Message-Id: <E1NzJIL-0001l3-6Q@titan.mandriva.com>
Date: Wed, 07 Apr 2010 02:39:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:069 ] nss


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:069
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : nss
 Date    : April 6, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been found and corrected in nss:
 
 The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
 used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
 in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
 GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
 3.12.4 and earlier, and other products, does not properly associate
 renegotiation handshakes with an existing connection, which allows
 man-in-the-middle attackers to insert data into HTTPS sessions,
 and possibly other types of sessions protected by TLS or SSL, by
 sending an unauthenticated request that is processed retroactively
 by a server in a post-renegotiation context, related to a plaintext
 injection attack, aka the Project Mogul issue (CVE-2009-3555).
 
 Additionally, the NSPR package has been upgraded to 4.8.4, which brings
 numerous upstream fixes.
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 This update provides the latest versions of the NSS and NSPR libraries,
 in which NSS is not vulnerable to this attack.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
 http://www.mozilla.org/security/announce/2010/mfsa2010-22.html
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLu6RomqjQ0CJFipgRAvAsAKDsKNbgAtUmeiJhUkz1wVL5AoB6dwCgpvKo
XDOMAYHTh7eJGefnK6VDoRc=
=f0Zu
-----END PGP SIGNATURE-----
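
A simplified model of the flaw described in this advisory and of the renegotiation_info binding from RFC 5746 that closes it, added here as an illustration; it is not part of the advisory and is not NSS code. The class and function names, the HMAC-based verify_data and the secrets are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

def verify_data(master_secret: bytes, transcript: bytes) -> bytes:
    """Simplified stand-in for the 12-byte TLS Finished verify_data."""
    return hmac.new(master_secret, transcript, hashlib.sha256).digest()[:12]

@dataclass
class ClientHello:
    # RFC 5746: empty on an initial handshake; on renegotiation, the client's
    # verify_data from the handshake that currently protects the connection.
    renegotiation_info: bytes = b""

class ServerConnection:
    def __init__(self, enforce_binding: bool):
        self.enforce_binding = enforce_binding
        self.client_verify_data = b""  # no handshake completed yet
        self.handshakes = 0

    def handshake(self, hello: ClientHello, master_secret: bytes) -> bool:
        """Return True if the server accepts this handshake on the connection."""
        if self.enforce_binding and not hmac.compare_digest(
                hello.renegotiation_info, self.client_verify_data):
            return False  # hello is not tied to this connection: abort
        self.handshakes += 1
        self.client_verify_data = verify_data(
            master_secret, b"handshake-%d" % self.handshakes)
        return True

def unbound_hello_accepted(enforce_binding: bool) -> bool:
    """A handshake already exists on the connection; then a ClientHello from a
    client that believes it is starting fresh arrives as a renegotiation."""
    conn = ServerConnection(enforce_binding)
    conn.handshake(ClientHello(), b"constructed-secret-A")
    return conn.handshake(ClientHello(), b"constructed-secret-B")

def legitimate_renegotiation_accepted() -> bool:
    """The same client renegotiates and echoes its previous verify_data."""
    conn = ServerConnection(enforce_binding=True)
    conn.handshake(ClientHello(), b"constructed-secret-A")
    previous = verify_data(b"constructed-secret-A", b"handshake-1")
    return conn.handshake(ClientHello(previous), b"constructed-secret-A2")

if __name__ == "__main__":
    print("legacy server accepts unbound hello:", unbound_hello_accepted(False))
    print("RFC 5746 server accepts unbound hello:", unbound_hello_accepted(True))
    print("RFC 5746 server accepts real renegotiation:",
          legitimate_renegotiation_accepted())
```
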