Executive Summary

| Summary | |
|---|---|
| Title | nss and nspr security, bug fix, and enhancement update |

| Information | | | |
|---|---|---|---|
| Name | RHSA-2013:1791 | First vendor Publication | 2013-12-05 |
| Vendor | RedHat | Last vendor Modification | 2013-12-05 |
| Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3

| CVSS vector : N/A | | | |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Subscore | NA | Temporal Score | NA |
| Exploitability Subscore | NA | | |
Security-Database Scoring CVSS v2

| CVSS vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | | | |
|---|---|---|---|
| CVSS Base Score | 7.5 | Attack Range | Network |
| CVSS Impact Score | 6.4 | Attack Complexity | Low |
| CVSS Exploit Score | 10 | Authentication | None Required |
Detail

Problem Description:

Updated nss and nspr packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605)

It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739)

An integer overflow flaw was discovered in both NSS and NSPR's implementation of certificate parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607)

It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606)

Red Hat would like to thank the Mozilla project for reporting CVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges Tavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as the original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and Wan-Teh Chang as the original reporters of CVE-2013-5607.

In addition, the nss package has been upgraded to upstream version 3.15.3, and the nspr package has been upgraded to upstream version 4.10.2. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#1033478, BZ#1020520)

This update also fixes the following bug:

* The RHBA-2013:1318 update introduced a regression that prevented the use of certificates that have an MD5 signature. This update fixes this regression and certificates that have an MD5 signature are once again supported. To prevent the use of certificates that have an MD5 signature, set the "NSS_HASH_ALG_SUPPORT" environment variable to "-MD5". (BZ#1033499)

Users of NSS and NSPR are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1012740 - CVE-2013-1739 nss: Avoid uninitialized data read in the event of a decryption failure
1030807 - CVE-2013-5605 nss: Null_Cipher() does not respect maxOutputLen (MFSA 2013-103)
1031457 - CVE-2013-5606 nss: CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates (MFSA 2013-103)
1031458 - CVE-2013-1741 nss: Integer truncation in certificate parsing (MFSA 2013-103)
1031461 - CVE-2013-5607 nspr: Avoid unsigned integer wrapping in PL_ArenaAllocate (MFSA 2013-103)
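The advisory's Solution section asks administrators to apply the errata and then restart every application that uses NSS or NSPR, since a running process keeps the old library mapped until it restarts. The script below is an added example written for this page; it is not Red Hat tooling and does not come from the advisory. It compares the installed nss and nspr upstream versions with the versions the advisory names (3.15.3 and 4.10.2) and then lists processes that still map a replaced NSS or NSPR shared object. It assumes an RPM-based Linux host with /proc, and the library file names it looks for (libnss3.so, libnssutil3.so, libsmime3.so, libssl3.so, libsoftokn3.so, libfreebl3.so, libnspr4.so) are the standard NSS/NSPR names, not values taken from the advisory.

```shell
#!/bin/sh
# Added example: post-update check for RHSA-2013:1791 (not Red Hat tooling).
# Assumes an RPM-based Linux host with /proc. The minimum versions below are
# the upstream versions named in the advisory (nss 3.15.3, nspr 4.10.2).

# version_ge A B: succeed when dotted version A is >= B, comparing each
# numeric field in turn (non-digit characters in a field are ignored).
version_ge() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=$(printf '%s' "${v1%%.*}" | tr -cd 0-9)
        b=$(printf '%s' "${v2%%.*}" | tr -cd 0-9)
        a=${a:-0} b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 0
}

# check_pkg NAME MINVER [INSTALLED...]: report whether every installed build
# of NAME (RHEL 5 may carry i386 and x86_64 copies) is at least MINVER.
# Installed versions are queried from rpm unless passed explicitly, which
# lets the logic run offline on constructed input.
# Exit status: 0 fixed, 1 vulnerable, 2 not installed.
check_pkg() {
    name=$1 min=$2
    shift 2
    if [ $# -gt 0 ]; then
        installed=$*
    else
        # rpm prints "package X is not installed" on stdout, hence the fallback
        installed=$(rpm -q --qf '%{VERSION}\n' "$name" 2>/dev/null) || installed=
    fi
    [ -n "$installed" ] || { echo "$name: not installed"; return 2; }
    status=0
    for have in $installed; do
        if version_ge "$have" "$min"; then
            echo "$name: $have >= $min (fixed)"
        else
            echo "$name: $have < $min (VULNERABLE: update required)"
            status=1
        fi
    done
    return $status
}

# maps_has_stale_nss: read /proc/<pid>/maps on stdin; succeed if an NSS or
# NSPR shared object is mapped from a file the update has since replaced,
# which the kernel marks with a trailing "(deleted)". Library names assumed.
maps_has_stale_nss() {
    grep -qE 'lib(nss3|nssutil3|smime3|ssl3|softokn3|freebl3|nspr4)\.so.* \(deleted\)$'
}

# stale_nss_processes: print "PID command line" for every process that still
# maps a replaced NSS/NSPR library, i.e. has not been restarted yet.
stale_nss_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/} pid=${pid%/maps}
        if maps_has_stale_nss 2>/dev/null < "$maps"; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

main() {
    rc=0
    check_pkg nss 3.15.3 || rc=1
    check_pkg nspr 4.10.2 || rc=1
    stale=$(stale_nss_processes)
    if [ -n "$stale" ]; then
        echo "Processes still mapping a replaced NSS/NSPR library (restart them):"
        echo "$stale"
        rc=1
    else
        echo "No running process maps a replaced NSS/NSPR library."
    fi
    return $rc
}

# Run the checks only when executed as a script named check_nss_update.sh,
# so the functions can also be sourced and exercised individually.
case $0 in *check_nss_update.sh) main "$@" ;; esac
```

Save it as check_nss_update.sh and run it as root on each RHEL 5 host after the update; a non-zero exit status means either a package is still below the advisory's version or a process still needs a restart. The version comparison is meaningful here because the advisory rebases both packages to new upstream releases; for errata that backport fixes without changing the upstream version, compare the full package NVR from the erratum instead.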
Original Source

Url : https://rhn.redhat.com/errata/RHSA-2013-1791.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
40 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
20 % | CWE-264 | Permissions, Privileges, and Access Controls |
20 % | CWE-203 | Information Exposure Through Discrepancy |
20 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18127 | |||
Oval ID: | oval:org.mitre.oval:def:18127 | ||
Title: | USN-1763-1 -- nss vulnerability | ||
Description: | NSS could be made to expose sensitive information over the network. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1763-1 CVE-2013-1620 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 | Product(s): | nss |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19140 | |||
Oval ID: | oval:org.mitre.oval:def:19140 | ||
Title: | DSA-2800-1 nss - buffer overflow | ||
Description: | Andrew Tinits reported a potentially exploitable buffer overflow in the Mozilla Network Security Service library (nss). With a specially crafted request a remote attacker could cause a denial of service or possibly execute arbitrary code. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2800-1 CVE-2013-5605 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | nss |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19254 | |||
Oval ID: | oval:org.mitre.oval:def:19254 | ||
Title: | Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. | ||
Description: | Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-1739 | Version: | 15 |
Platform(s): | Microsoft Windows 7 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows XP Microsoft Windows 2000 Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Thunderbird Mozilla SeaMonkey |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19393 | |||
Oval ID: | oval:org.mitre.oval:def:19393 | ||
Title: | CERT_VerifyCert can SECSuccess for bad certificates | ||
Description: | The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-5606 | Version: | 7 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Thunderbird Mozilla Seamonkey |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19523 | |||
Oval ID: | oval:org.mitre.oval:def:19523 | ||
Title: | DSA-2790-1 nss - uninitialised memory read | ||
Description: | A flaw was found in the way the Mozilla Network Security Service library (nss) read uninitialised data when there was a decryption failure. A remote attacker could use this flaw to cause a denial of service (application crash) for applications linked with the nss library. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2790-1 CVE-2013-1739 | Version: | 5 |
Platform(s): | Debian GNU/Linux 7 Debian GNU/kFreeBSD 7 | Product(s): | nss |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19530 | |||
Oval ID: | oval:org.mitre.oval:def:19530 | ||
Title: | Integer truncation in certificate parsing | ||
Description: | Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-1741 | Version: | 7 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Thunderbird Mozilla Seamonkey |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19731 | |||
Oval ID: | oval:org.mitre.oval:def:19731 | ||
Title: | Null Cipher buffer overflow | ||
Description: | Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-5605 | Version: | 7 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Thunderbird Mozilla Seamonkey |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19770 | |||
Oval ID: | oval:org.mitre.oval:def:19770 | ||
Title: | USN-2030-1 -- nss vulnerabilities | ||
Description: | Several security issues were fixed in NSS. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2030-1 CVE-2013-1739 CVE-2013-1741 CVE-2013-5605 CVE-2013-5606 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | nss |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19778 | |||
Oval ID: | oval:org.mitre.oval:def:19778 | ||
Title: | Avoid unsigned integer wrapping in PL_ArenaAllocate | ||
Description: | Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-5607 | Version: | 7 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Mozilla Firefox Mozilla Seamonkey |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19893 | |||
Oval ID: | oval:org.mitre.oval:def:19893 | ||
Title: | USN-2032-1 -- thunderbird vulnerabilities | ||
Description: | Several security issues were fixed in Thunderbird. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2032-1 CVE-2013-1741 CVE-2013-2566 CVE-2013-5605 CVE-2013-5607 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 | Product(s): | thunderbird |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:19958 | |||
Oval ID: | oval:org.mitre.oval:def:19958 | ||
Title: | USN-2031-1 -- firefox vulnerabilities | ||
Description: | Several security issues were fixed in Firefox. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2031-1 CVE-2013-1741 CVE-2013-2566 CVE-2013-5605 CVE-2013-5607 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 | Product(s): | firefox |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:20606 | |||
Oval ID: | oval:org.mitre.oval:def:20606 | ||
Title: | RHSA-2013:1829: nss, nspr, and nss-util security update (Important) | ||
Description: | Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1829-00 CESA-2013:1829 CVE-2013-1739 CVE-2013-1741 CVE-2013-5605 CVE-2013-5606 CVE-2013-5607 | Version: | 75 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | nspr nss nss-util |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21069 | |||
Oval ID: | oval:org.mitre.oval:def:21069 | ||
Title: | DSA-2820-1 nspr - integer overflow | ||
Description: | It was discovered that NSPR, Netscape Portable Runtime library, could crash an application using the library when parsing a certificate that causes an integer overflow. This flaw only affects 64-bit systems. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2820-1 CVE-2013-5607 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | nspr |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21084 | |||
Oval ID: | oval:org.mitre.oval:def:21084 | ||
Title: | RHSA-2013:1135: nss and nspr security, bug fix, and enhancement update (Moderate) | ||
Description: | The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1135-00 CESA-2013:1135 CVE-2013-0791 CVE-2013-1620 | Version: | 31 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | nspr nss |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21104 | |||
Oval ID: | oval:org.mitre.oval:def:21104 | ||
Title: | RHSA-2013:1791: nss and nspr security, bug fix, and enhancement update (Important) | ||
Description: | Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1791-00 CESA-2013:1791 CVE-2013-1739 CVE-2013-1741 CVE-2013-5605 CVE-2013-5606 CVE-2013-5607 | Version: | 73 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | nspr nss |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21177 | |||
Oval ID: | oval:org.mitre.oval:def:21177 | ||
Title: | RHSA-2013:1144: nss, nss-util, nss-softokn, and nspr security update (Moderate) | ||
Description: | The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1144-00 CESA-2013:1144 CVE-2013-0791 CVE-2013-1620 | Version: | 31 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | nspr nss nss-softokn nss-util |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22452 | |||
Oval ID: | oval:org.mitre.oval:def:22452 | ||
Title: | USN-2087-1 -- nspr vulnerability | ||
Description: | NSPR could be made to crash or run programs if it received a specially crafted certificate. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2087-1 CVE-2013-5607 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | nspr |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22788 | |||
Oval ID: | oval:org.mitre.oval:def:22788 | ||
Title: | ELSA-2013:1135: nss and nspr security, bug fix, and enhancement update (Moderate) | ||
Description: | The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1135-00 CVE-2013-0791 CVE-2013-1620 | Version: | 13 |
Platform(s): | Oracle Linux 5 | Product(s): | nspr nss |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23177 | |||
Oval ID: | oval:org.mitre.oval:def:23177 | ||
Title: | ELSA-2013:1791: nss and nspr security, bug fix, and enhancement update (Important) | ||
Description: | Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1791-00 CVE-2013-1739 CVE-2013-1741 CVE-2013-5605 CVE-2013-5606 CVE-2013-5607 | Version: | 25 |
Platform(s): | Oracle Linux 5 | Product(s): | nspr nss |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24119 | |||
Oval ID: | oval:org.mitre.oval:def:24119 | ||
Title: | ELSA-2013:1144: nss, nss-util, nss-softokn, and nspr security update (Moderate) | ||
Description: | The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1144-00 CVE-2013-0791 CVE-2013-1620 | Version: | 13 |
Platform(s): | Oracle Linux 6 | Product(s): | nspr nss nss-softokn nss-util |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24183 | |||
Oval ID: | oval:org.mitre.oval:def:24183 | ||
Title: | ELSA-2013:1829: nss, nspr, and nss-util security update (Important) | ||
Description: | Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1829-00 CVE-2013-1739 CVE-2013-1741 CVE-2013-5605 CVE-2013-5606 CVE-2013-5607 | Version: | 25 |
Platform(s): | Oracle Linux 6 | Product(s): | nspr nss nss-util |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27219 | |||
Oval ID: | oval:org.mitre.oval:def:27219 | ||
Title: | DEPRECATED: ELSA-2013-1829 -- nss, nspr, and nss-util security update (important) | ||
Description: | nspr [4.10.0-2] - Rebase to nspr-4.10.2 - Resolves: rhbz#1032485 - CVE-2013-5607 (MFSA 2013-103) Avoid unsigned integer wrapping in PL_ArenaAllocate (MFSA 2013-103) nss [3.15.3-2.0.1] - Added nss-vendor.patch to change vendor [3.15.3-2] - Enable patch with fix for deadlock in trust domain lock and object lock - Resolves: Bug 1036477 - deadlock in trust domain lock and object lock - Disable hw gcm on rhel-5 based build environments where OS lacks support - Rollback changes to build nss without softokn until Bug 689919 is approved - Cipher suite was run as part of the nss-softokn build [3.15.3-1] - Update to NSS_3_15_3_RTM - Resolves: Bug 1032470 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss-util [3.15.3-1] - Update to NSS_3_15_3_RTM - Resolves: rhbz#1032470 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-1829 CVE-2013-1739 CVE-2013-1741 CVE-2013-5605 CVE-2013-5606 CVE-2013-5607 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | nspr nss nss-util |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27269 | |||
Oval ID: | oval:org.mitre.oval:def:27269 | ||
Title: | DEPRECATED: ELSA-2013-1144 -- nss, nss-util, nss-softokn, and nspr security update (moderate) | ||
Description: | It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-1144 CVE-2013-0791 CVE-2013-1620 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | nspr nss nss-softokn nss-util |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27325 | |||
Oval ID: | oval:org.mitre.oval:def:27325 | ||
Title: | DEPRECATED: ELSA-2013-1791 -- nss and nspr security, bug fix, and enhancement update (important) | ||
Description: | nspr [4.10.2-2] - Fix changelog comments - Resolves: rhbz#1032466 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws [rhel-5.10] | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-1791 CVE-2013-1739 CVE-2013-1741 CVE-2013-5605 CVE-2013-5606 CVE-2013-5607 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | nspr nss |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27513 | |||
Oval ID: | oval:org.mitre.oval:def:27513 | ||
Title: | DEPRECATED: ELSA-2013-1135 -- nss and nspr security, bug fix, and enhancement update (moderate) | ||
Description: | nspr [4.9.2-4] - Resolves: rhbz#924741 - Rebase to nspr-4.9.5 nss [3.14.3-6] - Resolves: rhbz#986969 - nssutil_ReadSecmodDB() leaks memory [3.14.3-5] - Define -DNO_FORK_CHECK when compiling softoken for ABI compatibility - Remove the unused and obsolete nss-nochktest.patch - Resolves: rhbz#949845 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue [3.14.3-4] - Fix rpmdiff test reported failures and remove other unwanted changes - Resolves: rhbz#949845 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue [3.14.3-3] - Update to NSS_3_14_3_RTM - Rework the rebase to preserve needed idiosyncrasies - Ensure we install freebl/softoken from the extra build tree - Don't include freebl static library or its private headers - Add patch to deal with system sqlite not being recent enough - Don't install nss-sysinit nor sharedb - Resolves: rhbz#949845 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue [3.14.3-2] - Restore the freebl-softoken source tar ball updated to 3.14.3 - Renumbering of some sources for clarity - Resolves: rhbz#918870 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue [3.14.3-1] - Update to NSS_3_14_3_RTM - Resolves: rhbz#918870 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-1135 CVE-2013-0791 CVE-2013-1620 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | nspr nss |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2014-04-17 | IAVM : 2014-A-0055 - Multiple Vulnerabilities in Oracle Fusion Middleware Severity : Category I - VMSKEY : V0049585 |
2014-01-16 | IAVM : 2014-A-0009 - Multiple Vulnerabilities in Oracle Fusion Middleware Severity : Category I - VMSKEY : V0043395 |
2013-11-21 | IAVM : 2013-A-0220 - Multiple Vulnerabilities in Mozilla Products Severity : Category I - VMSKEY : V0042380 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-06-22 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2016-0066.nasl - Type : ACT_GATHER_INFO |
2016-06-22 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2016-0065.nasl - Type : ACT_GATHER_INFO |
2016-03-04 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_esx_VMSA-2013-0015_remote.nasl - Type : ACT_GATHER_INFO |
2015-04-08 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201504-01.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-23.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_nss_20140809.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0014.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2014-0015.nasl - Type : ACT_GATHER_INFO |
2014-11-26 | Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0023.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-1181.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1840.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1841.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-0041.nasl - Type : ACT_GATHER_INFO |
2014-10-31 | Name : The remote host is affected by multiple vulnerabilities. File : oracle_opensso_agent_cpu_oct_2014.nasl - Type : ACT_GATHER_INFO |
2014-10-10 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL15630.nasl - Type : ACT_GATHER_INFO |
2014-08-01 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2994.nasl - Type : ACT_GATHER_INFO |
2014-07-31 | Name : The remote host is running software with multiple vulnerabilities. File : oracle_traffic_director_july_2014_cpu.nasl - Type : ACT_GATHER_INFO |
2014-07-18 | Name : The remote web server is affected by multiple vulnerabilities. File : sun_java_web_server_7_0_20.nasl - Type : ACT_GATHER_INFO |
2014-07-18 | Name : A web proxy server on the remote host is affected by multiple vulnerabilities. File : iplanet_web_proxy_4_0_24.nasl - Type : ACT_GATHER_INFO |
2014-07-18 | Name : The remote web server is affected by multiple vulnerabilities. File : glassfish_cpu_jul_2014.nasl - Type : ACT_GATHER_INFO |
2014-06-23 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201406-19.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-878.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-749.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-309.nasl - Type : ACT_GATHER_INFO |
2014-01-24 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2087-1.nasl - Type : ACT_GATHER_INFO |
2013-12-23 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2013-23479.nasl - Type : ACT_GATHER_INFO |
2013-12-23 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-266.nasl - Type : ACT_GATHER_INFO |
2013-12-23 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-265.nasl - Type : ACT_GATHER_INFO |
2013-12-18 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2820.nasl - Type : ACT_GATHER_INFO |
2013-12-16 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2013-23301.nasl - Type : ACT_GATHER_INFO |
2013-12-14 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131212_nss__nspr__and_nss_util_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2013-12-14 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2013-22756.nasl - Type : ACT_GATHER_INFO |
2013-12-13 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1829.nasl - Type : ACT_GATHER_INFO |
2013-12-13 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1829.nasl - Type : ACT_GATHER_INFO |
2013-12-13 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1829.nasl - Type : ACT_GATHER_INFO |
2013-12-13 | Name : The remote Fedora host is missing a security update. File : fedora_2013-23139.nasl - Type : ACT_GATHER_INFO |
2013-12-11 | Name : The remote Fedora host is missing a security update. File : fedora_2013-23159.nasl - Type : ACT_GATHER_INFO |
2013-12-10 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131205_nss_and_nspr_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-12-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1791.nasl - Type : ACT_GATHER_INFO |
2013-12-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1791.nasl - Type : ACT_GATHER_INFO |
2013-12-06 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1791.nasl - Type : ACT_GATHER_INFO |
2013-12-06 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2013-0015.nasl - Type : ACT_GATHER_INFO |
2013-12-03 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_nss-201311-131121.nasl - Type : ACT_GATHER_INFO |
2013-11-26 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2800.nasl - Type : ACT_GATHER_INFO |
2013-11-22 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_24_1_1.nasl - Type : ACT_GATHER_INFO |
2013-11-22 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2032-1.nasl - Type : ACT_GATHER_INFO |
2013-11-22 | Name : The remote Mac OS X host contains a mail client that is potentially affected ... File : macosx_thunderbird_17_0_11_esr.nasl - Type : ACT_GATHER_INFO |
2013-11-22 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_17011_esr.nasl - Type : ACT_GATHER_INFO |
2013-11-22 | Name : The remote Mac OS X host contains a mail client that is potentially affected ... File : macosx_thunderbird_24_1_1.nasl - Type : ACT_GATHER_INFO |
2013-11-21 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2031-1.nasl - Type : ACT_GATHER_INFO |
2013-11-21 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-270.nasl - Type : ACT_GATHER_INFO |
2013-11-19 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2030-1.nasl - Type : ACT_GATHER_INFO |
2013-11-18 | Name : The remote Mac OS X host contains a web browser that is potentially affected ... File : macosx_firefox_25_0_1.nasl - Type : ACT_GATHER_INFO |
2013-11-18 | Name : The remote Windows host contains a web browser that is potentially affected b... File : seamonkey_2221.nasl - Type : ACT_GATHER_INFO |
2013-11-18 | Name : The remote Mac OS X host contains a web browser that is potentially affected ... File : macosx_firefox_17_0_11_esr.nasl - Type : ACT_GATHER_INFO |
2013-11-18 | Name : The remote Mac OS X host contains a web browser that is potentially affected ... File : macosx_firefox_24_1_1_esr.nasl - Type : ACT_GATHER_INFO |
2013-11-18 | Name : The remote Windows host contains a web browser that is potentially affected b... File : mozilla_firefox_2501.nasl - Type : ACT_GATHER_INFO |
2013-11-18 | Name : The remote Windows host contains a web browser that is potentially affected b... File : mozilla_firefox_17011_esr.nasl - Type : ACT_GATHER_INFO |
2013-11-18 | Name : The remote Windows host contains a web browser that is potentially affected b... File : mozilla_firefox_24_1_1_esr.nasl - Type : ACT_GATHER_INFO |
2013-11-17 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_firefox-201310-131101.nasl - Type : ACT_GATHER_INFO |
2013-11-17 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_firefox-201310-131108.nasl - Type : ACT_GATHER_INFO |
2013-11-17 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_firefox-201310-131109.nasl - Type : ACT_GATHER_INFO |
2013-11-17 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_mozilla-nss-201310-131029.nasl - Type : ACT_GATHER_INFO |
2013-11-17 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_mozilla-nss-201310-131030.nasl - Type : ACT_GATHER_INFO |
2013-11-04 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2790.nasl - Type : ACT_GATHER_INFO |
2013-11-01 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2010-1.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Windows host contains a web browser that is potentially affected b... File : mozilla_firefox_25.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_81f866ad41a411e3a4af0025905a4771.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Mac OS X host contains a web browser that is potentially affected ... File : macosx_firefox_25.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Mac OS X host contains a web browser that is potentially affected ... File : macosx_firefox_24_1_esr.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Mac OS X host contains a web browser that is potentially affected ... File : macosx_firefox_17_0_10_esr.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Mac OS X host contains a mail client that is potentially affected ... File : macosx_thunderbird_17_0_10_esr.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Mac OS X host contains a mail client that is potentially affected ... File : macosx_thunderbird_24_1.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Windows host contains a web browser that is potentially affected b... File : seamonkey_222.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Windows host contains a web browser that is potentially affected b... File : mozilla_firefox_17010_esr.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_24_1.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Windows host contains a mail client that is potentially affected b... File : mozilla_thunderbird_17010_esr.nasl - Type : ACT_GATHER_INFO |
2013-10-31 | Name : The remote Windows host contains a web browser that is potentially affected b... File : mozilla_firefox_24_1_esr.nasl - Type : ACT_GATHER_INFO |
2013-10-30 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2009-1.nasl - Type : ACT_GATHER_INFO |
2013-10-24 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-257.nasl - Type : ACT_GATHER_INFO |
2013-10-01 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-217.nasl - Type : ACT_GATHER_INFO |
2013-10-01 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-216.nasl - Type : ACT_GATHER_INFO |
2013-08-09 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130807_nss__nss_util__nss_softokn__and_nspr_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2013-08-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1144.nasl - Type : ACT_GATHER_INFO |
2013-08-08 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1144.nasl - Type : ACT_GATHER_INFO |
2013-08-08 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1144.nasl - Type : ACT_GATHER_INFO |
2013-08-06 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130805_nss_and_nspr_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-08-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1135.nasl - Type : ACT_GATHER_INFO |
2013-08-06 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1135.nasl - Type : ACT_GATHER_INFO |
2013-08-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1135.nasl - Type : ACT_GATHER_INFO |
2013-04-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-050.nasl - Type : ACT_GATHER_INFO |
2013-03-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1763-1.nasl - Type : ACT_GATHER_INFO |
2013-03-14 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2013-3079.nasl - Type : ACT_GATHER_INFO |
2013-03-01 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2013-2929.nasl - Type : ACT_GATHER_INFO |
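The plugins listed above let a scanner flag hosts that have not received this update. A local spot check on a RHEL 5 host, added here as an example and not taken from this page, Nessus or Red Hat, is to confirm that the installed nss and nspr packages carry the fixes by looking for the advisory's CVE IDs in the RPM changelog. It assumes that the changelog of the patched package mentions those IDs (Red Hat's security builds normally do); the two changelog samples, the `missing_cves` and `check_package` function names and the builder address are constructed for the example. A miss means "not proven fixed", so confirm against the package versions in the advisory before closing the finding.

```shell
#!/bin/sh
# Report which of the given CVE IDs are absent from a changelog text.
# Usage: missing_cves "<changelog text>" CVE-YYYY-NNNN ...
# Prints the missing IDs (space separated) and returns 0 when every ID
# is present, 1 when at least one is missing.
missing_cves() {
    changelog=$1
    shift
    missing=""
    for cve in "$@"; do
        # Fixed-string match so dots in the ID are not treated as wildcards.
        if ! printf '%s\n' "$changelog" | grep -qF -- "$cve"; then
            missing="$missing $cve"
        fi
    done
    missing=${missing# }
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Live check: pull the installed package's changelog via rpm and test it.
# Returns 2 when the package is not installed at all.
check_package() {
    pkg=$1
    shift
    log=$(rpm -q --changelog "$pkg" 2>/dev/null) || {
        printf '%s: not installed\n' "$pkg"
        return 2
    }
    missing_cves "$log" "$@"
}

# The CVE IDs that RHSA-2013:1791 addresses in nss and nspr.
RHSA_2013_1791_CVES="CVE-2013-5605 CVE-2013-1739 CVE-2013-1741 CVE-2013-5607"

# Constructed changelog excerpts (not real package data) used to exercise
# the check offline: one from a build that names the fixes, one from an
# older build that only references the earlier CVE-2013-1620 fix.
SAMPLE_FIXED="* Thu Nov 21 2013 Builder <builder@example.com> - 3.15.3-3
- Resolves: CVE-2013-5605 CVE-2013-1739 CVE-2013-1741 CVE-2013-5607"
SAMPLE_OLD="* Mon Aug 05 2013 Builder <builder@example.com> - 3.14.3-4
- Resolves: CVE-2013-1620"

# Offline demonstration: the old build is reported as missing two IDs.
missing_cves "$SAMPLE_OLD" CVE-2013-5605 CVE-2013-1739 CVE-2013-1620 || true

# On a real RHEL 5 host, check the installed packages for the advisory's IDs.
if command -v rpm >/dev/null 2>&1; then
    for p in nss nspr; do
        # shellcheck disable=SC2086
        check_package "$p" $RHSA_2013_1791_CVES || true
    done
fi
```

Run it as root or any user that can read the RPM database; a clean result prints nothing for the live check, and any printed IDs are the ones the installed changelog does not mention.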
Alert History
Date | Informations |
---|---|
2016-01-22 09:26:27 | |
2014-02-17 11:57:40 | |
2013-12-05 21:18:38 | |