{"cve": [{"lastseen": "2020-12-09T19:58:21", "description": "Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.", "edition": 7, "cvss3": {}, "published": "2014-02-06T05:44:00", "title": "CVE-2014-1490", "type": "cve", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-1490"], "modified": "2020-07-31T20:28:00", "cpe": ["cpe:/o:fedoraproject:fedora:19", "cpe:/o:opensuse:opensuse:13.1", "cpe:/a:oracle:vm_server:3.2", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:13.10", "cpe:/o:suse:linux_enterprise_software_development_kit:11", "cpe:/a:oracle:enterprise_manager_ops_center:12.2.0", "cpe:/o:canonical:ubuntu_linux:12.10", "cpe:/o:fedoraproject:fedora:20", "cpe:/a:oracle:enterprise_manager_ops_center:12.3.0", "cpe:/o:opensuse:opensuse:11.4", "cpe:/o:debian:debian_linux:7.0", "cpe:/o:suse:linux_enterprise_server:11", "cpe:/o:suse:linux_enterprise_desktop:11", "cpe:/a:oracle:enterprise_manager_ops_center:12.2.1", "cpe:/o:opensuse:opensuse:12.3"], "id": "CVE-2014-1490", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1490", "cvss": {"score": 
9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:vmware:*:*", "cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_desktop:11:sp3:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:vm_server:3.2:*:*:*:*:*:x86:*", "cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp3:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.1:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:11:sp3:*:*:*:*:*:*"]}], "mozilla": [{"lastseen": "2016-09-05T13:37:39", "bulletinFamily": "software", "cvelist": ["CVE-2014-1490", "CVE-2014-1491"], "edition": 1, "description": "Mozilla developer Brian Smith and security researchers\nAntoine Delignat-Lavaud and Karthikeyan\nBhargavan of the Prosecco research team at INRIA Paris reported issues\nwith ticket handling in the Network Security Services (NSS) libraries. 
These\nhave been addressed in the NSS 3.15.4 release, shipping on affected platforms.", "modified": "2014-02-04T00:00:00", "published": "2014-02-04T00:00:00", "id": "MFSA2014-12", "href": "http://www.mozilla.org/en-US/security/advisories/mfsa2014-12/", "type": "mozilla", "title": "NSS ticket handling issues", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "centos": [{"lastseen": "2019-12-20T18:28:32", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1491"], "description": "**CentOS Errata and Security Advisory** CESA-2014:1246\n\n\nNetwork Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications.\n\nA flaw was found in the way TLS False Start was implemented in NSS.\nAn attacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to crash\nan application using NSS or, in rare cases, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or, possibly,\nexecute arbitrary code with the privileges of the user running that\napplication. This NSPR flaw was not exposed to web content in any shipped\nversion of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain Names in\nApplications (IDNA) hostname matching in NSS did not follow the RFC 6125\nrecommendations. 
This could lead to certain invalid certificates with\ninternational characters to be accepted as valid. (CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues. Upstream\nacknowledges Brian Smith as the original reporter of CVE-2014-1490, Antoine\nDelignat-Lavaud and Karthikeyan Bhargavan as the original reporters of\nCVE-2014-1491, and Abhishek Arya as the original reporter of CVE-2014-1545.\n\nThe nss and nspr packages have been upgraded to upstream version 3.16.1 and\n4.10.6 respectively, which provide a number of bug fixes and enhancements\nover the previous versions. (BZ#1110857, BZ#1110860)\n\nThis update also fixes the following bugs:\n\n* Previously, when the output.log file was not present on the system, the\nshell in the Network Security Services (NSS) specification handled test\nfailures incorrectly as false positive test results. Consequently, certain\nutilities, such as \"grep\", could not handle failures properly. This update\nimproves error detection in the specification file, and \"grep\" and other\nutilities now handle missing files or crashes as intended. (BZ#1035281)\n\n* Prior to this update, a subordinate Certificate Authority (CA) of the\nANSSI agency incorrectly issued an intermediate certificate installed on a\nnetwork monitoring device. As a consequence, the monitoring device was\nenabled to act as an MITM (Man in the Middle) proxy performing traffic\nmanagement of domain names or IP addresses that the certificate holder did\nnot own or control. The trust in the intermediate certificate to issue the\ncertificate for an MITM device has been revoked, and such a device can no\nlonger be used for MITM attacks. (BZ#1042684)\n\n* Due to a regression, MD5 certificates were rejected by default because\nNetwork Security Services (NSS) did not trust MD5 certificates. 
With this\nupdate, MD5 certificates are supported in Red Hat Enterprise Linux 5.\n(BZ#11015864)\n\nUsers of nss and nspr are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-September/032672.html\n\n**Affected packages:**\nnss\nnss-devel\nnss-pkcs11-devel\nnss-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-1246.html", "edition": 3, "modified": "2014-09-30T11:21:57", "published": "2014-09-30T11:21:57", "href": "http://lists.centos.org/pipermail/centos-announce/2014-September/032672.html", "id": "CESA-2014:1246", "title": "nss security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T18:26:19", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "description": "**CentOS Errata and Security Advisory** CESA-2014:0917\n\n\nNetwork Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain certificates.\nA remote attacker could use this flaw to crash an application using NSS or,\npossibly, execute arbitrary code with the privileges of the user running\nthat application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS.\nAn attacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. 
An attacker could use this flaw to crash\nan application using NSS or, in rare cases, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or, possibly,\nexecute arbitrary code with the privileges of the user running that\napplication. This NSPR flaw was not exposed to web content in any shipped\nversion of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain Names in\nApplications (IDNA) hostname matching in NSS did not follow the RFC 6125\nrecommendations. This could lead to certain invalid certificates with\ninternational characters to be accepted as valid. (CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original reporter\nof CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan Bhargavan as the\noriginal reporters of CVE-2014-1491, and Abhishek Arya as the original\nreporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version 3.16.1,\nand the nspr package has been upgraded to upstream version 4.10.6. These\nupdated packages provide a number of bug fixes and enhancements over the\nprevious versions. (BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements. 
After installing\nthis update, applications using NSS or NSPR must be restarted for this\nupdate to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/032472.html\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/032474.html\nhttp://lists.centos.org/pipermail/centos-announce/2014-July/032475.html\n\n**Affected packages:**\nnspr\nnspr-devel\nnss\nnss-devel\nnss-pkcs11-devel\nnss-sysinit\nnss-tools\nnss-util\nnss-util-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2014-0917.html", "edition": 3, "modified": "2014-07-23T02:58:54", "published": "2014-07-23T02:49:51", "href": "http://lists.centos.org/pipermail/centos-announce/2014-July/032472.html", "id": "CESA-2014:0917", "title": "nspr, nss security update", "type": "centos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:38", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1740", "CVE-2014-1490", "CVE-2014-1491", "CVE-2014-1492", "CVE-2014-1545"], "description": "Network Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications.\n\nA flaw was found in the way TLS False Start was implemented in NSS.\nAn attacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to crash\nan application using NSS or, in rare cases, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. 
A remote attacker could\npotentially use this flaw to crash an application using NSPR or, possibly,\nexecute arbitrary code with the privileges of the user running that\napplication. This NSPR flaw was not exposed to web content in any shipped\nversion of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain Names in\nApplications (IDNA) hostname matching in NSS did not follow the RFC 6125\nrecommendations. This could lead to certain invalid certificates with\ninternational characters to be accepted as valid. (CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues. Upstream\nacknowledges Brian Smith as the original reporter of CVE-2014-1490, Antoine\nDelignat-Lavaud and Karthikeyan Bhargavan as the original reporters of\nCVE-2014-1491, and Abhishek Arya as the original reporter of CVE-2014-1545.\n\nThe nss and nspr packages have been upgraded to upstream version 3.16.1 and\n4.10.6 respectively, which provide a number of bug fixes and enhancements\nover the previous versions. (BZ#1110857, BZ#1110860)\n\nThis update also fixes the following bugs:\n\n* Previously, when the output.log file was not present on the system, the\nshell in the Network Security Services (NSS) specification handled test\nfailures incorrectly as false positive test results. Consequently, certain\nutilities, such as \"grep\", could not handle failures properly. This update\nimproves error detection in the specification file, and \"grep\" and other\nutilities now handle missing files or crashes as intended. (BZ#1035281)\n\n* Prior to this update, a subordinate Certificate Authority (CA) of the\nANSSI agency incorrectly issued an intermediate certificate installed on a\nnetwork monitoring device. 
As a consequence, the monitoring device was\nenabled to act as an MITM (Man in the Middle) proxy performing traffic\nmanagement of domain names or IP addresses that the certificate holder did\nnot own or control. The trust in the intermediate certificate to issue the\ncertificate for an MITM device has been revoked, and such a device can no\nlonger be used for MITM attacks. (BZ#1042684)\n\n* Due to a regression, MD5 certificates were rejected by default because\nNetwork Security Services (NSS) did not trust MD5 certificates. With this\nupdate, MD5 certificates are supported in Red Hat Enterprise Linux 5.\n(BZ#11015864)\n\nUsers of nss and nspr are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements.\n", "modified": "2017-09-08T12:06:39", "published": "2014-09-16T04:00:00", "id": "RHSA-2014:1246", "href": "https://access.redhat.com/errata/RHSA-2014:1246", "type": "redhat", "title": "(RHSA-2014:1246) Moderate: nss and nspr security, bug fix, and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:01", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1740", "CVE-2014-1490", "CVE-2014-1491", "CVE-2014-1492", "CVE-2014-1544", "CVE-2014-1545"], "description": "Network Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain certificates.\nA remote attacker could use this flaw to crash an application using NSS or,\npossibly, execute arbitrary code with the privileges of the user running\nthat application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS.\nAn attacker could use this flaw to potentially return unencrypted\ninformation from the server. 
(CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to crash\nan application using NSS or, in rare cases, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or, possibly,\nexecute arbitrary code with the privileges of the user running that\napplication. This NSPR flaw was not exposed to web content in any shipped\nversion of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain Names in\nApplications (IDNA) hostname matching in NSS did not follow the RFC 6125\nrecommendations. This could lead to certain invalid certificates with\ninternational characters to be accepted as valid. (CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original reporter\nof CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan Bhargavan as the\noriginal reporters of CVE-2014-1491, and Abhishek Arya as the original\nreporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version 3.16.1,\nand the nspr package has been upgraded to upstream version 4.10.6. These\nupdated packages provide a number of bug fixes and enhancements over the\nprevious versions. 
(BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements. After installing\nthis update, applications using NSS or NSPR must be restarted for this\nupdate to take effect.\n", "modified": "2018-06-06T20:24:28", "published": "2014-07-22T04:00:00", "id": "RHSA-2014:0917", "href": "https://access.redhat.com/errata/RHSA-2014:0917", "type": "redhat", "title": "(RHSA-2014:0917) Critical: nss and nspr security, bug fix, and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:44:46", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1740", "CVE-2014-1490", "CVE-2014-1491", "CVE-2014-1492", "CVE-2014-1544", "CVE-2014-1545", "CVE-2014-4607", "CVE-2014-4699", "CVE-2014-4943"], "description": "The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization\nHypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor\nis a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes\neverything necessary to run and manage virtual machines: a subset of the\nRed Hat Enterprise Linux operating environment and the Red Hat Enterprise\nVirtualization Agent.\n\nNote: Red Hat Enterprise Virtualization Hypervisor is only available for\nthe Intel 64 and AMD64 architectures with virtualization extensions.\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1491 issue. 
Upstream acknowledges Antoine Delignat-Lavaud and\nKarthikeyan Bhargavan as the original reporters of CVE-2014-1491.\n\nThis update includes changes to the rhev-hypervisor component:\n\n* The most recent build of rhev-hypervisor is included in version 3.4.1.\n(BZ#1118298)\n\nThis updated package also provides updated components that include fixes\nfor various security issues. These issues have no security impact on Red\nHat Enterprise Virtualization Hypervisor itself, however. The security\nfixes included in this update address the following CVE numbers:\n\nCVE-2014-4699 and CVE-2014-4943 (kernel issues)\n\nCVE-2014-4607 (lzo issue)\n\nCVE-2013-1740, CVE-2014-1490, CVE-2014-1492, CVE-2014-1545, and\nCVE-2014-1544 (nss and nspr issues)\n\nUsers of the Red Hat Enterprise Virtualization Hypervisor are advised to\nupgrade to this updated package.\n", "modified": "2018-06-07T08:59:43", "published": "2014-07-29T04:00:00", "id": "RHSA-2014:0979", "href": "https://access.redhat.com/errata/RHSA-2014:0979", "type": "redhat", "title": "(RHSA-2014:0979) Moderate: rhev-hypervisor6 security and bug fix update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:25", "bulletinFamily": "unix", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1491"], "description": "[3.16.1-2]\r\n- Backport nss-3.12.6 upstream fix required by Firefox 31 ESR\r\n- Resolves: Bug 1110860\r\n \n[3.16.1-1]\r\n- Rebase to nss-3.16.1 for FF31\r\n- Resolves: Bug 1110860 - Rebase nss in RHEL 5.11 to NSS 3.16.1, required for FF 31\r\n ", "edition": 4, "modified": "2014-09-17T00:00:00", "published": "2014-09-17T00:00:00", "id": "ELSA-2014-1246", "href": "http://linux.oracle.com/errata/ELSA-2014-1246.html", "title": "nss and nspr security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:04", 
"bulletinFamily": "unix", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "description": "nspr\n[4.10.6-1]\n- Rebase to nspr-4.10.6\n- Resolves: rhbz#1112135\nnss\n[3.16.1-4.0.1.el6_5]\n- Added nss-vendor.patch to change vendor\n[3.16.1-4]\n- Update some patches on account of the rebase\n- Resolves: Bug 1099619\n[3.16.1-3]\n- Backport nss-3.12.6 upstream fix required by Firefox 31\n- Resolves: Bug 1099619\n[3.16.1-2]\n- Remove two unused patches and apply a needed one that was missed\n- Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS 3.16.1\n[3.16.1-1]\n- Update to nss-3.16.1\n- Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS 3.16.1\nnss-util\n[3.15.6-1]\n- Update to nss-3.16.1\n- Resolves: rhbz#1112136", "edition": 4, "modified": "2014-07-22T00:00:00", "published": "2014-07-22T00:00:00", "id": "ELSA-2014-0917", "href": "http://linux.oracle.com/errata/ELSA-2014-0917.html", "title": "nss and nspr security, bug fix, and enhancement update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:37:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1491"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-10-01T00:00:00", "id": "OPENVAS:1361412562310882049", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882049", "type": "openvas", "title": "CentOS Update for nss CESA-2014:1246 centos5", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for nss CESA-2014:1246 centos5\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or 
modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882049\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-10-01 16:59:35 +0530 (Wed, 01 Oct 2014)\");\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1545\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for nss CESA-2014:1246 centos5\");\n script_tag(name:\"insight\", value:\"Network Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications.\n\nA flaw was found in the way TLS False Start was implemented in NSS.\nAn attacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to crash\nan application using NSS or, in rare cases, execute arbitrary code with the\nprivileges of the user running that application. 
(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or, possibly,\nexecute arbitrary code with the privileges of the user running that\napplication. This NSPR flaw was not exposed to web content in any shipped\nversion of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain Names in\nApplications (IDNA) hostname matching in NSS did not follow the RFC 6125\nrecommendations. This could lead to certain invalid certificates with\ninternational characters to be accepted as valid. (CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues. Upstream\nacknowledges Brian Smith as the original reporter of CVE-2014-1490, Antoine\nDelignat-Lavaud and Karthikeyan Bhargavan as the original reporters of\nCVE-2014-1491, and Abhishek Arya as the original reporter of CVE-2014-1545.\n\nThe nss and nspr packages have been upgraded to upstream version 3.16.1 and\n4.10.6 respectively, which provide a number of bug fixes and enhancements\nover the previous versions. (BZ#1110857, BZ#1110860)\n\nThis update also fixes the following bugs:\n\n * Previously, when the output.log file was not present on the system, the\nshell in the Network Security Services (NSS) specification handled test\nfailures incorrectly as false positive test results. Consequently, certain\nutilities, such as 'grep', could not handle failures properly. This update\nimproves error detection in the specification file, and 'grep' and other\nutilities now handle missing files or crashes as intended. 
(BZ#1035281)\n\n * Prior to this update, a subordinate Certificate Authority (CA) of the\nANSSI agency incorrectly issued an intermediate certificate installed on a\nnetwork monit ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"nss on CentOS 5\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"CESA\", value:\"2014:1246\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-September/020634.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS5\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS5\")\n{\n\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.16.1~2.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.16.1~2.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.16.1~2.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.16.1~2.el5\", rls:\"CentOS5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:35:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1491"], "description": "Oracle Linux Local Security Checks ELSA-2014-1246", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123309", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123309", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-1246", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-1246.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123309\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:02:05 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-1246\");\n script_tag(name:\"insight\", value:\"ELSA-2014-1246 - nss and nspr security, bug fix, and enhancement update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-1246\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-1246.html\");\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1545\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == 
\"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.16.1~2.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.16.1~2.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.16.1~2.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.16.1~2.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1491"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2014-09-17T00:00:00", "id": "OPENVAS:1361412562310871244", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871244", "type": "openvas", "title": "RedHat Update for nss and nspr RHSA-2014:1246-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for nss and nspr RHSA-2014:1246-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871244\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-09-17 05:57:45 +0200 (Wed, 17 Sep 2014)\");\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1545\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for nss and nspr RHSA-2014:1246-01\");\n script_tag(name:\"insight\", value:\"Network Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications.\n\nA flaw was found in the way TLS False Start was implemented in NSS.\nAn attacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to crash\nan application using NSS or, in rare cases, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. 
A remote attacker could\npotentially use this flaw to crash an application using NSPR or, possibly,\nexecute arbitrary code with the privileges of the user running that\napplication. This NSPR flaw was not exposed to web content in any shipped\nversion of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain Names in\nApplications (IDNA) hostname matching in NSS did not follow the RFC 6125\nrecommendations. This could lead to certain invalid certificates with\ninternational characters to be accepted as valid. (CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues. Upstream\nacknowledges Brian Smith as the original reporter of CVE-2014-1490, Antoine\nDelignat-Lavaud and Karthikeyan Bhargavan as the original reporters of\nCVE-2014-1491, and Abhishek Arya as the original reporter of CVE-2014-1545.\n\nThe nss and nspr packages have been upgraded to upstream version 3.16.1 and\n4.10.6 respectively, which provide a number of bug fixes and enhancements\nover the previous versions. (BZ#1110857, BZ#1110860)\n\nThis update also fixes the following bugs:\n\n * Previously, when the output.log file was not present on the system, the\nshell in the Network Security Services (NSS) specification handled test\nfailures incorrectly as false positive test results. Consequently, certain\nutilities, such as 'grep', could not handle failures properly. This update\nimproves error detection in the specification file, and 'grep' and other\nutilities now handle missing files or crashes as intended. (BZ#1035281)\n\n * Prior to this update, a subordinate Certificate Authority (CA) of the\nANSSI agency incorrectly issued an intermediate c ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"nss and nspr on Red Hat Enterprise Linux (v. 
5 server)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"RHSA\", value:\"2014:1246-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-September/msg00033.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss and nspr'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_5\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_5\")\n{\n\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.16.1~2.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-debuginfo\", rpm:\"nss-debuginfo~3.16.1~2.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.16.1~2.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.16.1~2.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.16.1~2.el5\", rls:\"RHENT_5\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:26", "bulletinFamily": "scanner", "cvelist": 
["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310881970", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881970", "type": "openvas", "title": "CentOS Update for nspr CESA-2014:0917 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for nspr CESA-2014:0917 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881970\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:32:21 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\",\n \"CVE-2014-1544\", \"CVE-2014-1545\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for nspr CESA-2014:0917 centos6\");\n\n script_tag(name:\"affected\", value:\"nspr on CentOS 6\");\n script_tag(name:\"insight\", value:\"Network Security Services (NSS) is a set of libraries designed\nto support the cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain certificates.\nA remote attacker could use this flaw to crash an application using NSS or,\npossibly, execute arbitrary code with the privileges of the user running\nthat application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS.\nAn attacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. 
An attacker could use this flaw to crash\nan application using NSS or, in rare cases, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or, possibly,\nexecute arbitrary code with the privileges of the user running that\napplication. This NSPR flaw was not exposed to web content in any shipped\nversion of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain Names in\nApplications (IDNA) hostname matching in NSS did not follow the RFC 6125\nrecommendations. This could lead to certain invalid certificates with\ninternational characters to be accepted as valid. (CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original reporter\nof CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan Bhargavan as the\noriginal reporters of CVE-2014-1491, and Abhishek Arya as the original\nreporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version 3.16.1,\nand the nspr package has been upgraded to upstream version 4.10.6. These\nupdated packages provide a number of bug fixes and enhancements over the\nprevious versions. (BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements. 
After installing\nthis update, applications using NSS or NSPR must be restarted for this\nupdate to take effect.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:0917\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-July/020434.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nspr'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.10.6~1.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nspr-devel\", rpm:\"nspr-devel~4.10.6~1.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310881975", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881975", "type": "openvas", "title": "CentOS Update 
for nss CESA-2014:0917 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for nss CESA-2014:0917 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881975\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:35:26 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\",\n \"CVE-2014-1544\", \"CVE-2014-1545\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for nss CESA-2014:0917 centos6\");\n\n script_tag(name:\"affected\", value:\"nss on CentOS 6\");\n script_tag(name:\"insight\", value:\"Network Security Services (NSS) is a set of libraries designed\nto support the cross-platform development of security-enabled client and server\napplications. 
Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain certificates.\nA remote attacker could use this flaw to crash an application using NSS or,\npossibly, execute arbitrary code with the privileges of the user running\nthat application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS.\nAn attacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to crash\nan application using NSS or, in rare cases, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or, possibly,\nexecute arbitrary code with the privileges of the user running that\napplication. This NSPR flaw was not exposed to web content in any shipped\nversion of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain Names in\nApplications (IDNA) hostname matching in NSS did not follow the RFC 6125\nrecommendations. This could lead to certain invalid certificates with\ninternational characters to be accepted as valid. 
(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original reporter\nof CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan Bhargavan as the\noriginal reporters of CVE-2014-1491, and Abhishek Arya as the original\nreporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version 3.16.1,\nand the nspr package has been upgraded to upstream version 4.10.6. These\nupdated packages provide a number of bug fixes and enhancements over the\nprevious versions. (BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements. After installing\nthis update, applications using NSS or NSPR must be restarted for this\nupdate to take effect.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:0917\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-July/020437.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n 
if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.16.1~4.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.16.1~4.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.16.1~4.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-sysinit\", rpm:\"nss-sysinit~3.16.1~4.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.16.1~4.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310871209", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871209", "type": "openvas", "title": "RedHat Update for nss and nspr RHSA-2014:0917-01", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for nss and nspr RHSA-2014:0917-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT 
ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871209\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:43:49 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\",\n \"CVE-2014-1544\", \"CVE-2014-1545\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Update for nss and nspr RHSA-2014:0917-01\");\n\n\n script_tag(name:\"affected\", value:\"nss and nspr on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"insight\", value:\"Network Security Services (NSS) is a set of libraries designed to support\nthe cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain certificates.\nA remote attacker could use this flaw to crash an application using NSS or,\npossibly, execute arbitrary code with the privileges of the user running\nthat application. 
(CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS.\nAn attacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to crash\nan application using NSS or, in rare cases, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or, possibly,\nexecute arbitrary code with the privileges of the user running that\napplication. This NSPR flaw was not exposed to web content in any shipped\nversion of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain Names in\nApplications (IDNA) hostname matching in NSS did not follow the RFC 6125\nrecommendations. This could lead to certain invalid certificates with\ninternational characters to be accepted as valid. (CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original reporter\nof CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan Bhargavan as the\noriginal reporters of CVE-2014-1491, and Abhishek Arya as the original\nreporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version 3.16.1,\nand the nspr package has been upgraded to upstream version 4.10.6. 
These\nupdated packages provide a number of bug fixes and enhancements over the\nprevious versions. (BZ#1112136, BZ#11121 ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"RHSA\", value:\"2014:0917-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2014-July/msg00043.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss and nspr'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.10.6~1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nspr-debuginfo\", rpm:\"nspr-debuginfo~4.10.6~1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nspr-devel\", rpm:\"nspr-devel~4.10.6~1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.16.1~4.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-debuginfo\", rpm:\"nss-debuginfo~3.16.1~4.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if 
((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.16.1~4.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-sysinit\", rpm:\"nss-sysinit~3.16.1~4.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.16.1~4.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-util\", rpm:\"nss-util~3.16.1~1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-util-debuginfo\", rpm:\"nss-util-debuginfo~3.16.1~1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-util-devel\", rpm:\"nss-util-devel~3.16.1~1.el6_5\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:36:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "description": "Oracle Linux Local Security Checks ELSA-2014-0917", "modified": "2018-09-28T00:00:00", "published": "2015-10-06T00:00:00", "id": "OPENVAS:1361412562310123369", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123369", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2014-0917", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2014-0917.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it 
under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.123369\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-06 14:02:52 +0300 (Tue, 06 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2014-0917\");\n script_tag(name:\"insight\", value:\"ELSA-2014-0917 - nss and nspr security, bug fix, and enhancement update. 
Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2014-0917\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2014-0917.html\");\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1544\", \"CVE-2014-1545\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"nspr\", rpm:\"nspr~4.10.6~1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nspr-devel\", rpm:\"nspr-devel~4.10.6~1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss\", rpm:\"nss~3.16.1~4.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-devel\", rpm:\"nss-devel~3.16.1~4.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-pkcs11-devel\", rpm:\"nss-pkcs11-devel~3.16.1~4.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = 
isrpmvuln(pkg:\"nss-sysinit\", rpm:\"nss-sysinit~3.16.1~4.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-tools\", rpm:\"nss-tools~3.16.1~4.0.1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-util\", rpm:\"nss-util~3.16.1~1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"nss-util-devel\", rpm:\"nss-util-devel~3.16.1~1.el6_5\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:37:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2014-07-28T00:00:00", "id": "OPENVAS:1361412562310881967", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881967", "type": "openvas", "title": "CentOS Update for nss-util CESA-2014:0917 centos6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for nss-util CESA-2014:0917 centos6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.881967\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2014-07-28 16:30:14 +0530 (Mon, 28 Jul 2014)\");\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\",\n \"CVE-2014-1544\", \"CVE-2014-1545\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"CentOS Update for nss-util CESA-2014:0917 centos6\");\n\n script_tag(name:\"affected\", value:\"nss-util on CentOS 6\");\n script_tag(name:\"insight\", value:\"Network Security Services (NSS) is a set of libraries designed\nto support the cross-platform development of security-enabled client and server\napplications. Netscape Portable Runtime (NSPR) provides platform\nindependence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain certificates.\nA remote attacker could use this flaw to crash an application using NSS or,\npossibly, execute arbitrary code with the privileges of the user running\nthat application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS.\nAn attacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. 
An attacker could use this flaw to crash\nan application using NSS or, in rare cases, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or, possibly,\nexecute arbitrary code with the privileges of the user running that\napplication. This NSPR flaw was not exposed to web content in any shipped\nversion of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain Names in\nApplications (IDNA) hostname matching in NSS did not follow the RFC 6125\nrecommendations. This could lead to certain invalid certificates with\ninternational characters to be accepted as valid. (CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original reporter\nof CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan Bhargavan as the\noriginal reporters of CVE-2014-1491, and Abhishek Arya as the original\nreporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version 3.16.1,\nand the nspr package has been upgraded to upstream version 4.10.6. These\nupdated packages provide a number of bug fixes and enhancements over the\nprevious versions. (BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated packages,\nwhich correct these issues and add these enhancements. 
After installing\nthis update, applications using NSS or NSPR must be restarted for this\nupdate to take effect.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"CESA\", value:\"2014:0917\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2014-July/020436.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss-util'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS6\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS6\")\n{\n\n if ((res = isrpmvuln(pkg:\"nss-util\", rpm:\"nss-util~3.16.1~1.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"nss-util-devel\", rpm:\"nss-util-devel~3.16.1~1.el6_5\", rls:\"CentOS6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-19T22:14:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1490", "CVE-2014-1491"], "description": "This host is installed with Mozilla Firefox and is prone to multiple\nvulnerabilities.", "modified": "2019-07-17T00:00:00", "published": "2014-02-11T00:00:00", "id": "OPENVAS:1361412562310804090", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310804090", "type": "openvas", "title": "Mozilla Firefox ESR Multiple Vulnerabilities-01 Feb14 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_mozilla_firefox_esr_mult_vuln01_feb14_win.nasl 35149 2014-02-11 19:12:08Z feb$\n#\n# Mozilla Firefox ESR Multiple Vulnerabilities-01 Feb14 (Windows)\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:mozilla:firefox_esr\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804090\");\n script_version(\"2019-07-17T11:14:11+0000\");\n script_cve_id(\"CVE-2014-1477\", \"CVE-2014-1479\", \"CVE-2014-1481\", \"CVE-2014-1482\",\n \"CVE-2014-1486\", \"CVE-2014-1487\", \"CVE-2014-1490\", \"CVE-2014-1491\");\n script_bugtraq_id(65317, 65320, 65326, 65328, 65334, 65330, 65335, 65332);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-17 11:14:11 +0000 (Wed, 17 Jul 2019)\");\n 
script_tag(name:\"creation_date\", value:\"2014-02-11 19:12:08 +0530 (Tue, 11 Feb 2014)\");\n script_name(\"Mozilla Firefox ESR Multiple Vulnerabilities-01 Feb14 (Windows)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Mozilla Firefox and is prone to multiple\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error when handling XML Binding Language (XBL) content scopes.\n\n - An error when handling discarded images within the 'RasterImage' class.\n\n - A use-after-free error related to certain content types when used with the\n 'imgRequestProxy()' function.\n\n - An error when handling web workers error messages.\n\n - A race condition error when handling session tickets within libssl.\n\n - An error when handling JavaScript native getters on window objects.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to bypass certain security\nrestrictions and compromise a user's system.\");\n script_tag(name:\"affected\", value:\"Mozilla Firefox ESR version 24.x before 24.3 on Windows\");\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox ESR version 24.3 or later.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/56767\");\n script_xref(name:\"URL\", value:\"http://www.mozilla.org/security/announce/2014/mfsa2014-01.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_firefox_detect_portable_win.nasl\");\n script_mandatory_keys(\"Firefox-ESR/Win/Ver\");\n\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!ffVer = get_app_version(cpe:CPE)){\n 
exit(0);\n}\n\nif(ffVer =~ \"^24\\.\" && version_in_range(version:ffVer,\n test_version:\"24.0\",\n test_version2:\"24.2\"))\n{\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-08-04T10:49:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1490", "CVE-2014-1491"], "description": "Multiple security issues have been found in Iceweasel, Debian's version\nof the Mozilla Firefox web browser: Multiple memory safety errors,\nuse-after-frees, too-verbose error messages and missing permission checks\nmay lead to the execution of arbitrary code, the bypass of security\nchecks or information disclosure. This update also addresses security\nissues in the bundled version of the NSS crypto library.\n\nThis update updates Iceweasel to the ESR24 series of Firefox.", "modified": "2017-07-20T00:00:00", "published": "2014-02-10T00:00:00", "id": "OPENVAS:702858", "href": "http://plugins.openvas.org/nasl.php?oid=702858", "type": "openvas", "title": "Debian Security Advisory DSA 2858-1 (iceweasel - several vulnerabilities)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2858.nasl 6769 2017-07-20 09:56:33Z teissa $\n# Auto-generated from advisory DSA 2858-1 using nvtgen 1.0\n# Script version: 1.2\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that 
it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_affected = \"iceweasel on Debian Linux\";\ntag_insight = \"Iceweasel is Firefox, rebranded. It is a powerful, extensible web browser\nwith support for modern web application technologies.\";\ntag_solution = \"For the stable distribution (wheezy), these problems have been fixed in\nversion 24.3.0esr-1~deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 24.3.0esr-1.\n\nWe recommend that you upgrade your iceweasel packages.\";\ntag_summary = \"Multiple security issues have been found in Iceweasel, Debian's version\nof the Mozilla Firefox web browser: Multiple memory safety errors,\nuse-after-frees, too-verbose error messages and missing permission checks\nmay lead to the execution of arbitrary code, the bypass of security\nchecks or information disclosure. 
This update also addresses security\nissues in the bundled version of the NSS crypto library.\n\nThis update updates Iceweasel to the ESR24 series of Firefox.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(702858);\n script_version(\"$Revision: 6769 $\");\n script_cve_id(\"CVE-2014-1477\", \"CVE-2014-1479\", \"CVE-2014-1481\", \"CVE-2014-1482\", \"CVE-2014-1486\", \"CVE-2014-1487\", \"CVE-2014-1490\", \"CVE-2014-1491\");\n script_name(\"Debian Security Advisory DSA 2858-1 (iceweasel - several vulnerabilities)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-20 11:56:33 +0200 (Thu, 20 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2014-02-10 00:00:00 +0100 (Mon, 10 Feb 2014)\");\n script_tag(name: \"cvss_base\", value:\"10.0\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2014/dsa-2858.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"iceweasel\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n 
report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ach\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-af\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ak\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-all\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ar\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-as\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ast\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-be\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-bd\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-br\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bs\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ca\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-cs\", ver:\"24.3.0esr-1~deb7u1\", 
rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-csb\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-cy\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-da\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-de\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-el\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-en-gb\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-en-za\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-eo\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-ar\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-cl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-es\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-mx\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-et\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-eu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fa\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"iceweasel-l10n-ff\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fi\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fy-nl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ga-ie\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gd\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gu-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-he\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hi-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hy-am\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-id\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-is\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-it\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) 
{\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ja\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-kk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-km\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-kn\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ko\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ku\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lij\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lt\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lv\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mai\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ml\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nb-no\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nl\", ver:\"24.3.0esr-1~deb7u1\", 
rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nn-no\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nso\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-or\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pa-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-br\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-pt\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-rm\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ro\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ru\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-si\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-son\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sq\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"iceweasel-l10n-sr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sv-se\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ta\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ta-lk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-te\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-th\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-tr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-uk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-vi\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-cn\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-tw\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs-dev\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs24d\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs24d-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"spidermonkey-bin\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += 
res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-24.0\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-24.0-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-dev\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ach\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-af\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ak\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-all\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ar\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-as\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ast\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-be\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-bd\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n 
report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-br\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bs\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ca\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-cs\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-csb\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-cy\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-da\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-de\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-el\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-en-gb\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-en-za\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-eo\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-ar\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-cl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-es\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-mx\", 
ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-et\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-eu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fa\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ff\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fi\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fy-nl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ga-ie\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gd\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gu-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-he\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hi-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"iceweasel-l10n-hy-am\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-id\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-is\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-it\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ja\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-kk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-km\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-kn\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ko\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ku\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lij\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lt\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lv\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mai\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report 
+= res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ml\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nb-no\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nn-no\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nso\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-or\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pa-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-br\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-pt\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-rm\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ro\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ru\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-si\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sk\", ver:\"24.3.0esr-1~deb7u1\", 
rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-son\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sq\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sv-se\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ta\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ta-lk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-te\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-th\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-tr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-uk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-vi\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-cn\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-tw\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs-dev\", 
ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs24d\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs24d-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"spidermonkey-bin\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-24.0\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-24.0-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-dev\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.1\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ach\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-af\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ak\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-all\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ar\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-as\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ast\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-be\", 
ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-bd\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-br\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bs\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ca\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-cs\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-csb\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-cy\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-da\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-de\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-el\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-en-gb\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-en-za\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-eo\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"iceweasel-l10n-es-ar\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-cl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-es\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-mx\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-et\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-eu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fa\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ff\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fi\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fy-nl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ga-ie\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gd\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gu-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-he\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != 
NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hi-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hy-am\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-id\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-is\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-it\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ja\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-kk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-km\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-kn\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ko\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ku\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lij\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lt\", 
ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lv\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mai\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ml\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nb-no\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nn-no\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nso\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-or\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pa-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-br\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-pt\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-rm\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"iceweasel-l10n-ro\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ru\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-si\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-son\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sq\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sv-se\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ta\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ta-lk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-te\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-th\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-tr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-uk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-vi\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report 
+= res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-cn\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-tw\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs-dev\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs24d\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs24d-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"spidermonkey-bin\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-24.0\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-24.0-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-dev\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ach\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-af\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ak\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-all\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += 
res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ar\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-as\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ast\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-be\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-bd\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bn-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-br\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-bs\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ca\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-cs\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-csb\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-cy\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-da\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-de\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-el\", ver:\"24.3.0esr-1~deb7u1\", 
rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-en-gb\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-en-za\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-eo\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-ar\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-cl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-es\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-es-mx\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-et\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-eu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fa\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ff\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fi\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-fy-nl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ga-ie\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"iceweasel-l10n-gd\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-gu-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-he\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hi-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-hy-am\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-id\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-is\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-it\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ja\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-kk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-km\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-kn\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ko\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n 
report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ku\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lij\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lt\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-lv\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mai\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ml\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-mr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nb-no\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nn-no\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-nso\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-or\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pa-in\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pl\", ver:\"24.3.0esr-1~deb7u1\", 
rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-br\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-pt-pt\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-rm\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ro\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ru\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-si\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sl\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-son\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sq\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-sv-se\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ta\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-ta-lk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-te\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"iceweasel-l10n-th\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-tr\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-uk\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-vi\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-cn\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zh-tw\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"iceweasel-l10n-zu\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs-dev\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs24d\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libmozjs24d-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"spidermonkey-bin\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-24.0\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-24.0-dbg\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"xulrunner-dev\", ver:\"24.3.0esr-1~deb7u1\", rls:\"DEB7.3\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": 
"2021-01-06T09:29:45", "description": "Updated nss and nspr packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications.\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. 
This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues. Upstream\nacknowledges Brian Smith as the original reporter of CVE-2014-1490,\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan as the original\nreporters of CVE-2014-1491, and Abhishek Arya as the original reporter\nof CVE-2014-1545.\n\nThe nss and nspr packages have been upgraded to upstream version\n3.16.1 and 4.10.6 respectively, which provide a number of bug fixes\nand enhancements over the previous versions. (BZ#1110857, BZ#1110860)\n\nThis update also fixes the following bugs :\n\n* Previously, when the output.log file was not present on the system,\nthe shell in the Network Security Services (NSS) specification handled\ntest failures incorrectly as false positive test results.\nConsequently, certain utilities, such as 'grep', could not handle\nfailures properly. This update improves error detection in the\nspecification file, and 'grep' and other utilities now handle missing\nfiles or crashes as intended. (BZ#1035281)\n\n* Prior to this update, a subordinate Certificate Authority (CA) of\nthe ANSSI agency incorrectly issued an intermediate certificate\ninstalled on a network monitoring device. As a consequence, the\nmonitoring device was enabled to act as an MITM (Man in the Middle)\nproxy performing traffic management of domain names or IP addresses\nthat the certificate holder did not own or control. The trust in the\nintermediate certificate to issue the certificate for an MITM device\nhas been revoked, and such a device can no longer be used for MITM\nattacks. (BZ#1042684)\n\n* Due to a regression, MD5 certificates were rejected by default\nbecause Network Security Services (NSS) did not trust MD5\ncertificates. With this update, MD5 certificates are supported in Red\nHat Enterprise Linux 5. 
(BZ#11015864)\n\nUsers of nss and nspr are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.", "edition": 25, "published": "2014-10-01T00:00:00", "title": "CentOS 5 : nss (CESA-2014:1246)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1491"], "modified": "2014-10-01T00:00:00", "cpe": ["p-cpe:/a:centos:centos:nss-devel", "p-cpe:/a:centos:centos:nss-pkcs11-devel", "p-cpe:/a:centos:centos:nss-tools", "p-cpe:/a:centos:centos:nss", "cpe:/o:centos:centos:5"], "id": "CENTOS_RHSA-2014-1246.NASL", "href": "https://www.tenable.com/plugins/nessus/77993", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1246 and \n# CentOS Errata and Security Advisory 2014:1246 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77993);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1545\");\n script_bugtraq_id(64944, 65332, 65335, 66356, 67975);\n script_xref(name:\"RHSA\", value:\"2014:1246\");\n\n script_name(english:\"CentOS 5 : nss (CESA-2014:1246)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss and nspr packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. 
Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications.\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues. 
Upstream\nacknowledges Brian Smith as the original reporter of CVE-2014-1490,\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan as the original\nreporters of CVE-2014-1491, and Abhishek Arya as the original reporter\nof CVE-2014-1545.\n\nThe nss and nspr packages have been upgraded to upstream version\n3.16.1 and 4.10.6 respectively, which provide a number of bug fixes\nand enhancements over the previous versions. (BZ#1110857, BZ#1110860)\n\nThis update also fixes the following bugs :\n\n* Previously, when the output.log file was not present on the system,\nthe shell in the Network Security Services (NSS) specification handled\ntest failures incorrectly as false positive test results.\nConsequently, certain utilities, such as 'grep', could not handle\nfailures properly. This update improves error detection in the\nspecification file, and 'grep' and other utilities now handle missing\nfiles or crashes as intended. (BZ#1035281)\n\n* Prior to this update, a subordinate Certificate Authority (CA) of\nthe ANSSI agency incorrectly issued an intermediate certificate\ninstalled on a network monitoring device. As a consequence, the\nmonitoring device was enabled to act as an MITM (Man in the Middle)\nproxy performing traffic management of domain names or IP addresses\nthat the certificate holder did not own or control. The trust in the\nintermediate certificate to issue the certificate for an MITM device\nhas been revoked, and such a device can no longer be used for MITM\nattacks. (BZ#1042684)\n\n* Due to a regression, MD5 certificates were rejected by default\nbecause Network Security Services (NSS) did not trust MD5\ncertificates. With this update, MD5 certificates are supported in Red\nHat Enterprise Linux 5. 
(BZ#11015864)\n\nUsers of nss and nspr are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-September/020634.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?364ebec7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected nss packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-1545\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 5.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-3.16.1-2.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-devel-3.16.1-2.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-pkcs11-devel-3.16.1-2.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"nss-tools-3.16.1-2.el5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nss / nss-devel / nss-pkcs11-devel / nss-tools\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:49:11", "description": "From Red Hat Security Advisory 2014:1246 :\n\nUpdated nss and nspr packages that 
fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications.\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues. 
Upstream\nacknowledges Brian Smith as the original reporter of CVE-2014-1490,\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan as the original\nreporters of CVE-2014-1491, and Abhishek Arya as the original reporter\nof CVE-2014-1545.\n\nThe nss and nspr packages have been upgraded to upstream version\n3.16.1 and 4.10.6 respectively, which provide a number of bug fixes\nand enhancements over the previous versions. (BZ#1110857, BZ#1110860)\n\nThis update also fixes the following bugs :\n\n* Previously, when the output.log file was not present on the system,\nthe shell in the Network Security Services (NSS) specification handled\ntest failures incorrectly as false positive test results.\nConsequently, certain utilities, such as 'grep', could not handle\nfailures properly. This update improves error detection in the\nspecification file, and 'grep' and other utilities now handle missing\nfiles or crashes as intended. (BZ#1035281)\n\n* Prior to this update, a subordinate Certificate Authority (CA) of\nthe ANSSI agency incorrectly issued an intermediate certificate\ninstalled on a network monitoring device. As a consequence, the\nmonitoring device was enabled to act as an MITM (Man in the Middle)\nproxy performing traffic management of domain names or IP addresses\nthat the certificate holder did not own or control. The trust in the\nintermediate certificate to issue the certificate for an MITM device\nhas been revoked, and such a device can no longer be used for MITM\nattacks. (BZ#1042684)\n\n* Due to a regression, MD5 certificates were rejected by default\nbecause Network Security Services (NSS) did not trust MD5\ncertificates. With this update, MD5 certificates are supported in Red\nHat Enterprise Linux 5. 
(BZ#11015864)\n\nUsers of nss and nspr are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.", "edition": 22, "published": "2014-09-18T00:00:00", "title": "Oracle Linux 5 : nspr / nss (ELSA-2014-1246)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1491"], "modified": "2014-09-18T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:nss-pkcs11-devel", "cpe:/o:oracle:linux:5", "p-cpe:/a:oracle:linux:nss-devel", "p-cpe:/a:oracle:linux:nss", "p-cpe:/a:oracle:linux:nss-tools"], "id": "ORACLELINUX_ELSA-2014-1246.NASL", "href": "https://www.tenable.com/plugins/nessus/77739", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2014:1246 and \n# Oracle Linux Security Advisory ELSA-2014-1246 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77739);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1545\");\n script_bugtraq_id(64944, 65332, 65335, 66356, 67975);\n script_xref(name:\"RHSA\", value:\"2014:1246\");\n\n script_name(english:\"Oracle Linux 5 : nspr / nss (ELSA-2014-1246)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2014:1246 :\n\nUpdated nss and nspr packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 5.\n\nRed Hat 
Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications.\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues. 
Upstream\nacknowledges Brian Smith as the original reporter of CVE-2014-1490,\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan as the original\nreporters of CVE-2014-1491, and Abhishek Arya as the original reporter\nof CVE-2014-1545.\n\nThe nss and nspr packages have been upgraded to upstream version\n3.16.1 and 4.10.6 respectively, which provide a number of bug fixes\nand enhancements over the previous versions. (BZ#1110857, BZ#1110860)\n\nThis update also fixes the following bugs :\n\n* Previously, when the output.log file was not present on the system,\nthe shell in the Network Security Services (NSS) specification handled\ntest failures incorrectly as false positive test results.\nConsequently, certain utilities, such as 'grep', could not handle\nfailures properly. This update improves error detection in the\nspecification file, and 'grep' and other utilities now handle missing\nfiles or crashes as intended. (BZ#1035281)\n\n* Prior to this update, a subordinate Certificate Authority (CA) of\nthe ANSSI agency incorrectly issued an intermediate certificate\ninstalled on a network monitoring device. As a consequence, the\nmonitoring device was enabled to act as an MITM (Man in the Middle)\nproxy performing traffic management of domain names or IP addresses\nthat the certificate holder did not own or control. The trust in the\nintermediate certificate to issue the certificate for an MITM device\nhas been revoked, and such a device can no longer be used for MITM\nattacks. (BZ#1042684)\n\n* Due to a regression, MD5 certificates were rejected by default\nbecause Network Security Services (NSS) did not trust MD5\ncertificates. With this update, MD5 certificates are supported in Red\nHat Enterprise Linux 5. 
(BZ#11015864)\n\nUsers of nss and nspr are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-September/004456.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected nspr and / or nss packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 5\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL5\", reference:\"nss-3.16.1-2.el5\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-devel-3.16.1-2.el5\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-pkcs11-devel-3.16.1-2.el5\")) flag++;\nif (rpm_check(release:\"EL5\", reference:\"nss-tools-3.16.1-2.el5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nss / nss-devel / 
nss-pkcs11-devel / nss-tools\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:48:27", "description": "A flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nThe nss and nspr packages have been upgraded to upstream version\n3.16.1 and 4.10.6 respectively, which provide a number of bug fixes\nand enhancements over the previous versions.\n\nThis update also fixes the following bugs :\n\n - Previously, when the output.log file was not present on\n the system, the shell in the Network Security Services\n (NSS) specification handled test failures incorrectly as\n false positive test results. Consequently, certain\n utilities, such as 'grep', could not handle failures\n properly. 
This update improves error detection in the\n specification file, and 'grep' and other utilities now\n handle missing files or crashes as intended.\n\n - Prior to this update, a subordinate Certificate\n Authority (CA) of the ANSSI agency incorrectly issued an\n intermediate certificate installed on a network\n monitoring device. As a consequence, the monitoring\n device was enabled to act as an MITM (Man in the Middle)\n proxy performing traffic management of domain names or\n IP addresses that the certificate holder did not own or\n control. The trust in the intermediate certificate to\n issue the certificate for an MITM device has been\n revoked, and such a device can no longer be used for\n MITM attacks.\n\n - Due to a regression, MD5 certificates were rejected by\n default because Network Security Services (NSS) did not\n trust MD5 certificates. With this update, MD5\n certificates are supported in Scientific Linux 5.", "edition": 15, "published": "2014-09-29T00:00:00", "title": "Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64 (20140916)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1491"], "modified": "2014-09-29T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:nss-devel", "p-cpe:/a:fermilab:scientific_linux:nss-debuginfo", "p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:nss", "p-cpe:/a:fermilab:scientific_linux:nss-tools"], "id": "SL_20140916_NSS_AND_NSPR_ON_SL5_X.NASL", "href": "https://www.tenable.com/plugins/nessus/77955", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77955);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1545\");\n\n script_name(english:\"Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64 (20140916)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. 
This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nThe nss and nspr packages have been upgraded to upstream version\n3.16.1 and 4.10.6 respectively, which provide a number of bug fixes\nand enhancements over the previous versions.\n\nThis update also fixes the following bugs :\n\n - Previously, when the output.log file was not present on\n the system, the shell in the Network Security Services\n (NSS) specification handled test failures incorrectly as\n false positive test results. Consequently, certain\n utilities, such as 'grep', could not handle failures\n properly. This update improves error detection in the\n specification file, and 'grep' and other utilities now\n handle missing files or crashes as intended.\n\n - Prior to this update, a subordinate Certificate\n Authority (CA) of the ANSSI agency incorrectly issued an\n intermediate certificate installed on a network\n monitoring device. As a consequence, the monitoring\n device was enabled to act as an MITM (Man in the Middle)\n proxy performing traffic management of domain names or\n IP addresses that the certificate holder did not own or\n control. The trust in the intermediate certificate to\n issue the certificate for an MITM device has been\n revoked, and such a device can no longer be used for\n MITM attacks.\n\n - Due to a regression, MD5 certificates were rejected by\n default because Network Security Services (NSS) did not\n trust MD5 certificates. 
With this update, MD5\n certificates are supported in Scientific Linux 5.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1409&L=scientific-linux-errata&T=0&P=2118\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?008faad0\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/29\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 5.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL5\", reference:\"nss-3.16.1-2.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nss-debuginfo-3.16.1-2.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nss-devel-3.16.1-2.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nss-pkcs11-devel-3.16.1-2.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"nss-tools-3.16.1-2.el5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nss / nss-debuginfo / nss-devel / nss-pkcs11-devel / 
nss-tools\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:14:58", "description": "Updated nss and nspr packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications.\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. 
This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues. Upstream\nacknowledges Brian Smith as the original reporter of CVE-2014-1490,\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan as the original\nreporters of CVE-2014-1491, and Abhishek Arya as the original reporter\nof CVE-2014-1545.\n\nThe nss and nspr packages have been upgraded to upstream version\n3.16.1 and 4.10.6 respectively, which provide a number of bug fixes\nand enhancements over the previous versions. (BZ#1110857, BZ#1110860)\n\nThis update also fixes the following bugs :\n\n* Previously, when the output.log file was not present on the system,\nthe shell in the Network Security Services (NSS) specification handled\ntest failures incorrectly as false positive test results.\nConsequently, certain utilities, such as 'grep', could not handle\nfailures properly. This update improves error detection in the\nspecification file, and 'grep' and other utilities now handle missing\nfiles or crashes as intended. (BZ#1035281)\n\n* Prior to this update, a subordinate Certificate Authority (CA) of\nthe ANSSI agency incorrectly issued an intermediate certificate\ninstalled on a network monitoring device. As a consequence, the\nmonitoring device was enabled to act as an MITM (Man in the Middle)\nproxy performing traffic management of domain names or IP addresses\nthat the certificate holder did not own or control. The trust in the\nintermediate certificate to issue the certificate for an MITM device\nhas been revoked, and such a device can no longer be used for MITM\nattacks. (BZ#1042684)\n\n* Due to a regression, MD5 certificates were rejected by default\nbecause Network Security Services (NSS) did not trust MD5\ncertificates. With this update, MD5 certificates are supported in Red\nHat Enterprise Linux 5. 
(BZ#11015864)\n\nUsers of nss and nspr are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.", "edition": 27, "published": "2014-09-16T00:00:00", "title": "RHEL 5 : nss and nspr (RHSA-2014:1246)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1491"], "modified": "2014-09-16T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:nss-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nss-devel", "p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel", "p-cpe:/a:redhat:enterprise_linux:nss-tools", "p-cpe:/a:redhat:enterprise_linux:nss"], "id": "REDHAT-RHSA-2014-1246.NASL", "href": "https://www.tenable.com/plugins/nessus/77699", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:1246. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(77699);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1545\");\n script_xref(name:\"RHSA\", value:\"2014:1246\");\n\n script_name(english:\"RHEL 5 : nss and nspr (RHSA-2014:1246)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss and nspr packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications.\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. 
This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues. Upstream\nacknowledges Brian Smith as the original reporter of CVE-2014-1490,\nAntoine Delignat-Lavaud and Karthikeyan Bhargavan as the original\nreporters of CVE-2014-1491, and Abhishek Arya as the original reporter\nof CVE-2014-1545.\n\nThe nss and nspr packages have been upgraded to upstream version\n3.16.1 and 4.10.6 respectively, which provide a number of bug fixes\nand enhancements over the previous versions. (BZ#1110857, BZ#1110860)\n\nThis update also fixes the following bugs :\n\n* Previously, when the output.log file was not present on the system,\nthe shell in the Network Security Services (NSS) specification handled\ntest failures incorrectly as false positive test results.\nConsequently, certain utilities, such as 'grep', could not handle\nfailures properly. This update improves error detection in the\nspecification file, and 'grep' and other utilities now handle missing\nfiles or crashes as intended. (BZ#1035281)\n\n* Prior to this update, a subordinate Certificate Authority (CA) of\nthe ANSSI agency incorrectly issued an intermediate certificate\ninstalled on a network monitoring device. 
As a consequence, the\nmonitoring device was enabled to act as an MITM (Man in the Middle)\nproxy performing traffic management of domain names or IP addresses\nthat the certificate holder did not own or control. The trust in the\nintermediate certificate to issue the certificate for an MITM device\nhas been revoked, and such a device can no longer be used for MITM\nattacks. (BZ#1042684)\n\n* Due to a regression, MD5 certificates were rejected by default\nbecause Network Security Services (NSS) did not trust MD5\ncertificates. With this update, MD5 certificates are supported in Red\nHat Enterprise Linux 5. (BZ#11015864)\n\nUsers of nss and nspr are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1490\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1491\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1492\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1545\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:1246\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/09/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^5([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:1246\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", reference:\"nss-3.16.1-2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"nss-debuginfo-3.16.1-2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"nss-devel-3.16.1-2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", reference:\"nss-pkcs11-devel-3.16.1-2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"nss-tools-3.16.1-2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"s390x\", reference:\"nss-tools-3.16.1-2.el5\")) flag++;\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"nss-tools-3.16.1-2.el5\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nss / nss-debuginfo / nss-devel / nss-pkcs11-devel / nss-tools\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:58:10", 
"description": "CVE-2013-1740 The ssl_Do1stHandshake function in sslsecur.c in libssl\nin Mozilla Network Security Services (NSS) before 3.15.4, when the TLS\nFalse Start feature is enabled, allows man-in-the-middle attackers to\nspoof SSL servers by using an arbitrary X.509 certificate during\ncertain handshake traffic.\n\nCVE-2014-1490 Race condition in libssl in Mozilla Network Security\nServices (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0,\nFirefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey\nbefore 2.24, and other products, allows remote attackers to cause a\ndenial of service (use-after-free) or possibly have unspecified other\nimpact via vectors involving a resumption handshake that triggers\nincorrect replacement of a session ticket.\n\nCVE-2014-1491 Mozilla Network Security Services (NSS) before 3.15.4,\nas used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3,\nThunderbird before 24.3, SeaMonkey before 2.24, and other products,\ndoes not properly restrict public values in Diffie-Hellman key\nexchanges, which makes it easier for remote attackers to bypass\ncryptographic protection mechanisms in ticket handling by leveraging\nuse of a certain value.\n\nCVE-2014-1492 The cert_TestHostName function in lib/certdb/certdb.c in\nthe certificate-checking implementation in Mozilla Network Security\nServices (NSS) before 3.16 accepts a wildcard character that is\nembedded in an internationalized domain name's U-label, which might\nallow man-in-the-middle attackers to spoof SSL servers via a crafted\ncertificate.\n\nCVE-2014-1544 Use-after-free vulnerability in the\nCERT_DestroyCertificate function in libnss3.so in Mozilla Network\nSecurity Services (NSS) 3.x, as used in Firefox before 31.0, Firefox\nESR 24.x before 24.7, and Thunderbird before 24.7, allows remote\nattackers to execute arbitrary code via vectors that trigger certain\nimproper removal of an NSSCertificate structure from a trust domain.\n\nCVE-2014-1545 Mozilla 
Netscape Portable Runtime (NSPR) before 4.10.6\nallows remote attackers to execute arbitrary code or cause a denial of\nservice (out-of-bounds write) via vectors involving the sprintf and\nconsole functions.", "edition": 28, "published": "2016-05-18T00:00:00", "title": "F5 Networks BIG-IP : Multiple Mozilla NSS vulnerabilities (K16716)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_BIGIP_SOL16716.NASL", "href": "https://www.tenable.com/plugins/nessus/91202", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K16716.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91202);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1544\", \"CVE-2014-1545\");\n script_bugtraq_id(64944, 65332, 65335, 66356, 67975, 68816);\n\n script_name(english:\"F5 Networks BIG-IP : Multiple Mozilla NSS vulnerabilities (K16716)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n 
value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2013-1740 The ssl_Do1stHandshake function in sslsecur.c in libssl\nin Mozilla Network Security Services (NSS) before 3.15.4, when the TLS\nFalse Start feature is enabled, allows man-in-the-middle attackers to\nspoof SSL servers by using an arbitrary X.509 certificate during\ncertain handshake traffic.\n\nCVE-2014-1490 Race condition in libssl in Mozilla Network Security\nServices (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0,\nFirefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey\nbefore 2.24, and other products, allows remote attackers to cause a\ndenial of service (use-after-free) or possibly have unspecified other\nimpact via vectors involving a resumption handshake that triggers\nincorrect replacement of a session ticket.\n\nCVE-2014-1491 Mozilla Network Security Services (NSS) before 3.15.4,\nas used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3,\nThunderbird before 24.3, SeaMonkey before 2.24, and other products,\ndoes not properly restrict public values in Diffie-Hellman key\nexchanges, which makes it easier for remote attackers to bypass\ncryptographic protection mechanisms in ticket handling by leveraging\nuse of a certain value.\n\nCVE-2014-1492 The cert_TestHostName function in lib/certdb/certdb.c in\nthe certificate-checking implementation in Mozilla Network Security\nServices (NSS) before 3.16 accepts a wildcard character that is\nembedded in an internationalized domain name's U-label, which might\nallow man-in-the-middle attackers to spoof SSL servers via a crafted\ncertificate.\n\nCVE-2014-1544 Use-after-free vulnerability in the\nCERT_DestroyCertificate function in libnss3.so in Mozilla Network\nSecurity Services (NSS) 3.x, as used in Firefox before 31.0, Firefox\nESR 24.x before 24.7, and Thunderbird before 24.7, allows remote\nattackers to execute arbitrary code 
via vectors that trigger certain\nimproper removal of an NSSCertificate structure from a trust domain.\n\nCVE-2014-1545 Mozilla Netscape Portable Runtime (NSPR) before 4.10.6\nallows remote attackers to execute arbitrary code or cause a denial of\nservice (out-of-bounds write) via vectors involving the sprintf and\nconsole functions.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K16716\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K16716.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! 
get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K16716\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"11.3.0-11.6.0\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"11.4.0-11.6.0\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"11.0.0-11.6.0\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"11.0.0-11.6.0\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"11.0.0-11.6.0\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.6.0\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.1\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"11.0.0-11.6.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"11.0.0-11.6.0\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"11.3.0-11.6.0\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.0.0\",\"11.6.1\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else 
security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:29:38", "description": "Updated nss and nspr packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nCritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain\ncertificates. A remote attacker could use this flaw to crash an\napplication using NSS or, possibly, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. 
This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original\nreporter of CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan\nBhargavan as the original reporters of CVE-2014-1491, and Abhishek\nArya as the original reporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version\n3.16.1, and the nspr package has been upgraded to upstream version\n4.10.6. These updated packages provide a number of bug fixes and\nenhancements over the previous versions. (BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements. 
After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.", "edition": 24, "published": "2014-07-23T00:00:00", "title": "CentOS 6 : nspr / nss / nss-util (CESA-2014:0917)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "modified": "2014-07-23T00:00:00", "cpe": ["p-cpe:/a:centos:centos:nss-devel", "p-cpe:/a:centos:centos:nss-util-devel", "cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:nss-util", "p-cpe:/a:centos:centos:nss-pkcs11-devel", "p-cpe:/a:centos:centos:nss-tools", "p-cpe:/a:centos:centos:nspr-devel", "p-cpe:/a:centos:centos:nspr", "p-cpe:/a:centos:centos:nss", "p-cpe:/a:centos:centos:nss-sysinit"], "id": "CENTOS_RHSA-2014-0917.NASL", "href": "https://www.tenable.com/plugins/nessus/76686", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0917 and \n# CentOS Errata and Security Advisory 2014:0917 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76686);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1544\", \"CVE-2014-1545\");\n script_bugtraq_id(64944, 65332, 65335, 66356, 67975, 68816);\n script_xref(name:\"RHSA\", value:\"2014:0917\");\n\n script_name(english:\"CentOS 6 : nspr / nss / nss-util (CESA-2014:0917)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss and nspr 
packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nCritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain\ncertificates. A remote attacker could use this flaw to crash an\napplication using NSS or, possibly, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. 
(CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original\nreporter of CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan\nBhargavan as the original reporters of CVE-2014-1491, and Abhishek\nArya as the original reporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version\n3.16.1, and the nspr package has been upgraded to upstream version\n4.10.6. These updated packages provide a number of bug fixes and\nenhancements over the previous versions. (BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements. 
After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-July/020434.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?161fdcc2\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-July/020436.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9b9dd993\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2014-July/020437.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?33cc54de\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected nspr, nss and / or nss-util packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2014-1544\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-util\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 6.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"nspr-4.10.6-1.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nspr-devel-4.10.6-1.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-3.16.1-4.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-devel-3.16.1-4.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-pkcs11-devel-3.16.1-4.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-sysinit-3.16.1-4.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-tools-3.16.1-4.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-util-3.16.1-1.el6_5\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"nss-util-devel-3.16.1-1.el6_5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T12:49:05", "description": "From Red Hat Security Advisory 2014:0917 :\n\nUpdated nss and nspr packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nCritical security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain\ncertificates. A remote attacker could use this flaw to crash an\napplication using NSS or, possibly, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. 
This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original\nreporter of CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan\nBhargavan as the original reporters of CVE-2014-1491, and Abhishek\nArya as the original reporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version\n3.16.1, and the nspr package has been upgraded to upstream version\n4.10.6. These updated packages provide a number of bug fixes and\nenhancements over the previous versions. (BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements. After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.", "edition": 21, "published": "2014-07-23T00:00:00", "title": "Oracle Linux 6 : nspr / nss (ELSA-2014-0917)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "modified": "2014-07-23T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:nss-pkcs11-devel", "p-cpe:/a:oracle:linux:nspr-devel", "p-cpe:/a:oracle:linux:nss-util-devel", "p-cpe:/a:oracle:linux:nss-devel", "p-cpe:/a:oracle:linux:nspr", "p-cpe:/a:oracle:linux:nss", "p-cpe:/a:oracle:linux:nss-util", "p-cpe:/a:oracle:linux:nss-tools", "p-cpe:/a:oracle:linux:nss-sysinit"], "id": "ORACLELINUX_ELSA-2014-0917.NASL", "href": "https://www.tenable.com/plugins/nessus/76694", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin 
were\n# extracted from Red Hat Security Advisory RHSA-2014:0917 and \n# Oracle Linux Security Advisory ELSA-2014-0917 respectively.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76694);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1544\", \"CVE-2014-1545\");\n script_bugtraq_id(64944, 65332, 65335, 66356, 67975, 68816);\n script_xref(name:\"RHSA\", value:\"2014:0917\");\n\n script_name(english:\"Oracle Linux 6 : nspr / nss (ELSA-2014-0917)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2014:0917 :\n\nUpdated nss and nspr packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nCritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain\ncertificates. A remote attacker could use this flaw to crash an\napplication using NSS or, possibly, execute arbitrary code with the\nprivileges of the user running that application. 
(CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original\nreporter of CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan\nBhargavan as the original reporters of CVE-2014-1491, and Abhishek\nArya as the original reporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version\n3.16.1, and the nspr package has been upgraded to upstream version\n4.10.6. 
These updated packages provide a number of bug fixes and\nenhancements over the previous versions. (BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements. After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2014-July/004239.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected nspr and / or nss packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2014/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"nspr-4.10.6-1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nspr-devel-4.10.6-1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-3.16.1-4.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-devel-3.16.1-4.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-pkcs11-devel-3.16.1-4.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-sysinit-3.16.1-4.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-tools-3.16.1-4.0.1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-util-3.16.1-1.el6_5\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"nss-util-devel-3.16.1-1.el6_5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:14:45", "description": "Updated nss and nspr packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nCritical security impact. 
Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain\ncertificates. A remote attacker could use this flaw to crash an\napplication using NSS or, possibly, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. 
This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original\nreporter of CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan\nBhargavan as the original reporters of CVE-2014-1491, and Abhishek\nArya as the original reporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version\n3.16.1, and the nspr package has been upgraded to upstream version\n4.10.6. These updated packages provide a number of bug fixes and\nenhancements over the previous versions. (BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements. After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.", "edition": 24, "published": "2014-07-23T00:00:00", "title": "RHEL 6 : nss and nspr (RHSA-2014:0917)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "modified": "2014-07-23T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:nss-util", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:nss-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nss-util-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nspr-debuginfo", "p-cpe:/a:redhat:enterprise_linux:nss-devel", "p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel", "p-cpe:/a:redhat:enterprise_linux:nss-tools", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:nspr", "p-cpe:/a:redhat:enterprise_linux:nss", "p-cpe:/a:redhat:enterprise_linux:nss-sysinit", 
"p-cpe:/a:redhat:enterprise_linux:nspr-devel", "p-cpe:/a:redhat:enterprise_linux:nss-util-devel"], "id": "REDHAT-RHSA-2014-0917.NASL", "href": "https://www.tenable.com/plugins/nessus/76698", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2014:0917. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76698);\n script_version(\"1.19\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1544\", \"CVE-2014-1545\");\n script_bugtraq_id(64944, 65332, 65335, 66356, 67975, 68816);\n script_xref(name:\"RHSA\", value:\"2014:0917\");\n\n script_name(english:\"RHEL 6 : nss and nspr (RHSA-2014:0917)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated nss and nspr packages that fix multiple security issues,\nseveral bugs, and add various enhancements are now available for Red\nHat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having\nCritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nNetwork Security Services (NSS) is a set of libraries designed to\nsupport the cross-platform development of security-enabled client and\nserver applications. 
Netscape Portable Runtime (NSPR) provides\nplatform independence for non-GUI operating system facilities.\n\nA race condition was found in the way NSS verified certain\ncertificates. A remote attacker could use this flaw to crash an\napplication using NSS or, possibly, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. 
This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nRed Hat would like to thank the Mozilla project for reporting the\nCVE-2014-1544, CVE-2014-1490, CVE-2014-1491, and CVE-2014-1545 issues.\nUpstream acknowledges Tyson Smith and Jesse Schwartzentruber as the\noriginal reporters of CVE-2014-1544, Brian Smith as the original\nreporter of CVE-2014-1490, Antoine Delignat-Lavaud and Karthikeyan\nBhargavan as the original reporters of CVE-2014-1491, and Abhishek\nArya as the original reporter of CVE-2014-1545.\n\nIn addition, the nss package has been upgraded to upstream version\n3.16.1, and the nspr package has been upgraded to upstream version\n4.10.6. These updated packages provide a number of bug fixes and\nenhancements over the previous versions. (BZ#1112136, BZ#1112135)\n\nUsers of NSS and NSPR are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements. After\ninstalling this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2014:0917\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1544\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1490\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-1740\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1492\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1545\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2014-1491\"\n );\n script_set_attribute(attribute:\"solution\", 
value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-util-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/22\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2014:0917\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"nspr-4.10.6-1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nspr-debuginfo-4.10.6-1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nspr-devel-4.10.6-1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-3.16.1-4.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-debuginfo-3.16.1-4.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-devel-3.16.1-4.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-pkcs11-devel-3.16.1-4.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"nss-sysinit-3.16.1-4.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"nss-sysinit-3.16.1-4.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"nss-sysinit-3.16.1-4.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"nss-tools-3.16.1-4.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"nss-tools-3.16.1-4.el6_5\")) 
flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"nss-tools-3.16.1-4.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-util-3.16.1-1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-util-debuginfo-3.16.1-1.el6_5\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", reference:\"nss-util-devel-3.16.1-1.el6_5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / nspr-devel / nss / nss-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:48:24", "description": "A race condition was found in the way NSS verified certain\ncertificates. A remote attacker could use this flaw to crash an\napplication using NSS or, possibly, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. 
A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nIn addition, the nss package has been upgraded to upstream version\n3.16.1, and the nspr package has been upgraded to upstream version\n4.10.6. These updated packages provide a number of bug fixes and\nenhancements over the previous versions.\n\nAfter installing this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.", "edition": 15, "published": "2014-07-23T00:00:00", "title": "Scientific Linux Security Update : nss and nspr on SL6.x i386/x86_64 (20140722)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "modified": "2014-07-23T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:nss-util-debuginfo", "p-cpe:/a:fermilab:scientific_linux:nss-devel", "p-cpe:/a:fermilab:scientific_linux:nss-debuginfo", "p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel", "p-cpe:/a:fermilab:scientific_linux:nss-util-devel", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:nspr", "p-cpe:/a:fermilab:scientific_linux:nss", "p-cpe:/a:fermilab:scientific_linux:nss-tools", "p-cpe:/a:fermilab:scientific_linux:nspr-devel", "p-cpe:/a:fermilab:scientific_linux:nss-sysinit", "p-cpe:/a:fermilab:scientific_linux:nss-util", "p-cpe:/a:fermilab:scientific_linux:nspr-debuginfo"], "id": "SL_20140722_NSS_AND_NSPR_ON_SL6_X.NASL", "href": 
"https://www.tenable.com/plugins/nessus/76702", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(76702);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2013-1740\", \"CVE-2014-1490\", \"CVE-2014-1491\", \"CVE-2014-1492\", \"CVE-2014-1544\", \"CVE-2014-1545\");\n\n script_name(english:\"Scientific Linux Security Update : nss and nspr on SL6.x i386/x86_64 (20140722)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A race condition was found in the way NSS verified certain\ncertificates. A remote attacker could use this flaw to crash an\napplication using NSS or, possibly, execute arbitrary code with the\nprivileges of the user running that application. (CVE-2014-1544)\n\nA flaw was found in the way TLS False Start was implemented in NSS. An\nattacker could use this flaw to potentially return unencrypted\ninformation from the server. (CVE-2013-1740)\n\nA race condition was found in the way NSS implemented session ticket\nhandling as specified by RFC 5077. An attacker could use this flaw to\ncrash an application using NSS or, in rare cases, execute arbitrary\ncode with the privileges of the user running that application.\n(CVE-2014-1490)\n\nIt was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)\nparameters. This could possibly lead to weak encryption being used in\ncommunication between the client and the server. (CVE-2014-1491)\n\nAn out-of-bounds write flaw was found in NSPR. 
A remote attacker could\npotentially use this flaw to crash an application using NSPR or,\npossibly, execute arbitrary code with the privileges of the user\nrunning that application. This NSPR flaw was not exposed to web\ncontent in any shipped version of Firefox. (CVE-2014-1545)\n\nIt was found that the implementation of Internationalizing Domain\nNames in Applications (IDNA) hostname matching in NSS did not follow\nthe RFC 6125 recommendations. This could lead to certain invalid\ncertificates with international characters to be accepted as valid.\n(CVE-2014-1492)\n\nIn addition, the nss package has been upgraded to upstream version\n3.16.1, and the nspr package has been upgraded to upstream version\n4.10.6. These updated packages provide a number of bug fixes and\nenhancements over the previous versions.\n\nAfter installing this update, applications using NSS or NSPR must be\nrestarted for this update to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1407&L=scientific-linux-errata&T=0&P=1484\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?348ff2de\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-util-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/01/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/07/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 6.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"nspr-4.10.6-1.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nspr-debuginfo-4.10.6-1.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nspr-devel-4.10.6-1.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-3.16.1-4.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-debuginfo-3.16.1-4.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-devel-3.16.1-4.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-pkcs11-devel-3.16.1-4.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-sysinit-3.16.1-4.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-tools-3.16.1-4.el6_5\")) 
flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-util-3.16.1-1.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-util-debuginfo-3.16.1-1.el6_5\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"nss-util-devel-3.16.1-1.el6_5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / nspr-devel / nss / nss-debuginfo / etc\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T04:34:53", "description": "The Oracle OpenSSO agent installed on the remote host is missing a\nvendor-supplied update. It is, therefore, affected by multiple\nvulnerabilities in the bundled Mozilla Network Security Services, the\nmost serious of which can allow remote code execution.", "edition": 24, "published": "2014-10-31T00:00:00", "title": "Oracle OpenSSO Agent Multiple Vulnerabilities (October 2014 CPU)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5605", "CVE-2013-1740", "CVE-2013-1739", "CVE-2014-1492", "CVE-2013-5606", "CVE-2014-1490", "CVE-2014-1491"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:oracle:opensso", "cpe:/a:oracle:fusion_middleware"], "id": "ORACLE_OPENSSO_AGENT_CPU_OCT_2014.NASL", "href": "https://www.tenable.com/plugins/nessus/78774", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78774);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\n \"CVE-2013-1739\",\n \"CVE-2013-1740\",\n \"CVE-2013-5605\",\n \"CVE-2013-5606\",\n \"CVE-2014-1490\",\n \"CVE-2014-1491\",\n \"CVE-2014-1492\"\n );\n script_bugtraq_id(\n 62966,\n 63737,\n 63738,\n 64944,\n 65332,\n 65335,\n 66356\n );\n\n script_name(english:\"Oracle OpenSSO 
Agent Multiple Vulnerabilities (October 2014 CPU)\");\n script_summary(english:\"Checks the version and patch number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Oracle OpenSSO agent installed on the remote host is missing a\nvendor-supplied update. It is, therefore, affected by multiple\nvulnerabilities in the bundled Mozilla Network Security Services, the\nmost serious of which can allow remote code execution.\");\n # https://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1ada40cc\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2014 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/09/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:opensso\");\n\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"oracle_opensso_agent_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle 
OpenSSO Agent\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\nappname = \"Oracle OpenSSO Agent\";\n\ninstall = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);\nver = install['version'];\npath = install['path'];\n\nfix = '3.0-05';\n\n# OpenSSO Agent versions are in the format of 'major.minor-patch'\n# Only version 3.0-04 is specified in the advisory as vulnerable\nif (ver == \"3.0-04\")\n{\n port = get_kb_item(\"SMB/transport\");\n if (isnull(port)) port = 445;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, ver, path);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2017-06-08T10:18:57", "bulletinFamily": "software", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", "CVE-2014-1491"], "edition": 1, "description": "\nF5 Product Development has assigned ID 472696 (BIG-IP), ID 526154 (BIG-IQ), and ID 526159 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. 
Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth>) may list Heuristic H526163 on the **Diagnostics** > **Identified **> **High** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| 12.0.0 \n11.6.1| Low| libnss \nBIG-IP AAM| 11.4.0 - 11.6.0| 12.0.0 \n11.6.1| Low| libnss \nBIG-IP AFM| 11.3.0 - 11.6.0| 12.0.0 \n11.6.1| Low| libnss \nBIG-IP Analytics| 11.0.0 - 11.6.0| 12.0.0 \n11.6.1| Low| libnss \nBIG-IP APM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| 12.0.0 \n11.6.1| Low| libnss \nBIG-IP ASM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| 12.0.0 \n11.6.1| Low| libnss \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| libnss \nBIG-IP GTM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| 11.6.1| Low| libnss \nBIG-IP Link Controller| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| 12.0.0 \n11.6.1| Low| libnss \nBIG-IP PEM| 11.3.0 - 11.6.0| 12.0.0 \n11.6.1| Low| libnss \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Low| libnss \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| libnss \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| libnss \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| libnss \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| libnss \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| libnss \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| libnss \nBIG-IQ ADC| 4.5.0| None| Low| libnss \nLineRate| None| 2.4.0 - 2.6.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix 
SDC| None| 4.0.0 - 4.1.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability, you should only permit management access to F5 products over a secure network and restrict command line access for affected systems to the trusted users. For more information, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-03-14T22:06:00", "published": "2015-06-06T00:16:00", "id": "F5:K16716", "href": "https://support.f5.com/csp/article/K16716", "title": "Multiple Mozilla NSS vulnerabilities", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-11-09T00:09:52", "bulletinFamily": "software", "cvelist": ["CVE-2013-1740", "CVE-2014-1545", "CVE-2014-1492", "CVE-2014-1490", "CVE-2014-1544", 
"CVE-2014-1491"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, you should only permit management access to F5 products over a secure network and restrict command line access for affected systems to the trusted users. For more information, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x) and SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "modified": "2016-06-21T00:00:00", "published": "2015-06-05T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/16000/700/sol16716.html", "id": "SOL16716", "title": "SOL16716 - Multiple Mozilla NSS vulnerabilities", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "debian": [{"lastseen": "2019-05-30T02:23:09", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1490", "CVE-2014-1491"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2858-1 
security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nFebruary 10, 2014 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : iceweasel\nVulnerability : several\nCVE ID : CVE-2014-1477 CVE-2014-1479 CVE-2014-1481 CVE-2014-1482 \n CVE-2014-1486 CVE-2014-1487 CVE-2014-1490 CVE-2014-1491\n\nMultiple security issues have been found in Iceweasel, Debian's version\nof the Mozilla Firefox web browser: Multiple memory safety errors, \nuse-after-frees, too-verbose error messages and missing permission checks\nmay lead to the execution of arbitrary code, the bypass of security \nchecks or information disclosure. This update also addresses security \nissues in the bundled version of the NSS crypto library.\n\nThis update updates Iceweasel to the ESR24 series of Firefox.\n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 24.3.0esr-1~deb7u1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 24.3.0esr-1.\n\nWe recommend that you upgrade your iceweasel packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 3, "modified": "2014-02-10T15:42:08", "published": "2014-02-10T15:42:08", "id": "DEBIAN:DSA-2858-1:20980", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2014/msg00028.html", "title": "[SECURITY] [DSA 2858-1] iceweasel security update", "type": "debian", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:37:41", "bulletinFamily": "unix", "cvelist": ["CVE-2013-6674", "CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1490", "CVE-2014-1491"], "description": "Christian 
Holler, Terrence Cole, Jesse Ruderman, Gary Kwong, Eric \nRescorla, Jonathan Kew, Dan Gohman, Ryan VanderMeulen and Sotaro Ikeda \ndiscovered multiple memory safety issues in Thunderbird. If a user were \ntricked into opening a specially crafted message with scripting enabled, \nan attacker could potentially exploit these to cause a denial of service \nvia application crash, or execute arbitrary code with the privileges of \nthe user invoking Thunderbird. (CVE-2014-1477)\n\nCody Crews discovered a method to bypass System Only Wrappers. If a user \nhad enabled scripting, an attacker could potentially exploit this to steal \nconfidential data or execute code with the privileges of the user invoking \nThunderbird. (CVE-2014-1479)\n\nFredrik L\u00f6nnqvist discovered a use-after-free in Thunderbird. If a user \nhad enabled scripting, an attacker could potentially exploit this to cause \na denial of service via application crash, or execute arbitrary code with \nthe privileges of the user invoking Thunderbird. (CVE-2014-1482)\n\nArthur Gerkis discovered a use-after-free in Thunderbird. If a user had \nenabled scripting, an attacker could potentially exploit this to cause a \ndenial of service via application crash, or execute arbitrary code with \nthe privileges of the user invoking Thunderbird. (CVE-2014-1486)\n\nMasato Kinugawa discovered a cross-origin information leak in web worker \nerror messages. If a user had enabled scripting, an attacker could \npotentially exploit this to steal confidential information. \n(CVE-2014-1487)\n\nSeveral issues were discovered with ticket handling in NSS. An attacker \ncould potentially exploit these to cause a denial of service or bypass \ncryptographic protection mechanisms. (CVE-2014-1490, CVE-2014-1491)\n\nBoris Zbarsky discovered that security restrictions on window objects \ncould be bypassed under certain circumstances. 
(CVE-2014-1481)\n\nFabi\u00e1n Cuchietti and Ateeq ur Rehman Khan discovered that it was possible \nto bypass JavaScript execution restrictions when replying to or forwarding \nmail messages in certain circumstances. An attacker could potentially \nexploit this to steal confidential information or modify message content. \n(CVE-2013-6674)", "edition": 5, "modified": "2014-02-19T00:00:00", "published": "2014-02-19T00:00:00", "id": "USN-2119-1", "href": "https://ubuntu.com/security/notices/USN-2119-1", "title": "Thunderbird vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:35:33", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1490", "CVE-2014-1480", "CVE-2014-1478", "CVE-2014-1485", "CVE-2014-1488", "CVE-2014-1491", "CVE-2014-1483", "CVE-2014-1489"], "description": "Christian Holler, Terrence Cole, Jesse Ruderman, Gary Kwong, Eric \nRescorla, Jonathan Kew, Dan Gohman, Ryan VanderMeulen, Carsten Book, \nAndrew Sutherland, Byron Campen, Nicholas Nethercote, Paul Adenot, David \nBaron, Julian Seward and Sotaro Ikeda discovered multiple memory safety \nissues in Firefox. If a user were tricked into opening a specially \ncrafted website, an attacker could potentially exploit these to cause a \ndenial of service via application crash, or execute arbitrary code with \nthe privileges of the user invoking Firefox. (CVE-2014-1477, \nCVE-2014-1478)\n\nCody Crews discovered a method to bypass System Only Wrappers. An attacker \ncould potentially exploit this to steal confidential data or execute code \nwith the privileges of the user invoking Firefox. (CVE-2014-1479)\n\nJordi Chancel discovered that the downloads dialog did not implement a \nsecurity timeout before button presses are processed. An attacker could \npotentially exploit this to conduct clickjacking attacks. 
(CVE-2014-1480)\n\nFredrik L\u00f6nnqvist discovered a use-after-free in Firefox. An attacker \ncould potentially exploit this to cause a denial of service via \napplication crash, or execute arbitrary code with the privileges of the \nuser invoking Firefox. (CVE-2014-1482)\n\nJordan Milne discovered a timing flaw when using document.elementFromPoint \nand document.caretPositionFromPoint on cross-origin iframes. An attacker \ncould potentially exploit this to steal confidential information. \n(CVE-2014-1483)\n\nFrederik Braun discovered that the CSP implementation in Firefox did not \nhandle XSLT stylesheets in accordance with the specification, potentially \nresulting in unexpected script execution in some circumstances \n(CVE-2014-1485)\n\nArthur Gerkis discovered a use-after-free in Firefox. An attacker could \npotentially exploit this to cause a denial of service via application \ncrash, or execute arbitrary code with the privileges of the user invoking \nFirefox. (CVE-2014-1486)\n\nMasato Kinugawa discovered a cross-origin information leak in web worker \nerror messages. An attacker could potentially exploit this to steal \nconfidential information. (CVE-2014-1487)\n\nYazan Tommalieh discovered that web pages could activate buttons on the \ndefault Firefox startpage (about:home) in some circumstances. An attacker \ncould potentially exploit this to cause data loss by triggering a session \nrestore. (CVE-2014-1489)\n\nSoeren Balko discovered a crash in Firefox when terminating web workers \nrunning asm.js code in some circumstances. An attacker could potentially \nexploit this to execute arbitrary code with the privileges of the user \ninvoking Firefox. (CVE-2014-1488)\n\nSeveral issues were discovered with ticket handling in NSS. An attacker \ncould potentially exploit these to cause a denial of service or bypass \ncryptographic protection mechanisms. 
(CVE-2014-1490, CVE-2014-1491)\n\nBoris Zbarsky discovered that security restrictions on window objects \ncould be bypassed under certain circumstances. (CVE-2014-1481)", "edition": 68, "modified": "2014-02-10T00:00:00", "published": "2014-02-10T00:00:00", "id": "USN-2102-1", "href": "https://ubuntu.com/security/notices/USN-2102-1", "title": "Firefox vulnerabilities", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-02T11:44:41", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1490", "CVE-2014-1480", "CVE-2014-1478", "CVE-2014-1485", "CVE-2014-1488", "CVE-2014-1491", "CVE-2014-1483", "CVE-2014-1489"], "description": "USN-2102-1 fixed vulnerabilities in Firefox. The update introduced a \nregression which could make Firefox crash under some circumstances. This \nupdate fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nChristian Holler, Terrence Cole, Jesse Ruderman, Gary Kwong, Eric \nRescorla, Jonathan Kew, Dan Gohman, Ryan VanderMeulen, Carsten Book, \nAndrew Sutherland, Byron Campen, Nicholas Nethercote, Paul Adenot, David \nBaron, Julian Seward and Sotaro Ikeda discovered multiple memory safety \nissues in Firefox. If a user were tricked in to opening a specially \ncrafted website, an attacker could potentially exploit these to cause a \ndenial of service via application crash, or execute arbitrary code with \nthe privileges of the user invoking Firefox. (CVE-2014-1477, \nCVE-2014-1478)\n\nCody Crews discovered a method to bypass System Only Wrappers. An attacker \ncould potentially exploit this to steal confidential data or execute code \nwith the privileges of the user invoking Firefox. (CVE-2014-1479)\n\nJordi Chancel discovered that the downloads dialog did not implement a \nsecurity timeout before button presses are processed. 
An attacker could \npotentially exploit this to conduct clickjacking attacks. (CVE-2014-1480)\n\nFredrik L\u00f6nnqvist discovered a use-after-free in Firefox. An attacker \ncould potentially exploit this to cause a denial of service via \napplication crash, or execute arbitrary code with the privileges of the \nuser invoking Firefox. (CVE-2014-1482)\n\nJordan Milne discovered a timing flaw when using document.elementFromPoint \nand document.caretPositionFromPoint on cross-origin iframes. An attacker \ncould potentially exploit this to steal confidential information. \n(CVE-2014-1483)\n\nFrederik Braun discovered that the CSP implementation in Firefox did not \nhandle XSLT stylesheets in accordance with the specification, potentially \nresulting in unexpected script execution in some circumstances \n(CVE-2014-1485)\n\nArthur Gerkis discovered a use-after-free in Firefox. An attacker could \npotentially exploit this to cause a denial of service via application \ncrash, or execute arbitrary code with the privileges of the user invoking \nFirefox. (CVE-2014-1486)\n\nMasato Kinugawa discovered a cross-origin information leak in web worker \nerror messages. An attacker could potentially exploit this to steal \nconfidential information. (CVE-2014-1487)\n\nYazan Tommalieh discovered that web pages could activate buttons on the \ndefault Firefox startpage (about:home) in some circumstances. An attacker \ncould potentially exploit this to cause data loss by triggering a session \nrestore. (CVE-2014-1489)\n\nSoeren Balko discovered a crash in Firefox when terminating web workers \nrunning asm.js code in some circumstances. An attacker could potentially \nexploit this to execute arbitrary code with the privileges of the user \ninvoking Firefox. (CVE-2014-1488)\n\nSeveral issues were discovered with ticket handling in NSS. An attacker \ncould potentially exploit these to cause a denial of service or bypass \ncryptographic protection mechanisms. 
(CVE-2014-1490, CVE-2014-1491)\n\nBoris Zbarsky discovered that security restrictions on window objects \ncould be bypassed under certain circumstances. (CVE-2014-1481)", "edition": 68, "modified": "2014-02-19T00:00:00", "published": "2014-02-19T00:00:00", "id": "USN-2102-2", "href": "https://ubuntu.com/security/notices/USN-2102-2", "title": "Firefox regression", "type": "ubuntu", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T11:50:17", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2013-1740", "CVE-2014-1490", "CVE-2014-1478", "CVE-2014-1491"], "description": "Updates for mozilla-nss (3.15.4) MozillaFirefox (24.3.0esr)\n MozillaThunderbird (24.3.0) including fixes for the\n following issues:\n * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478 Miscellaneous\n memory safety hazards (rv:27.0 / rv:24.3)\n * MFSA 2014-02/CVE-2014-1479 (bmo#911864) Clone protected\n content with XBL scopes\n * MFSA 2014-04/CVE-2014-1482 (bmo#943803) Incorrect use\n of discarded images by RasterImage\n * MFSA 2014-08/CVE-2014-1486 (bmo#942164) Use-after-free\n with imgRequestProxy and image processing\n * MFSA 2014-09/CVE-2014-1487 (bmo#947592) Cross-origin\n information leak through web workers\n * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 (bmo#934545,\n bmo#930874, bmo#930857) NSS ticket handling issues\n * MFSA 2014-13/CVE-2014-1481(bmo#936056) Inconsistent\n JavaScript handling of access to Window objects\n\n", "edition": 1, "modified": "2014-02-08T13:04:12", "published": "2014-02-08T13:04:12", "id": "OPENSUSE-SU-2014:0213-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00005.html", "title": "Mozilla updates February 2014 (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:45:49", "bulletinFamily": "unix", 
"cvelist": ["CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1484", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1490", "CVE-2014-1480", "CVE-2014-1485", "CVE-2014-1488", "CVE-2014-1491", "CVE-2014-1483", "CVE-2014-1489"], "description": "Mozilla Firefox was updated to the 24.3.0ESR security\n release.\n\n The following security issues have been fixed:\n\n *\n\n MFSA 2014-01: Memory safety bugs fixed in Firefox ESR\n 24.3 and Firefox 27.0 (CVE-2014-1477)(bnc#862345)\n\n *\n\n MFSA 2014-02: Using XBL scopes it's possible to\n steal(clone) native anonymous content\n (CVE-2014-1479)(bnc#862348)\n\n *\n\n MFSA 2014-03: Download \"open file\" dialog delay is\n too quick, doesn't prevent clickjacking (CVE-2014-1480)\n\n *\n\n MFSA 2014-04: Image decoding causing FireFox to crash\n with Goo Create (CVE-2014-1482)(bnc#862356)\n\n *\n\n MFSA 2014-05: caretPositionFromPoint and\n elementFromPoint leak information about iframe contents via\n timing information (CVE-2014-1483)(bnc#862360)\n\n *\n\n MFSA 2014-06: Fennec leaks profile path to logcat\n (CVE-2014-1484)\n\n *\n\n MFSA 2014-07: CSP should block XSLT as script, not as\n style (CVE-2014-1485)\n\n *\n\n MFSA 2014-08: imgRequestProxy Use-After-Free Remote\n Code Execution Vulnerability (CVE-2014-1486)\n\n *\n\n MFSA 2014-09: Cross-origin information disclosure\n with error message of Web Workers (CVE-2014-1487)\n\n *\n\n MFSA 2014-10: settings & history ID bug\n (CVE-2014-1489)\n\n *\n\n MFSA 2014-11: Firefox reproducibly crashes when using\n asm.js code in workers and transferable objects\n (CVE-2014-1488)\n\n *\n\n MFSA 2014-12: TOCTOU, potential use-after-free in\n libssl's session ticket processing\n (CVE-2014-1490)(bnc#862300) Do not allow p-1 as a public DH\n value (CVE-2014-1491)(bnc#862289)\n\n *\n\n MFSA 2014-13: Inconsistent this value when invoking\n getters on window (CVE-2014-1481)(bnc#862309)\n\n Also Mozilla NSS was updated to 3.15.4 release.\n\n * required for Firefox 27\n * 
regular CA root store update (1.96)\n * some OCSP improvements\n * other bugfixes\n", "edition": 1, "modified": "2014-02-19T21:04:13", "published": "2014-02-19T21:04:13", "id": "SUSE-SU-2014:0248-2", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00011.html", "type": "suse", "title": "Security update for Mozilla Firefox (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:08:03", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1484", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1490", "CVE-2014-1480", "CVE-2014-1485", "CVE-2014-1488", "CVE-2014-1491", "CVE-2014-1483", "CVE-2014-1489"], "description": "This updates the Mozilla Firefox browser to the 24.3.0ESR\n security release. The Mozilla NSS libraries are now on\n version 3.15.4.\n\n The following security issues have been fixed:\n\n *\n\n MFSA 2014-01: Memory safety bugs fixed in Firefox ESR\n 24.3 and Firefox 27.0 (CVE-2014-1477)(bnc#862345)\n\n *\n\n MFSA 2014-02: Using XBL scopes it's possible to\n steal(clone) native anonymous content\n (CVE-2014-1479)(bnc#862348)\n\n *\n\n MFSA 2014-03: Download \"open file\" dialog delay is\n too quick, doesn't prevent clickjacking (CVE-2014-1480)\n\n *\n\n MFSA 2014-04: Image decoding causing FireFox to crash\n with Goo Create (CVE-2014-1482)(bnc#862356)\n\n *\n\n MFSA 2014-05: caretPositionFromPoint and\n elementFromPoint leak information about iframe contents via\n timing information (CVE-2014-1483)(bnc#862360)\n\n *\n\n MFSA 2014-06: Fennec leaks profile path to logcat\n (CVE-2014-1484)\n\n *\n\n MFSA 2014-07: CSP should block XSLT as script, not as\n style (CVE-2014-1485)\n\n *\n\n MFSA 2014-08: imgRequestProxy Use-After-Free Remote\n Code Execution Vulnerability (CVE-2014-1486)\n\n *\n\n MFSA 2014-09: Cross-origin information disclosure\n with error message of Web Workers (CVE-2014-1487)\n\n 
*\n\n MFSA 2014-10: settings & history ID bug\n (CVE-2014-1489)\n\n *\n\n MFSA 2014-11: Firefox reproducibly crashes when using\n asm.js code in workers and transferable objects\n (CVE-2014-1488)\n\n *\n\n MFSA 2014-12: TOCTOU, potential use-after-free in\n libssl's session ticket processing\n (CVE-2014-1490)(bnc#862300) Do not allow p-1 as a public DH\n value (CVE-2014-1491)(bnc#862289)\n\n *\n\n MFSA 2014-13: Inconsistent this value when invoking\n getters on window (CVE-2014-1481)(bnc#862309)\n", "edition": 1, "modified": "2014-02-18T13:25:23", "published": "2014-02-18T13:25:23", "id": "SUSE-SU-2014:0248-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00010.html", "type": "suse", "title": "Security update for MozillaFirefox (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:42:58", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1484", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2013-1740", "CVE-2014-1490", "CVE-2014-1480", "CVE-2014-1478", "CVE-2014-1485", "CVE-2014-1488", "CVE-2014-1491", "CVE-2014-1483", "CVE-2014-1489"], "description": "Mozilla Firefox was updated to version 27. Mozilla\n Seamonkey was updated to 2.24, fixing similar issues as\n Firefox 27. 
Mozilla Thunderbird was updated to 24.3.0,\n fixing similar issues as Firefox 27.\n\n The Firefox 27 release brings TLS 1.2 support as a major\n security feature.\n\n It also fixes following security issues:\n * MFSA 2014-01/CVE-2014-1477/CVE-2014-1478 Miscellaneous\n memory safety hazards (rv:27.0 / rv:24.3)\n * MFSA 2014-02/CVE-2014-1479 (bmo#911864) Clone protected\n content with XBL scopes\n * MFSA 2014-03/CVE-2014-1480 (bmo#916726) UI selection\n timeout missing on download prompts\n * MFSA 2014-04/CVE-2014-1482 (bmo#943803) Incorrect use\n of discarded images by RasterImage\n * MFSA 2014-05/CVE-2014-1483 (bmo#950427) Information\n disclosure with *FromPoint on iframes\n * MFSA 2014-06/CVE-2014-1484 (bmo#953993) Profile path\n leaks to Android system log\n * MFSA 2014-07/CVE-2014-1485 (bmo#910139) XSLT\n stylesheets treated as styles in Content Security Policy\n * MFSA 2014-08/CVE-2014-1486 (bmo#942164) Use-after-free\n with imgRequestProxy and image processing\n * MFSA 2014-09/CVE-2014-1487 (bmo#947592) Cross-origin\n information leak through web workers\n * MFSA 2014-10/CVE-2014-1489 (bmo#959531) Firefox default\n start page UI content invokable by script\n * MFSA 2014-11/CVE-2014-1488 (bmo#950604) Crash when\n using web workers with asm.js\n * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 (bmo#934545,\n bmo#930874, bmo#930857) NSS ticket handling issues\n * MFSA 2014-13/CVE-2014-1481(bmo#936056) Inconsistent\n JavaScript handling of access to Window objects\n\n Mozilla NSS was updated to 3.15.4:\n * required for Firefox 27\n * regular CA root store update (1.96)\n * Reordered the cipher suites offered in SSL/TLS client\n hello messages to match modern best practices.\n * Improved SSL/TLS false start. 
In addition to enabling\n the SSL_ENABLE_FALSE_START option, an application must\n now register a callback using the\n SSL_SetCanFalseStartCallback function.\n * When false start is enabled, libssl will sometimes\n return unencrypted, unauthenticated data from PR_Recv\n (CVE-2013-1740, bmo#919877)\n * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 NSS ticket\n handling issues New functionality\n * Implemented OCSP querying using the HTTP GET method,\n which is the new default, and will fall back to the\n HTTP POST method.\n * Implemented OCSP server functionality for testing\n purposes (httpserv utility).\n * Support SHA-1 signatures with TLS 1.2 client\n authentication.\n * Added the --empty-password command-line option to\n certutil, to be used with -N: use an empty password\n when creating a new database.\n * Added the -w command-line option to pp: don't wrap long\n output lines.\n\n", "edition": 1, "modified": "2014-02-08T09:04:14", "published": "2014-02-08T09:04:14", "id": "OPENSUSE-SU-2014:0212-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00004.html", "type": "suse", "title": "Mozilla Firefox 27 release (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:46:06", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1505", "CVE-2014-1513", "CVE-2014-1510", "CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1509", "CVE-2014-1494", "CVE-2014-1486", "CVE-2014-1508", "CVE-2014-1502", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1504", "CVE-2014-1511", "CVE-2014-1512", "CVE-2014-1514", "CVE-2014-1490", "CVE-2014-1498", "CVE-2014-1480", "CVE-2014-1500", "CVE-2014-1497", "CVE-2014-1478", "CVE-2014-1485", "CVE-2014-1493", "CVE-2014-1488", "CVE-2014-1491", "CVE-2014-1483", "CVE-2014-1499"], "description": "This patch contains a collection of security relevant\n updates for Mozilla applications.\n\n Update Firefox to 24.4.0 (bnc#868603) Update 
Thunderbird to\n 24.4.0 Update NSPR to 4.10.4 Update NSS to 3.15.5\n\n * MFSA 2014-15/CVE-2014-1493/CVE-2014-1494 Miscellaneous\n memory safety hazards\n * MFSA 2014-17/CVE-2014-1497 (bmo#966311) Out of bounds\n read during WAV file decoding\n * MFSA 2014-26/CVE-2014-1508 (bmo#963198) Information\n disclosure through polygon rendering in MathML\n * MFSA 2014-27/CVE-2014-1509 (bmo#966021) Memory\n corruption in Cairo during PDF font rendering\n * MFSA 2014-28/CVE-2014-1505 (bmo#941887) SVG filters\n information disclosure through feDisplacementMap\n * MFSA 2014-29/CVE-2014-1510/CVE-2014-1511 (bmo#982906,\n bmo#982909) Privilege escalation using\n WebIDL-implemented APIs\n * MFSA 2014-30/CVE-2014-1512 (bmo#982957) Use-after-free\n in TypeObject\n * MFSA 2014-31/CVE-2014-1513 (bmo#982974) Out-of-bounds\n read/write through neutering ArrayBuffer objects\n * MFSA 2014-32/CVE-2014-1514 (bmo#983344) Out-of-bounds\n write through TypedArrayObject after neutering\n\n", "edition": 1, "modified": "2014-03-21T23:04:31", "published": "2014-03-21T23:04:31", "id": "OPENSUSE-SU-2014:0419-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00017.html", "type": "suse", "title": "Mozilla updates 2014/03 (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:21:58", "bulletinFamily": "unix", "cvelist": ["CVE-2012-1945", "CVE-2011-3648", "CVE-2014-1505", "CVE-2014-1536", "CVE-2011-0061", "CVE-2011-0077", "CVE-2014-1513", "CVE-2012-0478", "CVE-2012-4193", "CVE-2012-0442", "CVE-2013-5601", "CVE-2013-1687", "CVE-2013-5612", "CVE-2013-1692", "CVE-2010-0654", "CVE-2012-1962", "CVE-2013-0743", "CVE-2012-0443", "CVE-2012-5842", "CVE-2012-4212", "CVE-2013-5595", "CVE-2010-0176", "CVE-2014-1530", "CVE-2011-0083", "CVE-2010-1203", "CVE-2013-1737", "CVE-2012-4214", "CVE-2008-1236", "CVE-2013-5611", "CVE-2012-1970", "CVE-2008-3835", "CVE-2013-1709", "CVE-2007-3738", "CVE-2012-3989", 
"CVE-2013-5616", "CVE-2013-1678", "CVE-2010-2762", "CVE-2012-5830", "CVE-2013-0763", "CVE-2014-1510", "CVE-2011-3026", "CVE-2012-0460", "CVE-2013-5613", "CVE-2012-1973", "CVE-2014-1522", "CVE-2011-3654", "CVE-2014-1567", "CVE-2012-1974", "CVE-2010-2766", "CVE-2012-4195", "CVE-2012-3986", "CVE-2013-0783", "CVE-2007-3734", "CVE-2011-2371", "CVE-2014-1481", "CVE-2013-1670", "CVE-2012-4185", "CVE-2010-3777", "CVE-2012-3991", "CVE-2013-1719", "CVE-2012-3968", "CVE-2013-1725", "CVE-2012-3963", "CVE-2014-1539", "CVE-2010-0174", "CVE-2012-0452", "CVE-2013-1735", "CVE-2012-1956", "CVE-2014-1487", "CVE-2012-3978", "CVE-2012-3985", "CVE-2013-0746", "CVE-2012-5829", "CVE-2009-1571", "CVE-2012-1944", "CVE-2012-5838", "CVE-2011-2986", "CVE-2010-1205", "CVE-2014-1538", "CVE-2012-4213", "CVE-2013-1685", "CVE-2012-0479", "CVE-2013-5609", "CVE-2007-3737", "CVE-2013-0766", "CVE-2007-3736", "CVE-2012-1940", "CVE-2013-1697", "CVE-2014-1484", "CVE-2014-1525", "CVE-2012-3993", "CVE-2013-5619", "CVE-2012-5837", "CVE-2008-5500", "CVE-2012-5836", "CVE-2014-1509", "CVE-2009-0772", "CVE-2013-0787", "CVE-2012-3995", "CVE-2012-4201", "CVE-2010-0159", "CVE-2009-0773", "CVE-2011-3659", "CVE-2011-3663", "CVE-2014-1494", "CVE-2014-1559", "CVE-2013-0747", "CVE-2012-0470", "CVE-2012-0446", "CVE-2008-4063", "CVE-2014-1537", "CVE-2013-1694", "CVE-2014-1523", "CVE-2012-1972", "CVE-2010-1200", "CVE-2010-0175", "CVE-2012-3988", "CVE-2012-0457", "CVE-2010-3778", "CVE-2012-3994", "CVE-2013-5615", "CVE-2013-1680", "CVE-2012-3962", "CVE-2012-0459", "CVE-2011-2362", "CVE-2014-1529", "CVE-2013-1724", "CVE-2010-1213", "CVE-2013-5597", "CVE-2012-5843", "CVE-2014-1543", "CVE-2014-1486", "CVE-2011-0085", "CVE-2013-5590", "CVE-2008-5510", "CVE-2011-0080", "CVE-2013-0780", "CVE-2008-5502", "CVE-2010-3765", "CVE-2013-1732", "CVE-2013-0744", "CVE-2013-0795", "CVE-2008-1237", "CVE-2013-1720", "CVE-2008-4070", "CVE-2013-0748", "CVE-2012-4183", "CVE-2010-3178", "CVE-2013-1679", "CVE-2007-3285", "CVE-2013-5610", 
"CVE-2013-0768", "CVE-2011-3661", "CVE-2012-4181", "CVE-2014-1532", "CVE-2013-6671", "CVE-2009-0040", "CVE-2011-3652", "CVE-2013-0755", "CVE-2008-4067", "CVE-2014-1548", "CVE-2011-2364", "CVE-2014-1531", "CVE-2013-0752", "CVE-2012-4186", "CVE-2014-1508", "CVE-2012-1948", "CVE-2008-5012", "CVE-2012-1938", "CVE-2013-0796", "CVE-2012-0449", "CVE-2010-3769", "CVE-2012-3969", "CVE-2014-1502", "CVE-2013-1723", "CVE-2013-0782", "CVE-2012-1953", "CVE-2012-1949", "CVE-2014-1542", "CVE-2012-0456", "CVE-2011-2372", "CVE-2010-3169", "CVE-2012-3970", "CVE-2011-0053", "CVE-2012-5840", "CVE-2010-3176", "CVE-2012-4191", "CVE-2010-3174", "CVE-2010-3768", "CVE-2014-1477", "CVE-2013-0800", "CVE-2010-1212", "CVE-2013-1681", "CVE-2010-1211", "CVE-2010-1121", "CVE-2013-0773", "CVE-2013-0754", "CVE-2010-3167", "CVE-2012-4202", "CVE-2010-3180", "CVE-2012-3957", "CVE-2011-3660", "CVE-2014-1540", "CVE-2014-1534", "CVE-2012-1941", "CVE-2013-1738", "CVE-2014-1482", "CVE-2014-1479", "CVE-2008-4066", "CVE-2008-5018", "CVE-2012-3984", "CVE-2014-1504", "CVE-2012-0444", "CVE-2011-3650", "CVE-2014-1511", "CVE-2010-2753", "CVE-2012-1946", "CVE-2010-3776", "CVE-2012-4182", "CVE-2008-1233", "CVE-2012-4187", "CVE-2012-3983", "CVE-2011-0062", "CVE-2008-0016", "CVE-2011-3101", "CVE-2010-3168", "CVE-2013-0788", "CVE-2013-1728", "CVE-2014-1545", "CVE-2010-0173", "CVE-2012-0472", "CVE-2013-5592", "CVE-2013-1730", "CVE-2008-4059", "CVE-2010-2764", "CVE-2014-1492", "CVE-2011-0081", "CVE-2009-0771", "CVE-2007-3670", "CVE-2012-1954", "CVE-2009-0774", "CVE-2014-1556", "CVE-2012-0461", "CVE-2011-2376", "CVE-2012-3958", "CVE-2012-0469", "CVE-2014-1563", "CVE-2014-1524", "CVE-2014-1512", "CVE-2012-1975", "CVE-2011-0075", "CVE-2013-1690", "CVE-2012-0464", "CVE-2013-0775", "CVE-2012-1967", "CVE-2013-5604", "CVE-2014-1514", "CVE-2010-3166", "CVE-2011-0074", "CVE-2013-0801", "CVE-2012-3956", "CVE-2010-2769", "CVE-2012-3982", "CVE-2009-3555", "CVE-2013-1714", "CVE-2011-2989", "CVE-2010-1196", "CVE-2008-5021", 
"CVE-2008-5017", "CVE-2013-0769", "CVE-2012-3966", "CVE-2013-0771", "CVE-2014-1490", "CVE-2012-5839", "CVE-2013-0757", "CVE-2014-1498", "CVE-2012-1961", "CVE-2010-3173", "CVE-2012-4216", "CVE-2008-4062", "CVE-2010-3179", "CVE-2010-0182", "CVE-2014-1565", "CVE-2012-3967", "CVE-2013-0749", "CVE-2011-3651", "CVE-2008-4060", "CVE-2007-3656", "CVE-2008-1234", "CVE-2012-1951", "CVE-2012-0475", "CVE-2014-1555", "CVE-2014-1564", "CVE-2012-1952", "CVE-2010-1201", "CVE-2013-0761", "CVE-2013-1669", "CVE-2010-1585", "CVE-2012-3959", "CVE-2012-0455", "CVE-2014-1558", "CVE-2011-0084", "CVE-2012-0759", "CVE-2007-3089", "CVE-2014-1519", "CVE-2013-1701", "CVE-2012-0474", "CVE-2012-3975", "CVE-2010-2768", "CVE-2008-5014", "CVE-2013-1684", "CVE-2008-4058", "CVE-2012-4184", "CVE-2012-0447", "CVE-2014-1547", "CVE-2011-3232", "CVE-2012-4205", "CVE-2014-1480", "CVE-2014-1500", "CVE-2011-0069", "CVE-2013-6630", "CVE-2008-5022", "CVE-2008-5512", "CVE-2014-1497", "CVE-2013-5596", "CVE-2012-3992", "CVE-2008-1235", "CVE-2013-1676", "CVE-2013-0789", "CVE-2008-5501", "CVE-2008-4068", "CVE-2008-5016", "CVE-2013-1675", "CVE-2014-1478", "CVE-2012-3980", "CVE-2008-5503", "CVE-2011-2374", "CVE-2012-1955", "CVE-2012-1960", "CVE-2012-0445", "CVE-2012-0462", "CVE-2012-4217", "CVE-2013-1686", "CVE-2013-0745", "CVE-2013-0756", "CVE-2012-4218", "CVE-2013-0760", "CVE-2011-2377", "CVE-2014-1485", "CVE-2014-1493", "CVE-2007-3735", "CVE-2011-3000", "CVE-2010-2765", "CVE-2014-1544", "CVE-2010-2767", "CVE-2011-0078", "CVE-2012-3960", "CVE-2010-3175", "CVE-2012-0451", "CVE-2011-3655", "CVE-2012-4180", "CVE-2013-0767", "CVE-2010-3182", "CVE-2009-0776", "CVE-2013-5603", "CVE-2012-1959", "CVE-2011-2363", "CVE-2011-0070", "CVE-2013-1682", "CVE-2012-1947", "CVE-2013-6673", "CVE-2013-1674", "CVE-2013-0762", "CVE-2014-1562", "CVE-2010-3170", "CVE-2011-3005", "CVE-2012-4208", "CVE-2011-3658", "CVE-2014-1541", "CVE-2011-2373", "CVE-2008-5511", "CVE-2011-2992", "CVE-2014-1488", "CVE-2012-1957", "CVE-2012-1958", 
"CVE-2008-4064", "CVE-2012-1976", "CVE-2011-1187", "CVE-2012-5835", "CVE-2014-1552", "CVE-2010-3183", "CVE-2010-1202", "CVE-2012-0468", "CVE-2013-5599", "CVE-2014-1553", "CVE-2014-1549", "CVE-2013-1713", "CVE-2008-5508", "CVE-2012-3972", "CVE-2012-4207", "CVE-2011-2988", "CVE-2008-4061", "CVE-2013-5591", "CVE-2010-1199", "CVE-2012-4204", "CVE-2013-5602", "CVE-2011-2985", "CVE-2012-4192", "CVE-2011-2987", "CVE-2012-4188", "CVE-2012-0441", "CVE-2013-0774", "CVE-2008-5024", "CVE-2013-0753", "CVE-2012-5833", "CVE-2014-1557", "CVE-2013-1736", "CVE-2014-1526", "CVE-2013-0776", "CVE-2012-3964", "CVE-2013-5593", "CVE-2014-1550", "CVE-2013-1718", "CVE-2012-5841", "CVE-2014-1533", "CVE-2013-1717", "CVE-2010-2754", "CVE-2008-5507", "CVE-2012-3990", "CVE-2014-1491", "CVE-2013-6672", "CVE-2013-5614", "CVE-2008-4065", "CVE-2013-1693", "CVE-2010-2760", "CVE-2013-0750", "CVE-2012-1937", "CVE-2014-1560", "CVE-2012-4215", "CVE-2013-6629", "CVE-2012-0463", "CVE-2013-1677", "CVE-2011-2991", "CVE-2013-0770", "CVE-2013-0793", "CVE-2012-4179", "CVE-2011-3001", "CVE-2014-1483", "CVE-2014-1489", "CVE-2011-3062", "CVE-2012-0477", "CVE-2013-1722", "CVE-2012-0473", "CVE-2012-4194", "CVE-2011-2365", "CVE-2012-4209", "CVE-2012-1963", "CVE-2012-4196", "CVE-2008-5506", "CVE-2013-1710", "CVE-2012-0467", "CVE-2012-0458", "CVE-2013-0758", "CVE-2013-5600", "CVE-2010-2752", "CVE-2014-1499", "CVE-2014-1518", "CVE-2012-0471", "CVE-2012-3961", "CVE-2014-1561", "CVE-2012-3971", "CVE-2013-0764", "CVE-2014-1528", "CVE-2013-5618", "CVE-2011-0072"], "description": "This patch contains security updates for\n\n * mozilla-nss 3.16.4\n - The following 1024-bit root CA certificate was restored to allow more\n time to develop a better transition strategy for affected sites. 
It\n was removed in NSS 3.16.3, but discussion in the\n mozilla.dev.security.policy forum led to the decision to keep this\n root included longer in order to give website administrators more time\n to update their web servers.\n - CN = GTE CyberTrust Global Root\n * In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification\n Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit\n intermediate CA certificate has been included, without explicit trust.\n The intention is to mitigate the effects of the previous removal of\n the 1024-bit Entrust.net root certificate, because many public\n Internet sites still use the "USERTrust Legacy Secure Server CA"\n intermediate certificate that is signed by the 1024-bit Entrust.net\n root certificate. The inclusion of the intermediate certificate is a\n temporary measure to allow those sites to function, by allowing them\n to find a trust path to another 2048-bit root CA certificate. The\n temporarily included intermediate certificate expires November 1, 2015.\n\n * Firefox 31.1esr Firefox is updated from 24esr to 31esr as maintenance\n for version 24 stopped\n\n", "edition": 1, "modified": "2014-09-09T18:04:16", "published": "2014-09-09T18:04:16", "href": "http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00004.html", "id": "OPENSUSE-SU-2014:1100-1", "title": "Firefox update to 31.1esr (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:30", "bulletinFamily": "unix", "cvelist": ["CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1484", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1490", "CVE-2014-1480", "CVE-2014-1478", "CVE-2014-1485", "CVE-2014-1488", "CVE-2014-1491", "CVE-2014-1483", "CVE-2014-1489"], "description": "\nThe Mozilla Project reports:\n\nMFSA 2014-01 Miscellaneous memory safety hazards\n\t (rv:27.0 / rv:24.3)\nMFSA 2014-02 Clone 
protected content with XBL scopes\nMFSA 2014-03 UI selection timeout missing on download\n\t prompts\nMFSA 2014-04 Incorrect use of discarded images by\n\t RasterImage\nMFSA 2014-05 Information disclosure with *FromPoint on\n\t iframes\nMFSA 2014-06 Profile path leaks to Android system log\nMFSA 2014-07 XSLT stylesheets treated as styles in Content\n\t Security Policy\nMFSA 2014-08 Use-after-free with imgRequestProxy and image\n\t processing\nMFSA 2014-09 Cross-origin information leak through web\n\t workers\nMFSA 2014-10 Firefox default start page UI content invokable\n\t by script\nMFSA 2014-11 Crash when using web workers with asm.js\nMFSA 2014-12 NSS ticket handling issues\nMFSA 2014-13 Inconsistent JavaScript handling of access to\n\t Window objects\n\n", "edition": 4, "modified": "2014-02-04T00:00:00", "published": "2014-02-04T00:00:00", "id": "1753F0FF-8DD5-11E3-9B45-B4B52FCE4CE8", "href": "https://vuxml.freebsd.org/freebsd/1753f0ff-8dd5-11e3-9b45-b4b52fce4ce8.html", "title": "mozilla -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:54", "bulletinFamily": "software", "cvelist": ["CVE-2013-6674", "CVE-2014-1481", "CVE-2014-1487", "CVE-2014-1484", "CVE-2014-1486", "CVE-2014-1477", "CVE-2014-1482", "CVE-2014-1479", "CVE-2014-1490", "CVE-2014-1480", "CVE-2014-1478", "CVE-2014-1485", "CVE-2014-1488", "CVE-2014-1491", "CVE-2014-1483", "CVE-2014-1489"], "description": "Multiple memory corruptions, cross-site scripting, DoS, information leakage.", "edition": 1, "modified": "2014-02-10T00:00:00", "published": "2014-02-10T00:00:00", "id": "SECURITYVULNS:VULN:13556", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13556", "title": "Mozilla Firefox / Thunderbird / Seamonkey multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": 
[{"lastseen": "2019-05-29T18:20:55", "bulletinFamily": "software", "cvelist": ["CVE-2014-2482", "CVE-2012-3544", "CVE-2014-4224", "CVE-2014-4208", "CVE-2014-4213", "CVE-2014-4262", "CVE-2014-4242", "CVE-2014-2490", "CVE-2014-4226", "CVE-2014-4251", "CVE-2014-4263", "CVE-2014-4238", "CVE-2014-2481", "CVE-2013-3774", "CVE-2014-2480", "CVE-2014-4250", "CVE-2014-4260", "CVE-2014-2479", "CVE-2014-4218", "CVE-2014-4254", "CVE-2014-4258", "CVE-2014-4221", "CVE-2013-6449", "CVE-2014-4255", "CVE-2014-4253", "CVE-2014-4268", "CVE-2013-2172", "CVE-2014-4203", "CVE-2014-4265", "CVE-2014-4231", "CVE-2014-4201", "CVE-2014-4233", "CVE-2013-5855", "CVE-2014-4210", "CVE-2014-4229", "CVE-2013-5605", "CVE-2014-0224", "CVE-2014-4267", "CVE-2014-4266", "CVE-2014-2486", "CVE-2014-4270", "CVE-2014-0098", "CVE-2014-4214", "CVE-2014-2485", "CVE-2014-4222", "CVE-2013-1741", "CVE-2014-4257", "CVE-2014-4244", "CVE-2014-2494", "CVE-2014-2487", "CVE-2014-4205", "CVE-2014-4261", "CVE-2014-0436", "CVE-2013-1740", "CVE-2014-2493", "CVE-2014-4206", "CVE-2014-0099", "CVE-2013-6438", "CVE-2014-3470", "CVE-2014-2488", "CVE-2013-1739", "CVE-2014-4215", "CVE-2014-0119", "CVE-2014-1492", "CVE-2014-4209", "CVE-2013-6450", "CVE-2014-4245", "CVE-2013-5606", "CVE-2014-0114", "CVE-2014-0211", "CVE-2013-4322", "CVE-2014-0050", "CVE-2013-2461", "CVE-2014-1490", "CVE-2010-5298", "CVE-2014-0160", "CVE-2013-4286", "CVE-2014-0209", "CVE-2014-0210", "CVE-2014-4234", "CVE-2014-2489", "CVE-2014-0195", "CVE-2014-4269", "CVE-2014-0198", "CVE-2014-4216", "CVE-2014-4230", "CVE-2013-3751", "CVE-2014-4264", "CVE-2014-2477", "CVE-2014-4220", "CVE-2014-4237", "CVE-2014-4204", "CVE-2014-0096", "CVE-2014-4243", "CVE-2014-4217", "CVE-2014-4239", "CVE-2014-4248", "CVE-2014-0075", "CVE-2014-4211", "CVE-2014-2496", "CVE-2014-2483", "CVE-2014-4235", "CVE-2014-0033", "CVE-2014-4225", "CVE-2014-4241", "CVE-2014-4246", "CVE-2014-4207", "CVE-2014-4232", "CVE-2014-4256", "CVE-2014-1491", "CVE-2014-4227", "CVE-2014-4247", "CVE-2014-4252", 
"CVE-2014-2492", "CVE-2014-4228", "CVE-2014-4202", "CVE-2014-4212", "CVE-2014-2484", "CVE-2014-4236", "CVE-2014-4240", "CVE-2014-4219", "CVE-2014-2456", "CVE-2014-4249", "CVE-2013-1620", "CVE-2014-4223", "CVE-2014-4271", "CVE-2014-0221", "CVE-2014-2491", "CVE-2014-2495"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are generally cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.** This Critical Patch Update contains 113 new security fixes across the product families listed below.\n\nPlease note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\nPlease note that on April 18, 2014, Oracle released a [Security Alert for CVE-2014-0160 OpenSSL \"Heartbleed\"](<http://www.oracle.com/technetwork/topics/security/alert-cve-2014-0160-2190703.html>). This Critical Patch Update includes an update to MySQL Enterprise Server 5.6 and this update includes a fix for vulnerability CVE-2014-0160. 
Customers of other Oracle products are strongly advised to apply the [fixes ](<http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html>) that were announced in the Security Alert for CVE-2014-0160.\n", "modified": "2014-07-24T00:00:00", "published": "2014-07-15T00:00:00", "id": "ORACLE:CPUJUL2014-1972956", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - July 2014", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:21:14", "bulletinFamily": "software", "cvelist": ["CVE-2014-6495", "CVE-2014-6506", "CVE-2014-6500", "CVE-2014-2478", "CVE-2014-6564", "CVE-2014-6482", "CVE-2014-6536", "CVE-2014-6544", "CVE-2014-6558", "CVE-2014-6516", "CVE-2014-6560", "CVE-2014-6530", "CVE-2014-6505", "CVE-2014-4301", "CVE-2014-6463", "CVE-2014-6515", "CVE-2014-6460", "CVE-2014-6554", "CVE-2014-6539", "CVE-2014-4292", "CVE-2014-6487", "CVE-2014-6538", "CVE-2014-6493", "CVE-2014-4280", "CVE-2014-6488", "CVE-2014-4282", "CVE-2014-6519", "CVE-2014-2472", "CVE-2014-6466", "CVE-2014-6517", "CVE-2014-6471", "CVE-2014-6501", "CVE-2014-6504", "CVE-2014-6534", "CVE-2014-6455", "CVE-2014-6459", "CVE-2014-6502", "CVE-2014-7169", "CVE-2013-5605", "CVE-2014-6472", "CVE-2014-0224", "CVE-2014-6492", "CVE-2014-6457", "CVE-2014-4284", "CVE-2014-6484", "CVE-2014-6476", "CVE-2014-6479", "CVE-2014-6535", "CVE-2014-6507", "CVE-2014-6503", "CVE-2014-6490", "CVE-2014-6557", "CVE-2014-6542", "CVE-2014-6454", "CVE-2014-4295", "CVE-2014-4291", "CVE-2014-6469", "CVE-2014-4278", "CVE-2014-6537", "CVE-2014-6486", "CVE-2014-6496", "CVE-2013-1741", "CVE-2014-6555", "CVE-2014-2476", "CVE-2014-6529", "CVE-2014-6562", "CVE-2013-1740", "CVE-2014-4293", "CVE-2014-6511", "CVE-2014-3470", "CVE-2013-1739", "CVE-2014-6475", "CVE-2014-6485", "CVE-2014-6559", "CVE-2014-6470", "CVE-2014-4274", "CVE-2014-4294", "CVE-2014-6531", "CVE-2014-0119", "CVE-2014-1492", "CVE-2014-6456", "CVE-2014-6547", "CVE-2014-2880", 
"CVE-2013-5606", "CVE-2014-0114", "CVE-2014-4310", "CVE-2014-6543", "CVE-2014-6464", "CVE-2014-6468", "CVE-2014-4297", "CVE-2013-4322", "CVE-2014-0050", "CVE-2014-6520", "CVE-2014-6551", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2014-6458", "CVE-2014-6532", "CVE-2014-6533", "CVE-2014-4276", "CVE-2014-4277", "CVE-2014-4288", "CVE-2014-6550", "CVE-2014-0195", "CVE-2014-4296", "CVE-2014-0198", "CVE-2013-4590", "CVE-2014-4290", "CVE-2014-6478", "CVE-2014-6553", "CVE-2014-6483", "CVE-2014-6473", "CVE-2014-0096", "CVE-2014-2475", "CVE-2014-4300", "CVE-2014-0075", "CVE-2014-6546", "CVE-2014-6465", "CVE-2014-4299", "CVE-2014-6491", "CVE-2014-6508", "CVE-2014-4289", "CVE-2014-6453", "CVE-2014-2473", "CVE-2014-4285", "CVE-2014-6522", "CVE-2014-0033", "CVE-2012-5615", "CVE-2014-6467", "CVE-2014-6523", "CVE-2014-6452", "CVE-2014-0095", "CVE-2014-6513", "CVE-2014-6474", "CVE-2014-1491", "CVE-2014-6489", "CVE-2014-2474", "CVE-2014-6563", "CVE-2014-6545", "CVE-2014-4281", "CVE-2014-4275", "CVE-2014-4287", "CVE-2014-6477", "CVE-2014-6552", "CVE-2014-6540", "CVE-2014-6494", "CVE-2014-6461", "CVE-2014-4283", "CVE-2014-6527", "CVE-2014-6462", "CVE-2014-6561", "CVE-2014-4298", "CVE-2014-6499", "CVE-2014-6512", "CVE-2014-0221", "CVE-2014-6498", "CVE-2014-6497"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. 
In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nOracle acknowledges Dana Taylor of netinfiltration.com for bringing to Oracle's attention a number of sites that were vulnerable to disclosure of sensitive information because Oracle CPU fixes were not applied to those sites for more than a year.\n\nThis Critical Patch Update contains 154 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that on September 26, 2014, Oracle released a [Security Alert for CVE-2014-7169 \"Bash\"](<http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html>) and other publicly disclosed vulnerabilities affecting GNU Bash. Customers of affected Oracle products are strongly advised to apply the fixes that were announced in the Security Alert for CVE-2014-7169.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n", "modified": "2014-11-21T00:00:00", "published": "2014-10-14T00:00:00", "id": "ORACLE:CPUOCT2014-1972960", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - October 2014", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-04T21:16:02", "bulletinFamily": "software", "cvelist": ["CVE-2003-0001", "CVE-2004-0230", "CVE-2010-5107", "CVE-2010-5298", "CVE-2011-1944", "CVE-2011-3368", "CVE-2011-3389", "CVE-2011-3607", "CVE-2011-4317", "CVE-2011-4461", "CVE-2012-0053", "CVE-2013-0338", "CVE-2013-1620", "CVE-2013-1739", "CVE-2013-1740", "CVE-2013-1741", "CVE-2013-2186", "CVE-2013-2877", "CVE-2013-4286", "CVE-2013-4545", "CVE-2013-4784", "CVE-2013-5605", "CVE-2013-5606", "CVE-2013-5704", "CVE-2013-6438", "CVE-2013-6449", "CVE-2013-6450", "CVE-2014-0015", "CVE-2014-0050", "CVE-2014-0076", "CVE-2014-0098", "CVE-2014-0114", "CVE-2014-0117", "CVE-2014-0118", "CVE-2014-0191", "CVE-2014-0195", "CVE-2014-0198", "CVE-2014-0221", "CVE-2014-0224", "CVE-2014-0226", "CVE-2014-0231", "CVE-2014-1490", "CVE-2014-1491", "CVE-2014-1492", "CVE-2014-1568", "CVE-2014-3470", "CVE-2014-3566", "CVE-2014-3567", "CVE-2014-4212", "CVE-2014-4259", "CVE-2014-4279", "CVE-2014-5704", "CVE-2014-6480", "CVE-2014-6481", "CVE-2014-6509", "CVE-2014-6510", "CVE-2014-6514", "CVE-2014-6518", "CVE-2014-6521", "CVE-2014-6524", "CVE-2014-6525", "CVE-2014-6526", "CVE-2014-6528", "CVE-2014-6541", "CVE-2014-6548", "CVE-2014-6549", "CVE-2014-6556", "CVE-2014-6565", "CVE-2014-6566", "CVE-2014-6567", "CVE-2014-6568", "CVE-2014-6569", "CVE-2014-6570", "CVE-2014-6571", "CVE-2014-6572", "CVE-2014-6573", "CVE-2014-6574", "CVE-2014-6575", "CVE-2014-6576", "CVE-2014-6577", "CVE-2014-6578", "CVE-2014-6579", "CVE-2014-6580", "CVE-2014-6581", "CVE-2014-6582", "CVE-2014-6583", "CVE-2014-6584", "CVE-2014-6585", "CVE-2014-6586", 
"CVE-2014-6587", "CVE-2014-6588", "CVE-2014-6589", "CVE-2014-6590", "CVE-2014-6591", "CVE-2014-6592", "CVE-2014-6593", "CVE-2014-6594", "CVE-2014-6595", "CVE-2014-6596", "CVE-2014-6597", "CVE-2014-6598", "CVE-2014-6599", "CVE-2014-6600", "CVE-2014-6601", "CVE-2015-0362", "CVE-2015-0363", "CVE-2015-0364", "CVE-2015-0365", "CVE-2015-0366", "CVE-2015-0367", "CVE-2015-0368", "CVE-2015-0369", "CVE-2015-0370", "CVE-2015-0371", "CVE-2015-0372", "CVE-2015-0373", "CVE-2015-0374", "CVE-2015-0375", "CVE-2015-0376", "CVE-2015-0377", "CVE-2015-0378", "CVE-2015-0379", "CVE-2015-0380", "CVE-2015-0381", "CVE-2015-0382", "CVE-2015-0383", "CVE-2015-0384", "CVE-2015-0385", "CVE-2015-0386", "CVE-2015-0387", "CVE-2015-0388", "CVE-2015-0389", "CVE-2015-0390", "CVE-2015-0391", "CVE-2015-0392", "CVE-2015-0393", "CVE-2015-0394", "CVE-2015-0395", "CVE-2015-0396", "CVE-2015-0397", "CVE-2015-0398", "CVE-2015-0399", "CVE-2015-0400", "CVE-2015-0401", "CVE-2015-0402", "CVE-2015-0403", "CVE-2015-0404", "CVE-2015-0406", "CVE-2015-0407", "CVE-2015-0408", "CVE-2015-0409", "CVE-2015-0410", "CVE-2015-0411", "CVE-2015-0412", "CVE-2015-0413", "CVE-2015-0414", "CVE-2015-0415", "CVE-2015-0416", "CVE-2015-0417", "CVE-2015-0418", "CVE-2015-0419", "CVE-2015-0420", "CVE-2015-0421", "CVE-2015-0422", "CVE-2015-0424", "CVE-2015-0425", "CVE-2015-0426", "CVE-2015-0427", "CVE-2015-0428", "CVE-2015-0429", "CVE-2015-0430", "CVE-2015-0431", "CVE-2015-0432", "CVE-2015-0434", "CVE-2015-0435", "CVE-2015-0436", "CVE-2015-0437"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. 
Please refer to:\n\nCritical Patch Updates and Security Alerts for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [https://blogs.oracle.com/security](<https://blogs.oracle.com/security>).\n\nPlease note that on October 16, 2014, Oracle released information for CVE-2014-3566 \"POODLE\". Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available at: https://www.oracle.com/security-alerts/cpufaq.html#CVRF.\n", "modified": "2015-01-20T00:00:00", "published": "2015-03-10T00:00:00", "id": "ORACLE:CPUJAN2015", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - January 2015", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:21:04", "bulletinFamily": "software", "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2011-4317", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-0231", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2013-6449", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2014-0076", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-5704", "CVE-2013-5605", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-1740", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-3470", "CVE-2012-0053", "CVE-2013-1739", "CVE-2014-6599", "CVE-2014-1492", "CVE-2013-2877", "CVE-2015-0417", 
"CVE-2015-0404", "CVE-2013-6450", "CVE-2013-5606", "CVE-2014-0114", "CVE-2015-0364", "CVE-2014-0050", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2014-0195", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-0198", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2014-0015", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2014-0118", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-1491", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-0117", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2014-0221", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. 
Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that on October 16, 2014, Oracle released information for [CVE-2014-3566 \"POODLE\"](<http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "modified": "2015-01-20T00:00:00", "published": "2015-03-10T00:00:00", "id": "ORACLE:CPUJAN2015-1972971", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - January 2015", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:20:52", "bulletinFamily": "software", "cvelist": ["CVE-2016-0571", "CVE-2016-0528", "CVE-2015-6013", "CVE-2015-4000", "CVE-2016-0608", "CVE-2016-0515", "CVE-2016-0514", "CVE-2016-0600", "CVE-2015-1792", "CVE-2016-0492", "CVE-2016-0611", "CVE-2016-0575", "CVE-2016-0544", "CVE-2016-0599", "CVE-2015-0235", "CVE-2016-0445", "CVE-2016-0500", "CVE-2016-0572", "CVE-2015-1793", "CVE-2016-0592", "CVE-2016-0435", "CVE-2016-0512", "CVE-2015-8126", "CVE-2016-0526", "CVE-2016-0457", "CVE-2016-0594", "CVE-2016-0498", "CVE-2016-0516", "CVE-2016-0580", "CVE-2016-0470", "CVE-2016-0444", "CVE-2016-0577", "CVE-2016-0440", "CVE-2016-0546", "CVE-2015-1789", "CVE-2016-0541", "CVE-2016-0560", "CVE-2016-0428", "CVE-2016-0447", "CVE-2016-0477", "CVE-2016-0568", "CVE-2016-0415", "CVE-2015-0286", "CVE-2016-0489", "CVE-2016-0559", "CVE-2016-0472", "CVE-2016-0578", "CVE-2016-0579", "CVE-2016-0561", "CVE-2014-3583", "CVE-2016-0412", "CVE-2015-3195", "CVE-2016-0449", "CVE-2016-0555", "CVE-2016-0481", "CVE-2016-0511", "CVE-2016-0605", "CVE-2015-4885", "CVE-2016-0455", "CVE-2015-4921", "CVE-2016-0534", "CVE-2016-0414", "CVE-2015-4924", "CVE-2016-0589", "CVE-2016-0474", "CVE-2016-0508", "CVE-2016-0465", "CVE-2016-0553", "CVE-2016-0582", "CVE-2016-0483", "CVE-2013-5855", "CVE-2016-0517", "CVE-2013-5704", "CVE-2016-0454", "CVE-2015-0288", "CVE-2016-0486", "CVE-2013-5605", "CVE-2016-0554", "CVE-2016-0542", "CVE-2016-0591", "CVE-2016-0433", "CVE-2016-0448", "CVE-2016-0506", "CVE-2016-0401", "CVE-2016-0416", "CVE-2016-0437", "CVE-2016-0550", "CVE-2016-0533", "CVE-2016-0403", 
"CVE-2015-4922", "CVE-2016-0566", "CVE-2016-0606", "CVE-2016-0510", "CVE-2016-0431", "CVE-2015-0285", "CVE-2016-0569", "CVE-2016-0459", "CVE-2016-0471", "CVE-2016-0564", "CVE-2016-0524", "CVE-2016-0563", "CVE-2016-0522", "CVE-2015-3153", "CVE-2016-0616", "CVE-2016-0614", "CVE-2013-1741", "CVE-2015-0207", "CVE-2016-0442", "CVE-2016-0493", "CVE-2016-0443", "CVE-2016-0618", "CVE-2016-0573", "CVE-2016-0527", "CVE-2016-0610", "CVE-2016-0609", "CVE-2016-0570", "CVE-2015-4926", "CVE-2015-0208", "CVE-2015-5307", "CVE-2016-0473", "CVE-2016-0518", "CVE-2013-1740", "CVE-2016-0567", "CVE-2015-7575", "CVE-2016-0558", "CVE-2016-0543", "CVE-2016-0463", "CVE-2016-0487", "CVE-2013-1739", "CVE-2016-0466", "CVE-2016-0462", "CVE-2016-0423", "CVE-2016-0596", "CVE-2016-0535", "CVE-2016-0509", "CVE-2016-0574", "CVE-2014-1492", "CVE-2016-0426", "CVE-2016-0460", "CVE-2016-0504", "CVE-2016-0521", "CVE-2016-0501", "CVE-2013-5606", "CVE-2016-0451", "CVE-2016-0482", "CVE-2015-4808", "CVE-2016-0539", "CVE-2014-0050", "CVE-2016-0404", "CVE-2016-0419", "CVE-2016-0494", "CVE-2015-0293", "CVE-2016-0552", "CVE-2016-0485", "CVE-2014-1490", "CVE-2016-0595", "CVE-2016-0402", "CVE-2016-0480", "CVE-2016-0478", "CVE-2016-0427", "CVE-2015-4919", "CVE-2016-0529", "CVE-2015-7183", "CVE-2016-0503", "CVE-2015-1788", "CVE-2016-0413", "CVE-2016-0476", "CVE-2016-0598", "CVE-2016-0556", "CVE-2015-0209", "CVE-2016-0422", "CVE-2016-0502", "CVE-2016-0601", "CVE-2013-2186", "CVE-2015-3183", "CVE-2015-4920", "CVE-2016-0441", "CVE-2016-0432", "CVE-2016-0484", "CVE-2016-0536", "CVE-2016-0576", "CVE-2015-0204", "CVE-2016-0540", "CVE-2016-0584", "CVE-2016-0537", "CVE-2016-0590", "CVE-2016-0565", "CVE-2016-0420", "CVE-2016-0557", "CVE-2016-0586", "CVE-2016-0417", "CVE-2016-0491", "CVE-2016-0424", "CVE-2015-8472", "CVE-2016-0450", "CVE-2016-0495", "CVE-2016-0520", "CVE-2016-0405", "CVE-2016-0488", "CVE-2015-1790", "CVE-2016-0525", "CVE-2016-0475", "CVE-2016-0499", "CVE-2016-0452", "CVE-2015-6014", "CVE-2016-0548", 
"CVE-2016-0519", "CVE-2016-0587", "CVE-2016-0461", "CVE-2016-0464", "CVE-2016-0409", "CVE-2016-0438", "CVE-2015-0291", "CVE-2016-0429", "CVE-2016-0497", "CVE-2014-3581", "CVE-2016-0607", "CVE-2015-8370", "CVE-2016-0439", "CVE-2015-0287", "CVE-2014-8109", "CVE-2016-0530", "CVE-2016-0456", "CVE-2016-0496", "CVE-2016-0551", "CVE-2016-0425", "CVE-2016-0421", "CVE-2016-0523", "CVE-2016-0430", "CVE-2015-0289", "CVE-2016-0597", "CVE-2016-0467", "CVE-2016-0581", "CVE-2016-0549", "CVE-2016-0458", "CVE-2014-1491", "CVE-2016-0538", "CVE-2016-0531", "CVE-2015-0292", "CVE-2016-0583", "CVE-2016-0411", "CVE-2016-0507", "CVE-2016-0490", "CVE-2016-0418", "CVE-2014-0107", "CVE-2016-0453", "CVE-2015-7744", "CVE-2016-0513", "CVE-2016-0436", "CVE-2016-0547", "CVE-2016-0588", "CVE-2015-0290", "CVE-2016-0434", "CVE-2016-0446", "CVE-2015-1787", "CVE-2016-0505", "CVE-2015-4852", "CVE-2016-0562", "CVE-2016-0585", "CVE-2015-4923", "CVE-2016-0406", "CVE-2015-1791", "CVE-2015-8104", "CVE-2016-0532", "CVE-2015-4925", "CVE-2015-6015", "CVE-2016-0545", "CVE-2016-0602"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. 
Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 248 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n**Please note that on November 10, 2015, Oracle released [Security Alert for CVE-2015-4852](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-4852.**\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "modified": "2016-02-12T00:00:00", "published": "2016-01-19T00:00:00", "id": "ORACLE:CPUJAN2016-2367955", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - January 2016", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-04T21:15:56", "bulletinFamily": "software", "cvelist": ["CVE-2013-1739", "CVE-2013-1740", "CVE-2013-1741", "CVE-2013-2186", "CVE-2013-5605", "CVE-2013-5606", "CVE-2013-5704", "CVE-2013-5855", "CVE-2014-0050", "CVE-2014-0107", "CVE-2014-1490", "CVE-2014-1491", "CVE-2014-1492", "CVE-2014-3581", "CVE-2014-3583", "CVE-2014-8109", "CVE-2015-0204", "CVE-2015-0207", "CVE-2015-0208", "CVE-2015-0209", "CVE-2015-0235", "CVE-2015-0285", "CVE-2015-0286", "CVE-2015-0287", "CVE-2015-0288", "CVE-2015-0289", "CVE-2015-0290", "CVE-2015-0291", "CVE-2015-0292", "CVE-2015-0293", "CVE-2015-1787", "CVE-2015-1788", "CVE-2015-1789", 
"CVE-2015-1790", "CVE-2015-1791", "CVE-2015-1792", "CVE-2015-1793", "CVE-2015-3153", "CVE-2015-3183", "CVE-2015-3195", "CVE-2015-4000", "CVE-2015-4808", "CVE-2015-4852", "CVE-2015-4885", "CVE-2015-4919", "CVE-2015-4920", "CVE-2015-4921", "CVE-2015-4922", "CVE-2015-4923", "CVE-2015-4924", "CVE-2015-4925", "CVE-2015-4926", "CVE-2015-5307", "CVE-2015-6013", "CVE-2015-6014", "CVE-2015-6015", "CVE-2015-7183", "CVE-2015-7575", "CVE-2015-7744", "CVE-2015-8104", "CVE-2015-8126", "CVE-2015-8370", "CVE-2015-8472", "CVE-2016-0401", "CVE-2016-0402", "CVE-2016-0403", "CVE-2016-0404", "CVE-2016-0405", "CVE-2016-0406", "CVE-2016-0409", "CVE-2016-0411", "CVE-2016-0412", "CVE-2016-0413", "CVE-2016-0414", "CVE-2016-0415", "CVE-2016-0416", "CVE-2016-0417", "CVE-2016-0418", "CVE-2016-0419", "CVE-2016-0420", "CVE-2016-0421", "CVE-2016-0422", "CVE-2016-0423", "CVE-2016-0424", "CVE-2016-0425", "CVE-2016-0426", "CVE-2016-0427", "CVE-2016-0428", "CVE-2016-0429", "CVE-2016-0430", "CVE-2016-0431", "CVE-2016-0432", "CVE-2016-0433", "CVE-2016-0434", "CVE-2016-0435", "CVE-2016-0436", "CVE-2016-0437", "CVE-2016-0438", "CVE-2016-0439", "CVE-2016-0440", "CVE-2016-0441", "CVE-2016-0442", "CVE-2016-0443", "CVE-2016-0444", "CVE-2016-0445", "CVE-2016-0446", "CVE-2016-0447", "CVE-2016-0448", "CVE-2016-0449", "CVE-2016-0450", "CVE-2016-0451", "CVE-2016-0452", "CVE-2016-0453", "CVE-2016-0454", "CVE-2016-0455", "CVE-2016-0456", "CVE-2016-0457", "CVE-2016-0458", "CVE-2016-0459", "CVE-2016-0460", "CVE-2016-0461", "CVE-2016-0462", "CVE-2016-0463", "CVE-2016-0464", "CVE-2016-0465", "CVE-2016-0466", "CVE-2016-0467", "CVE-2016-0470", "CVE-2016-0471", "CVE-2016-0472", "CVE-2016-0473", "CVE-2016-0474", "CVE-2016-0475", "CVE-2016-0476", "CVE-2016-0477", "CVE-2016-0478", "CVE-2016-0480", "CVE-2016-0481", "CVE-2016-0482", "CVE-2016-0483", "CVE-2016-0484", "CVE-2016-0485", "CVE-2016-0486", "CVE-2016-0487", "CVE-2016-0488", "CVE-2016-0489", "CVE-2016-0490", "CVE-2016-0491", "CVE-2016-0492", "CVE-2016-0493", 
"CVE-2016-0494", "CVE-2016-0495", "CVE-2016-0496", "CVE-2016-0497", "CVE-2016-0498", "CVE-2016-0499", "CVE-2016-0500", "CVE-2016-0501", "CVE-2016-0502", "CVE-2016-0503", "CVE-2016-0504", "CVE-2016-0505", "CVE-2016-0506", "CVE-2016-0507", "CVE-2016-0508", "CVE-2016-0509", "CVE-2016-0510", "CVE-2016-0511", "CVE-2016-0512", "CVE-2016-0513", "CVE-2016-0514", "CVE-2016-0515", "CVE-2016-0516", "CVE-2016-0517", "CVE-2016-0518", "CVE-2016-0519", "CVE-2016-0520", "CVE-2016-0521", "CVE-2016-0522", "CVE-2016-0523", "CVE-2016-0524", "CVE-2016-0525", "CVE-2016-0526", "CVE-2016-0527", "CVE-2016-0528", "CVE-2016-0529", "CVE-2016-0530", "CVE-2016-0531", "CVE-2016-0532", "CVE-2016-0533", "CVE-2016-0534", "CVE-2016-0535", "CVE-2016-0536", "CVE-2016-0537", "CVE-2016-0538", "CVE-2016-0539", "CVE-2016-0540", "CVE-2016-0541", "CVE-2016-0542", "CVE-2016-0543", "CVE-2016-0544", "CVE-2016-0545", "CVE-2016-0546", "CVE-2016-0547", "CVE-2016-0548", "CVE-2016-0549", "CVE-2016-0550", "CVE-2016-0551", "CVE-2016-0552", "CVE-2016-0553", "CVE-2016-0554", "CVE-2016-0555", "CVE-2016-0556", "CVE-2016-0557", "CVE-2016-0558", "CVE-2016-0559", "CVE-2016-0560", "CVE-2016-0561", "CVE-2016-0562", "CVE-2016-0563", "CVE-2016-0564", "CVE-2016-0565", "CVE-2016-0566", "CVE-2016-0567", "CVE-2016-0568", "CVE-2016-0569", "CVE-2016-0570", "CVE-2016-0571", "CVE-2016-0572", "CVE-2016-0573", "CVE-2016-0574", "CVE-2016-0575", "CVE-2016-0576", "CVE-2016-0577", "CVE-2016-0578", "CVE-2016-0579", "CVE-2016-0580", "CVE-2016-0581", "CVE-2016-0582", "CVE-2016-0583", "CVE-2016-0584", "CVE-2016-0585", "CVE-2016-0586", "CVE-2016-0587", "CVE-2016-0588", "CVE-2016-0589", "CVE-2016-0590", "CVE-2016-0591", "CVE-2016-0592", "CVE-2016-0594", "CVE-2016-0595", "CVE-2016-0596", "CVE-2016-0597", "CVE-2016-0598", "CVE-2016-0599", "CVE-2016-0600", "CVE-2016-0601", "CVE-2016-0602", "CVE-2016-0605", "CVE-2016-0606", "CVE-2016-0607", "CVE-2016-0608", "CVE-2016-0609", "CVE-2016-0610", "CVE-2016-0611", "CVE-2016-0614", "CVE-2016-0616", 
"CVE-2016-0618"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\nCritical Patch Updates and Security Alerts for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 248 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n**Please note that on November 10, 2015, Oracle released Security Alert for CVE-2015-4852. Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-4852. **\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available at: https://www.oracle.com/security-alerts/cpufaq.html#CVRF.\n", "modified": "2016-02-12T00:00:00", "published": "2016-01-19T00:00:00", "id": "ORACLE:CPUJAN2016", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - January 2016", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:40", "bulletinFamily": "unix", "cvelist": ["CVE-2015-0824", "CVE-2014-1505", "CVE-2014-1536", "CVE-2014-1577", "CVE-2014-1513", "CVE-2013-5601", "CVE-2013-5612", "CVE-2015-0831", "CVE-2013-5595", "CVE-2014-1530", "CVE-2014-1590", "CVE-2014-1586", "CVE-2014-1583", "CVE-2015-0832", "CVE-2013-5616", "CVE-2013-5607", "CVE-2014-1510", "CVE-2014-1566", "CVE-2013-5598", "CVE-2013-5613", "CVE-2014-1522", "CVE-2014-1587", "CVE-2014-1567", "CVE-2014-1481", "CVE-2014-1539", "CVE-2014-1487", "CVE-2015-0825", "CVE-2014-1594", "CVE-2014-1538", "CVE-2013-5609", "CVE-2015-0821", "CVE-2014-1525", "CVE-2013-5619", "CVE-2014-1509", "CVE-2014-1494", "CVE-2014-1559", "CVE-2014-1537", "CVE-2014-1582", "CVE-2014-1523", "CVE-2014-1576", "CVE-2014-8631", "CVE-2013-5615", "CVE-2014-1529", "CVE-2015-0828", "CVE-2013-5597", "CVE-2014-1543", "CVE-2014-1486", "CVE-2013-5590", "CVE-2013-5605", "CVE-2013-5610", "CVE-2014-1532", "CVE-2013-6671", "CVE-2014-1548", "CVE-2014-1584", "CVE-2014-1588", "CVE-2015-0826", "CVE-2014-1531", "CVE-2014-1508", "CVE-2014-1502", "CVE-2014-1542", "CVE-2014-1477", "CVE-2014-1578", "CVE-2013-1741", "CVE-2014-1540", "CVE-2014-1534", "CVE-2014-8642", "CVE-2014-1482", "CVE-2014-8637", "CVE-2014-1479", "CVE-2014-1504", "CVE-2014-8636", "CVE-2014-1580", "CVE-2014-1511", "CVE-2015-0819", "CVE-2014-1520", "CVE-2015-0834", "CVE-2014-1545", "CVE-2013-5592", "CVE-2014-1492", "CVE-2014-1556", "CVE-2013-5606", "CVE-2015-0818", "CVE-2014-1563", "CVE-2014-1524", "CVE-2014-8632", "CVE-2014-1512", "CVE-2014-1581", "CVE-2013-5604", "CVE-2014-1514", "CVE-2014-1592", 
"CVE-2014-8641", "CVE-2014-1490", "CVE-2015-0835", "CVE-2014-1498", "CVE-2014-1589", "CVE-2014-1565", "CVE-2014-1568", "CVE-2014-1555", "CVE-2014-1564", "CVE-2014-1574", "CVE-2014-1558", "CVE-2014-1551", "CVE-2014-1519", "CVE-2014-1547", "CVE-2014-1480", "CVE-2014-5369", "CVE-2014-1500", "CVE-2014-1497", "CVE-2013-5596", "CVE-2014-1478", "CVE-2014-1485", "CVE-2015-0817", "CVE-2014-1493", "CVE-2014-1544", "CVE-2014-8634", "CVE-2013-2566", "CVE-2015-0823", "CVE-2013-5603", "CVE-2013-6673", "CVE-2014-1562", "CVE-2015-0836", "CVE-2014-1541", "CVE-2014-1488", "CVE-2014-1552", "CVE-2013-5599", "CVE-2014-1553", "CVE-2014-8639", "CVE-2015-0829", "CVE-2014-1549", "CVE-2013-5591", "CVE-2013-5602", "CVE-2015-0822", "CVE-2014-1496", "CVE-2014-1554", "CVE-2015-0830", "CVE-2015-0827", "CVE-2014-8640", "CVE-2014-1557", "CVE-2014-1526", "CVE-2013-5593", "CVE-2014-1550", "CVE-2014-1533", "CVE-2014-1491", "CVE-2013-6672", "CVE-2013-5614", "CVE-2014-1575", "CVE-2014-8635", "CVE-2014-8638", "CVE-2014-1560", "CVE-2014-1585", "CVE-2014-1483", "CVE-2014-1489", "CVE-2014-1591", "CVE-2014-1593", "CVE-2015-0820", "CVE-2013-5600", "CVE-2014-1499", "CVE-2014-1518", "CVE-2014-1561", "CVE-2015-0833", "CVE-2013-5618"], "edition": 1, "description": "### Background\n\nMozilla Firefox is an open-source web browser and Mozilla Thunderbird an open-source email client, both from the Mozilla Project. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the \u2018Mozilla Application Suite\u2019. \n\n### Description\n\nMultiple vulnerabilities have been discovered in Firefox, Thunderbird, and SeaMonkey. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. 
Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, spoof the address bar, conduct clickjacking attacks, bypass security restrictions and protection mechanisms, or have other unspecified impact. \n\n### Workaround\n\nThere are no known workarounds at this time.\n\n### Resolution\n\nAll firefox users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/firefox-31.5.3\"\n \n\nAll firefox-bin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/firefox-bin-31.5.3\"\n \n\nAll thunderbird users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-client/thunderbird-31.5.0\"\n \n\nAll thunderbird-bin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=mail-client/thunderbird-bin-31.5.0\"\n \n\nAll seamonkey users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/seamonkey-2.33.1\"\n \n\nAll seamonkey-bin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-client/seamonkey-bin-2.33.1\"\n \n\nAll nspr users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-libs/nspr-4.10.6\"", "modified": "2015-04-08T00:00:00", "published": "2015-04-07T00:00:00", "id": "GLSA-201504-01", "href": "https://security.gentoo.org/glsa/201504-01", "type": "gentoo", "title": "Mozilla Products: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}