "CVE-2012-3966", "CVE-2013-0771", "CVE-2014-1490", "CVE-2012-5839", "CVE-2013-0757", "CVE-2014-1498", "CVE-2012-1961", "CVE-2010-3173", "CVE-2012-4216", "CVE-2008-4062", "CVE-2010-3179", "CVE-2010-0182", "CVE-2014-1565", "CVE-2012-3967", "CVE-2013-0749", "CVE-2011-3651", "CVE-2008-4060", "CVE-2007-3656", "CVE-2008-1234", "CVE-2012-1951", "CVE-2012-0475", "CVE-2014-1555", "CVE-2014-1564", "CVE-2012-1952", "CVE-2010-1201", "CVE-2013-0761", "CVE-2013-1669", "CVE-2010-1585", "CVE-2012-3959", "CVE-2012-0455", "CVE-2014-1558", "CVE-2011-0084", "CVE-2012-0759", "CVE-2007-3089", "CVE-2014-1519", "CVE-2013-1701", "CVE-2012-0474", "CVE-2012-3975", "CVE-2010-2768", "CVE-2008-5014", "CVE-2013-1684", "CVE-2008-4058", "CVE-2012-4184", "CVE-2012-0447", "CVE-2014-1547", "CVE-2011-3232", "CVE-2012-4205", "CVE-2014-1480", "CVE-2014-1500", "CVE-2011-0069", "CVE-2013-6630", "CVE-2008-5022", "CVE-2008-5512", "CVE-2014-1497", "CVE-2013-5596", "CVE-2012-3992", "CVE-2008-1235", "CVE-2013-1676", "CVE-2013-0789", "CVE-2008-5501", "CVE-2008-4068", "CVE-2008-5016", "CVE-2013-1675", "CVE-2014-1478", "CVE-2012-3980", "CVE-2008-5503", "CVE-2011-2374", "CVE-2012-1955", "CVE-2012-1960", "CVE-2012-0445", "CVE-2012-0462", "CVE-2012-4217", "CVE-2013-1686", "CVE-2013-0745", "CVE-2013-0756", "CVE-2012-4218", "CVE-2013-0760", "CVE-2011-2377", "CVE-2014-1485", "CVE-2014-1493", "CVE-2007-3735", "CVE-2011-3000", "CVE-2010-2765", "CVE-2014-1544", "CVE-2010-2767", "CVE-2011-0078", "CVE-2012-3960", "CVE-2010-3175", "CVE-2012-0451", "CVE-2011-3655", "CVE-2012-4180", "CVE-2013-0767", "CVE-2010-3182", "CVE-2009-0776", "CVE-2013-5603", "CVE-2012-1959", "CVE-2011-2363", "CVE-2011-0070", "CVE-2013-1682", "CVE-2012-1947", "CVE-2013-6673", "CVE-2013-1674", "CVE-2013-0762", "CVE-2014-1562", "CVE-2010-3170", "CVE-2011-3005", "CVE-2012-4208", "CVE-2011-3658", "CVE-2014-1541", "CVE-2011-2373", "CVE-2008-5511", "CVE-2011-2992", "CVE-2014-1488", "CVE-2012-1957", "CVE-2012-1958", "CVE-2008-4064", "CVE-2012-1976", "CVE-2011-1187", "CVE-2012-5835", "CVE-2014-1552", "CVE-2010-3183", "CVE-2010-1202", "CVE-2012-0468", "CVE-2013-5599", "CVE-2014-1553", "CVE-2014-1549", "CVE-2013-1713", "CVE-2008-5508", "CVE-2012-3972", "CVE-2012-4207", "CVE-2011-2988", "CVE-2008-4061", "CVE-2013-5591", "CVE-2010-1199", "CVE-2012-4204", "CVE-2013-5602", "CVE-2011-2985", "CVE-2012-4192", "CVE-2011-2987", "CVE-2012-4188", "CVE-2012-0441", "CVE-2013-0774", "CVE-2008-5024", "CVE-2013-0753", "CVE-2012-5833", "CVE-2014-1557", "CVE-2013-1736", "CVE-2014-1526", "CVE-2013-0776", "CVE-2012-3964", "CVE-2013-5593", "CVE-2014-1550", "CVE-2013-1718", "CVE-2012-5841", "CVE-2014-1533", "CVE-2013-1717", "CVE-2010-2754", "CVE-2008-5507", "CVE-2012-3990", "CVE-2014-1491", "CVE-2013-6672", "CVE-2013-5614", "CVE-2008-4065", "CVE-2013-1693", "CVE-2010-2760", "CVE-2013-0750", "CVE-2012-1937", "CVE-2014-1560", "CVE-2012-4215", "CVE-2013-6629", "CVE-2012-0463", "CVE-2013-1677", "CVE-2011-2991", "CVE-2013-0770", "CVE-2013-0793", "CVE-2012-4179", "CVE-2011-3001", "CVE-2014-1483", "CVE-2014-1489", "CVE-2011-3062", "CVE-2012-0477", "CVE-2013-1722", "CVE-2012-0473", "CVE-2012-4194", "CVE-2011-2365", "CVE-2012-4209", "CVE-2012-1963", "CVE-2012-4196", "CVE-2008-5506", "CVE-2013-1710", "CVE-2012-0467", "CVE-2012-0458", "CVE-2013-0758", "CVE-2013-5600", "CVE-2010-2752", "CVE-2014-1499", "CVE-2014-1518", "CVE-2012-0471", "CVE-2012-3961", "CVE-2014-1561", "CVE-2012-3971", "CVE-2013-0764", "CVE-2014-1528", "CVE-2013-5618", "CVE-2011-0072"], "description": "This patch contains security updates for\n\n * mozilla-nss 3.16.4\n - The following 1024-bit root CA certificate was restored to allow more\n time to develop a better transition strategy for affected sites. It\n was removed in NSS 3.16.3, but discussion in the\n mozilla.dev.security.policy forum led to the decision to keep this\n root included longer in order to give website administrators more time\n to update their web servers.\n - CN = GTE CyberTrust Global Root\n * In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification\n Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit\n intermediate CA certificate has been included, without explicit trust.\n The intention is to mitigate the effects of the previous removal of\n the 1024-bit Entrust.net root certificate, because many public\n Internet sites still use the "USERTrust Legacy Secure Server CA"\n intermediate certificate that is signed by the 1024-bit Entrust.net\n root certificate. The inclusion of the intermediate certificate is a\n temporary measure to allow those sites to function, by allowing them\n to find a trust path to another 2048-bit root CA certificate. The\n temporarily included intermediate certificate expires November 1, 2015.\n\n * Firefox 31.1esr Firefox is updated from 24esr to 31esr as maintenance\n for version 24 stopped\n\n", "edition": 1, "modified": "2014-09-09T18:04:16", "published": "2014-09-09T18:04:16", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00004.html", "id": "OPENSUSE-SU-2014:1100-1", "title": "Firefox update to 31.1esr (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:49", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1945", "CVE-2012-1944", "CVE-2012-1940", "CVE-2012-1938", "CVE-2012-1941", "CVE-2012-1946", "CVE-2011-3101", "CVE-2012-1939", "CVE-2012-1947", "CVE-2012-0441", "CVE-2012-1937"], "description": "\nThe Mozilla Project reports:\n\nMFSA 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)\nMFSA 2012-36 Content Security Policy inline-script bypass\nMFSA 2012-37 Information disclosure though Windows file shares and shortcut files\nMFSA 2012-38 Use-after-free while replacing/inserting a node in a document\nMFSA 2012-39 NSS parsing errors with zero length items\nMFSA 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer\n\n", "edition": 4, "modified": "2012-06-05T00:00:00", "published": "2012-06-05T00:00:00", "id": "BFECF7C1-AF47-11E1-9580-4061862B8C22", "href": "https://vuxml.freebsd.org/freebsd/bfecf7c1-af47-11e1-9580-4061862b8c22.html", "title": "mozilla -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:47", "bulletinFamily": "software", "cvelist": ["CVE-2012-1944", "CVE-2012-1940", "CVE-2012-1938", "CVE-2012-1941", "CVE-2012-1946", "CVE-2011-3101", "CVE-2012-1939", "CVE-2012-1942", "CVE-2012-1947", "CVE-2012-0441", "CVE-2012-1937", "CVE-2012-1943"], "description": "Buffer overflows, memory corruptions, use-after-free, code executions, privilege escalations.", "edition": 1, "modified": "2012-06-13T00:00:00", "published": "2012-06-13T00:00:00", "id": "SECURITYVULNS:VULN:12410", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12410", "title": "Mozilla Firefox / Thunderbird / Seamonkey multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}