• Close
  • Back to search

    RHSA-2010:0165: nss security update

    Severity CVSS Published Added Modified
    6 (AV:N/AC:M/Au:N/C:N/I:P/A:P) November 08, 2009 April 05, 2010 September 06, 2015


    Network Security Services (NSS) is a set of libraries designed to supportthe cross-platform development of security-enabled client and serverapplications. Applications built with NSS can support SSLv2, SSLv3, TLS,and other security standards.Netscape Portable Runtime (NSPR) provides platform independence for non-GUIoperating system facilities. These facilities include threads, threadsynchronization, normal file and network I/O, interval timing, calendartime, basic memory management (malloc and free), and shared librarylinking.A flaw was found in the way the TLS/SSL (Transport Layer Security/SecureSockets Layer) protocols handled session renegotiation. A man-in-the-middleattacker could use this flaw to prefix arbitrary plain text to a client'ssession (for example, an HTTPS connection to a website). This could forcethe server to process an attacker's request as if authenticated using thevictim's credentials. This update addresses this flaw by implementing theTLS Renegotiation Indication Extension, as defined in RFC 5746.(CVE-2009-3555)Refer to the following Knowledgebase article for additional details aboutthis flaw: http://kbase.redhat.com/faq/docs/DOC-20491Users of Red Hat Certificate System 7.3 and 8.0 should review the followingKnowledgebase article before installing this update:http://kbase.redhat.com/faq/docs/DOC-28439All users of NSS are advised to upgrade to these updated packages, whichupdate NSS to version 3.12.6. This erratum also updates the NSPR packagesto the version required by NSS 3.12.6. All running applications using theNSS library must be restarted for this update to take effect.

    Free Nexpose Download

    Discover, prioritize, and remediate security risks today!

     Download now




    Related Vulnerabilities