Executive Summary
Summary | |
---|---|
Title | nss and nspr security, bug fix, and enhancement update |
Information | |||
---|---|---|---|
Name | RHSA-2016:0684 | First vendor Publication | 2016-04-25 |
Vendor | RedHat | Last vendor Modification | 2016-04-25 |
Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
CVSS vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
CVSS Base Score | 7.5 | Attack Range | Network |
CVSS Impact Score | 6.4 | Attack Complexity | Low |
CVSS Exploit Score | 10 | Authentication | None Required |
Detail
Problem Description:

An update for nss and nspr is now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop Workstation (v. 5 client) - i386, x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a newer upstream version: nss 3.21.0, nspr 4.11.0. (BZ#1297944, BZ#1297943)

Security Fix(es):

* A use-after-free flaw was found in the way NSS handled DHE (Diffie-Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application. (CVE-2016-1978)

* A use-after-free flaw was found in the way NSS processed certain DER (Distinguished Encoding Rules) encoded cryptographic keys. An attacker could use this flaw to create a specially crafted DER encoded certificate which, when parsed by an application compiled against the NSS library, could cause that application to crash, or execute arbitrary code using the permissions of the user running the application. (CVE-2016-1979)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Eric Rescorla as the original reporter of CVE-2016-1978; and Tim Taubert as the original reporter of CVE-2016-1979.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258

After installing this update, applications using NSS or NSPR (for example, Firefox) must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1297943 - Rebase RHEL 5.11.z to NSPR 4.11 in preparation for Firefox 45.
1297944 - Rebase RHEL 5.11.z to NSS 3.21 in preparation for Firefox 45.
1315202 - CVE-2016-1979 nss: Use-after-free during processing of DER encoded keys in NSS (MFSA 2016-36)
1315565 - CVE-2016-1978 nss: Use-after-free in NSS during SSL connections in low memory (MFSA 2016-15)
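The solution section makes two demands that are easy to get wrong in practice: the installed nss/nspr must actually be at the rebased versions, and every long-running process that loaded the old libraries (not only Firefox) must be restarted, because a package upgrade replaces the files on disk but not the code already mapped into memory. The script below is an added example written for this page; it is not part of the Red Hat advisory or of Red Hat's tooling. It compares installed RPM versions against the advisory's nss 3.21.0 / nspr 4.11.0, and it finds processes whose /proc/<pid>/maps still reference an NSS or NSPR shared object marked "(deleted)", which is how the kernel reports a mapped file that has since been replaced. The list of library names, the function names, and the sample maps excerpt are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of RHSA-2016:0684 or of Red Hat's tooling.
# Two post-update checks for the nss/nspr rebase this advisory ships:
#   1. are the installed RPMs at or above the rebased versions the advisory
#      names (nss 3.21.0, nspr 4.11.0)?
#   2. which running processes still map the pre-update libraries? The
#      upgrade unlinks the old .so files and the kernel marks mappings of
#      unlinked files "(deleted)" in /proc/<pid>/maps, so those processes
#      keep executing the vulnerable code until they are restarted.

# Shared objects shipped by the nss and nspr packages. The list is an
# assumption about package contents; extend it if your build differs.
NSS_LIBS='lib(nss3|nssutil3|smime3|ssl3|softokn3|freebl3|nspr4|plc4|plds4)\.so'

# version_ge A B: succeed if dotted version A >= B, compared component-wise
# as integers (so 3.21.0 > 3.9.1, unlike a plain string comparison).
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; na = NF; next }
        {
            n = (NF > na) ? NF : na
            for (i = 1; i <= n; i++) {
                x = a[i] + 0; y = $i + 0
                if (x > y) exit 0
                if (x < y) exit 1
            }
            exit 0
        }'
}

# fixed_versions: compare installed nss/nspr against the advisory versions.
# Returns 0 only if both packages are installed at or above the fixed version.
fixed_versions() {
    status=0
    for spec in nss:3.21.0 nspr:4.11.0; do
        pkg=${spec%%:*}; want=${spec#*:}
        have=$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null | head -n 1)
        case $have in
            '' | *'not installed'*) echo "$pkg: not installed"; status=1; continue ;;
        esac
        if version_ge "$have" "$want"; then
            echo "$pkg $have: at or above $want"
        else
            echo "$pkg $have: below $want, update required"; status=1
        fi
    done
    return $status
}

# stale_libs: read one /proc/<pid>/maps on stdin; print the path of each
# NSS/NSPR library whose file on disk has been replaced, deduplicated.
# Field 6 of a maps line is the path; "(deleted)" follows it as field 7.
stale_libs() {
    grep -E "/${NSS_LIBS}[^ ]* \(deleted\)\$" | awk '{ print $6 }' | sort -u
}

# stale_processes: walk every readable process map (run as root to see all
# processes) and print "<pid> <command> <library>" for each stale mapping.
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale_libs 2>/dev/null <"$maps" | while read -r lib; do
            printf '%s %s %s\n' "$pid" "$(ps -o comm= -p "$pid" 2>/dev/null)" "$lib"
        done
    done
}

# sample_maps: a constructed /proc/<pid>/maps excerpt (not captured from a
# real host) for a process that loaded NSS before the update: libnss3,
# libplds4 and libssl3 are stale, libnspr4 is already the new file.
sample_maps() {
    cat <<'EOF'
7f3a5c000000-7f3a5c021000 r-xp 00000000 fd:01 131201 /usr/lib64/libnss3.so (deleted)
7f3a5c221000-7f3a5c222000 rw-p 00021000 fd:01 131201 /usr/lib64/libnss3.so (deleted)
7f3a5c300000-7f3a5c310000 r-xp 00000000 fd:01 131150 /usr/lib64/libnspr4.so
7f3a5c400000-7f3a5c405000 r-xp 00000000 fd:01 131777 /usr/lib64/libplds4.so (deleted)
7f3a5c500000-7f3a5c5a0000 r-xp 00000000 fd:01 131802 /usr/lib64/libssl3.so.1d (deleted)
7ffd12000000-7ffd12021000 rw-p 00000000 00:00 0                          [stack]
EOF
}

# Usage: sh nss_restart_check.sh --live   (on the patched host, as root)
if [ "${1:-}" = "--live" ]; then
    fixed_versions || echo "WARNING: nss/nspr not at the advisory's fixed versions"
    stale=$(stale_processes)
    if [ -n "$stale" ]; then
        echo "Processes still running pre-update NSS/NSPR; restart them:"
        echo "$stale"
    else
        echo "No process maps a deleted NSS/NSPR library."
    fi
else
    echo "Dry run on the constructed sample (pass --live to scan this host):"
    sample_maps | stale_libs
fi
```

Without --live the script only parses the constructed sample and prints the three stale library paths; with --live it scans the host. A process that shows up in the live output is still running the pre-update code regardless of what rpm reports, so the version check alone is not sufficient evidence that the advisory has taken effect.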
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2016-0684.html
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2017-05-01 | Name : The remote EulerOS host is missing multiple security updates. File : EulerOS_SA-2016-1017.nasl - Type : ACT_GATHER_INFO |
2016-10-06 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3688.nasl - Type : ACT_GATHER_INFO |
2016-09-02 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL20145801.nasl - Type : ACT_GATHER_INFO |
2016-05-31 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201605-06.nasl - Type : ACT_GATHER_INFO |
2016-05-19 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2973-1.nasl - Type : ACT_GATHER_INFO |
2016-05-19 | Name : The remote Debian host is missing a security update. File : debian_DLA-480.nasl - Type : ACT_GATHER_INFO |
2016-05-19 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2016-702.nasl - Type : ACT_GATHER_INFO |
2016-05-16 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3576.nasl - Type : ACT_GATHER_INFO |
2016-05-16 | Name : The remote Debian host is missing a security update. File : debian_DLA-472.nasl - Type : ACT_GATHER_INFO |
2016-04-27 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2016-0684.nasl - Type : ACT_GATHER_INFO |
2016-04-27 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20160425_nss_and_nspr_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2016-04-27 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20160425_nss__nspr__nss_softokn__and_nss_util_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2016-04-27 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2016-0685.nasl - Type : ACT_GATHER_INFO |
2016-04-27 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2016-0684.nasl - Type : ACT_GATHER_INFO |
2016-04-27 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2016-0685.nasl - Type : ACT_GATHER_INFO |
2016-04-27 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2016-0684.nasl - Type : ACT_GATHER_INFO |
2016-04-27 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2016-0685.nasl - Type : ACT_GATHER_INFO |
2016-04-07 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20160405_nss__nss_util__and_nspr_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2016-04-07 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2016-0591.nasl - Type : ACT_GATHER_INFO |
2016-04-07 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2016-0591.nasl - Type : ACT_GATHER_INFO |
2016-04-07 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2016-0591.nasl - Type : ACT_GATHER_INFO |
2016-04-01 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-0909-1.nasl - Type : ACT_GATHER_INFO |
2016-03-21 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-0820-1.nasl - Type : ACT_GATHER_INFO |
2016-03-17 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-0777-1.nasl - Type : ACT_GATHER_INFO |
2016-03-15 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2016-0727-1.nasl - Type : ACT_GATHER_INFO |
2016-03-14 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-334.nasl - Type : ACT_GATHER_INFO |
2016-03-14 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-332.nasl - Type : ACT_GATHER_INFO |
2016-03-11 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_45.nasl - Type : ACT_GATHER_INFO |
2016-03-11 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_45.nasl - Type : ACT_GATHER_INFO |
2016-03-09 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_c429276852734f17a267c5fe35125ce4.nasl - Type : ACT_GATHER_INFO |
2016-03-09 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_750915166f4b405998846727023dc366.nasl - Type : ACT_GATHER_INFO |
2016-01-28 | Name : The remote Mac OS X host contains a web browser that is affected by multiple ... File : macosx_firefox_44.nasl - Type : ACT_GATHER_INFO |
2016-01-28 | Name : The remote Windows host contains a web browser that is affected by multiple v... File : mozilla_firefox_44.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2016-06-27 21:50:31 | |
2016-04-28 13:28:17 | |
2016-04-25 17:24:18 | |