Executive Summary
| Summary | |
|---|---|
| Title | nss security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-2339 | First vendor Publication | 2011-11-07 |
| Vendor | Debian | Last vendor Modification | 2011-11-07 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 9.3 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| This update to the NSS cryptographic libraries revokes the trust in the "DigiCert Sdn. Bhd" certificate authority. More information can be found in the Mozilla Security Blog: http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/ This update also fixes an insecure load path for pkcs11.txt configuration file (CVE-2011-3640). For the oldstable distribution (lenny), this problem has been fixed in version 3.12.3.1-0lenny7. For the stable distribution (squeeze), this problem has been fixed in version 3.12.8-1+squeeze4. For the unstable distribution (sid), this problem has been fixed in version 3.13.1.with.ckbi.1.88-1. We recommend that you upgrade your nss packages. |
Original Source
| Url : http://www.debian.org/security/2011/dsa-2339 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-426 | Untrusted Search Path |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13414 | |||
| Oval ID: | oval:org.mitre.oval:def:13414 | ||
| Title: | ** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was "Strange behavior, but we're not treating this as a security bug." | ||
| Description: | ** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was "Strange behavior, but we're not treating this as a security bug." | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2011-3640 | Version: | 15 |
| Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 | Product(s): | Google Chrome |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:14689 | |||
| Oval ID: | oval:org.mitre.oval:def:14689 | ||
| Title: | DSA-2339-1 nss -- several | ||
| Description: | This update to the NSS cryptographic libraries revokes the trust in the "DigiCert Sdn. Bhd" certificate authority | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2339-1 CVE-2011-3640 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | nss |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-02-11 | Name : Debian Security Advisory DSA 2339-1 (nss) File : nvt/deb_2339_1.nasl |
| 2011-11-11 | Name : Mandriva Update for mozilla MDVSA-2011:169 (mozilla) File : nvt/gb_mandriva_MDVSA_2011_169.nasl |
| 2011-11-03 | Name : Google Chrome Mozilla Network Security Services Privilege Escalation Vulnerab... File : nvt/gb_google_chrome_nss_priv_escalation_vuln_macosx.nasl |
| 2011-11-03 | Name : Google Chrome Mozilla Network Security Services Privilege Escalation Vulnerab... File : nvt/gb_google_chrome_nss_priv_escalation_vuln_win.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 76858 | Mozilla Network Security Services (NSS) Trojaned pkcs11.txt File Local Privil... |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_libfreebl3-111108.nasl - Type : ACT_GATHER_INFO |
| 2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_nss-201112-111220.nasl - Type : ACT_GATHER_INFO |
| 2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_seamonkey-111130.nasl - Type : ACT_GATHER_INFO |
| 2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_libfreebl3-111108.nasl - Type : ACT_GATHER_INFO |
| 2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_nss-201112-111220.nasl - Type : ACT_GATHER_INFO |
| 2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_seamonkey-111130.nasl - Type : ACT_GATHER_INFO |
| 2013-01-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201301-01.nasl - Type : ACT_GATHER_INFO |
| 2011-11-10 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-169.nasl - Type : ACT_GATHER_INFO |
| 2011-11-08 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2339.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:30:33 |
|
