SCIENTIFIC-LINUX-ERRATA Archives

July 2014

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Options: Use Monospaced Font
Show Text Part by Default
Condense Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Content-Transfer-Encoding:
7bit
Sender:
Security Errata for Scientific Linux <[log in to unmask]>
Subject:
From:
Pat Riehecky <[log in to unmask]>
Date:
Tue, 22 Jul 2014 21:59:16 +0000
MIME-Version:
1.0
Content-Type:
text/plain; charset="utf-8"
Reply-To:
Parts/Attachments:
text/plain (89 lines)
Synopsis:          Critical: nss and nspr security, bug fix, and enhancement update
Advisory ID:       SLSA-2014:0917-1
Issue Date:        2014-07-22
CVE Numbers:       CVE-2013-1740
                   CVE-2014-1490
                   CVE-2014-1491
                   CVE-2014-1492
                   CVE-2014-1545
                   CVE-2014-1544
--

A race condition was found in the way NSS verified certain certificates. A
remote attacker could use this flaw to crash an application using NSS or,
possibly, execute arbitrary code with the privileges of the user running
that application. (CVE-2014-1544)

A flaw was found in the way TLS False Start was implemented in NSS. An
attacker could use this flaw to potentially return unencrypted information
from the server. (CVE-2013-1740)

A race condition was found in the way NSS implemented session ticket
handling as specified by RFC 5077. An attacker could use this flaw to
crash an application using NSS or, in rare cases, execute arbitrary code
with the privileges of the user running that application. (CVE-2014-1490)

It was found that NSS accepted weak Diffie-Hellman Key exchange (DHKE)
parameters. This could possibly lead to weak encryption being used in
communication between the client and the server. (CVE-2014-1491)

An out-of-bounds write flaw was found in NSPR. A remote attacker could
potentially use this flaw to crash an application using NSPR or, possibly,
execute arbitrary code with the privileges of the user running that
application. This NSPR flaw was not exposed to web content in any shipped
version of Firefox. (CVE-2014-1545)

It was found that the implementation of Internationalizing Domain Names in
Applications (IDNA) hostname matching in NSS did not follow the RFC 6125
recommendations. This could lead to certain invalid certificates with
international characters to be accepted as valid. (CVE-2014-1492)

In addition, the nss package has been upgraded to upstream version 3.16.1,
and the nspr package has been upgraded to upstream version 4.10.6. These
updated packages provide a number of bug fixes and enhancements over the
previous versions.

After installing this update, applications using NSS or NSPR must be
restarted for this update to take effect.
--

SL6
  x86_64
    nspr-4.10.6-1.el6_5.i686.rpm
    nspr-4.10.6-1.el6_5.x86_64.rpm
    nspr-debuginfo-4.10.6-1.el6_5.i686.rpm
    nspr-debuginfo-4.10.6-1.el6_5.x86_64.rpm
    nss-3.16.1-4.el6_5.i686.rpm
    nss-3.16.1-4.el6_5.x86_64.rpm
    nss-debuginfo-3.16.1-4.el6_5.i686.rpm
    nss-debuginfo-3.16.1-4.el6_5.x86_64.rpm
    nss-sysinit-3.16.1-4.el6_5.x86_64.rpm
    nss-tools-3.16.1-4.el6_5.x86_64.rpm
    nss-util-3.16.1-1.el6_5.i686.rpm
    nss-util-3.16.1-1.el6_5.x86_64.rpm
    nss-util-debuginfo-3.16.1-1.el6_5.i686.rpm
    nss-util-debuginfo-3.16.1-1.el6_5.x86_64.rpm
    nspr-devel-4.10.6-1.el6_5.i686.rpm
    nspr-devel-4.10.6-1.el6_5.x86_64.rpm
    nss-devel-3.16.1-4.el6_5.i686.rpm
    nss-devel-3.16.1-4.el6_5.x86_64.rpm
    nss-pkcs11-devel-3.16.1-4.el6_5.i686.rpm
    nss-pkcs11-devel-3.16.1-4.el6_5.x86_64.rpm
    nss-util-devel-3.16.1-1.el6_5.i686.rpm
    nss-util-devel-3.16.1-1.el6_5.x86_64.rpm
  i386
    nspr-4.10.6-1.el6_5.i686.rpm
    nspr-debuginfo-4.10.6-1.el6_5.i686.rpm
    nss-3.16.1-4.el6_5.i686.rpm
    nss-debuginfo-3.16.1-4.el6_5.i686.rpm
    nss-sysinit-3.16.1-4.el6_5.i686.rpm
    nss-tools-3.16.1-4.el6_5.i686.rpm
    nss-util-3.16.1-1.el6_5.i686.rpm
    nss-util-debuginfo-3.16.1-1.el6_5.i686.rpm
    nspr-devel-4.10.6-1.el6_5.i686.rpm
    nss-devel-3.16.1-4.el6_5.i686.rpm
    nss-pkcs11-devel-3.16.1-4.el6_5.i686.rpm
    nss-util-devel-3.16.1-1.el6_5.i686.rpm

- Scientific Linux Development Team

ATOM RSS1 RSS2