Rapid7 Vulnerability & Exploit Database

RHSA-2010:0165: nss security update




Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards.

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management (malloc and free), and shared library linking.

A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website). This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. (CVE-2009-3555)

Refer to the following Knowledgebase article for additional details about this flaw: http://kbase.redhat.com/faq/docs/DOC-20491

Users of Red Hat Certificate System 7.3 and 8.0 should review the following Knowledgebase article before installing this update: http://kbase.redhat.com/faq/docs/DOC-28439

All users of NSS are advised to upgrade to these updated packages, which update NSS to version 3.12.6. This erratum also updates the NSPR packages to the version required by NSS 3.12.6. All running applications using the NSS library must be restarted for this update to take effect.
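The advisory says the fix is RFC 5746 but not what the extension actually checks. The following is an added example, not code from the advisory or from NSS: it encodes and parses the renegotiation_info extension (type 0xff01) and the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00ff), applies the client-side and server-side checks from RFC 5746 sections 3.4 to 3.7, and then models the CVE-2009-3555 splice: an attacker who has already completed a handshake with the server forwards the victim's initial ClientHello as a renegotiation. The victim's hello carries an empty renegotiated_connection (it believes this is an initial handshake), while the server expects the attacker's client verify_data, so the server aborts. The verify_data values below are constructed 12-byte placeholders, not derived from a real handshake, and the byte layouts are built inline rather than read off a socket.

```python
import struct

RENEGOTIATION_INFO = 0xFF01                 # extension type, RFC 5746 sec 3.2
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite, sec 3.3


def build_renegotiation_info(renegotiated_connection=b""):
    """Encode the extension: type, length, then opaque<0..255> holding the
    previous handshake's verify_data (empty on an initial handshake)."""
    if len(renegotiated_connection) > 255:
        raise ValueError("renegotiated_connection exceeds 255 bytes")
    body = bytes([len(renegotiated_connection)]) + renegotiated_connection
    return struct.pack("!HH", RENEGOTIATION_INFO, len(body)) + body


def encode_extensions(*exts):
    """Prefix already-encoded extensions with the 2-byte total length used in
    ClientHello/ServerHello."""
    body = b"".join(exts)
    return struct.pack("!H", len(body)) + body


def parse_extensions(blob):
    """Parse an extensions block into {type: data}; reject truncation and
    duplicate extension types."""
    if len(blob) < 2:
        raise ValueError("truncated extensions block")
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length does not match block size")
    pos, exts = 2, {}
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + ext_len > len(blob):
            raise ValueError("truncated extension body")
        if ext_type in exts:
            raise ValueError("duplicate extension %#06x" % ext_type)
        exts[ext_type] = blob[pos:pos + ext_len]
        pos += ext_len
    return exts


def server_check_client_hello(cipher_suites, exts, prev_client_vd=None):
    """Server checks: sec 3.6 (initial handshake) and 3.7 (renegotiation).
    True = peer does secure renegotiation, False = legacy peer on an initial
    handshake, ValueError = the handshake must be aborted."""
    data = exts.get(RENEGOTIATION_INFO)
    scsv = TLS_EMPTY_RENEGOTIATION_INFO_SCSV in cipher_suites
    if prev_client_vd is None:                        # initial handshake
        if data is None:
            return scsv                               # SCSV alone suffices
        if data != b"\x00":
            raise ValueError("abort: non-empty renegotiated_connection on initial handshake")
        return True
    if scsv:                                          # renegotiation
        raise ValueError("abort: SCSV sent during renegotiation")
    if data is None:
        raise ValueError("abort: renegotiation_info missing during renegotiation")
    if data != bytes([len(prev_client_vd)]) + prev_client_vd:
        raise ValueError("abort: renegotiated_connection != previous client verify_data")
    return True


def client_check_server_hello(exts, prev_client_vd=None, prev_server_vd=None):
    """Client checks: sec 3.4 (initial handshake) and 3.5 (renegotiation).
    On renegotiation the server must echo client_verify_data || server_verify_data."""
    data = exts.get(RENEGOTIATION_INFO)
    if prev_client_vd is None:
        if data is None:
            return False                              # legacy server
        if data != b"\x00":
            raise ValueError("abort: non-empty renegotiated_connection on initial handshake")
        return True
    if data is None:
        raise ValueError("abort: renegotiation_info missing during renegotiation")
    expected = prev_client_vd + prev_server_vd
    if data != bytes([len(expected)]) + expected:
        raise ValueError("abort: renegotiated_connection != previous verify_data")
    return True


def spliced_handshake_rejected():
    """CVE-2009-3555 splice: the attacker's handshake with the server is done
    (placeholder verify_data), and the victim's initial ClientHello is forwarded
    as a renegotiation. With RFC 5746 the server must abort; return True if so."""
    attacker_client_vd = b"\x11" * 12                 # constructed placeholder
    victim_exts = parse_extensions(encode_extensions(build_renegotiation_info()))
    try:
        server_check_client_hello([0x002F], victim_exts, prev_client_vd=attacker_client_vd)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("spliced handshake rejected:", spliced_handshake_rejected())
```

The False return on an initial handshake is the case the advisory's fix cannot help with by itself: a legacy peer that sends neither the extension nor the SCSV. RFC 5746 leaves it to configuration whether to refuse such peers or merely refuse to renegotiate with them; NSS 3.12.6 exposes that choice through its SSL_ENABLE_RENEGOTIATION and SSL_REQUIRE_SAFE_NEGOTIATION options.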


  • redhat-upgrade-nspr
  • redhat-upgrade-nspr-devel
  • redhat-upgrade-nss
  • redhat-upgrade-nss-devel
  • redhat-upgrade-nss-pkcs11-devel
  • redhat-upgrade-nss-tools
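Installing the packages above replaces the library files on disk, but any process that already has the old libnss3.so or libnspr4.so mapped keeps running the vulnerable code until it is restarted. The following is an added example, not part of the advisory or of the Red Hat tooling, showing two checks a practitioner would run after the update: confirm the installed nss version is at least 3.12.6, and find processes whose /proc/PID/maps still reference an NSS or NSPR library marked "(deleted)", which is how the kernel labels a mapping whose file has been unlinked by the upgrade. The sample maps text is constructed for the example; the library names and the version string format are assumptions about a typical Red Hat layout.

```python
import os

# NSS and NSPR shared objects shipped by the nss/nspr packages (assumed names).
NSS_LIBS = ("libnss3.so", "libssl3.so", "libsmime3.so", "libnssutil3.so", "libnspr4.so")

# Constructed sample of /proc/PID/maps after the upgrade: libnss3.so is still
# mapped from the unlinked old file, libnspr4.so was already reloaded.
SAMPLE_MAPS = """\
7f3a0c000000-7f3a0c021000 rw-p 00000000 00:00 0
7f3a0c400000-7f3a0c5a3000 r-xp 00000000 fd:00 131452                     /usr/lib64/libnss3.so (deleted)
7f3a0c5a3000-7f3a0c7a3000 ---p 001a3000 fd:00 131452                     /usr/lib64/libnss3.so (deleted)
7f3a0c800000-7f3a0c83c000 r-xp 00000000 fd:00 131460                     /usr/lib64/libnspr4.so
7f3a0cb00000-7f3a0cc7c000 r-xp 00000000 fd:00 131501                     /lib64/libc-2.5.so
"""


def nss_is_fixed(version):
    """True if a dotted nss version string (e.g. the %{VERSION} field of
    `rpm -q nss`) is at least 3.12.6. Non-numeric components are not handled."""
    return tuple(int(p) for p in version.split(".")) >= (3, 12, 6)


def stale_nss_mappings(maps_text):
    """Return the set of NSS/NSPR library paths a process still has mapped from
    a file that has since been replaced. maps lines have six fields; the path
    is the sixth and ends in ' (deleted)' once the inode has been unlinked."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        path = fields[5]
        if path.endswith("(deleted)") and any(lib in path for lib in NSS_LIBS):
            stale.add(path[: -len(" (deleted)")])
    return stale


def processes_needing_restart(proc="/proc"):
    """Scan every /proc/PID/maps and return {pid: stale library paths}.
    Reading other users' maps requires root; unreadable entries are skipped."""
    result = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "maps")) as fh:
                text = fh.read()
        except OSError:
            continue
        stale = stale_nss_mappings(text)
        if stale:
            result[int(pid)] = stale
    return result


if __name__ == "__main__":
    print("sample process needs restart:", sorted(stale_nss_mappings(SAMPLE_MAPS)))
    for pid, libs in sorted(processes_needing_restart().items()):
        print(pid, sorted(libs))
```

A process that shows up here must be restarted (or, for a service, bounced with its init script) before the RFC 5746 behaviour is actually in effect for it; an rpm query alone only proves the files on disk were replaced.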
