[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1NzJIL-0001l3-6Q@titan.mandriva.com>
Date: Wed, 07 Apr 2010 02:39:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:069 ] nss
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:069
http://www.mandriva.com/security/
_______________________________________________________________________
Package : nss
Date : April 6, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in nss:
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
3.12.4 and earlier, and other products, does not properly associate
renegotiation handshakes with an existing connection, which allows
man-in-the-middle attackers to insert data into HTTPS sessions,
and possibly other types of sessions protected by TLS or SSL, by
sending an unauthenticated request that is processed retroactively
by a server in a post-renegotiation context, related to a plaintext
injection attack, aka the Project Mogul issue (CVE-2009-3555).
Additionally the NSPR package has been upgraded to 4.8.4 that brings
numerous upstream fixes.
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
This update provides the latest versions of NSS and NSPR libraries
and for which NSS is not vulnerable to this attack.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://www.mozilla.org/security/announce/2010/mfsa2010-22.html
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
5808950f475b3f2469675520f8a526c9 2008.0/i586/libnspr4-4.8.4-0.1mdv2008.0.i586.rpm
f09e7355e612a626c4e30baf851200e2 2008.0/i586/libnspr-devel-4.8.4-0.1mdv2008.0.i586.rpm
414e4e7e64202a7a01ce122f40fdbfa9 2008.0/i586/libnss3-3.12.6-0.1mdv2008.0.i586.rpm
37eb4d97e617dd78834801d5e3e2411e 2008.0/i586/libnss-devel-3.12.6-0.1mdv2008.0.i586.rpm
1186fe6aec619702ce3b3f76ad0a03a2 2008.0/i586/libnss-static-devel-3.12.6-0.1mdv2008.0.i586.rpm
f2fc05e8cf4ef840229536a95397c02d 2008.0/i586/nss-3.12.6-0.1mdv2008.0.i586.rpm
157d696865f82a05167a98ff75d3bb05 2008.0/SRPMS/nspr-4.8.4-0.1mdv2008.0.src.rpm
3f4fb184412ba28e84334765300d48cf 2008.0/SRPMS/nss-3.12.6-0.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
8f61146ebf97dfaa93a8d8973c2c2f49 2008.0/x86_64/lib64nspr4-4.8.4-0.1mdv2008.0.x86_64.rpm
6375eb3bd5fac3fe5648e6083018f62f 2008.0/x86_64/lib64nspr-devel-4.8.4-0.1mdv2008.0.x86_64.rpm
b5c368f59fae314c472d1bd40613738d 2008.0/x86_64/lib64nss3-3.12.6-0.1mdv2008.0.x86_64.rpm
b947d236395ffbc0f750c32705b39ae2 2008.0/x86_64/lib64nss-devel-3.12.6-0.1mdv2008.0.x86_64.rpm
c797275a9d57e4fefc2bc5942a0c1860 2008.0/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2008.0.x86_64.rpm
9b5565826ca817fedc4c16866e0b432a 2008.0/x86_64/nss-3.12.6-0.1mdv2008.0.x86_64.rpm
157d696865f82a05167a98ff75d3bb05 2008.0/SRPMS/nspr-4.8.4-0.1mdv2008.0.src.rpm
3f4fb184412ba28e84334765300d48cf 2008.0/SRPMS/nss-3.12.6-0.1mdv2008.0.src.rpm
Mandriva Linux 2009.0:
d668c97cdd4c6f2a54364185689bc9c3 2009.0/i586/libnspr4-4.8.4-0.1mdv2009.0.i586.rpm
213e3167d01de2e3153282ec09448101 2009.0/i586/libnspr-devel-4.8.4-0.1mdv2009.0.i586.rpm
3416bcd2b299a4573a0de8920edee34f 2009.0/i586/libnss3-3.12.6-0.1mdv2009.0.i586.rpm
76324be5f2dc503848e15651c9201990 2009.0/i586/libnss-devel-3.12.6-0.1mdv2009.0.i586.rpm
eb77fab010cf83b2a803c542595ef9d5 2009.0/i586/libnss-static-devel-3.12.6-0.1mdv2009.0.i586.rpm
a2e0e29a6565534dd4470b8b8fe348e0 2009.0/i586/nss-3.12.6-0.1mdv2009.0.i586.rpm
ef8c68c639efec98dedf89557d542730 2009.0/SRPMS/nspr-4.8.4-0.1mdv2009.0.src.rpm
7840542c10c58531c2e5007defe85b8e 2009.0/SRPMS/nss-3.12.6-0.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
c268178467753eb950ec3fc6c2fcf7c4 2009.0/x86_64/lib64nspr4-4.8.4-0.1mdv2009.0.x86_64.rpm
1cad4bd917e64990d862bee35b773d29 2009.0/x86_64/lib64nspr-devel-4.8.4-0.1mdv2009.0.x86_64.rpm
9dafd05dbae7859a91cb53f9f9add679 2009.0/x86_64/lib64nss3-3.12.6-0.1mdv2009.0.x86_64.rpm
d624418468c98b63d058898f9dc68e1f 2009.0/x86_64/lib64nss-devel-3.12.6-0.1mdv2009.0.x86_64.rpm
d9b103d310dfd8b8847694613068485d 2009.0/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2009.0.x86_64.rpm
268e8d10f6184442b9a66672148f5687 2009.0/x86_64/nss-3.12.6-0.1mdv2009.0.x86_64.rpm
ef8c68c639efec98dedf89557d542730 2009.0/SRPMS/nspr-4.8.4-0.1mdv2009.0.src.rpm
7840542c10c58531c2e5007defe85b8e 2009.0/SRPMS/nss-3.12.6-0.1mdv2009.0.src.rpm
Mandriva Linux 2009.1:
f2fc77ff32d9cc4dd3839c2644e3cad1 2009.1/i586/libnspr4-4.8.4-0.1mdv2009.1.i586.rpm
e110eaa263397b81bff4873e8badf3b9 2009.1/i586/libnspr-devel-4.8.4-0.1mdv2009.1.i586.rpm
37eaded0314c7b3c0bc9d0b24d0add88 2009.1/i586/libnss3-3.12.6-0.1mdv2009.1.i586.rpm
0d5cf958f159251ecc3b88254b042181 2009.1/i586/libnss-devel-3.12.6-0.1mdv2009.1.i586.rpm
17fcbbdc5f818450da24c371ffba02a2 2009.1/i586/libnss-static-devel-3.12.6-0.1mdv2009.1.i586.rpm
7b297c2234b4b36ee796570630b819bc 2009.1/i586/nss-3.12.6-0.1mdv2009.1.i586.rpm
1c7837b4ebb442de506de9f3e530f093 2009.1/SRPMS/nspr-4.8.4-0.1mdv2009.1.src.rpm
61548957bb2121a16b9dd0d840f1a19c 2009.1/SRPMS/nss-3.12.6-0.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
c61401ffeba102ddba8139175c964687 2009.1/x86_64/lib64nspr4-4.8.4-0.1mdv2009.1.x86_64.rpm
5c1365625f929e36f5e59213877aac9d 2009.1/x86_64/lib64nspr-devel-4.8.4-0.1mdv2009.1.x86_64.rpm
94944b1ef725591c3634d3f2af540840 2009.1/x86_64/lib64nss3-3.12.6-0.1mdv2009.1.x86_64.rpm
07c3a4ee676d96659119aa9f5d65da37 2009.1/x86_64/lib64nss-devel-3.12.6-0.1mdv2009.1.x86_64.rpm
0bcc455a76d8769754203d1b4938c40c 2009.1/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2009.1.x86_64.rpm
3a324386025aa54470683e3e7729ee18 2009.1/x86_64/nss-3.12.6-0.1mdv2009.1.x86_64.rpm
1c7837b4ebb442de506de9f3e530f093 2009.1/SRPMS/nspr-4.8.4-0.1mdv2009.1.src.rpm
61548957bb2121a16b9dd0d840f1a19c 2009.1/SRPMS/nss-3.12.6-0.1mdv2009.1.src.rpm
Mandriva Linux 2010.0:
1b34e86e948e76f814ead17dc7b18759 2010.0/i586/libnspr4-4.8.4-0.1mdv2010.0.i586.rpm
d0b5d749ddc685643512bd2a2ed1c969 2010.0/i586/libnspr-devel-4.8.4-0.1mdv2010.0.i586.rpm
f64c138b1dd4273e6ff173a46801e606 2010.0/i586/libnss3-3.12.6-0.1mdv2010.0.i586.rpm
d287d303ef943afca97f78794b204b4c 2010.0/i586/libnss-devel-3.12.6-0.1mdv2010.0.i586.rpm
9d7ba97ad7b69324fdaea1aae7e638e9 2010.0/i586/libnss-static-devel-3.12.6-0.1mdv2010.0.i586.rpm
b1d48fefb674dd2e3c40ca0e6ebdf38f 2010.0/i586/nss-3.12.6-0.1mdv2010.0.i586.rpm
b4c9c09b108d0f9052099848da17d9b6 2010.0/SRPMS/nspr-4.8.4-0.1mdv2010.0.src.rpm
8239f2289f9cf226b870374d418c0874 2010.0/SRPMS/nss-3.12.6-0.1mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
83b1a7447d49f79c42f0eee2683dcd60 2010.0/x86_64/lib64nspr4-4.8.4-0.1mdv2010.0.x86_64.rpm
a62678fb78e46d99a9ec57c330ad5c6f 2010.0/x86_64/lib64nspr-devel-4.8.4-0.1mdv2010.0.x86_64.rpm
c351fd08ab9b7b4303b157b64ba42ae3 2010.0/x86_64/lib64nss3-3.12.6-0.1mdv2010.0.x86_64.rpm
e9c37c13bb2427b234fb6f262f5acea0 2010.0/x86_64/lib64nss-devel-3.12.6-0.1mdv2010.0.x86_64.rpm
b975d408159979874866ece89f06cd38 2010.0/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2010.0.x86_64.rpm
b4b549eb112359219f946bb1379357f5 2010.0/x86_64/nss-3.12.6-0.1mdv2010.0.x86_64.rpm
b4c9c09b108d0f9052099848da17d9b6 2010.0/SRPMS/nspr-4.8.4-0.1mdv2010.0.src.rpm
8239f2289f9cf226b870374d418c0874 2010.0/SRPMS/nss-3.12.6-0.1mdv2010.0.src.rpm
Mandriva Enterprise Server 5:
eb965867c7614f2b5d20b492b0d31f5a mes5/i586/libnspr4-4.8.4-0.1mdvmes5.i586.rpm
e9d155d0ceae9f3b34d673bcb5a41a0f mes5/i586/libnspr-devel-4.8.4-0.1mdvmes5.i586.rpm
4c516d6e8090e86432612d4e9bebeda9 mes5/i586/libnss3-3.12.6-0.1mdvmes5.i586.rpm
a2e490654d19daeb34dc7be49e84cc27 mes5/i586/libnss-devel-3.12.6-0.1mdvmes5.i586.rpm
884712b382e6ebec9e3e44ec9de9433d mes5/i586/libnss-static-devel-3.12.6-0.1mdvmes5.i586.rpm
efc2bae5196b057aba91eb3357aaa513 mes5/i586/nss-3.12.6-0.1mdvmes5.i586.rpm
b114168aab9b0154d5573e167074581e mes5/SRPMS/nspr-4.8.4-0.1mdvmes5.1.src.rpm
397f2bc60121455633c45b31529aeb9e mes5/SRPMS/nss-3.12.6-0.1mdvmes5.src.rpm
Mandriva Enterprise Server 5/X86_64:
87d9de03b4f6bf92269b52f934246b15 mes5/x86_64/lib64nspr4-4.8.4-0.1mdvmes5.x86_64.rpm
b59b316d078d66dd7ff9f9d5ebbde669 mes5/x86_64/lib64nspr-devel-4.8.4-0.1mdvmes5.x86_64.rpm
3b90e3e62fe96485a7b0be2e9da40f35 mes5/x86_64/lib64nss3-3.12.6-0.1mdvmes5.x86_64.rpm
e557ca44f13c20b952c01d9516cb9e17 mes5/x86_64/lib64nss-devel-3.12.6-0.1mdvmes5.x86_64.rpm
8484d1fd45fc925c650ab9e85e8da34d mes5/x86_64/lib64nss-static-devel-3.12.6-0.1mdvmes5.x86_64.rpm
40bdcd337c3a39d7d611f2a189ea7065 mes5/x86_64/nss-3.12.6-0.1mdvmes5.x86_64.rpm
b114168aab9b0154d5573e167074581e mes5/SRPMS/nspr-4.8.4-0.1mdvmes5.1.src.rpm
397f2bc60121455633c45b31529aeb9e mes5/SRPMS/nss-3.12.6-0.1mdvmes5.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLu6RomqjQ0CJFipgRAvAsAKDsKNbgAtUmeiJhUkz1wVL5AoB6dwCgpvKo
XDOMAYHTh7eJGefnK6VDoRc=
=f0Zu
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists