lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20090804212307.GA18082@severus.strandboge.com>
Date: Tue, 4 Aug 2009 16:23:07 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-810-1] NSS vulnerabilities

===========================================================
Ubuntu Security Notice USN-810-1            August 04, 2009
nss vulnerabilities
CVE-2009-2404, CVE-2009-2408, CVE-2009-2409
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  libnss3-1d                      3.12.3.1-0ubuntu0.8.04.1

Ubuntu 8.10:
  libnss3-1d                      3.12.3.1-0ubuntu0.8.10.1

Ubuntu 9.04:
  libnss3-1d                      3.12.3.1-0ubuntu0.9.04.1

After a standard system upgrade you need to restart an applications that
use NSS, such as Firefox, to effect the necessary changes.

Details follow:

Moxie Marlinspike discovered that NSS did not properly handle regular
expressions in certificate names. A remote attacker could create a
specially crafted certificate to cause a denial of service (via application
crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404)

Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did
not properly handle certificates with NULL characters in the certificate
name. An attacker could exploit this to perform a man in the middle attack
to view sensitive information or alter encrypted communications.
(CVE-2009-2408)

Dan Kaminsky discovered NSS would still accept certificates with MD2 hash
signatures. As a result, an attacker could potentially create a malicious
trusted certificate to impersonate another site. (CVE-2009-2409)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.3.1-0ubuntu0.8.04.1.diff.gz
      Size/MD5:    37286 f4041d128d758f5506197b1cf0f1214f
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.3.1-0ubuntu0.8.04.1.dsc
      Size/MD5:     2012 401475ce9f7efa228d7b61671aa69c11
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.3.1.orig.tar.gz
      Size/MD5:  5316068 cc5607243fdfdbc80ebbbf6dbb33f784

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.8.04.1_amd64.deb
      Size/MD5:    18232 49a5581a19be7771ecdc65fb943e86d7
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.8.04.1_amd64.deb
      Size/MD5:  3166090 074734f6e0fd51257999bdc0e38010f3
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.8.04.1_amd64.deb
      Size/MD5:  1147016 ddc8dfd4f0cc77c129c5bb4b18b6612c
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.8.04.1_amd64.deb
      Size/MD5:   257780 f6d735c7c95478fe2992178e0d7781d4
    http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.8.04.1_amd64.deb
      Size/MD5:   312528 05d78cad52b8c5464350c9b191528e0e

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.8.04.1_i386.deb
      Size/MD5:    18200 2c088a165372b431416a5b6d9f54b80b
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.8.04.1_i386.deb
      Size/MD5:  3012554 50978f6f10b9f4c3918822d864d41aed
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.8.04.1_i386.deb
      Size/MD5:  1040016 f0a52f96bd4f7bb7d8001b7ca5ace8d0
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.8.04.1_i386.deb
      Size/MD5:   254880 c2151ff8a86f4119fcefa1f6c9ee7add
    http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.8.04.1_i386.deb
      Size/MD5:   295096 f6fde2292ca35df9e6cac822d158e512

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.8.04.1_lpia.deb
      Size/MD5:    18190 cbc624cedbae82a39d3c47aaa8ffee38
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.8.04.1_lpia.deb
      Size/MD5:  3041822 533fda14ea785417cababc58419a8fec
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.8.04.1_lpia.deb
      Size/MD5:  1016224 1ed477ec2ffe3ac642cb7c29413842ab
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.8.04.1_lpia.deb
      Size/MD5:   253574 b9756509dcdeea8433a0f6bbe2dc27b7
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.8.04.1_lpia.deb
      Size/MD5:   292466 55f2cf8c33f19f17cae613aca3ce71c1

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.8.04.1_powerpc.deb
      Size/MD5:    20678 a26907dda711e1d13e8d597bee4689e0
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.8.04.1_powerpc.deb
      Size/MD5:  3125800 102117180150342cecff38e653963f66
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.8.04.1_powerpc.deb
      Size/MD5:  1143852 f96cab41f4bf24cf4fa4686b3a963464
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.8.04.1_powerpc.deb
      Size/MD5:   256600 e19a891112bea8df4f27fe569da9c951
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.8.04.1_powerpc.deb
      Size/MD5:   324934 9aaac74bc3f6ec7f990f78d556c5ec09

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.8.04.1_sparc.deb
      Size/MD5:    18292 7e17d87ea08f93759ed7784705d82453
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.8.04.1_sparc.deb
      Size/MD5:  2834720 02b6284e651dcf2e6556378dcb730689
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.8.04.1_sparc.deb
      Size/MD5:  1019944 ee1829f9195609b3912994fc76788243
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.8.04.1_sparc.deb
      Size/MD5:   251578 09583a51b0814b53959af6d79a1b4f8c
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.8.04.1_sparc.deb
      Size/MD5:   299484 0d12ed86aae10c56300bd7cefb2884ef

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.3.1-0ubuntu0.8.10.1.diff.gz
      Size/MD5:    32769 d4e1fb5ca38687ad1e7532c457febc11
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.3.1-0ubuntu0.8.10.1.dsc
      Size/MD5:     2012 f98ccd513ae480ac7b56d7a4793758d3
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.3.1.orig.tar.gz
      Size/MD5:  5316068 cc5607243fdfdbc80ebbbf6dbb33f784

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.8.10.1_amd64.deb
      Size/MD5:  3310610 9f8e4b95d1019e3956a88745ce3888c4
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.8.10.1_amd64.deb
      Size/MD5:  1195070 21daa67a1f51cc4a942e41beb2da001f
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.8.10.1_amd64.deb
      Size/MD5:   257586 89d972c2b67679eca265abac76d0687d
    http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.8.10.1_amd64.deb
      Size/MD5:    18296 8c1d95902c4f0e85c47a3ca941f0b48a
    http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.8.10.1_amd64.deb
      Size/MD5:   317026 11f10cc940951638cf5cac0e6e2f7ded

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.8.10.1_i386.deb
      Size/MD5:  3137262 2ae6e2fa5e934a5fa27e14cedcdc74b6
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.8.10.1_i386.deb
      Size/MD5:  1076898 59318f3e92b12686695704ef33074dc0
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.8.10.1_i386.deb
      Size/MD5:   254686 b0dc3ec378ea87afff4a6d46fafca34f
    http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.8.10.1_i386.deb
      Size/MD5:    18248 7a86d451f0cc722f66ca51f9894c81e2
    http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.8.10.1_i386.deb
      Size/MD5:   300214 88f4442427f4ad5b1e507f24a872d7d5

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.8.10.1_lpia.deb
      Size/MD5:  3173686 65714f22fc4908727cd58fa917cff249
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.8.10.1_lpia.deb
      Size/MD5:  1050748 c55a36fa65b311364ddfc5f9bcacc3e9
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.8.10.1_lpia.deb
      Size/MD5:   253226 0b49775e55163a5c6fa22fba288eded7
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.8.10.1_lpia.deb
      Size/MD5:    18220 8fd881d7744299014a919437d9edaf87
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.8.10.1_lpia.deb
      Size/MD5:   296154 fce2927b08d43ba6d2188bf927dfb4d6

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.8.10.1_powerpc.deb
      Size/MD5:  3284430 e411ebc5e3848a9a28fdb7bcf55af833
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.8.10.1_powerpc.deb
      Size/MD5:  1165792 f6a9ba644f3fb0cd888bf4b425522633
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.8.10.1_powerpc.deb
      Size/MD5:   256434 19a95ab61e462058ecaf05cbebd11c8a
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.8.10.1_powerpc.deb
      Size/MD5:    20666 abe014ba1940180af1051006e4d293fd
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.8.10.1_powerpc.deb
      Size/MD5:   320710 0f3c730279a7e731e72986d15fa2fcc2

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.8.10.1_sparc.deb
      Size/MD5:  2942578 3d396922de5283db749fd41036403ead
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.8.10.1_sparc.deb
      Size/MD5:  1038356 9d291947a8ef7d02c8c1a9746c1309d4
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.8.10.1_sparc.deb
      Size/MD5:   251226 c09de8036a434e93488b5c1b77108246
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.8.10.1_sparc.deb
      Size/MD5:    18380 0d18623f50973af22fd4e44e0d042bf4
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.8.10.1_sparc.deb
      Size/MD5:   301438 430f4a9aef7a540fac80629656572ea9

Updated packages for Ubuntu 9.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.3.1-0ubuntu0.9.04.1.diff.gz
      Size/MD5:    35980 b64ec10add3d7fbbc7335b0f85b9fb00
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.3.1-0ubuntu0.9.04.1.dsc
      Size/MD5:     2012 a889688996d5530e8bf1eb181683137e
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/nss_3.12.3.1.orig.tar.gz
      Size/MD5:  5316068 cc5607243fdfdbc80ebbbf6dbb33f784

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.9.04.1_amd64.deb
      Size/MD5:  3309788 d48afcfa4139fe94b4c0af67c8d9c850
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.9.04.1_amd64.deb
      Size/MD5:  1196740 7ace44202680241529edaeb226d0dec1
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.9.04.1_amd64.deb
      Size/MD5:   258240 54d581c61ba7608526790263545e1b1c
    http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.9.04.1_amd64.deb
      Size/MD5:    17404 bfbb39c275bb15dcef644991c6af7e7b
    http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.9.04.1_amd64.deb
      Size/MD5:   317668 9d55ed9607359667cf963e04ccb834d5

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.9.04.1_i386.deb
      Size/MD5:  3137602 af5d5d420c440bf53de79f8952ee17d0
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.9.04.1_i386.deb
      Size/MD5:  1078336 706162a5436e733e4ce57d51baf163fb
    http://security.ubuntu.com/ubuntu/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.9.04.1_i386.deb
      Size/MD5:   255338 140b54235689f93baa3971add5401a42
    http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.9.04.1_i386.deb
      Size/MD5:    17412 fb6ca266988f45378c41455fa5207a85
    http://security.ubuntu.com/ubuntu/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.9.04.1_i386.deb
      Size/MD5:   300808 7b06b74c327641634d4f8f1f61b7d432

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.9.04.1_lpia.deb
      Size/MD5:  3171676 ad44dc80ef0066d3da2edede234b0210
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.9.04.1_lpia.deb
      Size/MD5:  1052136 727ab68dd03bec2ae01b4611c5f98309
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.9.04.1_lpia.deb
      Size/MD5:   253840 15198ca066b229b42ced8cb5f4307a53
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.9.04.1_lpia.deb
      Size/MD5:    17408 fdf85ab9c62a3d3999d4f49bf0172243
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.9.04.1_lpia.deb
      Size/MD5:   296796 ecc392b5e6b2b2b5b5ef6d9f93f3ad30

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.9.04.1_powerpc.deb
      Size/MD5:  3282216 5399927c4f40c9369fcb58d3038cc3ec
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.9.04.1_powerpc.deb
      Size/MD5:  1167866 477cd3a3cb2ec7c5cf791208e096de93
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.9.04.1_powerpc.deb
      Size/MD5:   257080 85844f856588609fba74ec37044f9c35
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.9.04.1_powerpc.deb
      Size/MD5:    17410 98059af1adbd24026a4dab4faa27ddd1
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.9.04.1_powerpc.deb
      Size/MD5:   321372 b7afef4b3c7dc27dceb12668458629d8

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d-dbg_3.12.3.1-0ubuntu0.9.04.1_sparc.deb
      Size/MD5:  2942004 2e8c7c62ef1119b9326564fe50389b8d
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-1d_3.12.3.1-0ubuntu0.9.04.1_sparc.deb
      Size/MD5:  1039416 ad6d7c7f3a2301c7e46a1102098fdbaf
    http://ports.ubuntu.com/pool/main/n/nss/libnss3-dev_3.12.3.1-0ubuntu0.9.04.1_sparc.deb
      Size/MD5:   251874 4a70da68d8ae2e444b7aaf6836d50eba
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-0d_3.12.3.1-0ubuntu0.9.04.1_sparc.deb
      Size/MD5:    17410 9921067423eeb95bea428bf9f471559c
    http://ports.ubuntu.com/pool/universe/n/nss/libnss3-tools_3.12.3.1-0ubuntu0.9.04.1_sparc.deb
      Size/MD5:   301814 302527f9bbcb164d12b13d25719a9ab9



Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ