Executive Summary

Informations
Name MDVSA-2014:066 First vendor Publication 2014-03-20
Vendor Mandriva Last vendor Modification 2014-03-20
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability has been found and corrected in mozilla NSS:

In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2 (CVE-2014-1492).

The updated packages have been upgraded to the latest NSPR (4.10.4) and NSS (3.16) versions which is not vulnerable to this issue.

Additionally the rootcerts package has also been updated to version 1.97, which adds, removes, and distrusts several certificates.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2014:066

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:24484
 
Oval ID: oval:org.mitre.oval:def:24484
Title: USN-2159-1 -- nss vulnerability
Description: NSS could be made to expose sensitive information over the network.
Family: unix Class: patch
Reference(s): USN-2159-1
CVE-2014-1492
 Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
 Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24541
 
Oval ID: oval:org.mitre.oval:def:24541
Title: Incorrect IDNA domain name matching for wildcard certificates
Description: The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
Family: windows Class: vulnerability
Reference(s): CVE-2014-1492
 Version: 11
Platform(s): Microsoft Windows Server 2012 R2
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows 8
Microsoft Windows Server 2008 R2
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
 Product(s): Mozilla Firefox
Mozilla SeaMonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25341
 
Oval ID: oval:org.mitre.oval:def:25341
Title: SUSE-SU-2014:0665-2 -- Security update for Mozilla Firefox
Description: This Mozilla Firefox update provides several security and non-security fixes. Mozilla Firefox has been updated to the 24.5.0esr version, which fixes the following issues: * MFSA 2014-34/CVE-2014-1518 Miscellaneous memory safety hazards * MFSA 2014-37/CVE-2014-1523 Out of bounds read while decoding JPG images * MFSA 2014-38/CVE-2014-1524 Buffer overflow when using non-XBL object as XBL * MFSA 2014-42/CVE-2014-1529 Privilege escalation through Web Notification API * MFSA 2014-43/CVE-2014-1530 Cross-site scripting (XSS) using history navigations * MFSA 2014-44/CVE-2014-1531 Use-after-free in imgLoader while resizing images * MFSA 2014-46/CVE-2014-1532 Use-after-free in nsHostResolver Mozilla NSS has been updated to version 3.16 * required for Firefox 29 * CVE-2014-1492_ In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2. * Update of root certificates.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0665-2
CVE-2014-1518
CVE-2014-1523
CVE-2014-1524
CVE-2014-1529
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
CVE-2014-1492
 Version: 5
Platform(s): SUSE Linux Enterprise Server 10
 Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25349
 
Oval ID: oval:org.mitre.oval:def:25349
Title: SUSE-SU-2014:0727-1 -- Security update for Mozilla Firefox
Description: This Mozilla Firefox update provides several security and non-security fixes. MozillaFirefox has been updated to 24.5.0esr, which fixes the following issues: * MFSA 2014-34/CVE-2014-1518 Miscellaneous memory safety hazards * MFSA 2014-37/CVE-2014-1523 Out of bounds read while decoding JPG images * MFSA 2014-38/CVE-2014-1524 Buffer overflow when using non-XBL object as XBL * MFSA 2014-42/CVE-2014-1529 Privilege escalation through Web Notification API * MFSA 2014-43/CVE-2014-1530 Cross-site scripting (XSS) using history navigations * MFSA 2014-44/CVE-2014-1531 Use-after-free in imgLoader while resizing images * MFSA 2014-46/CVE-2014-1532 Use-after-free in nsHostResolver Mozilla NSS has been updated to 3.16 * required for Firefox 29 * CVE-2014-1492_ In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2. * Update of root certificates.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0727-1
CVE-2014-1518
CVE-2014-1523
CVE-2014-1524
CVE-2014-1529
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
CVE-2014-1492
 Version: 5
Platform(s): SUSE Linux Enterprise Server 10
 Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25501
 
Oval ID: oval:org.mitre.oval:def:25501
Title: SUSE-SU-2014:0665-1 -- Security update for Mozilla Firefox
Description: This Mozilla Firefox and Mozilla NSS update fixes several security and non-security issues. Mozilla Firefox has been updated to 24.5.0esr which fixes the following issues: * MFSA 2014-34/CVE-2014-1518 Miscellaneous memory safety hazards * MFSA 2014-37/CVE-2014-1523 Out of bounds read while decoding JPG images * MFSA 2014-38/CVE-2014-1524 Buffer overflow when using non-XBL object as XBL * MFSA 2014-42/CVE-2014-1529 Privilege escalation through Web Notification API * MFSA 2014-43/CVE-2014-1530 Cross-site scripting (XSS) using history navigations * MFSA 2014-44/CVE-2014-1531 Use-after-free in imgLoader while resizing images * MFSA 2014-46/CVE-2014-1532 Use-after-free in nsHostResolver Mozilla NSS has been updated to 3.16 * required for Firefox 29 * CVE-2014-1492_ In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2. * Update of root certificates.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0665-1
CVE-2014-1518
CVE-2014-1523
CVE-2014-1524
CVE-2014-1529
CVE-2014-1530
CVE-2014-1531
CVE-2014-1532
CVE-2014-1492
 Version: 5
Platform(s): SUSE Linux Enterprise Server 11
 Product(s): Mozilla Firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26141
 
Oval ID: oval:org.mitre.oval:def:26141
Title: DSA-2994-1 -- nss - security update
Description: Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library.
Family: unix Class: patch
Reference(s): DSA-2994-1
CVE-2013-1741
CVE-2013-5606
CVE-2014-1491
CVE-2014-1492
 Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
 Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26168
 
Oval ID: oval:org.mitre.oval:def:26168
Title: RHSA-2014:1073: nss, nss-util, nss-softokn security, bug fix, and enhancement update (Low)
Description: Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv3, TLS, and other security standards.
Family: unix Class: patch
Reference(s): RHSA-2014:1073-00
CESA-2014:1073
CVE-2014-1492
 Version: 3
Platform(s): Red Hat Enterprise Linux 7
CentOS Linux 7
 Product(s): nss
nss-softokn
nss-util
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27251
 
Oval ID: oval:org.mitre.oval:def:27251
Title: ELSA-2014-1073 -- nss, nss-util, nss-softokn security, bug fix, and enhancement update (low)
Description: nss [3.16.2-2.0.1.el7_0] - Added nss-vendor.patch to change vendor
Family: unix Class: patch
Reference(s): ELSA-2014-1073
CVE-2014-1492
 Version: 3
Platform(s): Oracle Linux 7
 Product(s): nss
nss-softokn
nss-util
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 70

Nessus® Vulnerability Scanner

Date Description
2016-05-18 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL16716.nasl - Type : ACT_GATHER_INFO
2015-05-29 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-533.nasl - Type : ACT_GATHER_INFO
2015-05-29 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-532.nasl - Type : ACT_GATHER_INFO
2015-05-29 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-531.nasl - Type : ACT_GATHER_INFO
2015-05-29 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-530.nasl - Type : ACT_GATHER_INFO
2015-05-29 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-529.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0727-1.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0665-2.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0665-1.nasl - Type : ACT_GATHER_INFO
2015-04-08 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201504-01.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-23.nasl - Type : ACT_GATHER_INFO
2015-03-19 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-059.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-0979.nasl - Type : ACT_GATHER_INFO
2014-10-31 Name : The remote host is affected by multiple vulnerabilities.
File : oracle_opensso_agent_cpu_oct_2014.nasl - Type : ACT_GATHER_INFO
2014-10-01 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1246.nasl - Type : ACT_GATHER_INFO
2014-09-29 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140916_nss_and_nspr_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-09-18 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1246.nasl - Type : ACT_GATHER_INFO
2014-09-16 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1246.nasl - Type : ACT_GATHER_INFO
2014-08-19 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1073.nasl - Type : ACT_GATHER_INFO
2014-08-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1073.nasl - Type : ACT_GATHER_INFO
2014-08-19 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1073.nasl - Type : ACT_GATHER_INFO
2014-08-01 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2994.nasl - Type : ACT_GATHER_INFO
2014-07-31 Name : The remote host is running software with multiple vulnerabilities.
File : oracle_traffic_director_july_2014_cpu.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140722_nss_and_nspr_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0917.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : The remote web server is affected by multiple vulnerabilities.
File : sun_java_web_server_7_0_20.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : A web proxy server on the remote host is affected by multiple vulnerabilities.
File : iplanet_web_proxy_4_0_24.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : The remote web server is affected by multiple vulnerabilities.
File : glassfish_cpu_jul_2014.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-354.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-336.nasl - Type : ACT_GATHER_INFO
2014-05-14 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_MozillaFirefox-201404-140501.nasl - Type : ACT_GATHER_INFO
2014-05-03 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2014-5829.nasl - Type : ACT_GATHER_INFO
2014-04-30 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2185-1.nasl - Type : ACT_GATHER_INFO
2014-04-30 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_985d4d6ccfbd11e3a003b4b52fce4ce8.nasl - Type : ACT_GATHER_INFO
2014-04-29 Name : The remote Windows host contains a web browser that is potentially affected b...
File : seamonkey_2_26.nasl - Type : ACT_GATHER_INFO
2014-04-29 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_29.nasl - Type : ACT_GATHER_INFO
2014-04-29 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_29.nasl - Type : ACT_GATHER_INFO
2014-04-03 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2159-1.nasl - Type : ACT_GATHER_INFO
2014-03-31 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2014-086-04.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2016-01-22 09:26:24
  • Multiple Updates
2014-03-25 21:25:22
  • Multiple Updates
2014-03-20 21:20:12
  • First insertion