Rapid7 VulnDB

RHSA-2013:1135: nss and nspr security, bug fix, and enhancement update

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published: 04/03/2013
Created: 07/25/2018
Added: 08/07/2013
Modified: 07/04/2017

Description

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620)

An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)

Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791.

This update also fixes the following bugs:

In addition, the nss package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#949845, BZ#924741)

Note that while upstream NSS version 3.14 prevents the use of certificates that have an MD5 signature, this erratum includes a patch that allows such certificates by default. To prevent the use of certificates that have an MD5 signature, set the "NSS_HASH_ALG_SUPPORT" environment variable to "-MD5".

Users of NSS and NSPR are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.

Solution(s)

  • redhat-upgrade-nspr
  • redhat-upgrade-nspr-debuginfo
  • redhat-upgrade-nspr-devel
  • redhat-upgrade-nss
  • redhat-upgrade-nss-debuginfo
  • redhat-upgrade-nss-devel
  • redhat-upgrade-nss-pkcs11-devel
  • redhat-upgrade-nss-tools
