Rapid7 Vulnerability & Exploit Database

RHSA-2015:1664: nss security, bug fix, and enhancement update


Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: 07/05/2015
Created: 07/25/2018
Added: 08/26/2015
Modified: 07/04/2017

Description

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications.

It was found that NSS permitted skipping of the ServerKeyExchange packet during a handshake involving ECDHE (Elliptic Curve Diffie-Hellman key Exchange). A remote attacker could use this flaw to bypass the forward-secrecy of a TLS/SSL connection. (CVE-2015-2721)

A flaw was found in the way NSS verified certain ECDSA (Elliptic Curve Digital Signature Algorithm) signatures. Under certain conditions, an attacker could use this flaw to conduct signature forgery attacks. (CVE-2015-2730)

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Karthikeyan Bhargavan as the original reporter of CVE-2015-2721, and Watson Ladd as the original reporter of CVE-2015-2730.

The nss packages have been upgraded to upstream version 3.19.1, which provides a number of bug fixes and enhancements over the previous version.

All nss users are advised to upgrade to these updated packages, which correct these issues.

Solution(s)

  • redhat-upgrade-nss
  • redhat-upgrade-nss-debuginfo
  • redhat-upgrade-nss-devel
  • redhat-upgrade-nss-pkcs11-devel
  • redhat-upgrade-nss-tools
