Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title nss, nspr, and nss-util security update
Informations
Name RHSA-2013:1829 First vendor Publication 2013-12-12
Vendor RedHat Last vendor Modification 2013-12-12
Severity (Vendor) Important Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated nss, nspr, and nss-util packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605)

It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739)

An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607)

It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606)

Red Hat would like to thank the Mozilla project for reporting CVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges Tavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as the original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and Wan-Teh Chang as the original reporters of CVE-2013-5607.

All NSS, NSPR, and nss-util users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, applications using NSS, NSPR, or nss-util must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1012740 - CVE-2013-1739 nss: Avoid uninitialized data read in the event of a decryption failure 1030807 - CVE-2013-5605 nss: Null_Cipher() does not respect maxOutputLen (MFSA 2013-103) 1031457 - CVE-2013-5606 nss: CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates (MFSA 2013-103) 1031458 - CVE-2013-1741 nss: Integer truncation in certificate parsing (MFSA 2013-103) 1031461 - CVE-2013-5607 nspr: Avoid unsigned integer wrapping in PL_ArenaAllocate (MFSA 2013-103)

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2013-1829.html

CWE : Common Weakness Enumeration

% Id Name
40 % CWE-189 Numeric Errors (CWE/SANS Top 25)
20 % CWE-264 Permissions, Privileges, and Access Controls
20 % CWE-203 Information Exposure Through Discrepancy
20 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18127
 
Oval ID: oval:org.mitre.oval:def:18127
Title: USN-1763-1 -- nss vulnerability
Description: NSS could be made to expose sensitive information over the network.
Family: unix Class: patch
Reference(s): USN-1763-1
CVE-2013-1620
Version: 7
Platform(s): Ubuntu 12.10
Ubuntu 12.04
Ubuntu 11.10
Ubuntu 10.04
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19140
 
Oval ID: oval:org.mitre.oval:def:19140
Title: DSA-2800-1 nss - buffer overflow
Description: Andrew Tinits reported a potentially exploitable buffer overflow in the Mozilla Network Security Service library (nss). With a specially crafted request a remote attacker could cause a denial of service or possibly execute arbitrary code.
Family: unix Class: patch
Reference(s): DSA-2800-1
CVE-2013-5605
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19254
 
Oval ID: oval:org.mitre.oval:def:19254
Title: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.
Description: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1739
Version: 15
Platform(s): Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla SeaMonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19393
 
Oval ID: oval:org.mitre.oval:def:19393
Title: CERT_VerifyCert can SECSuccess for bad certificates
Description: The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate.
Family: windows Class: vulnerability
Reference(s): CVE-2013-5606
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19523
 
Oval ID: oval:org.mitre.oval:def:19523
Title: DSA-2790-1 nss - uninitialised memory read
Description: A flaw was found in the way the Mozilla Network Security Service library (nss) read uninitialised data when there was a decryption failure. A remote attacker could use this flaw to cause a denial of service (application crash) for applications linked with the nss library.
Family: unix Class: patch
Reference(s): DSA-2790-1
CVE-2013-1739
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19530
 
Oval ID: oval:org.mitre.oval:def:19530
Title: Integer truncation in certificate parsing
Description: Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.
Family: windows Class: vulnerability
Reference(s): CVE-2013-1741
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19731
 
Oval ID: oval:org.mitre.oval:def:19731
Title: Null Cipher buffer overflow
Description: Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets.
Family: windows Class: vulnerability
Reference(s): CVE-2013-5605
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Mozilla Firefox
Mozilla Thunderbird
Mozilla Seamonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19770
 
Oval ID: oval:org.mitre.oval:def:19770
Title: USN-2030-1 -- nss vulnerabilities
Description: Several security issues were fixed in NSS.
Family: unix Class: patch
Reference(s): USN-2030-1
CVE-2013-1739
CVE-2013-1741
CVE-2013-5605
CVE-2013-5606
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19778
 
Oval ID: oval:org.mitre.oval:def:19778
Title: Avoid unsigned integer wrapping in PL_ArenaAllocate
Description: Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741.
Family: windows Class: vulnerability
Reference(s): CVE-2013-5607
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Mozilla Firefox
Mozilla Seamonkey
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19893
 
Oval ID: oval:org.mitre.oval:def:19893
Title: USN-2032-1 -- thunderbird vulnerabilities
Description: Several security issues were fixed in Thunderbird.
Family: unix Class: patch
Reference(s): USN-2032-1
CVE-2013-1741
CVE-2013-2566
CVE-2013-5605
CVE-2013-5607
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Product(s): thunderbird
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19958
 
Oval ID: oval:org.mitre.oval:def:19958
Title: USN-2031-1 -- firefox vulnerabilities
Description: Several security issues were fixed in Firefox.
Family: unix Class: patch
Reference(s): USN-2031-1
CVE-2013-1741
CVE-2013-2566
CVE-2013-5605
CVE-2013-5607
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Product(s): firefox
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20606
 
Oval ID: oval:org.mitre.oval:def:20606
Title: RHSA-2013:1829: nss, nspr, and nss-util security update (Important)
Description: Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741.
Family: unix Class: patch
Reference(s): RHSA-2013:1829-00
CESA-2013:1829
CVE-2013-1739
CVE-2013-1741
CVE-2013-5605
CVE-2013-5606
CVE-2013-5607
Version: 75
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): nspr
nss
nss-util
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21069
 
Oval ID: oval:org.mitre.oval:def:21069
Title: DSA-2820-1 nspr - integer overflow
Description: It was discovered that NSPR, Netscape Portable Runtime library, could crash an application using the library when parsing a certificate that causes an integer overflow. This flaw only affects 64-bit systems.
Family: unix Class: patch
Reference(s): DSA-2820-1
CVE-2013-5607
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): nspr
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21084
 
Oval ID: oval:org.mitre.oval:def:21084
Title: RHSA-2013:1135: nss and nspr security, bug fix, and enhancement update (Moderate)
Description: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Family: unix Class: patch
Reference(s): RHSA-2013:1135-00
CESA-2013:1135
CVE-2013-0791
CVE-2013-1620
Version: 31
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): nspr
nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21104
 
Oval ID: oval:org.mitre.oval:def:21104
Title: RHSA-2013:1791: nss and nspr security, bug fix, and enhancement update (Important)
Description: Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741.
Family: unix Class: patch
Reference(s): RHSA-2013:1791-00
CESA-2013:1791
CVE-2013-1739
CVE-2013-1741
CVE-2013-5605
CVE-2013-5606
CVE-2013-5607
Version: 73
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): nspr
nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21177
 
Oval ID: oval:org.mitre.oval:def:21177
Title: RHSA-2013:1144: nss, nss-util, nss-softokn, and nspr security update (Moderate)
Description: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Family: unix Class: patch
Reference(s): RHSA-2013:1144-00
CESA-2013:1144
CVE-2013-0791
CVE-2013-1620
Version: 31
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): nspr
nss
nss-softokn
nss-util
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22452
 
Oval ID: oval:org.mitre.oval:def:22452
Title: USN-2087-1 -- nspr vulnerability
Description: NSPR could be made to crash or run programs if it received a specially crafted certificate.
Family: unix Class: patch
Reference(s): USN-2087-1
CVE-2013-5607
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): nspr
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22788
 
Oval ID: oval:org.mitre.oval:def:22788
Title: ELSA-2013:1135: nss and nspr security, bug fix, and enhancement update (Moderate)
Description: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Family: unix Class: patch
Reference(s): ELSA-2013:1135-00
CVE-2013-0791
CVE-2013-1620
Version: 13
Platform(s): Oracle Linux 5
Product(s): nspr
nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23177
 
Oval ID: oval:org.mitre.oval:def:23177
Title: ELSA-2013:1791: nss and nspr security, bug fix, and enhancement update (Important)
Description: Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741.
Family: unix Class: patch
Reference(s): ELSA-2013:1791-00
CVE-2013-1739
CVE-2013-1741
CVE-2013-5605
CVE-2013-5606
CVE-2013-5607
Version: 25
Platform(s): Oracle Linux 5
Product(s): nspr
nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24119
 
Oval ID: oval:org.mitre.oval:def:24119
Title: ELSA-2013:1144: nss, nss-util, nss-softokn, and nspr security update (Moderate)
Description: The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Family: unix Class: patch
Reference(s): ELSA-2013:1144-00
CVE-2013-0791
CVE-2013-1620
Version: 13
Platform(s): Oracle Linux 6
Product(s): nspr
nss
nss-softokn
nss-util
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24183
 
Oval ID: oval:org.mitre.oval:def:24183
Title: ELSA-2013:1829: nss, nspr, and nss-util security update (Important)
Description: Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741.
Family: unix Class: patch
Reference(s): ELSA-2013:1829-00
CVE-2013-1739
CVE-2013-1741
CVE-2013-5605
CVE-2013-5606
CVE-2013-5607
Version: 25
Platform(s): Oracle Linux 6
Product(s): nspr
nss
nss-util
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25625
 
Oval ID: oval:org.mitre.oval:def:25625
Title: SUSE-SU-2013:1807-1 -- Security update for mozilla-nspr, mozilla-nss
Description: Mozilla NSPR and NSS were updated to fix various security bugs that could be used to crash the browser or potentially execute code.
Family: unix Class: patch
Reference(s): SUSE-SU-2013:1807-1
CVE-2013-5607
CVE-2013-1741
CVE-2013-5605
CVE-2013-5606
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Desktop 11
Product(s): mozilla-nspr
mozilla-nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27219
 
Oval ID: oval:org.mitre.oval:def:27219
Title: DEPRECATED: ELSA-2013-1829 -- nss, nspr, and nss-util security update (important)
Description: nspr [4.10.0-2] - Rebase to nspr-4.10.2 - Resolves: rhbz#1032485 - CVE-2013-5607 (MFSA 2013-103) Avoid unsigned integer wrapping in PL_ArenaAllocate (MFSA 2013-103) nss [3.15.3-2.0.1] - Added nss-vendor.patch to change vendor [3.15.3-2] - Enable patch with fix for deadlock in trust domain lock and object lock - Resolves: Bug 1036477 - deadlock in trust domain lock and object lock - Disable hw gcm on rhel-5 based build environments where OS lacks support - Rollback changes to build nss without softokn until Bug 689919 is approved - Cipher suite was run as part of the nss-softokn build [3.15.3-1] - Update to NSS_3_15_3_RTM - Resolves: Bug 1032470 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss-util [3.15.3-1] - Update to NSS_3_15_3_RTM - Resolves: rhbz#1032470 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741
Family: unix Class: patch
Reference(s): ELSA-2013-1829
CVE-2013-1739
CVE-2013-1741
CVE-2013-5605
CVE-2013-5606
CVE-2013-5607
Version: 4
Platform(s): Oracle Linux 6
Product(s): nspr
nss
nss-util
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27269
 
Oval ID: oval:org.mitre.oval:def:27269
Title: DEPRECATED: ELSA-2013-1144 -- nss, nss-util, nss-softokn, and nspr security update (moderate)
Description: It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)
Family: unix Class: patch
Reference(s): ELSA-2013-1144
CVE-2013-0791
CVE-2013-1620
Version: 4
Platform(s): Oracle Linux 6
Product(s): nspr
nss
nss-softokn
nss-util
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27325
 
Oval ID: oval:org.mitre.oval:def:27325
Title: DEPRECATED: ELSA-2013-1791 -- nss and nspr security, bug fix, and enhancement update (important)
Description: nspr [4.10.2-2] - Fix changelog comments - Resolves: rhbz#1032466 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws [rhel-5.10]
Family: unix Class: patch
Reference(s): ELSA-2013-1791
CVE-2013-1739
CVE-2013-1741
CVE-2013-5605
CVE-2013-5606
CVE-2013-5607
Version: 4
Platform(s): Oracle Linux 5
Product(s): nspr
nss
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27513
 
Oval ID: oval:org.mitre.oval:def:27513
Title: DEPRECATED: ELSA-2013-1135 -- nss and nspr security, bug fix, and enhancement update (moderate)
Description: nspr [4.9.2-4] - Resolves: rhbz#924741 - Rebase to nspr-4.9.5 nss [3.14.3-6] - Resolves: rhbz#986969 - nssutil_ReadSecmodDB() leaks memory [3.14.3-5] - Define -DNO_FORK_CHECK when compiling softoken for ABI compatibility - Remove the unused and obsolete nss-nochktest.patch - Resolves: rhbz#949845 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue [3.14.3-4] - Fix rpmdiff test reported failures and remove other unwanted changes - Resolves: rhbz#949845 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue [3.14.3-3] - Update to NSS_3_14_3_RTM - Rework the rebase to preserve needed idiosynchracies - Ensure we install frebl/softoken from the extra build tree - Don't include freebl static library or its private headers - Add patch to deal with system sqlite not being recent enough - Don't install nss-sysinit nor sharedb - Resolves: rhbz#949845 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue [3.14.3-2] - Restore the freebl-softoken source tar ball updated to 3.14.3 - Renumbering of some sources for clarity - Resolves: rhbz#918870 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue [3.14.3-1] - Update to NSS_3_14_3_RTM - Resolves: rhbz#918870 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue
Family: unix Class: patch
Reference(s): ELSA-2013-1135
CVE-2013-0791
CVE-2013-1620
Version: 4
Platform(s): Oracle Linux 5
Product(s): nspr
nss
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 351
Application 14
Application 41
Application 66
Application 203
Application 3
Application 1
Application 1
Application 1
Application 2
Application 1
Application 2
Application 1
Os 4
Os 2
Os 1
Os 2
Os 1
Os 2

Information Assurance Vulnerability Management (IAVM)

Date Description
2014-04-17 IAVM : 2014-A-0055 - Multiple Vulnerabilities in Oracle Fusion Middleware
Severity : Category I - VMSKEY : V0049585
2014-01-16 IAVM : 2014-A-0009 - Multiple Vulnerabilities in Oracle Fusion Middleware
Severity : Category I - VMSKEY : V0043395
2013-11-21 IAVM : 2013-A-0220 - Multiple Vulnerabilities in Mozilla Products
Severity : Category I - VMSKEY : V0042380

Nessus® Vulnerability Scanner

Date Description
2016-06-22 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2016-0066.nasl - Type : ACT_GATHER_INFO
2016-06-22 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2016-0065.nasl - Type : ACT_GATHER_INFO
2016-03-04 Name : The remote VMware ESX / ESXi host is missing a security-related patch.
File : vmware_esx_VMSA-2013-0015_remote.nasl - Type : ACT_GATHER_INFO
2015-04-08 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201504-01.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-23.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_nss_20140809.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2014-0014.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2014-0015.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2014-0023.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2013-1181.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1840.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1841.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-0041.nasl - Type : ACT_GATHER_INFO
2014-10-31 Name : The remote host is affected by multiple vulnerabilities.
File : oracle_opensso_agent_cpu_oct_2014.nasl - Type : ACT_GATHER_INFO
2014-10-10 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL15630.nasl - Type : ACT_GATHER_INFO
2014-08-01 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2994.nasl - Type : ACT_GATHER_INFO
2014-07-31 Name : The remote host is running software with multiple vulnerabilities.
File : oracle_traffic_director_july_2014_cpu.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : The remote web server is affected by multiple vulnerabilities.
File : sun_java_web_server_7_0_20.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : A web proxy server on the remote host is affected by multiple vulnerabilities.
File : iplanet_web_proxy_4_0_24.nasl - Type : ACT_GATHER_INFO
2014-07-18 Name : The remote web server is affected by multiple vulnerabilities.
File : glassfish_cpu_jul_2014.nasl - Type : ACT_GATHER_INFO
2014-06-23 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201406-19.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-878.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-749.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-309.nasl - Type : ACT_GATHER_INFO
2014-01-24 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2087-1.nasl - Type : ACT_GATHER_INFO
2013-12-23 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2013-23479.nasl - Type : ACT_GATHER_INFO
2013-12-23 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2013-266.nasl - Type : ACT_GATHER_INFO
2013-12-23 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2013-265.nasl - Type : ACT_GATHER_INFO
2013-12-18 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2820.nasl - Type : ACT_GATHER_INFO
2013-12-16 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2013-23301.nasl - Type : ACT_GATHER_INFO
2013-12-14 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20131212_nss__nspr__and_nss_util_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2013-12-14 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2013-22756.nasl - Type : ACT_GATHER_INFO
2013-12-13 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-1829.nasl - Type : ACT_GATHER_INFO
2013-12-13 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1829.nasl - Type : ACT_GATHER_INFO
2013-12-13 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-1829.nasl - Type : ACT_GATHER_INFO
2013-12-13 Name : The remote Fedora host is missing a security update.
File : fedora_2013-23139.nasl - Type : ACT_GATHER_INFO
2013-12-11 Name : The remote Fedora host is missing a security update.
File : fedora_2013-23159.nasl - Type : ACT_GATHER_INFO
2013-12-10 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20131205_nss_and_nspr_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2013-12-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-1791.nasl - Type : ACT_GATHER_INFO
2013-12-06 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1791.nasl - Type : ACT_GATHER_INFO
2013-12-06 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-1791.nasl - Type : ACT_GATHER_INFO
2013-12-06 Name : The remote VMware ESX host is missing one or more security-related patches.
File : vmware_VMSA-2013-0015.nasl - Type : ACT_GATHER_INFO
2013-12-03 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_nss-201311-131121.nasl - Type : ACT_GATHER_INFO
2013-11-26 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2800.nasl - Type : ACT_GATHER_INFO
2013-11-22 Name : The remote Windows host contains a mail client that is potentially affected b...
File : mozilla_thunderbird_24_1_1.nasl - Type : ACT_GATHER_INFO
2013-11-22 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2032-1.nasl - Type : ACT_GATHER_INFO
2013-11-22 Name : The remote Mac OS X host contains a mail client that is potentially affected ...
File : macosx_thunderbird_17_0_11_esr.nasl - Type : ACT_GATHER_INFO
2013-11-22 Name : The remote Windows host contains a mail client that is potentially affected b...
File : mozilla_thunderbird_17011_esr.nasl - Type : ACT_GATHER_INFO
2013-11-22 Name : The remote Mac OS X host contains a mail client that is potentially affected ...
File : macosx_thunderbird_24_1_1.nasl - Type : ACT_GATHER_INFO
2013-11-21 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2031-1.nasl - Type : ACT_GATHER_INFO
2013-11-21 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-270.nasl - Type : ACT_GATHER_INFO
2013-11-19 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2030-1.nasl - Type : ACT_GATHER_INFO
2013-11-18 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_25_0_1.nasl - Type : ACT_GATHER_INFO
2013-11-18 Name : The remote Windows host contains a web browser that is potentially affected b...
File : seamonkey_2221.nasl - Type : ACT_GATHER_INFO
2013-11-18 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_17_0_11_esr.nasl - Type : ACT_GATHER_INFO
2013-11-18 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_24_1_1_esr.nasl - Type : ACT_GATHER_INFO
2013-11-18 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_2501.nasl - Type : ACT_GATHER_INFO
2013-11-18 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_17011_esr.nasl - Type : ACT_GATHER_INFO
2013-11-18 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_24_1_1_esr.nasl - Type : ACT_GATHER_INFO
2013-11-17 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_firefox-201310-131101.nasl - Type : ACT_GATHER_INFO
2013-11-17 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_firefox-201310-131108.nasl - Type : ACT_GATHER_INFO
2013-11-17 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_firefox-201310-131109.nasl - Type : ACT_GATHER_INFO
2013-11-17 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_mozilla-nss-201310-131029.nasl - Type : ACT_GATHER_INFO
2013-11-17 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_mozilla-nss-201310-131030.nasl - Type : ACT_GATHER_INFO
2013-11-04 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2790.nasl - Type : ACT_GATHER_INFO
2013-11-01 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2010-1.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_25.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_81f866ad41a411e3a4af0025905a4771.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_25.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_24_1_esr.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Mac OS X host contains a web browser that is potentially affected ...
File : macosx_firefox_17_0_10_esr.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Mac OS X host contains a mail client that is potentially affected ...
File : macosx_thunderbird_17_0_10_esr.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Mac OS X host contains a mail client that is potentially affected ...
File : macosx_thunderbird_24_1.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Windows host contains a web browser that is potentially affected b...
File : seamonkey_222.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_17010_esr.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Windows host contains a mail client that is potentially affected b...
File : mozilla_thunderbird_24_1.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Windows host contains a mail client that is potentially affected b...
File : mozilla_thunderbird_17010_esr.nasl - Type : ACT_GATHER_INFO
2013-10-31 Name : The remote Windows host contains a web browser that is potentially affected b...
File : mozilla_firefox_24_1_esr.nasl - Type : ACT_GATHER_INFO
2013-10-30 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2009-1.nasl - Type : ACT_GATHER_INFO
2013-10-24 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-257.nasl - Type : ACT_GATHER_INFO
2013-10-01 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2013-217.nasl - Type : ACT_GATHER_INFO
2013-10-01 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2013-216.nasl - Type : ACT_GATHER_INFO
2013-08-09 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20130807_nss__nss_util__nss_softokn__and_nspr_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1144.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-1144.nasl - Type : ACT_GATHER_INFO
2013-08-08 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-1144.nasl - Type : ACT_GATHER_INFO
2013-08-06 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20130805_nss_and_nspr_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2013-08-06 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1135.nasl - Type : ACT_GATHER_INFO
2013-08-06 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-1135.nasl - Type : ACT_GATHER_INFO
2013-08-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-1135.nasl - Type : ACT_GATHER_INFO
2013-04-20 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-050.nasl - Type : ACT_GATHER_INFO
2013-03-15 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1763-1.nasl - Type : ACT_GATHER_INFO
2013-03-14 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2013-3079.nasl - Type : ACT_GATHER_INFO
2013-03-01 Name : The remote Fedora host is missing one or more security updates.
File : fedora_2013-2929.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2016-01-22 09:26:28
  • Multiple Updates
2014-02-17 11:57:43
  • Multiple Updates
2013-12-12 21:18:31
  • First insertion