RHSA-2010:0165: nss security update

Severity: 6
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P)
Published: November 09, 2009
Added: April 06, 2010
Modified: July 04, 2017


Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards.

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about this flaw:

Users of Red Hat Certificate System 7.3 and 8.0 should review the following Knowledgebase article before installing this update:

Users of NSS are advised to upgrade to these updated packages, which update NSS to version 3.12.6. This erratum also updates the NSPR packages to the version required by NSS 3.12.6. All running applications using the NSS library must be restarted for this update to take effect.
