- Vulnerability/
- RHSA-2013:1144
RHSA-2013:1144: Moderate: nss, nss-util, nss-softokn, and nspr security update
First published: Wed Aug 07 2013(Updated: )
Network Security Services (NSS) is a set of libraries designed to support<br>the cross-platform development of security-enabled client and server<br>applications. Netscape Portable Runtime (NSPR) provides platform<br>independence for non-GUI operating system facilities. nss-softokn provides<br>an NSS softoken cryptographic module.<br>It was discovered that NSS leaked timing information when decrypting<br>TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites<br>were used. A remote attacker could possibly use this flaw to retrieve plain<br>text from the encrypted packets by using a TLS/SSL or DTLS server as a<br>padding oracle. (CVE-2013-1620)<br>An out-of-bounds memory read flaw was found in the way NSS decoded certain<br>certificates. If an application using NSS decoded a malformed certificate,<br>it could cause the application to crash. (CVE-2013-0791)<br>Red Hat would like to thank the Mozilla project for reporting<br>CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter<br>of CVE-2013-0791.<br>This update also fixes the following bugs:<br><li> The RHBA-2013:0445 update (which upgraded NSS to version 3.14) prevented</li> the use of certificates that have an MD5 signature. This caused problems in<br>certain environments. With this update, certificates that have an MD5<br>signature are once again allowed. To prevent the use of certificates that<br>have an MD5 signature, set the "NSS_HASH_ALG_SUPPORT" environment variable<br>to "-MD5". (BZ#957603)<br><li> Previously, the sechash.h header file was missing, preventing certain</li> source RPMs (such as firefox and xulrunner) from building. (BZ#948715)<br><li> A memory leak in the nssutil_ReadSecmodDB() function has been fixed.</li> (BZ#984967)<br>In addition, the nss package has been upgraded to upstream version 3.14.3,<br>the nss-util package has been upgraded to upstream version 3.14.3, the<br>nss-softokn package has been upgraded to upstream version 3.14.3, and the<br>nspr package has been upgraded to upstream version 4.9.5. These updates<br>provide a number of bug fixes and enhancements over the previous versions.<br>(BZ#927157, BZ#927171, BZ#927158, BZ#927186)<br>Users of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade to<br>these updated packages, which fix these issues and add these enhancements.<br>After installing this update, applications using NSS, NSPR, nss-util, or<br>nss-softokn must be restarted for this update to take effect.<br>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nspr | <4.9.5-2.el6_4 | 4.9.5-2.el6_4 |
| redhat/nss | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-softokn | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-util | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nspr | <4.9.5-2.el6_4 | 4.9.5-2.el6_4 |
| redhat/nspr-debuginfo | <4.9.5-2.el6_4 | 4.9.5-2.el6_4 |
| redhat/nspr-debuginfo | <4.9.5-2.el6_4 | 4.9.5-2.el6_4 |
| redhat/nspr-devel | <4.9.5-2.el6_4 | 4.9.5-2.el6_4 |
| redhat/nspr-devel | <4.9.5-2.el6_4 | 4.9.5-2.el6_4 |
| redhat/nss | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-debuginfo | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-debuginfo | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-devel | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-devel | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-pkcs11-devel | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-pkcs11-devel | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-softokn | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-softokn-debuginfo | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-softokn-debuginfo | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-softokn-devel | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-softokn-devel | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-softokn-freebl | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-softokn-freebl | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-softokn-freebl-devel | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-softokn-freebl-devel | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-sysinit | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-tools | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-util | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-util-debuginfo | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-util-debuginfo | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-util-devel | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-util-devel | <3.14.3-3.el6_4 | 3.14.3-3.el6_4 |
| redhat/nss-sysinit | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
| redhat/nss-tools | <3.14.3-4.el6_4 | 3.14.3-4.el6_4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=908234
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=927157
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=927158
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=927171
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=927186
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=946947
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=984967
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=985955
- https://access.redhat.com/security/updates/classification/#moderate
- https://rhn.redhat.com/errata/RHBA-2013-0445.html
- https://access.redhat.com/errata/RHSA-2013:1144 (Advisory)
- collector/redhat-errata
- anchor-id/RHSA-2013:1144
- agent/severity
- agent/title
- agent/references
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- package-manager/redhat