Date: Thu, 25 Sep 2014 10:43:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2014:189 ] nss

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:189
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : nss
 Date    : September 25, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in Mozilla NSS:
 
 Antoine Delignat-Lavaud, security researcher at Inria Paris in
 team Prosecco, reported an issue in Network Security Services (NSS)
 libraries affecting all versions. He discovered that NSS is vulnerable
 to a variant of a signature forgery attack previously published
 by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1
 values involved in a signature and could lead to the forging of RSA
 certificates (CVE-2014-1568).
 
 The updated NSPR packages have been upgraded to the latest 4.10.7
 version.
 
 The updated NSS packages have been upgraded to the latest 3.17.1
 version which is not vulnerable to this issue.
 
 Additionally the rootcerts package has also been updated to the latest
 version as of 2014-08-05.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568
 https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 d532128922a8701f24f1d1a22b8e544c  mbs1/x86_64/lib64nspr4-4.10.7-1.mbs1.x86_64.rpm
 86c469bff7f47669ecfbe711fced774c  mbs1/x86_64/lib64nspr-devel-4.10.7-1.mbs1.x86_64.rpm
 a5384df3378e1d282d24520fe9234804  mbs1/x86_64/lib64nss3-3.17.1-1.mbs1.x86_64.rpm
 63722882484c4e4a4b438ddb33911fe8  mbs1/x86_64/lib64nss-devel-3.17.1-1.mbs1.x86_64.rpm
 5a9c51abf5c3650926e4cdb8997ec2b1  mbs1/x86_64/lib64nss-static-devel-3.17.1-1.mbs1.x86_64.rpm
 8b639de0098277bc211ed8b9f83c9516  mbs1/x86_64/nss-3.17.1-1.mbs1.x86_64.rpm
 edd4b951a0f68c4264137489f0dada31  mbs1/x86_64/nss-doc-3.17.1-1.mbs1.noarch.rpm
 32f6ffafd4984d00b01b43e9b38fe344  mbs1/x86_64/rootcerts-20140805.00-1.mbs1.x86_64.rpm
 fa908930395265a0dbad1029252679ef  mbs1/x86_64/rootcerts-java-20140805.00-1.mbs1.x86_64.rpm 
 fb338172cf421a95728ec28412d2fed1  mbs1/SRPMS/nspr-4.10.7-1.mbs1.src.rpm
 3c721493672c05aa7960aca11e3b1533  mbs1/SRPMS/nss-3.17.1-1.mbs1.src.rpm
 8b79fa2baeaac0b531d7cb01c5a419b4  mbs1/SRPMS/rootcerts-20140805.00-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFUI8eWmqjQ0CJFipgRAsdxAJ4r/Y2zGrBkhKZhJ03LZA0ftgiU3QCgu8eh
cZVDnrGL7yJkMqWtAZmkh7A=
=5QVQ
-----END PGP SIGNATURE-----
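
The advisory attributes CVE-2014-1568 to lenient parsing of the ASN.1 values inside an RSA signature. The sketch below is an added illustration, not code from Mandriva, Mozilla or NSS: it contrasts a verifier that parses the decoded PKCS#1 v1.5 block loosely with one that re-encodes the expected block and compares bytes. The function names are hypothetical, and the non-minimal BER length used as the nonconforming input is a constructed assumption, not a statement of the exact NSS flaw.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2 notes).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def expected_em(digest: bytes, em_len: int) -> bytes:
    """Build the single valid EMSA-PKCS1-v1_5 encoding for this digest."""
    t = SHA256_PREFIX + digest
    if em_len < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def check_strict(em: bytes, digest: bytes) -> bool:
    """Hardened check: re-encode and compare, never parse untrusted ASN.1."""
    return hmac.compare_digest(em, expected_em(digest, len(em)))

def _read_tlv(buf: bytes, pos: int):
    """Lenient BER reader: accepts long-form, non-minimal lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def check_lenient(em: bytes, digest: bytes) -> bool:
    """Weak pattern: parse padding and ASN.1 loosely, then compare the digest."""
    try:
        if em[:2] != b"\x00\x01":
            return False
        sep = em.index(b"\x00", 2)            # padding bytes and length unchecked
        _, body, _ = _read_tlv(em, sep + 1)   # outer SEQUENCE
        _, _, nxt = _read_tlv(body, 0)        # AlgorithmIdentifier, skipped
        tag, value, _ = _read_tlv(body, nxt)  # OCTET STRING holding the digest
        return tag == 0x04 and value == digest
    except (IndexError, ValueError):
        return False

# Constructed sample data: a digest, its valid encoding for a 2048-bit key,
# and a variant whose outer SEQUENCE length uses the long form (30 81 31).
DIGEST = hashlib.sha256(b"constructed sample message").digest()
GOOD_EM = expected_em(DIGEST, 256)
ODD_T = b"\x30\x81\x31" + SHA256_PREFIX[2:] + DIGEST
ODD_EM = b"\x00\x01" + b"\xff" * (256 - len(ODD_T) - 3) + b"\x00" + ODD_T

if __name__ == "__main__":
    print("lenient accepts non-DER block:", check_lenient(ODD_EM, DIGEST))
    print("strict accepts non-DER block: ", check_strict(ODD_EM, DIGEST))
```

Because exactly one byte string is valid for a given digest and key size, the strict check leaves no parser behaviour for a crafted signature to exploit.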
