Mandriva Linux Security Advisory 2015-059

Posted Mar 16, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-059 - Multiple vulnerabilities have been found and corrected in the Mozilla NSS and NSPR packages. The updated packages provide a solution for these security issues.

tags | advisory, vulnerability
systems | linux, mandriva
advisories | CVE-2014-1492, CVE-2014-1544, CVE-2014-1545, CVE-2014-1568, CVE-2014-1569
SHA-256 | 59256243393f23f58ede14a8157f3106d5b951ae5d805857b9f01d335602857b

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:059
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : nss
Date : March 13, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been found and corrected in the Mozilla
NSS and NSPR packages:

The cert_TestHostName function in lib/certdb/certdb.c in the
certificate-checking implementation in Mozilla Network Security
Services (NSS) before 3.16 accepts a wildcard character that is
embedded in an internationalized domain name's U-label, which might
allow man-in-the-middle attackers to spoof SSL servers via a crafted
certificate (CVE-2014-1492).
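The wildcard rule behind CVE-2014-1492 is easier to audit in code than in prose. The following is an added illustration, written for this page and not taken from NSS or from Mandriva: a small reference-identity matcher that applies the RFC 6125 section 6.4.3 restrictions (wildcard only in the left-most label, at least two fixed labels to its right, and no wildcard inside an internationalized U-label or A-label). The function and label names, the MAX_LABELS limit, and the sample names are all assumptions of this example; the matcher is deliberately simpler than the real cert_TestHostName and does not attempt IDNA normalisation.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 16   /* assumption of this example: enough for any sane DNS name */

/* Case-insensitive comparison of two byte ranges of equal length. */
static bool label_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* True if a label belongs to an internationalized name: a U-label
 * (contains any non-ASCII byte) or an A-label (Punycode, "xn--" prefix). */
static bool label_is_idn(const char *l, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)l[i] >= 0x80) return true;
    return n >= 4 && label_eq(l, "xn--", 4);
}

/* Split "a.b.c" into labels. Returns the label count, or -1 for an
 * empty label, a trailing dot, or more than MAX_LABELS labels. */
static int split_labels(const char *name, const char **start, size_t *len)
{
    int n = 0;
    for (const char *p = name; *p; ) {
        const char *dot = strchr(p, '.');
        size_t l = dot ? (size_t)(dot - p) : strlen(p);
        if (l == 0 || n == MAX_LABELS) return -1;
        start[n] = p; len[n] = l; n++;
        if (!dot) break;
        p = dot + 1;
        if (*p == '\0') return -1;
    }
    return n;
}

/*
 * Match a presented DNS-ID from a certificate (may carry one wildcard)
 * against the host name the client intended to reach. The wildcard may
 * appear only in the left-most label, needs at least two fixed labels to
 * its right, and is refused inside an IDN label, which is the shape of
 * name CVE-2014-1492 describes. Partial wildcards such as "baz*" are
 * accepted in plain ASCII labels.
 */
bool hostname_matches(const char *pattern, const char *host)
{
    const char *ps[MAX_LABELS], *hs[MAX_LABELS];
    size_t pl[MAX_LABELS], hl[MAX_LABELS];
    int np = split_labels(pattern, ps, pl);
    int nh = split_labels(host, hs, hl);
    if (np <= 0 || nh <= 0 || np != nh) return false;
    if (strchr(host, '*')) return false;          /* the reference name never has wildcards */
    for (int i = 0; i < np; i++) {
        const char *star = memchr(ps[i], '*', pl[i]);
        if (!star) {                              /* fixed label: exact, case-insensitive */
            if (pl[i] != hl[i] || !label_eq(ps[i], hs[i], pl[i])) return false;
            continue;
        }
        size_t pre = (size_t)(star - ps[i]), suf = pl[i] - pre - 1;
        if (i != 0 || np < 3) return false;           /* only "*.fixed.fixed" forms */
        if (memchr(star + 1, '*', suf)) return false; /* at most one wildcard */
        if (label_is_idn(ps[i], pl[i])) return false; /* wildcard inside U-/A-label: refuse */
        if (hl[i] < pre + suf) return false;
        if (!label_eq(ps[i], hs[i], pre)) return false;
        if (!label_eq(star + 1, hs[i] + hl[i] - suf, suf)) return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names; "\xc3\xbc" is U+00FC (u with umlaut) in UTF-8. */
    const char *cases[][2] = {
        {"*.example.com",         "www.example.com"},
        {"*.example.com",         "a.b.example.com"},
        {"*.com",                 "example.com"},
        {"*\xc3\xbc.example.com", "x\xc3\xbc.example.com"},
        {"xn--*.example.com",     "xn--abc.example.com"},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-24s vs %-24s -> %s\n", cases[i][0], cases[i][1],
               hostname_matches(cases[i][0], cases[i][1]) ? "match" : "reject");
    return 0;
}
```

Only the first of the five sample pairs matches; the others are rejected for too many labels, too few fixed labels, a wildcard in a U-label, and a wildcard in an A-label respectively.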

Use-after-free vulnerability in the CERT_DestroyCertificate function
in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used
in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird
before 24.7, allows remote attackers to execute arbitrary code via
vectors that trigger certain improper removal of an NSSCertificate
structure from a trust domain (CVE-2014-1544).

Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x
before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox
before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before
31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2,
Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124
on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does
not properly parse ASN.1 values in X.509 certificates, which makes
it easier for remote attackers to spoof RSA signatures via a crafted
certificate, aka a signature malleability issue (CVE-2014-1568).

The definite_length_decoder function in lib/util/quickder.c in
Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x
before 3.17.3 does not ensure that the DER encoding of an ASN.1
length is properly formed, which allows remote attackers to conduct
data-smuggling attacks by using a long byte sequence for an encoding,
as demonstrated by the SEC_QuickDERDecodeItem function's improper
handling of an arbitrary-length encoding of 0x00 (CVE-2014-1569).
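Both CVE-2014-1568 and CVE-2014-1569 come down to an ASN.1 decoder accepting encodings that DER forbids: non-minimal length octets in the second case, and a value that is not required to account for every byte in the first. The block below is an added example written for this page, not code from NSS, Mandriva or the advisory: a strict DER length decoder that rejects padded and long-form-where-short-form-fits encodings, plus a TLV reader that insists the value fill its buffer exactly so trailing bytes cannot be silently skipped. The function and enum names and the sample byte strings are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of decoding DER length octets or a whole TLV. */
typedef enum {
    DER_OK = 0,
    DER_ERR_TRUNCATED,   /* input ends before the encoding does */
    DER_ERR_INDEFINITE,  /* 0x80: indefinite length, legal in BER, forbidden in DER */
    DER_ERR_RESERVED,    /* 0xFF: reserved first length octet */
    DER_ERR_NON_MINIMAL, /* long form where short form fits, or leading 0x00 length octet */
    DER_ERR_TOO_LARGE,   /* more length octets than size_t can hold */
    DER_ERR_TRAILING     /* bytes left over after a value that must fill the buffer */
} der_status;

/*
 * Decode the length octets at buf[0..buflen). On success *len is the
 * content length and *consumed the number of length octets used.
 * DER demands the shortest possible encoding, so this rejects:
 *   - long form for values below 128 (81 05 instead of 05)
 *   - any leading 0x00 length octet (82 00 80 instead of 81 80, or
 *     83 00 00 00 for a zero length, the shape described for CVE-2014-1569)
 */
der_status der_decode_length(const uint8_t *buf, size_t buflen,
                             size_t *len, size_t *consumed)
{
    if (buflen == 0) return DER_ERR_TRUNCATED;
    uint8_t first = buf[0];
    if (first < 0x80) {                 /* short form: one octet, value 0..127 */
        *len = first; *consumed = 1;
        return DER_OK;
    }
    if (first == 0x80) return DER_ERR_INDEFINITE;
    if (first == 0xFF) return DER_ERR_RESERVED;
    size_t nbytes = first & 0x7F;       /* long form: number of following octets */
    if (nbytes > sizeof(size_t)) return DER_ERR_TOO_LARGE;
    if (buflen < 1 + nbytes) return DER_ERR_TRUNCATED;
    if (buf[1] == 0x00) return DER_ERR_NON_MINIMAL;   /* padded with a leading zero */
    size_t value = 0;
    for (size_t i = 0; i < nbytes; i++) value = (value << 8) | buf[1 + i];
    if (value < 0x80) return DER_ERR_NON_MINIMAL;     /* should have used the short form */
    *len = value; *consumed = 1 + nbytes;
    return DER_OK;
}

/*
 * Decode one TLV that must occupy buf[0..buflen) exactly. A signature
 * verifier that parses a DigestInfo this way cannot be satisfied by a
 * value followed by extra bytes, because leftover input is an error.
 */
der_status der_decode_tlv_exact(const uint8_t *buf, size_t buflen, uint8_t *tag,
                                const uint8_t **content, size_t *clen)
{
    if (buflen < 2) return DER_ERR_TRUNCATED;
    size_t len, consumed;
    der_status st = der_decode_length(buf + 1, buflen - 1, &len, &consumed);
    if (st != DER_OK) return st;
    size_t avail = buflen - 1 - consumed;
    if (len > avail) return DER_ERR_TRUNCATED;
    if (len < avail) return DER_ERR_TRAILING;
    *tag = buf[0]; *content = buf + 1 + consumed; *clen = len;
    return DER_OK;
}

/* Convenience wrappers that return only the status. */
der_status der_check_length(const uint8_t *buf, size_t buflen)
{
    size_t len, consumed;
    return der_decode_length(buf, buflen, &len, &consumed);
}

der_status der_check_tlv(const uint8_t *buf, size_t buflen)
{
    uint8_t tag; const uint8_t *content; size_t clen;
    return der_decode_tlv_exact(buf, buflen, &tag, &content, &clen);
}

int main(void)
{
    /* Constructed sample encodings, not taken from any real certificate. */
    static const uint8_t ok_short[]   = {0x05};
    static const uint8_t ok_long[]    = {0x81, 0x80};
    static const uint8_t bad_long[]   = {0x81, 0x05};             /* 5 in long form */
    static const uint8_t bad_padded[] = {0x83, 0x00, 0x00, 0x00}; /* 0 padded to 3 octets */
    static const uint8_t trailing[]   = {0x04, 0x02, 0xAA, 0xBB, 0xCC}; /* one byte too many */
    printf("05          -> %d (DER_OK is 0)\n", der_check_length(ok_short, sizeof ok_short));
    printf("81 80       -> %d\n", der_check_length(ok_long, sizeof ok_long));
    printf("81 05       -> %d (DER_ERR_NON_MINIMAL is %d)\n",
           der_check_length(bad_long, sizeof bad_long), DER_ERR_NON_MINIMAL);
    printf("83 00 00 00 -> %d\n", der_check_length(bad_padded, sizeof bad_padded));
    printf("04 02 AA BB CC -> %d (DER_ERR_TRAILING is %d)\n",
           der_check_tlv(trailing, sizeof trailing), DER_ERR_TRAILING);
    return 0;
}
```

The two checks are independent: a decoder can have minimal-length enforcement and still accept trailing bytes, or the reverse, so a review of an ASN.1 parser should confirm both.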

Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote
attackers to execute arbitrary code or cause a denial of service
(out-of-bounds write) via vectors involving the sprintf and console
functions (CVE-2014-1545).

The sqlite3 packages have been upgraded to version 3.8.6 as a
prerequisite for nss-3.17.x.

Additionally, the rootcerts package has been updated to the latest
version as of 2014-11-17, which adds, removes, and distrusts several
certificates.

The updated packages provide a solution for these security issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1544
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1545
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.2_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.2_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.4_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2014-55/
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
2aea53da7622f23ec03faa5605d9672c mbs2/x86_64/lemon-3.8.6-1.mbs2.x86_64.rpm
68cc94d4a95146583d8a6b2849759614 mbs2/x86_64/lib64nspr4-4.10.8-1.mbs2.x86_64.rpm
a6ffe2ebe6de847b6227c8c4c2cb4ba4 mbs2/x86_64/lib64nspr-devel-4.10.8-1.mbs2.x86_64.rpm
78ba63e6a21b897abac8e4b0e975470d mbs2/x86_64/lib64nss3-3.17.4-1.mbs2.x86_64.rpm
aacf8b1f144a7044e77abc5d0be72a7b mbs2/x86_64/lib64nss-devel-3.17.4-1.mbs2.x86_64.rpm
6afff220f7fa93dede0486b76155ae44 mbs2/x86_64/lib64nss-static-devel-3.17.4-1.mbs2.x86_64.rpm
63ffb7675dc414a52a4647f5ed302e3c mbs2/x86_64/lib64sqlite3_0-3.8.6-1.mbs2.x86_64.rpm
cfefad1ef4f83cceeeb34a4f2ffca442 mbs2/x86_64/lib64sqlite3-devel-3.8.6-1.mbs2.x86_64.rpm
e976251ee0ae5c2b2a2f6a163b693e85 mbs2/x86_64/lib64sqlite3-static-devel-3.8.6-1.mbs2.x86_64.rpm
42018611a17d2b6480b63f0a968a796d mbs2/x86_64/nss-3.17.4-1.mbs2.x86_64.rpm
b955454c30e482635944134eb02456e4 mbs2/x86_64/nss-doc-3.17.4-1.mbs2.noarch.rpm
3058267964146b7806c493ff536da63d mbs2/x86_64/rootcerts-20141117.00-1.mbs2.x86_64.rpm
18fc28f1ae18ddd5fe01acb77811d0e6 mbs2/x86_64/rootcerts-java-20141117.00-1.mbs2.x86_64.rpm
200f6a413d13d850ea084a9e42c4fc23 mbs2/x86_64/sqlite3-tcl-3.8.6-1.mbs2.x86_64.rpm
8c88a446098d21cf2675173e32a208e6 mbs2/x86_64/sqlite3-tools-3.8.6-1.mbs2.x86_64.rpm
2e494a940c3189617ff62bc15a2b14fb mbs2/SRPMS/nspr-4.10.8-1.mbs2.src.rpm
0a28d1c9c07909d488c7dabe92c47529 mbs2/SRPMS/nss-3.17.4-1.mbs2.src.rpm
10dcc357bb0bbdc22e7dd308074d037b mbs2/SRPMS/rootcerts-20141117.00-1.mbs2.src.rpm
df412cc892bb40e1d7345079a25c0bbb mbs2/SRPMS/sqlite3-3.8.6-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVAvuLmqjQ0CJFipgRArOfAKDn7F7m/ZnJATspmFD0k083yGXQJwCdHAzw
P1QqaGn3HFIH8gKR7XVcRAA=
=ZF+9
-----END PGP SIGNATURE-----