Package name
nss
Date
2013-11-20
Advisory ID
MDVSA-2013:270
Affected versions
MBS1 x86_64

Problem description

Multiple security issues was identified and fixed in mozilla NSPR
and NSS:

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure
that data structures are initialized before read operations, which
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger a decryption failure
(CVE-2013-1739).

Integer overflow in Mozilla Network Security Services (NSS) 3.15 before
3.15.3 allows remote attackers to cause a denial of service or possibly
have unspecified other impact via a large size value (CVE-2013-1741).

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has
many single-byte biases, which makes it easier for remote attackers
to conduct plaintext-recovery attacks via statistical analysis of
ciphertext in a large number of sessions that use the same plaintext
(CVE-2013-2566).

Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15
before 3.15.3 allows remote attackers to cause a denial of service or
possibly have unspecified other impact via invalid handshake packets
(CVE-2013-5605).

The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla
Network Security Services (NSS) 3.15 before 3.15.3 provides an
unexpected return value for an incompatible key-usage certificate
when the CERTVerifyLog argument is valid, which might allow remote
attackers to bypass intended access restrictions via a crafted
certificate (CVE-2013-5606).

Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape
Portable Runtime (NSPR) before 4.10.2, as used in Firefox before
25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and
SeaMonkey before 2.22.1, allows remote attackers to cause a denial of
service (application crash) or possibly have unspecified other impact
via a crafted X.509 certificate, a related issue to CVE-2013-1741
(CVE-2013-5607).

The NSPR packages has been upgraded to the 4.10.2 version and the NSS
packages has been upgraded to the 3.15.3 version which is unaffected
by these security flaws.

Additionally the rootcerts packages has been upgraded with the latest
certdata.txt file as of 2013/11/11 from mozilla.

Updated packages

MBS1 x86_64

 af301c60ddcc18b8ac42c0b4435cbad3  mbs1/x86_64/lib64nspr4-4.10.2-1.mbs1.x86_64.rpm
 a496a08623a9f89d2399d80e4fe868a7  mbs1/x86_64/lib64nspr-devel-4.10.2-1.mbs1.x86_64.rpm
 ae3456fb3d674f99aef454a60dbe282a  mbs1/x86_64/lib64nss3-3.15.3-1.mbs1.x86_64.rpm
 9188809d70b632b2482acee08a4ddc0b  mbs1/x86_64/lib64nss-devel-3.15.3-1.mbs1.x86_64.rpm
 532704e8d72973d2dd61fe2698f893e4  mbs1/x86_64/lib64nss-static-devel-3.15.3-1.mbs1.x86_64.rpm
 8f4ae3f02feb8d9f9c9efc8c257035e8  mbs1/x86_64/nss-3.15.3-1.mbs1.x86_64.rpm
 8ae40ad195e46d8a2b30621dfcef3ace  mbs1/x86_64/nss-doc-3.15.3-1.mbs1.noarch.rpm
 59917a5345c7938ee1ac234a64a4cbfb  mbs1/x86_64/rootcerts-20131111.00-1.mbs1.x86_64.rpm
 e118b1fef3401a9aad6502d31ac38bcc  mbs1/x86_64/rootcerts-java-20131111.00-1.mbs1.x86_64.rpm 
 1cd846051eae1d454f8886ae6472da92  mbs1/SRPMS/nspr-4.10.2-1.mbs1.src.rpm
 f2b93d77bf10bb16f24803677c2a5432  mbs1/SRPMS/nss-3.15.3-1.mbs1.src.rpm
 72294310b8fb899d0e04fe1762e77f75  mbs1/SRPMS/rootcerts-20131111.00-1.mbs1.src.rpm

References