Advisory Published

RHSA-2009:1190: Critical: nspr and nss security and bug fix update

First published: Fri Jul 31 2009(Updated: )

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI<br>operating system facilities. These facilities include threads, thread<br>synchronization, normal file and network I/O, interval timing, calendar<br>time, basic memory management (malloc and free), and shared library linking.<br>Network Security Services (NSS) is a set of libraries designed to support<br>the cross-platform development of security-enabled client and server<br>applications. Applications built with NSS can support SSLv2, SSLv3, TLS,<br>and other security standards.<br>These updated packages upgrade NSS from the previous version, 3.12.2, to a<br>prerelease of version 3.12.4. The version of NSPR has also been upgraded<br>from 4.7.3 to 4.7.4.<br>Moxie Marlinspike reported a heap overflow flaw in a regular expression<br>parser in the NSS library used by browsers such as Mozilla Firefox to match<br>common names in certificates. A malicious website could present a<br>carefully-crafted certificate in such a way as to trigger the heap<br>overflow, leading to a crash or, possibly, arbitrary code execution with<br>the permissions of the user running the browser. (CVE-2009-2404)<br>Note: in order to exploit this issue without further user interaction in<br>Firefox, the carefully-crafted certificate would need to be signed by a<br>Certificate Authority trusted by Firefox, otherwise Firefox presents the<br>victim with a warning that the certificate is untrusted. Only if the user<br>then accepts the certificate will the overflow take place.<br>Dan Kaminsky discovered flaws in the way browsers such as Firefox handle<br>NULL characters in a certificate. If an attacker is able to get a<br>carefully-crafted certificate signed by a Certificate Authority trusted by<br>Firefox, the attacker could use the certificate during a man-in-the-middle<br>attack and potentially confuse Firefox into accepting it by mistake.<br>(CVE-2009-2408)<br>Dan Kaminsky found that browsers still accept certificates with MD2 hash<br>signatures, even though MD2 is no longer considered a cryptographically<br>strong algorithm. This could make it easier for an attacker to create a<br>malicious certificate that would be treated as trusted by a browser. NSS<br>now disables the use of MD2 and MD4 algorithms inside signatures by<br>default. (CVE-2009-2409)<br>These version upgrades also provide fixes for the following bugs:<br><li> SSL client authentication failed against an Apache server when it was </li> using the mod_nss module and configured for NSSOCSP. On the client side,<br>the user agent received an error message that referenced "Error Code:<br><li>12271" and stated that establishing an encrypted connection had failed</li> because the certificate had been rejected by the host.<br>On the server side, the nss_error_log under /var/log/httpd/ contained the<br>following message:<br>[error] Re-negotiation handshake failed: Not accepted by client!?<br>Also, /var/log/httpd/error_log contained this error:<br>SSL Library Error: -8071 The OCSP server experienced an internal error<br>With these updated packages, the dependency problem which caused this<br>failure has been resolved so that SSL client authentication with an<br>Apache web server using mod_nss which is configured for NSSOCSP succeeds<br>as expected. Note that if the presented client certificate is expired,<br>then access is denied, the user agent is presented with an error message<br>about the invalid certificate, and the OCSP queries are seen in the OCSP<br>responder. Also, similar OCSP status verification happens for SSL server<br>certificates used in Apache upon instance start or restart. (BZ#508026)<br><li> NSS uses a software integrity test to detect code corruption. RPM</li> transactions and system link optimization daemons (such as prelink) can<br>change the contents of libraries, causing the software integrity test to<br>fail. In combination with the updated prelink package (RHBA-2009:1041),<br>these updated packages can now prevent software integrity test failures.<br>(BZ#495938)<br>All users of nspr and nss are advised to upgrade to these updated packages,<br>which resolve these issues.

Affected SoftwareAffected VersionHow to fix
redhat/nspr<4.7.4-1.el4_7.1
4.7.4-1.el4_7.1
redhat/nss<3.12.3.99.3-1.el4_7.6
3.12.3.99.3-1.el4_7.6
redhat/nspr<4.7.4-1.el4_7.1
4.7.4-1.el4_7.1
redhat/nspr-devel<4.7.4-1.el4_7.1
4.7.4-1.el4_7.1
redhat/nss<3.12.3.99.3-1.el4_7.6
3.12.3.99.3-1.el4_7.6
redhat/nss-devel<3.12.3.99.3-1.el4_7.6
3.12.3.99.3-1.el4_7.6
redhat/nspr-devel<4.7.4-1.el4_7.1
4.7.4-1.el4_7.1
redhat/nss-devel<3.12.3.99.3-1.el4_7.6
3.12.3.99.3-1.el4_7.6

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203