Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plaintext from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620)

An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)

Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791.

This update also fixes the following bugs:

In addition, the nss package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#949845, BZ#924741)

Note that while upstream NSS version 3.14 prevents the use of certificates that have an MD5 signature, this erratum includes a patch that allows such certificates by default. To prevent the use of certificates that have an MD5 signature, set the "NSS_HASH_ALG_SUPPORT" environment variable to "-MD5".

Users of NSS and NSPR are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
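The restart requirement above can be checked mechanically: a process that still maps an NSS or NSPR library from an unlinked file is running the pre-update code. The script below is an added example, not part of the advisory; the shared-object names, the helper function names and the sample maps lines are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: post-update checks for the nss/nspr erratum.
# Assumption: the usual NSS/NSPR shared-object names on Linux.
NSS_LIBS='lib(nss3|nssutil3|ssl3|smime3|softokn3|freebl3|nspr4|plc4|plds4)\.so'

# Constructed sample of /proc/<pid>/maps lines (not real output).
SAMPLE_MAPS='7f3a10000000-7f3a10130000 r-xp 00000000 fd:00 131245 /usr/lib64/libnss3.so (deleted)
7f3a10400000-7f3a1043a000 r-xp 00000000 fd:00 131902 /usr/lib64/libnspr4.so'

# version_at_least HAVE WANT: succeed if dotted version HAVE >= WANT.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# Reads maps text on stdin; succeeds if an NSS/NSPR library is mapped from a
# file that has since been unlinked, i.e. the process still runs the old code.
stale_nss_in_maps() {
    grep -Eq "/${NSS_LIBS}[^ ]* \(deleted\)\$"
}

# Print "PID command line" for every readable process that needs a restart.
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if stale_nss_in_maps 2>/dev/null < "$maps"; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then
    # Versions named in the advisory: nss 3.14.3, nspr 4.9.5.
    for spec in nss:3.14.3 nspr:4.9.5; do
        have=$(rpm -q --qf '%{VERSION}' "${spec%%:*}") || continue
        version_at_least "$have" "${spec#*:}" \
            && echo "${spec%%:*} $have: ok" \
            || echo "${spec%%:*} $have: older than ${spec#*:}"
    done
    scan_processes
fi
```

Run it with `--scan` as root so that the maps of every process are readable; without that argument it only defines the functions.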