ID OPENVAS:1361412562310841362 Type openvas Reporter Copyright (c) 2013 Greenbone Networks GmbH Modified 2019-03-13T00:00:00
Description
The remote host is missing an update for the 'nss' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_ubuntu_USN_1763_1.nasl 14132 2019-03-13 09:25:59Z cfischer $
#
# Ubuntu Update for nss USN-1763-1
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Metadata mode: when `description` is set, this block contains only script_*
# registration calls followed by exit(0), so the package comparison later in
# the file is not reached in this mode.
if(description)
{
# Advisory link and this plugin's OID.
script_xref(name:"URL", value:"http://www.ubuntu.com/usn/usn-1763-1/");
script_oid("1.3.6.1.4.1.25623.1.0.841362");
script_version("$Revision: 14132 $");
script_tag(name:"last_modification", value:"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $");
script_tag(name:"creation_date", value:"2013-03-15 10:06:19 +0530 (Fri, 15 Mar 2013)");
# CVSS v2 base 4.3: network vector, medium access complexity, no
# authentication, partial confidentiality impact, no integrity or
# availability impact.
script_cve_id("CVE-2013-1620");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_xref(name:"USN", value:"1763-1");
script_name("Ubuntu Update for nss USN-1763-1");
script_tag(name:"summary", value:"The remote host is missing an update for the 'nss'
package(s) announced via the referenced advisory.");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (c) 2013 Greenbone Networks GmbH");
script_family("Ubuntu Local Security Checks");
# The check is gated on knowledge-base keys under ssh/login/ and on
# gather-package-list.nasl. The release pattern names the same four Ubuntu
# releases that the comparison code in this file tests for.
# NOTE(review): presumably these keys exist only after an authenticated SSH
# login has collected the package list, in which case a scan without
# credentials yields no result from this plugin -- and no result is not
# evidence that the host is patched. Confirm against gather-package-list.nasl.
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/ubuntu_linux", "ssh/login/packages", re:"ssh/login/release=UBUNTU(12\.04 LTS|11\.10|10\.04 LTS|12\.10)");
script_tag(name:"affected", value:"nss on Ubuntu 12.10,
Ubuntu 12.04 LTS,
Ubuntu 11.10,
Ubuntu 10.04 LTS");
# The CVE-2013-1620 record describes the flaw as a timing side channel in the
# MAC check performed while NSS processes malformed CBC padding, related to
# CVE-2013-0169.
script_tag(name:"insight", value:"Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in NSS was vulnerable to a timing side-channel attack known as the
'Lucky Thirteen' issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data.");
script_tag(name:"solution", value:"Please Install the Updated Packages.");
# NOTE(review): "package" presumably marks the finding as derived from the
# installed package version rather than from probing a TLS endpoint; weigh the
# result accordingly. Confirm against the scanner's quality-of-detection docs.
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
# Leave metadata mode without running the detection code.
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-deb.inc");
# Detection phase: compare the installed NSS library package with the first
# fixed version for the host's Ubuntu release. The package names and versions
# match the update instructions of USN-1763-1.
#
# dpkg_get_ssh_release(), isdpkgvuln() and __pkg_match are not defined in this
# file (presumably they come from pkg-lib-deb.inc -- confirm there).
#
# Limit of the check: only the package version is compared. The text of
# USN-1763-1 says applications that use NSS must be restarted after the
# update; a version comparison cannot show whether that has happened.
release = dpkg_get_ssh_release();
if(!release)
  exit(0);  # no release information, nothing to compare against

res = "";

# The four release blocks are mutually exclusive (one string, four distinct
# literals) and each one ends the script, so their order does not matter.
# Exit codes: 0 after reporting or when nothing matched; 99 marks the host as
# not vulnerable.
# NOTE(review): __pkg_match is presumably set by isdpkgvuln() when the named
# package is installed -- confirm.

# Ubuntu 10.04 LTS ships the library as libnss3-1d.
if(release == "UBUNTU10.04 LTS")
{
  res = isdpkgvuln(pkg:"libnss3-1d", ver:"3.14.3-0ubuntu0.10.04.1", rls:"UBUNTU10.04 LTS");
  if(res != NULL)
  {
    # res carries the report data handed to the scanner.
    security_message(data:res);
    exit(0);
  }

  if(__pkg_match)
    exit(99);
  exit(0);
}

if(release == "UBUNTU11.10")
{
  res = isdpkgvuln(pkg:"libnss3", ver:"3.14.3-0ubuntu0.11.10.1", rls:"UBUNTU11.10");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if(__pkg_match)
    exit(99);
  exit(0);
}

if(release == "UBUNTU12.04 LTS")
{
  res = isdpkgvuln(pkg:"libnss3", ver:"3.14.3-0ubuntu0.12.04.1", rls:"UBUNTU12.04 LTS");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if(__pkg_match)
    exit(99);
  exit(0);
}

if(release == "UBUNTU12.10")
{
  res = isdpkgvuln(pkg:"libnss3", ver:"3.14.3-0ubuntu0.12.10.1", rls:"UBUNTU12.10");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  if(__pkg_match)
    exit(99);
  exit(0);
}
{"id": "OPENVAS:1361412562310841362", "type": "openvas", "bulletinFamily": "scanner", "title": "Ubuntu Update for nss USN-1763-1", "description": "The remote host is missing an update for the ", "published": "2013-03-15T00:00:00", "modified": "2019-03-13T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841362", "reporter": "Copyright (c) 2013 Greenbone Networks GmbH", "references": ["http://www.ubuntu.com/usn/usn-1763-1/", "1763-1"], "cvelist": ["CVE-2013-1620"], "lastseen": "2019-05-29T18:37:50", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1620"]}, {"type": "f5", "idList": ["F5:K15630", "SOL15630"]}, {"type": "ubuntu", "idList": ["USN-1763-1"]}, {"type": "fedora", "idList": ["FEDORA:AF0F321312", "FEDORA:0759D248D0", "FEDORA:2BC32204D4", "FEDORA:4D88B20D1A", "FEDORA:3EB68209C4", "FEDORA:EB65E21314", "FEDORA:1FC192220C", "FEDORA:633E4211F2", "FEDORA:15BFB20237", "FEDORA:19FD321318"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:29211", "SECURITYVULNS:VULN:12966"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310865406", "OPENVAS:841362", "OPENVAS:1361412562310865402", "OPENVAS:865470", "OPENVAS:865402", "OPENVAS:1361412562310865470", "OPENVAS:1361412562310865410", "OPENVAS:1361412562310865463", "OPENVAS:865428", "OPENVAS:865406"]}, {"type": "nessus", "idList": ["UBUNTU_USN-1763-1.NASL", "FEDORA_2013-3079.NASL", "FEDORA_2013-2929.NASL", "ALA_ALAS-2013-216.NASL", "ORACLELINUX_ELSA-2013-1144.NASL", "ORACLELINUX_ELSA-2013-1135.NASL", "SL_20130805_NSS_AND_NSPR_ON_SL5_X.NASL", "SL_20130807_NSS__NSS_UTIL__NSS_SOFTOKN__AND_NSPR_ON_SL6_X.NASL", "CENTOS_RHSA-2013-1144.NASL", "CENTOS_RHSA-2013-1135.NASL"]}, {"type": "centos", "idList": ["CESA-2013:1791", "CESA-2013:1135", "CESA-2013:1144"]}, {"type": "oraclelinux", "idList": ["ELSA-2013-1144", "ELSA-2013-1135"]}, {"type": "redhat", "idList": ["RHSA-2013:1829", 
"RHSA-2013:1144", "RHSA-2013:1135"]}, {"type": "amazon", "idList": ["ALAS-2013-217", "ALAS-2013-265", "ALAS-2013-216"]}], "modified": "2019-05-29T18:37:50", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2019-05-29T18:37:50", "rev": 2}, "vulnersScore": 5.1}, "pluginID": "1361412562310841362", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1763_1.nasl 14132 2019-03-13 09:25:59Z cfischer $\n#\n# Ubuntu Update for nss USN-1763-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-1763-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.841362\");\n script_version(\"$Revision: 14132 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 10:25:59 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-15 10:06:19 +0530 (Fri, 15 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name:\"USN\", value:\"1763-1\");\n script_name(\"Ubuntu Update for nss USN-1763-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(12\\.04 LTS|11\\.10|10\\.04 LTS|12\\.10)\");\n script_tag(name:\"affected\", value:\"nss on Ubuntu 12.10,\n Ubuntu 12.04 LTS,\n Ubuntu 11.10,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"insight\", value:\"Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used\n in NSS was vulnerable to a timing side-channel attack known as the\n 'Lucky Thirteen' issue. 
A remote attacker could use this issue to perform\n plaintext-recovery attacks via analysis of timing data.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3\", ver:\"3.14.3-0ubuntu0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3\", ver:\"3.14.3-0ubuntu0.11.10.1\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"3.14.3-0ubuntu0.10.04.1\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3\", ver:\"3.14.3-0ubuntu0.12.10.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Ubuntu Local Security Checks", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:06:49", "description": "The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", "edition": 4, "cvss3": {}, "published": "2013-02-08T19:55:00", "title": "CVE-2013-1620", "type": "cve", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1620"], "modified": "2018-10-09T19:33:00", "cpe": ["cpe:/a:mozilla:network_security_services:*"], "id": "CVE-2013-1620", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1620", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2019-02-20T21:07:48", "bulletinFamily": "software", "cvelist": ["CVE-2013-0169", "CVE-2013-1620"], "description": "\nF5 Product Development has assigned ID 427174 (BIG-IP), ID 480240 (BIG-IQ), and ID 480241 (Enterprise Manager) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| 
Versions known to be not vulnerable| Vulnerable component or feature \n---|---|---|--- \nBIG-IP LTM| 11.0.0 - 11.5.3 \n10.0.0 - 10.2.4| 12.0.0 \n11.6.0 \n| NSS, only used by RPM \nBIG-IP AAM| 11.4.0 - 11.5.3| 12.0.0 \n11.6.0| NSS, only used by RPM \nBIG-IP AFM| 11.3.0 - 11.5.3| 12.0.0 \n11.6.0| NSS, only used by RPM \nBIG-IP Analytics| 11.0.0 - 11.5.3| 12.0.0 \n11.6.0| NSS, only used by RPM \nBIG-IP APM| 11.0.0 - 11.5.3 \n10.1.0 - 10.2.4| 12.0.0 \n11.6.0| NSS, only used by RPM \nBIG-IP ASM| 11.0.0 - 11.5.3 \n10.0.0 - 10.2.4| 12.0.0 \n11.6.0| NSS, only used by RPM \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| NSS, only used by RPM \nBIG-IP GTM| 11.0.0 - 11.5.3 \n10.0.0 - 10.2.4| 11.6.0| NSS, only used by RPM \nBIG-IP Link Controller| 11.0.0 - 11.5.3 \n10.0.0 - 10.2.4| 12.0.0 \n11.6.0| NSS, only used by RPM \nBIG-IP PEM| 11.3.0 - 11.5.3| 12.0.0 \n11.6.0| NSS, only used by RPM \nBIG-IP DNS| None| 12.0.0| None \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| None| NSS, only used by RPM \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| None| NSS, only used by RPM \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| None| NSS, only used by RPM \nARX| None| 6.0.0 - 6.4.0 \n5.0.0 - 5.3.1| None \nEnterprise Manager| 3.0.0 - 3.1.1 \n2.0.0 - 2.3.0| None| NSS, only used by RPM \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| NSS, only used by RPM \nBIG-IQ Device| 4.2.0 - 4.5.0| None| NSS, only used by RPM \nBIG-IQ Security| 4.0.0 - 4.5.0| None| NSS, only used by RPM \nBIG-IQ ADC| 4.5.0| None| NSS, only used by RPM\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists. 
\n\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2017-03-14T22:05:00", "published": "2014-09-26T02:56:00", "id": "F5:K15630", "href": "https://support.f5.com/csp/article/K15630", "title": "TLS in Mozilla NSS vulnerability CVE-2013-1620", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2016-11-09T00:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2013-0169", "CVE-2013-1620"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists. 
\n\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2016-07-25T00:00:00", "published": "2014-09-25T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/600/sol15630.html", "id": "SOL15630", "title": "SOL15630 - TLS in Mozilla NSS vulnerability CVE-2013-1620", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "ubuntu": [{"lastseen": "2020-07-02T11:40:42", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620"], "description": "Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used \nin NSS was vulnerable to a timing side-channel attack known as the \n\"Lucky Thirteen\" issue. 
A remote attacker could use this issue to perform \nplaintext-recovery attacks via analysis of timing data.", "edition": 5, "modified": "2013-03-14T00:00:00", "published": "2013-03-14T00:00:00", "id": "USN-1763-1", "href": "https://ubuntu.com/security/notices/USN-1763-1", "title": "NSS vulnerability", "type": "ubuntu", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620"], "description": "Network Security Services Softoken Cryptographic Module ", "modified": "2013-02-28T07:04:40", "published": "2013-02-28T07:04:40", "id": "FEDORA:2BC32204D4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: nss-softokn-3.14.3-1.fc18", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620"], "description": "Network Security Services Softoken Cryptographic Module ", "modified": "2013-03-14T02:40:31", "published": "2013-03-14T02:40:31", "id": "FEDORA:AF0F321312", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: nss-softokn-3.14.3-1.fc17", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620"], "description": "NSPR provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing and calendar time, basic memory management (malloc and free) and shared library linking. 
", "modified": "2013-02-28T07:04:40", "published": "2013-02-28T07:04:40", "id": "FEDORA:4D88B20D1A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: nspr-4.9.5-2.fc18", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620"], "description": "NSPR provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing and calendar time, basic memory management (malloc and free) and shared library linking. ", "modified": "2013-03-14T02:40:32", "published": "2013-03-14T02:40:32", "id": "FEDORA:19FD321318", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: nspr-4.9.5-2.fc17", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620"], "description": "Utilities for Network Security Services and the Softoken module ", "modified": "2013-03-14T02:40:31", "published": "2013-03-14T02:40:31", "id": "FEDORA:EB65E21314", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: nss-util-3.14.3-1.fc17", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620"], "description": "Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. 
", "modified": "2013-02-28T07:04:40", "published": "2013-02-28T07:04:40", "id": "FEDORA:15BFB20237", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: nss-3.14.3-1.fc18", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620"], "description": "Utilities for Network Security Services and the Softoken module ", "modified": "2013-02-28T07:04:40", "published": "2013-02-28T07:04:40", "id": "FEDORA:3EB68209C4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: nss-util-3.14.3-1.fc18", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620"], "description": "Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. ", "modified": "2013-03-14T02:40:31", "published": "2013-03-14T02:40:31", "id": "FEDORA:633E4211F2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: nss-3.14.3-1.fc17", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620", "CVE-2013-1741", "CVE-2013-5605", "CVE-2013-5606"], "description": "Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. 
", "modified": "2013-12-21T02:19:41", "published": "2013-12-21T02:19:41", "id": "FEDORA:1FC192220C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: nss-3.15.3-1.fc18", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:52", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620", "CVE-2013-1741", "CVE-2013-5605", "CVE-2013-5606"], "description": "Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. ", "modified": "2013-12-31T02:02:10", "published": "2013-12-31T02:02:10", "id": "FEDORA:0759D248D0", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 18 Update: nss-3.15.3.1-1.fc18", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "cvelist": ["CVE-2013-1620"], "description": "\r\n\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-1763-1\r\nMarch 14, 2013\r\n\r\nnss vulnerability\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 12.10\r\n- Ubuntu 12.04 LTS\r\n- Ubuntu 11.10\r\n- Ubuntu 10.04 LTS\r\n\r\nSummary:\r\n\r\nNSS could be made to expose sensitive information over the network.\r\n\r\nSoftware Description:\r\n- nss: Network Security Service library\r\n\r\nDetails:\r\n\r\nNadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used\r\nin NSS was vulnerable to a timing side-channel attack known as the\r\n"Lucky Thirteen" issue. 
A remote attacker could use this issue to perform\r\nplaintext-recovery attacks via analysis of timing data.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 12.10:\r\n libnss3 3.14.3-0ubuntu0.12.10.1\r\n\r\nUbuntu 12.04 LTS:\r\n libnss3 3.14.3-0ubuntu0.12.04.1\r\n\r\nUbuntu 11.10:\r\n libnss3 3.14.3-0ubuntu0.11.10.1\r\n\r\nUbuntu 10.04 LTS:\r\n libnss3-1d 3.14.3-0ubuntu0.10.04.1\r\n\r\nAfter a standard system update you need to restart any applications that\r\nuse NSS, such as Evolution and Chromium, to make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-1763-1\r\n CVE-2013-1620\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/nss/3.14.3-0ubuntu0.12.10.1\r\n https://launchpad.net/ubuntu/+source/nss/3.14.3-0ubuntu0.12.04.1\r\n https://launchpad.net/ubuntu/+source/nss/3.14.3-0ubuntu0.11.10.1\r\n https://launchpad.net/ubuntu/+source/nss/3.14.3-0ubuntu0.10.04.1\r\n\r\n\r\n\r\n\r\n\r\n\r\n-- ubuntu-security-announce mailing list ubuntu-security-announce@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n", "edition": 1, "modified": "2013-03-24T00:00:00", "published": "2013-03-24T00:00:00", "id": "SECURITYVULNS:DOC:29211", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29211", "title": "[USN-1763-1] NSS vulnerability", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:50", "bulletinFamily": "software", "cvelist": ["CVE-2013-1620"], "description": ""Lucky Thirteen" attacks are possible", "edition": 1, "modified": "2013-03-24T00:00:00", "published": "2013-03-24T00:00:00", "id": "SECURITYVULNS:VULN:12966", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12966", "title": "Mozilla NSS library TLS timing attacks", "type": "securityvulns", 
"cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2018-01-26T11:10:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "description": "Check for the Version of nss", "modified": "2018-01-26T00:00:00", "published": "2013-03-15T00:00:00", "id": "OPENVAS:865470", "href": "http://plugins.openvas.org/nasl.php?oid=865470", "type": "openvas", "title": "Fedora Update for nss FEDORA-2013-3079", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nss FEDORA-2013-3079\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"nss on Fedora 17\";\ntag_insight = \"Network Security Services (NSS) is a set of libraries designed to\n support cross-platform development of security-enabled client and\n server applications. 
Applications built with NSS can support SSL v2\n and v3, TLS, PKCS \\#5, PKCS \\#7, PKCS \\#11, PKCS \\#12, S/MIME, X.509\n v3 certificates, and other security standards.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100070.html\");\n script_id(865470);\n script_version(\"$Revision: 8542 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-26 07:57:28 +0100 (Fri, 26 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-15 09:49:44 +0530 (Fri, 15 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2013-3079\");\n script_name(\"Fedora Update for nss FEDORA-2013-3079\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of nss\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.14.3~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:37:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-03-05T00:00:00", "id": "OPENVAS:1361412562310865406", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865406", "type": "openvas", "title": "Fedora Update for nss-util FEDORA-2013-2929", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nss-util FEDORA-2013-2929\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099416.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865406\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-05 09:39:46 +0530 (Tue, 05 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name:\"FEDORA\", value:\"2013-2929\");\n script_name(\"Fedora Update for nss-util FEDORA-2013-2929\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss-util'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC18\");\n script_tag(name:\"affected\", value:\"nss-util on Fedora 18\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC18\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"nss-util\", rpm:\"nss-util~3.14.3~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-07-25T10:51:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "description": "Check for the Version of nss-util", "modified": "2017-07-10T00:00:00", "published": "2013-03-05T00:00:00", "id": "OPENVAS:865406", "href": "http://plugins.openvas.org/nasl.php?oid=865406", "type": "openvas", "title": "Fedora Update for nss-util FEDORA-2013-2929", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nss-util FEDORA-2013-2929\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"nss-util on Fedora 18\";\ntag_insight = \"Utilities for Network Security Services and the Softoken module\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099416.html\");\n script_id(865406);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-05 09:39:46 +0530 (Tue, 05 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2013-2929\");\n script_name(\"Fedora Update for nss-util FEDORA-2013-2929\");\n\n script_summary(\"Check for the Version of nss-util\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = 
\"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"nss-util\", rpm:\"nss-util~3.14.3~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:37:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "description": "The remote host is missing an update for the 'nspr' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2013-03-15T00:00:00", "id": "OPENVAS:1361412562310865460", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865460", "type": "openvas", "title": "Fedora Update for nspr FEDORA-2013-3079", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nspr FEDORA-2013-3079\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100069.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865460\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-15 09:49:21 +0530 (Fri, 15 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name:\"FEDORA\", value:\"2013-3079\");\n script_name(\"Fedora Update for nspr FEDORA-2013-3079\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nspr'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"nspr on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"nspr\", 
rpm:\"nspr~4.9.5~2.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2018-01-26T11:09:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "description": "Check for the Version of nspr", "modified": "2018-01-25T00:00:00", "published": "2013-03-05T00:00:00", "id": "OPENVAS:865428", "href": "http://plugins.openvas.org/nasl.php?oid=865428", "type": "openvas", "title": "Fedora Update for nspr FEDORA-2013-2929", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nspr FEDORA-2013-2929\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"nspr on Fedora 18\";\ntag_insight = \"NSPR provides platform independence for non-GUI operating system\n facilities. 
These facilities include threads, thread synchronization,\n normal file and network I/O, interval timing and calendar time, basic\n memory management (malloc and free) and shared library linking.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099417.html\");\n script_id(865428);\n script_version(\"$Revision: 8526 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-25 07:57:37 +0100 (Thu, 25 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-05 09:42:20 +0530 (Tue, 05 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2013-2929\");\n script_name(\"Fedora Update for nspr FEDORA-2013-2929\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of nspr\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.9.5~2.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, 
"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:38:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "description": "The remote host is missing an update for the 'nss-softokn' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2013-03-15T00:00:00", "id": "OPENVAS:1361412562310865463", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310865463", "type": "openvas", "title": "Fedora Update for nss-softokn FEDORA-2013-3079", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nss-softokn FEDORA-2013-3079\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_tag(name:\"affected\", value:\"nss-softokn on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100068.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.865463\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-15 09:49:33 +0530 (Fri, 15 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"FEDORA\", value:\"2013-3079\");\n script_name(\"Fedora Update for nss-softokn FEDORA-2013-3079\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss-softokn'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = 
isrpmvuln(pkg:\"nss-softokn\", rpm:\"nss-softokn~3.14.3~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2018-02-06T13:09:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "description": "Check for the Version of nss-softokn", "modified": "2018-02-05T00:00:00", "published": "2013-03-05T00:00:00", "id": "OPENVAS:865402", "href": "http://plugins.openvas.org/nasl.php?oid=865402", "type": "openvas", "title": "Fedora Update for nss-softokn FEDORA-2013-2929", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nss-softokn FEDORA-2013-2929\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"nss-softokn on Fedora 18\";\ntag_insight = \"Network Security Services Softoken Cryptographic Module\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-February/099415.html\");\n script_id(865402);\n script_version(\"$Revision: 8672 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-02-05 17:39:18 +0100 (Mon, 05 Feb 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-05 09:39:41 +0530 (Tue, 05 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2013-2929\");\n script_name(\"Fedora Update for nss-softokn FEDORA-2013-2929\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of nss-softokn\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC18\")\n{\n\n if ((res = isrpmvuln(pkg:\"nss-softokn\", rpm:\"nss-softokn~3.14.3~1.fc18\", rls:\"FC18\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-12-04T11:21:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "description": "Check for the Version of nss", "modified": "2017-12-01T00:00:00", "published": "2013-03-15T00:00:00", "id": "OPENVAS:841362", "href": "http://plugins.openvas.org/nasl.php?oid=841362", "type": "openvas", "title": "Ubuntu Update for nss USN-1763-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_1763_1.nasl 7958 2017-12-01 06:47:47Z santu $\n#\n# Ubuntu Update for nss USN-1763-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"nss on Ubuntu 12.10 ,\n Ubuntu 12.04 LTS ,\n Ubuntu 11.10 ,\n Ubuntu 10.04 LTS\";\ntag_insight = \"Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used\n in NSS was vulnerable to a timing side-channel attack known as the\n "Lucky Thirteen" issue. A remote attacker could use this issue to perform\n plaintext-recovery attacks via analysis of timing data.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-1763-1/\");\n script_id(841362);\n script_version(\"$Revision: 7958 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-01 07:47:47 +0100 (Fri, 01 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-15 10:06:19 +0530 (Fri, 15 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"USN\", value: \"1763-1\");\n script_name(\"Ubuntu Update for nss USN-1763-1\");\n\n script_summary(\"Check for the Version of nss\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n 
script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3\", ver:\"3.14.3-0ubuntu0.12.04.1\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU11.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3\", ver:\"3.14.3-0ubuntu0.11.10.1\", rls:\"UBUNTU11.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3-1d\", ver:\"3.14.3-0ubuntu0.10.04.1\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libnss3\", ver:\"3.14.3-0ubuntu0.12.10.1\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-25T10:51:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "description": "Check for the Version of nspr", "modified": "2017-07-10T00:00:00", "published": "2013-03-15T00:00:00", "id": "OPENVAS:865460", "href": "http://plugins.openvas.org/nasl.php?oid=865460", "type": "openvas", "title": "Fedora Update for nspr FEDORA-2013-3079", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nspr FEDORA-2013-3079\n#\n# Authors:\n# System Generated Check\n#\n# 
Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"nspr on Fedora 17\";\ntag_insight = \"NSPR provides platform independence for non-GUI operating system\n facilities. 
These facilities include threads, thread synchronization,\n normal file and network I/O, interval timing and calendar time, basic\n memory management (malloc and free) and shared library linking.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100069.html\");\n script_id(865460);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-15 09:49:21 +0530 (Fri, 15 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2013-3079\");\n script_name(\"Fedora Update for nspr FEDORA-2013-3079\");\n\n script_summary(\"Check for the Version of nspr\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.9.5~2.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-01-18T11:09:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "description": "Check for the Version of nss-util", "modified": "2018-01-17T00:00:00", "published": "2013-03-15T00:00:00", "id": "OPENVAS:865467", "href": "http://plugins.openvas.org/nasl.php?oid=865467", "type": "openvas", "title": "Fedora Update for nss-util FEDORA-2013-3079", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for nss-util FEDORA-2013-3079\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"nss-util on Fedora 17\";\ntag_insight = \"Utilities for Network Security Services and the Softoken module\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100071.html\");\n script_id(865467);\n script_version(\"$Revision: 8448 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 17:18:06 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-03-15 09:49:41 +0530 (Fri, 15 Mar 2013)\");\n script_cve_id(\"CVE-2013-1620\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_xref(name: \"FEDORA\", value: \"2013-3079\");\n script_name(\"Fedora Update for nss-util FEDORA-2013-3079\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of nss-util\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"nss-util\", rpm:\"nss-util~3.14.3~1.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2021-01-12T10:11:44", "description": "Update nss to nss-3.14.3\n\nThis is a patch release to address CVE-2013-1620.\n\nDetailed descriptions of the bugs fixes on nss-3.14.3 can be found in\nthe upstream release notes at\nhttps://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2013-03-01T00:00:00", "title": "Fedora 18 : nspr-4.9.5-2.fc18 / nss-3.14.3-1.fc18 / nss-softokn-3.14.3-1.fc18 / etc (2013-2929)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "modified": "2013-03-01T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:18", "p-cpe:/a:fedoraproject:fedora:nss-softokn", "p-cpe:/a:fedoraproject:fedora:nss-util", "p-cpe:/a:fedoraproject:fedora:nss", "p-cpe:/a:fedoraproject:fedora:nspr"], "id": "FEDORA_2013-2929.NASL", "href": "https://www.tenable.com/plugins/nessus/64941", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-2929.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64941);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n 
script_cve_id(\"CVE-2013-1620\");\n script_bugtraq_id(57777);\n script_xref(name:\"FEDORA\", value:\"2013-2929\");\n\n script_name(english:\"Fedora 18 : nspr-4.9.5-2.fc18 / nss-3.14.3-1.fc18 / nss-softokn-3.14.3-1.fc18 / etc (2013-2929)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update nss to nss-3.14.3\n\nThis is a patch release to address CVE-2013-1620.\n\nDetailed descriptions of the bugs fixes on nss-3.14.3 can be found in\nthe upstream release notes at\nhttps://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=896651\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=908257\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=909775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=909781\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=909782\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=910584\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=912483\"\n );\n # https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"http://www.nessus.org/u?5c94a8bf\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/099414.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?38bf961f\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/099415.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?548ae4d6\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/099416.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?59c660a1\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-February/099417.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e140fd31\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:18\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script 
is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^18([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 18.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC18\", reference:\"nspr-4.9.5-2.fc18\")) flag++;\nif (rpm_check(release:\"FC18\", reference:\"nss-3.14.3-1.fc18\")) flag++;\nif (rpm_check(release:\"FC18\", reference:\"nss-softokn-3.14.3-1.fc18\")) flag++;\nif (rpm_check(release:\"FC18\", reference:\"nss-util-3.14.3-1.fc18\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nss / nss-softokn / nss-util\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:11:44", "description": "Update to nss-3.14.3\n\nThis is a patch release to address 
CVE-2013-1620.\n\nDetailed descriptions of the bugs fixed by nss-3.14.3 can be found in\nthe upstream release notes at\nhttps://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2013-03-14T00:00:00", "title": "Fedora 17 : nspr-4.9.5-2.fc17 / nss-3.14.3-1.fc17 / nss-softokn-3.14.3-1.fc17 / etc (2013-3079)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "modified": "2013-03-14T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:nss-softokn", "p-cpe:/a:fedoraproject:fedora:nss-util", "p-cpe:/a:fedoraproject:fedora:nss", "p-cpe:/a:fedoraproject:fedora:nspr"], "id": "FEDORA_2013-3079.NASL", "href": "https://www.tenable.com/plugins/nessus/65532", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-3079.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65532);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2013-1620\");\n script_bugtraq_id(57777);\n script_xref(name:\"FEDORA\", value:\"2013-3079\");\n\n script_name(english:\"Fedora 17 : nspr-4.9.5-2.fc17 / nss-3.14.3-1.fc17 / nss-softokn-3.14.3-1.fc17 / etc (2013-3079)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Update to nss-3.14.3\n\nThis is a patch release to 
address CVE-2013-1620.\n\nDetailed descriptions of the bugs fixed by nss-3.14.3 can be found in\nthe upstream release notes at\nhttps://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=896651\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=908257\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=910584\"\n );\n # https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5c94a8bf\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-March/100068.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a8bfd6f4\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-March/100069.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?28b8acec\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-March/100070.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5d87b17d\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-March/100071.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?57ea8a1a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"nspr-4.9.5-2.fc17\")) flag++;\nif (rpm_check(release:\"FC17\", reference:\"nss-3.14.3-1.fc17\")) flag++;\nif (rpm_check(release:\"FC17\", reference:\"nss-softokn-3.14.3-1.fc17\")) flag++;\nif (rpm_check(release:\"FC17\", reference:\"nss-util-3.14.3-1.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nss / nss-softokn / nss-util\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-04-01T07:22:06", "description": "Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as\nused in NSS was vulnerable to a timing side-channel attack known as\nthe 'Lucky Thirteen' issue. A remote attacker could use this issue to\nperform plaintext-recovery attacks via analysis of timing data.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 27, "published": "2013-03-15T00:00:00", "title": "Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : nss vulnerability (USN-1763-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1620"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libnss3-1d", "cpe:/o:canonical:ubuntu_linux:11.10", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/o:canonical:ubuntu_linux:12.10", "p-cpe:/a:canonical:ubuntu_linux:libnss3", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-1763-1.NASL", "href": "https://www.tenable.com/plugins/nessus/65572", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-1763-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(65572);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/09/19 12:54:29\");\n\n script_cve_id(\"CVE-2013-1620\");\n script_xref(name:\"USN\", value:\"1763-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : nss vulnerability (USN-1763-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as\nused in NSS was vulnerable to a timing side-channel attack known as\nthe 'Lucky Thirteen' issue. 
A remote attacker could use this issue to\nperform plaintext-recovery attacks via analysis of timing data.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/1763-1/\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libnss3 and / or libnss3-1d packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libnss3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libnss3-1d\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:11.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(10\\.04|11\\.10|12\\.04|12\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 11.10 / 12.04 / 12.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"libnss3-1d\", pkgver:\"3.14.3-0ubuntu0.10.04.1\")) flag++;\nif (ubuntu_check(osver:\"11.10\", pkgname:\"libnss3\", pkgver:\"3.14.3-0ubuntu0.11.10.1\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libnss3\", pkgver:\"3.14.3-0ubuntu0.12.04.1\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"libnss3\", pkgver:\"3.14.3-0ubuntu0.12.10.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libnss3 / libnss3-1d\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-06T09:28:54", "description": "Updated nss, nss-util, nss-softokn, and nspr packages that fix two\nsecurity issues, various bugs, and add enhancements are now available\nfor Red Hat 
Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\nnss-softokn provides an NSS softoken cryptographic module.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* The RHBA-2013:0445 update (which upgraded NSS to version 3.14)\nprevented the use of certificates that have an MD5 signature. This\ncaused problems in certain environments. With this update,\ncertificates that have an MD5 signature are once again allowed. To\nprevent the use of certificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. 
(BZ#957603)\n\n* Previously, the sechash.h header file was missing, preventing\ncertain source RPMs (such as firefox and xulrunner) from building.\n(BZ#948715)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#984967)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, the nss-util package has been upgraded to upstream version\n3.14.3, the nss-softokn package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#927157, BZ#927171, BZ#927158,\nBZ#927186)\n\nUsers of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade\nto these updated packages, which fix these issues and add these\nenhancements. After installing this update, applications using NSS,\nNSPR, nss-util, or nss-softokn must be restarted for this update to\ntake effect.", "edition": 24, "published": "2013-08-08T00:00:00", "title": "CentOS 6 : nss / nss-util / nss-softokn / nspr (CESA-2013:1144)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "modified": "2013-08-08T00:00:00", "cpe": ["p-cpe:/a:centos:centos:nss-devel", "p-cpe:/a:centos:centos:nss-util-devel", "cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:nss-util", "p-cpe:/a:centos:centos:nss-pkcs11-devel", "p-cpe:/a:centos:centos:nss-softokn-freebl", "p-cpe:/a:centos:centos:nss-softokn", "p-cpe:/a:centos:centos:nss-softokn-freebl-devel", "p-cpe:/a:centos:centos:nss-tools", "p-cpe:/a:centos:centos:nspr-devel", "p-cpe:/a:centos:centos:nspr", "p-cpe:/a:centos:centos:nss", "p-cpe:/a:centos:centos:nss-sysinit", "p-cpe:/a:centos:centos:nss-softokn-devel"], "id": "CENTOS_RHSA-2013-1144.NASL", "href": "https://www.tenable.com/plugins/nessus/69247", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# 
extracted from Red Hat Security Advisory RHSA-2013:1144 and \n# CentOS Errata and Security Advisory 2013:1144 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69247);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-0791\", \"CVE-2013-1620\");\n script_bugtraq_id(57777, 58826);\n script_xref(name:\"RHSA\", value:\"2013:1144\");\n\n script_name(english:\"CentOS 6 : nss / nss-util / nss-softokn / nspr (CESA-2013:1144)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss, nss-util, nss-softokn, and nspr packages that fix two\nsecurity issues, various bugs, and add enhancements are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\nnss-softokn provides an NSS softoken cryptographic module.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. 
(CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* The RHBA-2013:0445 update (which upgraded NSS to version 3.14)\nprevented the use of certificates that have an MD5 signature. This\ncaused problems in certain environments. With this update,\ncertificates that have an MD5 signature are once again allowed. To\nprevent the use of certificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#957603)\n\n* Previously, the sechash.h header file was missing, preventing\ncertain source RPMs (such as firefox and xulrunner) from building.\n(BZ#948715)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#984967)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, the nss-util package has been upgraded to upstream version\n3.14.3, the nss-softokn package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#927157, BZ#927171, BZ#927158,\nBZ#927186)\n\nUsers of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade\nto these updated packages, which fix these issues and add these\nenhancements. 
After installing this update, applications using NSS,\nNSPR, nss-util, or nss-softokn must be restarted for this update to\ntake effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2013-August/019896.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bfdaf893\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-0791\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-util\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"nspr-4.9.5-2.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nspr-devel-4.9.5-2.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-3.14.3-4.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-devel-3.14.3-4.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-pkcs11-devel-3.14.3-4.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-softokn-3.14.3-3.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-softokn-devel-3.14.3-3.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-softokn-freebl-3.14.3-3.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-softokn-freebl-devel-3.14.3-3.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-sysinit-3.14.3-4.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-tools-3.14.3-4.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-util-3.14.3-3.el6_4\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-util-devel-3.14.3-3.el6_4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T12:48:07", 
"description": "From Red Hat Security Advisory 2013:1144 :\n\nUpdated nss, nss-util, nss-softokn, and nspr packages that fix two\nsecurity issues, various bugs, and add enhancements are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\nnss-softokn provides an NSS softoken cryptographic module.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* The RHBA-2013:0445 update (which upgraded NSS to version 3.14)\nprevented the use of certificates that have an MD5 signature. This\ncaused problems in certain environments. With this update,\ncertificates that have an MD5 signature are once again allowed. To\nprevent the use of certificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. 
(BZ#957603)\n\n* Previously, the sechash.h header file was missing, preventing\ncertain source RPMs (such as firefox and xulrunner) from building.\n(BZ#948715)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#984967)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, the nss-util package has been upgraded to upstream version\n3.14.3, the nss-softokn package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#927157, BZ#927171, BZ#927158,\nBZ#927186)\n\nUsers of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade\nto these updated packages, which fix these issues and add these\nenhancements. After installing this update, applications using NSS,\nNSPR, nss-util, or nss-softokn must be restarted for this update to\ntake effect.", "edition": 21, "published": "2013-08-08T00:00:00", "title": "Oracle Linux 6 : nspr / nss / nss-softokn / nss-util (ELSA-2013-1144)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "modified": "2013-08-08T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:nss-pkcs11-devel", "p-cpe:/a:oracle:linux:nspr-devel", "p-cpe:/a:oracle:linux:nss-softokn", "p-cpe:/a:oracle:linux:nss-util-devel", "p-cpe:/a:oracle:linux:nss-devel", "p-cpe:/a:oracle:linux:nspr", "p-cpe:/a:oracle:linux:nss", "p-cpe:/a:oracle:linux:nss-util", "p-cpe:/a:oracle:linux:nss-softokn-freebl-devel", "p-cpe:/a:oracle:linux:nss-softokn-freebl", "p-cpe:/a:oracle:linux:nss-softokn-devel", "p-cpe:/a:oracle:linux:nss-tools", "p-cpe:/a:oracle:linux:nss-sysinit"], "id": "ORACLELINUX_ELSA-2013-1144.NASL", "href": "https://www.tenable.com/plugins/nessus/69253", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# 
extracted from Red Hat Security Advisory RHSA-2013:1144 and \n# Oracle Linux Security Advisory ELSA-2013-1144 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69253);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-0791\", \"CVE-2013-1620\");\n script_bugtraq_id(57777, 58826);\n script_xref(name:\"RHSA\", value:\"2013:1144\");\n\n script_name(english:\"Oracle Linux 6 : nspr / nss / nss-softokn / nss-util (ELSA-2013-1144)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:1144 :\n\nUpdated nss, nss-util, nss-softokn, and nspr packages that fix two\nsecurity issues, various bugs, and add enhancements are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\nnss-softokn provides an NSS softoken cryptographic module.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. 
A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* The RHBA-2013:0445 update (which upgraded NSS to version 3.14)\nprevented the use of certificates that have an MD5 signature. This\ncaused problems in certain environments. With this update,\ncertificates that have an MD5 signature are once again allowed. To\nprevent the use of certificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#957603)\n\n* Previously, the sechash.h header file was missing, preventing\ncertain source RPMs (such as firefox and xulrunner) from building.\n(BZ#948715)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#984967)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, the nss-util package has been upgraded to upstream version\n3.14.3, the nss-softokn package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#927157, BZ#927171, BZ#927158,\nBZ#927186)\n\nUsers of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade\nto these updated packages, which fix these issues and add these\nenhancements. 
After installing this update, applications using NSS,\nNSPR, nss-util, or nss-softokn must be restarted for this update to\ntake effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-August/003624.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"nspr-4.9.5-2.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nspr-devel-4.9.5-2.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-3.14.3-4.0.1.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-devel-3.14.3-4.0.1.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-pkcs11-devel-3.14.3-4.0.1.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-softokn-3.14.3-3.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-softokn-devel-3.14.3-3.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-softokn-freebl-3.14.3-3.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-softokn-freebl-devel-3.14.3-3.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-sysinit-3.14.3-4.0.1.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-tools-3.14.3-4.0.1.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-util-3.14.3-3.el6_4\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-util-devel-3.14.3-3.el6_4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T12:48:05", "description": "From Red Hat 
Security Advisory 2013:1135 :\n\nUpdated nss and nspr packages that fix two security issues, various\nbugs, and add enhancements are now available for Red Hat Enterprise\nLinux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* A defect in the FreeBL library implementation of the Diffie-Hellman\n(DH) protocol previously caused Openswan to drop connections.\n(BZ#958023)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#986969)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. 
(BZ#949845, BZ#924741)\n\nNote that while upstream NSS version 3.14 prevents the use of\ncertificates that have an MD5 signature, this erratum includes a patch\nthat allows such certificates by default. To prevent the use of\ncertificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'.\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which fix these issues and add these enhancements. After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.", "edition": 21, "published": "2013-08-06T00:00:00", "title": "Oracle Linux 5 : nspr / nss (ELSA-2013-1135)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "modified": "2013-08-06T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:nss-pkcs11-devel", "p-cpe:/a:oracle:linux:nspr-devel", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:nss-devel", "p-cpe:/a:oracle:linux:nspr", "p-cpe:/a:oracle:linux:nss", "p-cpe:/a:oracle:linux:nss-tools"], "id": "ORACLELINUX_ELSA-2013-1135.NASL", "href": "https://www.tenable.com/plugins/nessus/69221", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2013:1135 and \n# Oracle Linux Security Advisory ELSA-2013-1135 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69221);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-0791\", \"CVE-2013-1620\");\n script_bugtraq_id(57777, 58826);\n script_xref(name:\"RHSA\", value:\"2013:1135\");\n\n script_name(english:\"Oracle Linux 5 : nspr / nss (ELSA-2013-1135)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n 
value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2013:1135 :\n\nUpdated nss and nspr packages that fix two security issues, various\nbugs, and add enhancements are now available for Red Hat Enterprise\nLinux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. 
Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* A defect in the FreeBL library implementation of the Diffie-Hellman\n(DH) protocol previously caused Openswan to drop connections.\n(BZ#958023)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#986969)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#949845, BZ#924741)\n\nNote that while upstream NSS version 3.14 prevents the use of\ncertificates that have an MD5 signature, this erratum includes a patch\nthat allows such certificates by default. To prevent the use of\ncertificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'.\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which fix these issues and add these enhancements. 
After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2013-August/003616.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected nspr and / or nss packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/08/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"nspr-4.9.5-1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nspr-devel-4.9.5-1.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-3.14.3-6.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-devel-3.14.3-6.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-pkcs11-devel-3.14.3-6.el5_9\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-tools-3.14.3-6.el5_9\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n 
exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / nss-tools\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T13:12:58", "description": "Updated nss, nss-util, nss-softokn, and nspr packages that fix two\nsecurity issues, various bugs, and add enhancements are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\nnss-softokn provides an NSS softoken cryptographic module.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* The RHBA-2013:0445 update (which upgraded NSS to version 3.14)\nprevented the use of certificates that have an MD5 signature. 
This\ncaused problems in certain environments. With this update,\ncertificates that have an MD5 signature are once again allowed. To\nprevent the use of certificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#957603)\n\n* Previously, the sechash.h header file was missing, preventing\ncertain source RPMs (such as firefox and xulrunner) from building.\n(BZ#948715)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#984967)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, the nss-util package has been upgraded to upstream version\n3.14.3, the nss-softokn package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#927157, BZ#927171, BZ#927158,\nBZ#927186)\n\nUsers of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade\nto these updated packages, which fix these issues and add these\nenhancements. 
After installing this update, applications using NSS,\nNSPR, nss-util, or nss-softokn must be restarted for this update to\ntake effect.", "edition": 25, "published": "2013-08-08T00:00:00", "title": "RHEL 6 : nss, nss-util, nss-softokn, and nspr (RHSA-2013:1144)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "modified": "2013-08-08T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:nss-util", "p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl-devel", "p-cpe:/a:redhat:enterprise_linux:nss-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nss-softokn-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nss-util-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nspr-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nss-softokn", "p-cpe:/a:redhat:enterprise_linux:nss-devel", "p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl", "cpe:/o:redhat:enterprise_linux:6.4", "p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel", "p-cpe:/a:redhat:enterprise_linux:nss-tools", "p-cpe:/a:redhat:enterprise_linux:nss-softokn-devel", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:nspr", "p-cpe:/a:redhat:enterprise_linux:nss", "p-cpe:/a:redhat:enterprise_linux:nss-sysinit", "p-cpe:/a:redhat:enterprise_linux:nspr-devel", "p-cpe:/a:redhat:enterprise_linux:nss-util-devel"], "id": "REDHAT-RHSA-2013-1144.NASL", "href": "https://www.tenable.com/plugins/nessus/69256", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:1144. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69256);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-0791\", \"CVE-2013-1620\");\n script_bugtraq_id(57777, 58826);\n script_xref(name:\"RHSA\", value:\"2013:1144\");\n\n script_name(english:\"RHEL 6 : nss, nss-util, nss-softokn, and nspr (RHSA-2013:1144)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss, nss-util, nss-softokn, and nspr packages that fix two\nsecurity issues, various bugs, and add enhancements are now available\nfor Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\nnss-softokn provides an NSS softoken cryptographic module.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. 
If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* The RHBA-2013:0445 update (which upgraded NSS to version 3.14)\nprevented the use of certificates that have an MD5 signature. This\ncaused problems in certain environments. With this update,\ncertificates that have an MD5 signature are once again allowed. To\nprevent the use of certificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#957603)\n\n* Previously, the sechash.h header file was missing, preventing\ncertain source RPMs (such as firefox and xulrunner) from building.\n(BZ#948715)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#984967)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, the nss-util package has been upgraded to upstream version\n3.14.3, the nss-softokn package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#927157, BZ#927171, BZ#927158,\nBZ#927186)\n\nUsers of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade\nto these updated packages, which fix these issues and add these\nenhancements. 
After installing this update, applications using NSS,\nNSPR, nss-util, or nss-softokn must be restarted for this update to\ntake effect.\"\n );\n # https://rhn.redhat.com/errata/RHBA-2013-0445.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHBA-2013:0445\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:1144\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0791\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1620\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-util-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:1144\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"nspr-4.9.5-2.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nspr-debuginfo-4.9.5-2.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nspr-devel-4.9.5-2.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", 
reference:\"nss-3.14.3-4.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-debuginfo-3.14.3-4.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-devel-3.14.3-4.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-pkcs11-devel-3.14.3-4.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-softokn-3.14.3-3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-softokn-debuginfo-3.14.3-3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-softokn-devel-3.14.3-3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-softokn-freebl-3.14.3-3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-softokn-freebl-devel-3.14.3-3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"nss-sysinit-3.14.3-4.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"nss-sysinit-3.14.3-4.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"nss-sysinit-3.14.3-4.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"nss-tools-3.14.3-4.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"nss-tools-3.14.3-4.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"nss-tools-3.14.3-4.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-util-3.14.3-3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-util-debuginfo-3.14.3-3.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-util-devel-3.14.3-3.el6_4\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / 
nspr-devel / nss / nss-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-04-01T01:22:51", "description": "It was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)", "edition": 26, "published": "2013-10-01T00:00:00", "title": "Amazon Linux AMI : nspr (ALAS-2013-216)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:nspr-debuginfo", "p-cpe:/a:amazon:linux:nspr-devel", "p-cpe:/a:amazon:linux:nspr", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2013-216.NASL", "href": "https://www.tenable.com/plugins/nessus/70220", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2013-216.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70220);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2013-0791\", \"CVE-2013-1620\");\n script_xref(name:\"ALAS\", value:\"2013-216\");\n script_xref(name:\"RHSA\", value:\"2013:1144\");\n\n script_name(english:\"Amazon Linux AMI : nspr (ALAS-2013-216)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n 
value:\n\"It was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2013-216.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update nspr' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/10/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"nspr-4.9.5-2.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nspr-debuginfo-4.9.5-2.17.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"nspr-devel-4.9.5-2.17.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / nspr-devel\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-17T13:12:55", "description": "Updated nss and nspr packages that fix two security issues, various\nbugs, and add enhancements are now available for Red Hat Enterprise\nLinux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. 
Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* A defect in the FreeBL library implementation of the Diffie-Hellman\n(DH) protocol previously caused Openswan to drop connections.\n(BZ#958023)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#986969)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#949845, BZ#924741)\n\nNote that while upstream NSS version 3.14 prevents the use of\ncertificates that have an MD5 signature, this erratum includes a patch\nthat allows such certificates by default. To prevent the use of\ncertificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'.\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which fix these issues and add these enhancements. 
After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.", "edition": 24, "published": "2013-08-06T00:00:00", "title": "RHEL 5 : nss and nspr (RHSA-2013:1135)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "modified": "2013-08-06T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:nss-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nspr-debuginfo", "cpe:/o:redhat:enterprise_linux:5.9", "p-cpe:/a:redhat:enterprise_linux:nss-devel", "p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel", "p-cpe:/a:redhat:enterprise_linux:nss-tools", "p-cpe:/a:redhat:enterprise_linux:nspr", "p-cpe:/a:redhat:enterprise_linux:nss", "p-cpe:/a:redhat:enterprise_linux:nspr-devel"], "id": "REDHAT-RHSA-2013-1135.NASL", "href": "https://www.tenable.com/plugins/nessus/69222", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:1135. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69222);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-0791\", \"CVE-2013-1620\");\n script_bugtraq_id(57777, 58826);\n script_xref(name:\"RHSA\", value:\"2013:1135\");\n\n script_name(english:\"RHEL 5 : nss and nspr (RHSA-2013:1135)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss and nspr packages that fix two security issues, various\nbugs, and add enhancements are now available for Red Hat Enterprise\nLinux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. 
(CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* A defect in the FreeBL library implementation of the Diffie-Hellman\n(DH) protocol previously caused Openswan to drop connections.\n(BZ#958023)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#986969)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#949845, BZ#924741)\n\nNote that while upstream NSS version 3.14 prevents the use of\ncertificates that have an MD5 signature, this erratum includes a patch\nthat allows such certificates by default. To prevent the use of\ncertificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'.\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which fix these issues and add these enhancements. 
After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:1135\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0791\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1620\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/08/05\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:1135\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"nspr-4.9.5-1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"nspr-debuginfo-4.9.5-1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"nspr-devel-4.9.5-1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"nss-3.14.3-6.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"nss-debuginfo-3.14.3-6.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"nss-devel-3.14.3-6.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", reference:\"nss-pkcs11-devel-3.14.3-6.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"nss-tools-3.14.3-6.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"nss-tools-3.14.3-6.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"nss-tools-3.14.3-6.el5_9\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = 
pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / nspr-devel / nss / nss-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-06T09:28:50", "description": "Updated nss and nspr packages that fix two security issues, various\nbugs, and add enhancements are now available for Red Hat Enterprise\nLinux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. 
Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* A defect in the FreeBL library implementation of the Diffie-Hellman\n(DH) protocol previously caused Openswan to drop connections.\n(BZ#958023)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#986969)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#949845, BZ#924741)\n\nNote that while upstream NSS version 3.14 prevents the use of\ncertificates that have an MD5 signature, this erratum includes a patch\nthat allows such certificates by default. To prevent the use of\ncertificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'.\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which fix these issues and add these enhancements. 
After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.", "edition": 24, "published": "2013-08-06T00:00:00", "title": "CentOS 5 : nss (CESA-2013:1135)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "modified": "2013-08-06T00:00:00", "cpe": ["p-cpe:/a:centos:centos:nss-devel", "p-cpe:/a:centos:centos:nss-pkcs11-devel", "p-cpe:/a:centos:centos:nss-tools", "p-cpe:/a:centos:centos:nspr-devel", "p-cpe:/a:centos:centos:nspr", "p-cpe:/a:centos:centos:nss", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2013-1135.NASL", "href": "https://www.tenable.com/plugins/nessus/69215", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:1135 and \n# CentOS Errata and Security Advisory 2013:1135 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(69215);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-0791\", \"CVE-2013-1620\");\n script_bugtraq_id(57777, 58826);\n script_xref(name:\"RHSA\", value:\"2013:1135\");\n\n script_name(english:\"CentOS 5 : nss (CESA-2013:1135)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss and nspr packages that fix two security issues, various\nbugs, and add enhancements are now available for Red Hat Enterprise\nLinux 5.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher\nsuites were used. A remote attacker could possibly use this flaw to\nretrieve plain text from the encrypted packets by using a TLS/SSL or\nDTLS server as a padding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded\ncertain certificates. If an application using NSS decoded a malformed\ncertificate, it could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original\nreporter of CVE-2013-0791.\n\nThis update also fixes the following bugs :\n\n* A defect in the FreeBL library implementation of the Diffie-Hellman\n(DH) protocol previously caused Openswan to drop connections.\n(BZ#958023)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#986969)\n\nIn addition, the nss package has been upgraded to upstream version\n3.14.3, and the nspr package has been upgraded to upstream version\n4.9.5. These updates provide a number of bug fixes and enhancements\nover the previous versions. (BZ#949845, BZ#924741)\n\nNote that while upstream NSS version 3.14 prevents the use of\ncertificates that have an MD5 signature, this erratum includes a patch\nthat allows such certificates by default. 
To prevent the use of\ncertificates that have an MD5 signature, set the\n'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'.\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which fix these issues and add these enhancements. After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2013-August/019892.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7495b55e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nss packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-0791\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/08/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/06\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"nspr-4.9.5-1.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nspr-devel-4.9.5-1.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-3.14.3-6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-devel-3.14.3-6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-pkcs11-devel-3.14.3-6.el5_9\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-tools-3.14.3-6.el5_9\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n 
);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / nss-tools\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:27:41", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "description": "**CentOS Errata and Security Advisory** CESA-2013:1135\n\n\nNetwork Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites\nwere used. A remote attacker could possibly use this flaw to retrieve plain\ntext from the encrypted packets by using a TLS/SSL or DTLS server as a\npadding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded certain\ncertificates. If an application using NSS decoded a malformed certificate,\nit could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter\nof CVE-2013-0791.\n\nThis update also fixes the following bugs:\n\n* A defect in the FreeBL library implementation of the Diffie-Hellman (DH)\nprotocol previously caused Openswan to drop connections. (BZ#958023)\n\n * A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#986969)\n\nIn addition, the nss package has been upgraded to upstream version 3.14.3,\nand the nspr package has been upgraded to upstream version 4.9.5. These\nupdates provide a number of bug fixes and enhancements over the previous\nversions. 
(BZ#949845, BZ#924741)\n\nNote that while upstream NSS version 3.14 prevents the use of certificates\nthat have an MD5 signature, this erratum includes a patch that allows such\ncertificates by default. To prevent the use of certificates that have an\nMD5 signature, set the \"NSS_HASH_ALG_SUPPORT\" environment variable\nto \"-MD5\".\n\nUsers of NSS and NSPR are advised to upgrade to these updated packages,\nwhich fix these issues and add these enhancements. After installing this\nupdate, applications using NSS or NSPR must be restarted for this update to\ntake effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-August/031930.html\n\n**Affected packages:**\nnspr\nnspr-devel\nnss\nnss-devel\nnss-pkcs11-devel\nnss-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1135.html", "edition": 3, "modified": "2013-08-05T19:56:06", "published": "2013-08-05T19:56:06", "href": "http://lists.centos.org/pipermail/centos-announce/2013-August/031930.html", "id": "CESA-2013:1135", "title": "nspr, nss security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-20T18:24:00", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "description": "**CentOS Errata and Security Advisory** CESA-2013:1144\n\n\nNetwork Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities. nss-softokn provides\nan NSS softoken cryptographic module.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites\nwere used. 
A remote attacker could possibly use this flaw to retrieve plain\ntext from the encrypted packets by using a TLS/SSL or DTLS server as a\npadding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded certain\ncertificates. If an application using NSS decoded a malformed certificate,\nit could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter\nof CVE-2013-0791.\n\nThis update also fixes the following bugs:\n\n* The RHBA-2013:0445 update (which upgraded NSS to version 3.14) prevented\nthe use of certificates that have an MD5 signature. This caused problems in\ncertain environments. With this update, certificates that have an MD5\nsignature are once again allowed. To prevent the use of certificates that\nhave an MD5 signature, set the \"NSS_HASH_ALG_SUPPORT\" environment variable\nto \"-MD5\". (BZ#957603)\n\n* Previously, the sechash.h header file was missing, preventing certain\nsource RPMs (such as firefox and xulrunner) from building. (BZ#948715)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#984967)\n\nIn addition, the nss package has been upgraded to upstream version 3.14.3,\nthe nss-util package has been upgraded to upstream version 3.14.3, the\nnss-softokn package has been upgraded to upstream version 3.14.3, and the\nnspr package has been upgraded to upstream version 4.9.5. 
These updates\nprovide a number of bug fixes and enhancements over the previous versions.\n(BZ#927157, BZ#927171, BZ#927158, BZ#927186)\n\nUsers of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade to\nthese updated packages, which fix these issues and add these enhancements.\nAfter installing this update, applications using NSS, NSPR, nss-util, or\nnss-softokn must be restarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-August/031934.html\n\n**Affected packages:**\nnspr\nnspr-devel\nnss\nnss-devel\nnss-pkcs11-devel\nnss-softokn\nnss-softokn-devel\nnss-softokn-freebl\nnss-softokn-freebl-devel\nnss-sysinit\nnss-tools\nnss-util\nnss-util-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1144.html", "edition": 3, "modified": "2013-08-07T22:22:50", "published": "2013-08-07T22:22:50", "href": "http://lists.centos.org/pipermail/centos-announce/2013-August/031934.html", "id": "CESA-2013:1144", "title": "nspr, nss security update", "type": "centos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-12-20T18:28:04", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5607", "CVE-2013-5605", "CVE-2013-1741", "CVE-2013-1739", "CVE-2013-5606", "CVE-2013-1620"], "description": "**CentOS Errata and Security Advisory** CESA-2013:1791\n\n\nNetwork Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA flaw was found in the way NSS handled invalid handshake packets. A remote\nattacker could use this flaw to cause a TLS/SSL client using NSS to crash\nor, possibly, execute arbitrary code with the privileges of the user\nrunning the application. 
(CVE-2013-5605)\n\nIt was found that the fix for CVE-2013-1620 released via RHSA-2013:1135\nintroduced a regression causing NSS to read uninitialized data when a\ndecryption failure occurred. A remote attacker could use this flaw to cause\na TLS/SSL server using NSS to crash. (CVE-2013-1739)\n\nAn integer overflow flaw was discovered in both NSS and NSPR's\nimplementation of certification parsing on 64-bit systems. A remote\nattacker could use these flaws to cause an application using NSS or NSPR to\ncrash. (CVE-2013-1741, CVE-2013-5607)\n\nIt was discovered that NSS did not reject certificates with incompatible\nkey usage constraints when validating them while the verifyLog feature was\nenabled. An application using the NSS certificate validation API could\naccept an invalid certificate. (CVE-2013-5606)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges\nTavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as\nthe original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and\nWan-Teh Chang as the original reporters of CVE-2013-5607.\n\nIn addition, the nss package has been upgraded to upstream version 3.15.3,\nand the nspr package has been upgraded to upstream version 4.10.2.\nThese updates provide a number of bug fixes and enhancements over the\nprevious versions. (BZ#1033478, BZ#1020520)\n\nThis update also fixes the following bug:\n\n* The RHBA-2013:1318 update introduced a regression that prevented the use\nof certificates that have an MD5 signature. This update fixes this\nregression and certificates that have an MD5 signature are once again\nsupported. To prevent the use of certificates that have an MD5 signature,\nset the \"NSS_HASH_ALG_SUPPORT\" environment variable to \"-MD5\". (BZ#1033499)\n\nUsers of NSS and NSPR are advised to upgrade to these updated packages,\nwhich fix these issues and add these enhancements. 
After installing this\nupdate, applications using NSS or NSPR must be restarted for this update to\ntake effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-December/032084.html\nhttp://lists.centos.org/pipermail/centos-announce/2013-December/032085.html\n\n**Affected packages:**\nnspr\nnspr-devel\nnss\nnss-devel\nnss-pkcs11-devel\nnss-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-1791.html", "edition": 3, "modified": "2013-12-05T17:46:14", "published": "2013-12-05T17:45:58", "href": "http://lists.centos.org/pipermail/centos-announce/2013-December/032084.html", "id": "CESA-2013:1791", "title": "nspr, nss security update", "type": "centos", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:36:29", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "description": "nspr\n[4.9.2-4]\n- Resolves: rhbz#924741 - Rebase to nspr-4.9.5\nnss\n[3.14.3-6]\n- Resolves: rhbz#986969 - nssutil_ReadSecmodDB() leaks memory\n[3.14.3-5]\n- Define -DNO_FORK_CHECK when compiling softoken for ABI compatibility\n- Remove the unused and obsolete nss-nochktest.patch\n- Resolves: rhbz#949845 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue\n[3.14.3-4]\n- Fix rpmdiff test reported failures and remove other unwanted changes\n- Resolves: rhbz#949845 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue\n[3.14.3-3]\n- Update to NSS_3_14_3_RTM\n- Rework the rebase to preserve needed idiosyncrasies\n- Ensure we install freebl/softoken from the extra build tree\n- Don't include freebl static library or its private headers\n- Add patch to deal with system sqlite not being recent enough\n- Don't install nss-sysinit nor sharedb\n- Resolves: rhbz#949845 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue\n[3.14.3-2]\n- Restore the freebl-softoken source tar ball updated to 3.14.3\n- Renumbering of some 
sources for clarity\n- Resolves: rhbz#918870 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue\n[3.14.3-1]\n- Update to NSS_3_14_3_RTM\n- Resolves: rhbz#918870 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue", "edition": 4, "modified": "2013-08-05T00:00:00", "published": "2013-08-05T00:00:00", "id": "ELSA-2013-1135", "href": "http://linux.oracle.com/errata/ELSA-2013-1135.html", "title": "nss and nspr security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:35:45", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "description": "nspr\n[4.9.5-2] \n- Update to NSPR_4_9_5_RTM \n- Resolves: rhbz#927186 - Rebase to nspr-4.9.5 \n- Add upstream URL for an existing patch per packaging guidelines \n[4.9.5-1] \n- Resolves: Rebase to nspr-4.9.5 \n[4.9.2-1] \n- Update to nspr-4.9.2 \n- Related: rhbz#863286 \nnss \n[3.14.3-4.0.1.el6_4] \n- Added nss-vendor.patch to change vendor \n[3.14.3-4] \n- Revert to accepting MD5 on digital signatures by default \n- Resolves: rhbz#957603 - nss 3.14 - MD5 hash algorithm disabled \n[3.14.3-3] \n- Ensure pem uses system freebl as with this update freebl brings in new API's \n- Resolves: rhbz#927157 - [RFE][RHEL6] Rebase to nss-3.14.3 to fix the lucky-13 issue \n[3.14.3-2] \n- Install sechash.h and secmodt.h which are now provided by nss-devel \n- Resolves: rhbz#927157 - [RFE][RHEL6] Rebase to nss-3.14.3 to fix the lucky-13 issue \n- Remove unsafe -r option from commands that remove headers already shipped by nss-util and nss-softoken \n[3.14.3-1] \n- Update to NSS_3.14.3_RTM \n- Resolves: rhbz#927157 - [RFE][RHEL6] Rebase to nss-3.14.3 to fix the lucky-13 issue \n- Update expired test certificates (fixed in upstream bug 852781) \n- Sync up pem module's rsawrapr.c with softoken's upstream changes for nss-3.14.3 \n- Reactivate the aia tests \nnss-softokn \n[3.14.3-3] \n- Add patch to 
conditionally compile according to old or new sqlite api \n- new is used on rhel-6 while rhel-5 uses old but we need the same code for both \n- Resolves: rhbz#927158 - Rebase to nss-softokn 3.14.3 to fix the lucky-13 issue \n[3.14.3-2] \n- Revert to using a code patch for relro support \n- Related: rhbz#927158 \n[3.14.3-1] \n- Update to NSS_3_14_3_RTM \n- Resolves: rhbz#927158 - Rebase to nss-softokn 3.14.3 to fix the lucky-13 issue \n- Add export LD_LIBRARY_PATH=//usr/lib before the signing commands in __spec_install_post scriptlet \nto ensure signing tool links with in-tree freebl so verification uses same algorithm as in signing \n- Add %check section to run the upstream crypto regression test suite as per packaging guidelines \n- Don't install sechash.h or secmodt.h which as per 3.14 are provided by nss-devel \n- Update the licence to MPLv2.0 \n[3.12.9-12] \n- Bootstrapping of the buildroot in preparation for rebase to 3.14.3 \n- Remove hasht.h from the %files devel list to prevent update conflicts with nss-util \n- With 3.14.3 hasht.h will be provided by nss-util-devel \n- Related: rhbz#927158 - rebase nss-softokn to 3.14.3 \nnss-util \n[3.14.3-3] \n- Resolves: rhbz#984967 - nssutil_ReadSecmodDB leaks memory \n[3.14.3-2] \n- Revert to accepting MD5 on digital signatures by default \n- Resolves: rhbz#957603 - nss 3.14 - MD5 hash algorithm disabled \n[3.14.3-1] \n- Update to NSS_3_14_3_RTM \n- Resolves: rhbz#927171 - Rebase to 3.14.3 as part of the fix for the lucky-13 issue", "edition": 4, "modified": "2013-08-07T00:00:00", "published": "2013-08-07T00:00:00", "id": "ELSA-2013-1144", "href": "http://linux.oracle.com/errata/ELSA-2013-1144.html", "title": "nss, nss-util, nss-softokn, and nspr security update", "type": "oraclelinux", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:46:56", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "description": "Network Security Services (NSS) is 
a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites\nwere used. A remote attacker could possibly use this flaw to retrieve plain\ntext from the encrypted packets by using a TLS/SSL or DTLS server as a\npadding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded certain\ncertificates. If an application using NSS decoded a malformed certificate,\nit could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter\nof CVE-2013-0791.\n\nThis update also fixes the following bugs:\n\n* A defect in the FreeBL library implementation of the Diffie-Hellman (DH)\nprotocol previously caused Openswan to drop connections. (BZ#958023)\n\n * A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#986969)\n\nIn addition, the nss package has been upgraded to upstream version 3.14.3,\nand the nspr package has been upgraded to upstream version 4.9.5. These\nupdates provide a number of bug fixes and enhancements over the previous\nversions. (BZ#949845, BZ#924741)\n\nNote that while upstream NSS version 3.14 prevents the use of certificates\nthat have an MD5 signature, this erratum includes a patch that allows such\ncertificates by default. To prevent the use of certificates that have an\nMD5 signature, set the \"NSS_HASH_ALG_SUPPORT\" environment variable\nto \"-MD5\".\n\nUsers of NSS and NSPR are advised to upgrade to these updated packages,\nwhich fix these issues and add these enhancements. 
After installing this\nupdate, applications using NSS or NSPR must be restarted for this update to\ntake effect.\n", "modified": "2017-09-08T11:51:49", "published": "2013-08-05T04:00:00", "id": "RHSA-2013:1135", "href": "https://access.redhat.com/errata/RHSA-2013:1135", "type": "redhat", "title": "(RHSA-2013:1135) Moderate: nss and nspr security, bug fix, and enhancement update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T18:45:06", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "description": "Network Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities. nss-softokn provides\nan NSS softoken cryptographic module.\n\nIt was discovered that NSS leaked timing information when decrypting\nTLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites\nwere used. A remote attacker could possibly use this flaw to retrieve plain\ntext from the encrypted packets by using a TLS/SSL or DTLS server as a\npadding oracle. (CVE-2013-1620)\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded certain\ncertificates. If an application using NSS decoded a malformed certificate,\nit could cause the application to crash. (CVE-2013-0791)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter\nof CVE-2013-0791.\n\nThis update also fixes the following bugs:\n\n* The RHBA-2013:0445 update (which upgraded NSS to version 3.14) prevented\nthe use of certificates that have an MD5 signature. This caused problems in\ncertain environments. With this update, certificates that have an MD5\nsignature are once again allowed. 
To prevent the use of certificates that\nhave an MD5 signature, set the \"NSS_HASH_ALG_SUPPORT\" environment variable\nto \"-MD5\". (BZ#957603)\n\n* Previously, the sechash.h header file was missing, preventing certain\nsource RPMs (such as firefox and xulrunner) from building. (BZ#948715)\n\n* A memory leak in the nssutil_ReadSecmodDB() function has been fixed.\n(BZ#984967)\n\nIn addition, the nss package has been upgraded to upstream version 3.14.3,\nthe nss-util package has been upgraded to upstream version 3.14.3, the\nnss-softokn package has been upgraded to upstream version 3.14.3, and the\nnspr package has been upgraded to upstream version 4.9.5. These updates\nprovide a number of bug fixes and enhancements over the previous versions.\n(BZ#927157, BZ#927171, BZ#927158, BZ#927186)\n\nUsers of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade to\nthese updated packages, which fix these issues and add these enhancements.\nAfter installing this update, applications using NSS, NSPR, nss-util, or\nnss-softokn must be restarted for this update to take effect.\n", "modified": "2018-06-06T20:24:09", "published": "2013-08-07T04:00:00", "id": "RHSA-2013:1144", "href": "https://access.redhat.com/errata/RHSA-2013:1144", "type": "redhat", "title": "(RHSA-2013:1144) Moderate: nss, nss-util, nss-softokn, and nspr security update", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-08-13T18:44:47", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620", "CVE-2013-1739", "CVE-2013-1741", "CVE-2013-5605", "CVE-2013-5606", "CVE-2013-5607"], "description": "Network Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA flaw was found in the way NSS handled invalid handshake packets. 
A remote\nattacker could use this flaw to cause a TLS/SSL client using NSS to crash\nor, possibly, execute arbitrary code with the privileges of the user\nrunning the application. (CVE-2013-5605)\n\nIt was found that the fix for CVE-2013-1620 released via RHSA-2013:1135\nintroduced a regression causing NSS to read uninitialized data when a\ndecryption failure occurred. A remote attacker could use this flaw to cause\na TLS/SSL server using NSS to crash. (CVE-2013-1739)\n\nAn integer overflow flaw was discovered in both NSS and NSPR's\nimplementation of certification parsing on 64-bit systems. A remote\nattacker could use these flaws to cause an application using NSS or NSPR to\ncrash. (CVE-2013-1741, CVE-2013-5607)\n\nIt was discovered that NSS did not reject certificates with incompatible\nkey usage constraints when validating them while the verifyLog feature was\nenabled. An application using the NSS certificate validation API could\naccept an invalid certificate. (CVE-2013-5606)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges\nTavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as\nthe original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and\nWan-Teh Chang as the original reporters of CVE-2013-5607.\n\nIn addition, the nss package has been upgraded to upstream version 3.15.3,\nand the nspr package has been upgraded to upstream version 4.10.2.\nThese updates provide a number of bug fixes and enhancements over the\nprevious versions. (BZ#1033478, BZ#1020520)\n\nThis update also fixes the following bug:\n\n* The RHBA-2013:1318 update introduced a regression that prevented the use\nof certificates that have an MD5 signature. This update fixes this\nregression and certificates that have an MD5 signature are once again\nsupported. 
To prevent the use of certificates that have an MD5 signature,\nset the \"NSS_HASH_ALG_SUPPORT\" environment variable to \"-MD5\". (BZ#1033499)\n\nUsers of NSS and NSPR are advised to upgrade to these updated packages,\nwhich fix these issues and add these enhancements. After installing this\nupdate, applications using NSS or NSPR must be restarted for this update to\ntake effect.\n", "modified": "2017-09-08T12:20:25", "published": "2013-12-05T05:00:00", "id": "RHSA-2013:1791", "href": "https://access.redhat.com/errata/RHSA-2013:1791", "type": "redhat", "title": "(RHSA-2013:1791) Important: nss and nspr security, bug fix, and enhancement update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:32", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1620", "CVE-2013-1739", "CVE-2013-1741", "CVE-2013-5605", "CVE-2013-5606", "CVE-2013-5607"], "description": "Network Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA flaw was found in the way NSS handled invalid handshake packets. A remote\nattacker could use this flaw to cause a TLS/SSL client using NSS to crash\nor, possibly, execute arbitrary code with the privileges of the user\nrunning the application. (CVE-2013-5605)\n\nIt was found that the fix for CVE-2013-1620 released via RHSA-2013:1135\nintroduced a regression causing NSS to read uninitialized data when a\ndecryption failure occurred. A remote attacker could use this flaw to cause\na TLS/SSL server using NSS to crash. (CVE-2013-1739)\n\nAn integer overflow flaw was discovered in both NSS and NSPR's\nimplementation of certification parsing on 64-bit systems. A remote\nattacker could use these flaws to cause an application using NSS or NSPR to\ncrash. 
(CVE-2013-1741, CVE-2013-5607)\n\nIt was discovered that NSS did not reject certificates with incompatible\nkey usage constraints when validating them while the verifyLog feature was\nenabled. An application using the NSS certificate validation API could\naccept an invalid certificate. (CVE-2013-5606)\n\nRed Hat would like to thank the Mozilla project for reporting\nCVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges\nTavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as\nthe original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and\nWan-Teh Chang as the original reporters of CVE-2013-5607.\n\nAll NSS, NSPR, and nss-util users are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues.\nAfter installing this update, applications using NSS, NSPR, or nss-util\nmust be restarted for this update to take effect.\n", "modified": "2018-06-06T20:24:18", "published": "2013-12-12T05:00:00", "id": "RHSA-2013:1829", "href": "https://access.redhat.com/errata/RHSA-2013:1829", "type": "redhat", "title": "(RHSA-2013:1829) Important: nss, nspr, and nss-util security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:36:53", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "description": "**Issue Overview:**\n\nIt was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. ([CVE-2013-1620 __](<https://access.redhat.com/security/cve/CVE-2013-1620>))\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. 
([CVE-2013-0791 __](<https://access.redhat.com/security/cve/CVE-2013-0791>))\n\n \n**Affected Packages:** \n\n\nnss\n\n \n**Issue Correction:** \nRun _yum update nss_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n nss-3.14.3-4.29.amzn1.i686 \n nss-tools-3.14.3-4.29.amzn1.i686 \n nss-devel-3.14.3-4.29.amzn1.i686 \n nss-debuginfo-3.14.3-4.29.amzn1.i686 \n nss-sysinit-3.14.3-4.29.amzn1.i686 \n nss-pkcs11-devel-3.14.3-4.29.amzn1.i686 \n \n src: \n nss-3.14.3-4.29.amzn1.src \n \n x86_64: \n nss-debuginfo-3.14.3-4.29.amzn1.x86_64 \n nss-sysinit-3.14.3-4.29.amzn1.x86_64 \n nss-3.14.3-4.29.amzn1.x86_64 \n nss-devel-3.14.3-4.29.amzn1.x86_64 \n nss-pkcs11-devel-3.14.3-4.29.amzn1.x86_64 \n nss-tools-3.14.3-4.29.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-08-07T21:23:00", "published": "2013-08-07T21:23:00", "id": "ALAS-2013-217", "href": "https://alas.aws.amazon.com/ALAS-2013-217.html", "title": "Medium: nss", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-10T12:35:04", "bulletinFamily": "unix", "cvelist": ["CVE-2013-0791", "CVE-2013-1620"], "description": "**Issue Overview:**\n\nIt was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. ([CVE-2013-1620 __](<https://access.redhat.com/security/cve/CVE-2013-1620>))\n\nAn out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. 
([CVE-2013-0791 __](<https://access.redhat.com/security/cve/CVE-2013-0791>))\n\n \n**Affected Packages:** \n\n\nnspr\n\n \n**Issue Correction:** \nRun _yum update nspr_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n nspr-4.9.5-2.17.amzn1.i686 \n nspr-devel-4.9.5-2.17.amzn1.i686 \n nspr-debuginfo-4.9.5-2.17.amzn1.i686 \n \n src: \n nspr-4.9.5-2.17.amzn1.src \n \n x86_64: \n nspr-devel-4.9.5-2.17.amzn1.x86_64 \n nspr-debuginfo-4.9.5-2.17.amzn1.x86_64 \n nspr-4.9.5-2.17.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-08-07T21:23:00", "published": "2013-08-07T21:23:00", "id": "ALAS-2013-216", "href": "https://alas.aws.amazon.com/ALAS-2013-216.html", "title": "Medium: nspr", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-11-10T12:36:42", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5607", "CVE-2013-5605", "CVE-2013-1741", "CVE-2013-1739", "CVE-2013-5606", "CVE-2013-1620"], "description": "**Issue Overview:**\n\nA flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. ([CVE-2013-5605 __](<https://access.redhat.com/security/cve/CVE-2013-5605>))\n\nIt was found that the fix for [CVE-2013-1620 __](<https://access.redhat.com/security/cve/CVE-2013-1620>) introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. ([CVE-2013-1739 __](<https://access.redhat.com/security/cve/CVE-2013-1739>))\n\nAn integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. 
([CVE-2013-1741 __](<https://access.redhat.com/security/cve/CVE-2013-1741>), [CVE-2013-5607 __](<https://access.redhat.com/security/cve/CVE-2013-5607>))\n\nIt was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. ([CVE-2013-5606 __](<https://access.redhat.com/security/cve/CVE-2013-5606>))\n\n \n**Affected Packages:** \n\n\nnss\n\n \n**Issue Correction:** \nRun _yum update nss_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n nss-3.15.3-2.31.amzn1.i686 \n nss-devel-3.15.3-2.31.amzn1.i686 \n nss-debuginfo-3.15.3-2.31.amzn1.i686 \n nss-sysinit-3.15.3-2.31.amzn1.i686 \n nss-tools-3.15.3-2.31.amzn1.i686 \n nss-pkcs11-devel-3.15.3-2.31.amzn1.i686 \n \n src: \n nss-3.15.3-2.31.amzn1.src \n \n x86_64: \n nss-debuginfo-3.15.3-2.31.amzn1.x86_64 \n nss-devel-3.15.3-2.31.amzn1.x86_64 \n nss-tools-3.15.3-2.31.amzn1.x86_64 \n nss-pkcs11-devel-3.15.3-2.31.amzn1.x86_64 \n nss-sysinit-3.15.3-2.31.amzn1.x86_64 \n nss-3.15.3-2.31.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-12-17T21:31:00", "published": "2013-12-17T21:31:00", "id": "ALAS-2013-265", "href": "https://alas.aws.amazon.com/ALAS-2013-265.html", "title": "Important: nss", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-10T12:35:09", "bulletinFamily": "unix", "cvelist": ["CVE-2013-5607", "CVE-2013-5605", "CVE-2013-1741", "CVE-2013-1739", "CVE-2013-5606", "CVE-2013-1620"], "description": "**Issue Overview:**\n\nA flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. 
([CVE-2013-5605 __](<https://access.redhat.com/security/cve/CVE-2013-5605>))\n\nIt was found that the fix for [CVE-2013-1620 __](<https://access.redhat.com/security/cve/CVE-2013-1620>) introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. ([CVE-2013-1739 __](<https://access.redhat.com/security/cve/CVE-2013-1739>))\n\nAn integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. ([CVE-2013-1741 __](<https://access.redhat.com/security/cve/CVE-2013-1741>), [CVE-2013-5607 __](<https://access.redhat.com/security/cve/CVE-2013-5607>))\n\nIt was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. ([CVE-2013-5606 __](<https://access.redhat.com/security/cve/CVE-2013-5606>))\n\n \n**Affected Packages:** \n\n\nnspr\n\n \n**Issue Correction:** \nRun _yum update nspr_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n nspr-debuginfo-4.10.2-1.19.amzn1.i686 \n nspr-devel-4.10.2-1.19.amzn1.i686 \n nspr-4.10.2-1.19.amzn1.i686 \n \n src: \n nspr-4.10.2-1.19.amzn1.src \n \n x86_64: \n nspr-debuginfo-4.10.2-1.19.amzn1.x86_64 \n nspr-devel-4.10.2-1.19.amzn1.x86_64 \n nspr-4.10.2-1.19.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2013-12-17T21:31:00", "published": "2013-12-17T21:31:00", "id": "ALAS-2013-266", "href": "https://alas.aws.amazon.com/ALAS-2013-266.html", "title": "Important: nspr", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}