ID CVE-2013-1620
Summary The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
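The summary above states the condition abstractly. The following example is added for this page (it is not NSS code and not Mozilla's fix) to show the shape of the receiver-side check for a TLS 1.1/1.2 CBC record that Lucky Thirteen exploits, beside a constant-time-style check. Instead of measuring time it counts the SHA-1 compression-function calls that HMAC verification costs, which is the quantity the timing leaks. The demo key, the record header prefix and the 64-byte record are constructed for the illustration; the hardened version imitates the approach NSS 3.14.3 and other implementations took (no early exit on bad padding, a mask-based padding scan, equalised hashing work, a constant-time MAC compare) but, being Python, offers no real timing guarantee.

```python
# Added example (not NSS code): a model of the TLS 1.1/1.2 CBC record check
# (RFC 5246 section 6.2.3.2) in the shape Lucky Thirteen exploits, beside a
# constant-time-style version. Instead of timing, it counts the SHA-1
# compression-function calls HMAC needs, the quantity the timing leaks.
# After CBC decryption a record is: data || HMAC-SHA1 || padding || pad_len.
import hashlib
import hmac

MAC_LEN = 20                                   # HMAC-SHA1 output
HEADER_LEN = 13                                # seq_num(8) type(1) version(2) length(2)
SHA1_BLOCK = 64
HEADER_PREFIX = b"\x00" * 8 + b"\x17\x03\x03"  # seq 0, application_data, TLS 1.2 (constructed)


def sha1_calls(n_bytes: int) -> int:
    """Compression calls SHA-1 makes for n_bytes (9 bytes of 0x80 + length padding)."""
    return (n_bytes + 9 + SHA1_BLOCK - 1) // SHA1_BLOCK


def hmac_sha1_calls(msg_len: int) -> int:
    """Inner hash absorbs the 64-byte padded key plus the message; outer hash is 2 calls."""
    return sha1_calls(SHA1_BLOCK + msg_len) + 2


def mac_input(data: bytes) -> bytes:
    return HEADER_PREFIX + len(data).to_bytes(2, "big") + data


def make_record(key: bytes, data: bytes, pad_len: int) -> bytes:
    """Build the decrypted form of a well-formed record (sender side)."""
    mac = hmac.new(key, mac_input(data), hashlib.sha1).digest()
    return data + mac + bytes([pad_len]) * (pad_len + 1)


def with_last_byte(record: bytes, value: int) -> bytes:
    """Model the attacker's CBC bit-flip. In the real attack XORing a mask into
    the previous ciphertext block changes this byte to a value the attacker
    does not know; the timing tells them what it was."""
    return record[:-1] + bytes([value])


def check_vulnerable(key: bytes, plaintext: bytes):
    """Pre-fix shape. It even follows the RFC 5246 advice of MACing as if the
    padding were zero-length when it is malformed, yet the number of bytes
    MACed, hence the run time, still depends on the pad byte."""
    L = len(plaintext)
    if L < MAC_LEN + 1:
        raise ValueError("record too short")         # length is public, branch is fine
    pad_len = plaintext[-1]
    good_pad = (pad_len + 1 + MAC_LEN <= L
                and plaintext[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    if not good_pad:
        pad_len = 0
    data_len = L - MAC_LEN - 1 - pad_len
    msg = mac_input(plaintext[:data_len])
    expected = hmac.new(key, msg, hashlib.sha1).digest()
    received = plaintext[data_len:data_len + MAC_LEN]
    ok = good_pad and received == expected           # also a non-constant-time compare
    return ok, hmac_sha1_calls(len(msg))


def check_constant_time(key: bytes, plaintext: bytes):
    """Fix shape (modelled on what NSS 3.14.3 and others did, not their code):
    no early exit on bad padding, a mask-based padding scan, extra compression
    calls so the total depends only on the record length, and a constant-time
    MAC compare. The returned call count is the modelled cost."""
    L = len(plaintext)
    if L < MAC_LEN + 1:
        raise ValueError("record too short")
    pad_len = plaintext[-1]
    too_long = ((L - MAC_LEN - 1 - pad_len) >> 16) & 1  # 1 if the claimed padding cannot fit
    bad = 0
    for i in range(min(256, L)):                         # fixed window, no data-dependent exit
        in_pad = ((i - pad_len - 1) >> 8) & 0xFF         # 0xFF for i <= pad_len, else 0
        bad |= (plaintext[L - 1 - i] ^ pad_len) & in_pad
    bad = ((bad | -bad) >> 8) & 1                        # normalise to 0/1 without a branch
    good = 1 - (bad | too_long)
    pad_len *= good                                      # treat bad padding as zero-length
    data_len = L - MAC_LEN - 1 - pad_len
    msg = mac_input(plaintext[:data_len])
    expected = hmac.new(key, msg, hashlib.sha1).digest()
    real_calls = hmac_sha1_calls(len(msg))
    max_calls = hmac_sha1_calls(HEADER_LEN + L - MAC_LEN - 1)  # the pad_len == 0 case
    # Burn the difference; real implementations drive the compression function
    # directly so the extra work is indistinguishable from the genuine MAC.
    hashlib.sha1(b"\x00" * SHA1_BLOCK * (max_calls - real_calls)).digest()
    received = plaintext[data_len:data_len + MAC_LEN]
    ok = bool(hmac.compare_digest(received, expected) & good)
    return ok, max_calls


if __name__ == "__main__":
    key = b"\x11" * 20                                   # constructed demo key
    record = make_record(key, bytes(range(42)), 1)       # 42 + 20 + 2 = 64 bytes, 4 AES blocks
    for name, rec in [("valid 01 01", record),
                      ("last byte 00", with_last_byte(record, 0x00)),
                      ("last byte 07", with_last_byte(record, 0x07))]:
        print(name, "vulnerable:", check_vulnerable(key, rec),
              "fixed:", check_constant_time(key, rec))
```

With a 64-byte record (42 bytes of data, a 20-byte MAC and the two padding bytes 01 01), the vulnerable check costs 4 compression calls when the tampered last byte still parses as that padding and 5 in every other case, because one more byte then falls under the MAC. That single-call difference, recoverable over the network with enough samples, is the distinguisher the attack uses to learn the plaintext byte. The constant-time version costs 5 calls for every 64-byte record whatever the padding says, and reports one bad_record_mac outcome for both bad padding and a bad MAC.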
References
Vulnerable Configurations
  • Mozilla Network Security Services
    cpe:2.3:a:mozilla:network_security_services
CVSS
Base: 4.3 (as of 11-02-2013 - 10:35)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-2929.NASL
    description Update nss to nss-3.14.3 This is a patch release to address CVE-2013-1620. Detailed descriptions of the bug fixes in nss-3.14.3 can be found in the upstream release notes at https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 64941
    published 2013-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64941
    title Fedora 18 : nspr-4.9.5-2.fc18 / nss-3.14.3-1.fc18 / nss-softokn-3.14.3-1.fc18 / etc (2013-2929)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1181.NASL
    description An updated rhev-hypervisor6 package that fixes three security issues and various bugs is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. Upgrade Note: If you upgrade the Red Hat Enterprise Virtualization Hypervisor through the 3.2 Manager administration portal, the Host may appear with the status of 'Install Failed'. If this happens, place the host into maintenance mode, then activate it again to get the host back to an 'Up' state. It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) It was found that the fix for CVE-2013-0167 released via RHSA-2013:0907 was incomplete. A privileged guest user could potentially use this flaw to make the host the guest is running on unavailable to the management server. (CVE-2013-4236) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791) Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791. The CVE-2013-4236 issue was found by David Gibson of Red Hat. This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2013-4854 (bind issue) CVE-2012-6544, CVE-2013-2146, CVE-2013-2206, CVE-2013-2224, CVE-2013-2232, and CVE-2013-2237 (kernel issues) This update also contains the fixes from the following errata : * vdsm: RHSA-2013:1155 and RHBA-2013:1158 Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which corrects these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 78969
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78969
    title RHEL 6 : rhev-hypervisor6 (RHSA-2013:1181)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-050.NASL
    description Google reported to Mozilla that TURKTRUST, a certificate authority in Mozilla's root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates (CVE-2013-0743). The rootcerts package has been upgraded to address this flaw and the Mozilla NSS package has been rebuilt to pick up the changes. The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169 (CVE-2013-1620). The NSPR package has been upgraded to the 4.9.5 version due to dependencies of newer NSS. The NSS package has been upgraded to the 3.14.3 version which is not vulnerable to this issue. The sqlite3 update addresses a crash when using svn commit after export MALLOC_CHECK_=3.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 66064
    published 2013-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66064
    title Mandriva Linux Security Advisory : nss (MDVSA-2013:050)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-3079.NASL
    description Update to nss-3.14.3 This is a patch release to address CVE-2013-1620. Detailed descriptions of the bugs fixed by nss-3.14.3 can be found in the upstream release notes at https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 65532
    published 2013-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65532
    title Fedora 17 : nspr-4.9.5-2.fc17 / nss-3.14.3-1.fc17 / nss-softokn-3.14.3-1.fc17 / etc (2013-3079)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_NSS_20140809.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. (CVE-2013-1620)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80713
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80713
    title Oracle Solaris Third-Party Patch Update : nss (cve_2013_1620_lucky_thirteen)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1763-1.NASL
    description Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in NSS was vulnerable to a timing side-channel attack known as the 'Lucky Thirteen' issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 65572
    published 2013-03-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65572
    title Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : nss vulnerability (USN-1763-1)
  • NASL family Misc.
    NASL id VMWARE_ESX_VMSA-2013-0015_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries : - Kernel - Netscape Portable Runtime (NSPR) - Network Security Services (NSS)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 89670
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89670
    title VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0015) (remote check)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-217.NASL
    description It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 70221
    published 2013-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70221
    title Amazon Linux AMI : nss (ALAS-2013-217)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1144.NASL
    description From Red Hat Security Advisory 2013:1144 : Updated nss, nss-util, nss-softokn, and nspr packages that fix two security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. nss-softokn provides an NSS softoken cryptographic module. It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791) Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791. This update also fixes the following bugs : * The RHBA-2013:0445 update (which upgraded NSS to version 3.14) prevented the use of certificates that have an MD5 signature. This caused problems in certain environments. With this update, certificates that have an MD5 signature are once again allowed. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#957603) * Previously, the sechash.h header file was missing, preventing certain source RPMs (such as firefox and xulrunner) from building. (BZ#948715) * A memory leak in the nssutil_ReadSecmodDB() function has been fixed. (BZ#984967) In addition, the nss package has been upgraded to upstream version 3.14.3, the nss-util package has been upgraded to upstream version 3.14.3, the nss-softokn package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#927157, BZ#927171, BZ#927158, BZ#927186) Users of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS, NSPR, nss-util, or nss-softokn must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 69253
    published 2013-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69253
    title Oracle Linux 6 : nspr / nss / nss-softokn / nss-util (ELSA-2013-1144)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-309.NASL
    description The Mozilla suite received security and bugfix updates : Mozilla Firefox was updated to version 20.0. Mozilla Thunderbird was updated to version 17.0.5. Mozilla SeaMonkey was updated to version 17.0.5. Mozilla XULRunner was updated to version 17.0.5. mozilla-nss was updated to version 3.14.3. mozilla-nspr was updated to version 4.9.6. mozilla-nspr was updated to version 4.9.6 : - aarch64 support - added PL_SizeOfArenaPoolExcludingPool function (bmo#807883) - Auto detect android api version for x86 (bmo#782214) - Initialize Windows CRITICAL_SECTIONs without debug info and with nonzero spin count (bmo#812085) Previous update to version 4.9.5 - bmo#634793: define NSPR's exact-width integer types PRInt{N} and PRUint{N} types to match the exact-width integer types int{N}_t and uint{N}_t. - bmo#782815: passing 'int *' to parameter of type 'unsigned int *' in setsockopt(). - bmo#822932: Port bmo#802527 (NDK r8b support for x86) to NSPR. - bmo#824742: NSPR shouldn't require librt on Android. - bmo#831793: data race on lib->refCount in PR_UnloadLibrary. mozilla-nss was updated to version 3.14.3 : - disable tests with expired certificates - add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements - No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365) - 'certutil -a' was not correctly producing ASCII output as requested. (bmo#840714) - NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799) - remove system-sqlite.patch - add arm aarch64 support - added system-sqlite.patch (bmo#837799) - do not depend on latest sqlite just for a #define - enable system sqlite usage again - update to 3.14.2 - required for Firefox >= 20 - removed obsolete nssckbi update patch - MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage - disable system sqlite usage since we depend on 3.7.15 which is not provided in any openSUSE distribution - add nss-sqlitename.patch to avoid any name clash Changes in MozillaFirefox : - update to Firefox 20.0 (bnc#813026) - requires NSPR 4.9.5 and NSS 3.14.3 - MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards - MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library - MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux - MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes - MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure - MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations - MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images - use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch) - build fixes for armv7hl : - disable debug build as armv7hl does not have enough memory - disable webrtc on armv7hl as it is non-compiling Changes in MozillaThunderbird : - update to Thunderbird 17.0.5 (bnc#813026) - requires NSPR 4.9.5 and NSS 3.14.3 - MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards - MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library - MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux - MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes - MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations Changes in seamonkey : - update to SeaMonkey 2.17 (bnc#813026) - requires NSPR 4.9.5 and NSS 3.14.3 - MFSA 2013-30/CVE-2013-0788/CVE-2013-0789 Miscellaneous memory safety hazards - MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library - MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux - MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes - MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure - MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations - MFSA 2013-39/CVE-2013-0792 (bmo#722831) Memory corruption while rendering grayscale PNG images - use GStreamer 1.0 starting with 12.3 (mozilla-gstreamer-1.patch) Changes in xulrunner : - update to 17.0.5esr (bnc#813026) - requires NSPR 4.9.5 and NSS 3.14.3 - MFSA 2013-30/CVE-2013-0788 Miscellaneous memory safety hazards - MFSA 2013-31/CVE-2013-0800 (bmo#825721) Out-of-bounds write in Cairo library - MFSA 2013-35/CVE-2013-0796 (bmo#827106) WebGL crash with Mesa graphics driver on Linux - MFSA 2013-36/CVE-2013-0795 (bmo#825697) Bypass of SOW protections allows cloning of protected nodes - MFSA 2013-37/CVE-2013-0794 (bmo#626775) Bypass of tab-modal dialog origin disclosure - MFSA 2013-38/CVE-2013-0793 (bmo#803870) Cross-site scripting (XSS) using timed history navigations
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74965
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74965
    title openSUSE Security Update : Mozilla Firefox and others (openSUSE-SU-2013:0630-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1135.NASL
    description Updated nss and nspr packages that fix two security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791) Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791. This update also fixes the following bugs : * A defect in the FreeBL library implementation of the Diffie-Hellman (DH) protocol previously caused Openswan to drop connections. (BZ#958023) * A memory leak in the nssutil_ReadSecmodDB() function has been fixed. (BZ#986969) In addition, the nss package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#949845, BZ#924741) Note that while upstream NSS version 3.14 prevents the use of certificates that have an MD5 signature, this erratum includes a patch that allows such certificates by default. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. Users of NSS and NSPR are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 69222
    published 2013-08-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69222
    title RHEL 5 : nss and nspr (RHSA-2013:1135)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-265.NASL
    description A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741 , CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 71577
    published 2013-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71577
    title Amazon Linux AMI : nss (ALAS-2013-265)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20131205_NSS_AND_NSPR_ON_SL5_X.NASL
    description A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 released via SLSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606) In addition, the nss package has been upgraded to upstream version 3.15.3, and the nspr package has been upgraded to upstream version 4.10.2. These updates provide a number of bug fixes and enhancements over the previous versions. This update also fixes the following bug : - The SLBA-2013:1318 update introduced a regression that prevented the use of certificates that have an MD5 signature. This update fixes this regression and certificates that have an MD5 signature are once again supported. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 71306
    published 2013-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71306
    title Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-216.NASL
    description It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 70220
    published 2013-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70220
    title Amazon Linux AMI : nspr (ALAS-2013-216)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2013-0015.NASL
    description a. Update to ESX service console kernel The ESX service console kernel is updated to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2012-2372, CVE-2012-3552, CVE-2013-2147, CVE-2013-2164, CVE-2013-2206, CVE-2013-2224, CVE-2013-2234, CVE-2013-2237, CVE-2013-2232 to these issues. b. Update to ESX service console NSPR and NSS This patch updates the ESX service console Netscape Portable Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-0791 and CVE-2013-1620 to these issues.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 71245
    published 2013-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71245
    title VMSA-2013-0015 : VMware ESX updates to third-party libraries
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1135.NASL
    description Updated nss and nspr packages that fix two security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791) Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791. This update also fixes the following bugs : * A defect in the FreeBL library implementation of the Diffie-Hellman (DH) protocol previously caused Openswan to drop connections. (BZ#958023) * A memory leak in the nssutil_ReadSecmodDB() function has been fixed. (BZ#986969) In addition, the nss package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#949845, BZ#924741) Note that while upstream NSS version 3.14 prevents the use of certificates that have an MD5 signature, this erratum includes a patch that allows such certificates by default. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. Users of NSS and NSPR are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 69215
    published 2013-08-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69215
    title CentOS 5 : nss (CESA-2013:1135)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201406-19.NASL
    description The remote host is affected by the vulnerability described in GLSA-201406-19 (Mozilla Network Security Service: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in the Mozilla Network Security Service. Please review the CVE identifiers referenced below for more details about the vulnerabilities. Impact : A remote attacker can cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-13
    plugin id 76178
    published 2014-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76178
    title GLSA-201406-19 : Mozilla Network Security Service: Multiple vulnerabilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130805_NSS_AND_NSPR_ON_SL5_X.NASL
    description It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791) This update also fixes the following bugs : - A defect in the FreeBL library implementation of the Diffie-Hellman (DH) protocol previously caused Openswan to drop connections. - A memory leak in the nssutil_ReadSecmodDB() function has been fixed. In addition, the nss package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. Note that while upstream NSS version 3.14 prevents the use of certificates that have an MD5 signature, this erratum includes a patch that allows such certificates by default. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 69223
    published 2013-08-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69223
    title Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1144.NASL
    description Updated nss, nss-util, nss-softokn, and nspr packages that fix two security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. nss-softokn provides an NSS softoken cryptographic module. It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791) Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791. This update also fixes the following bugs : * The RHBA-2013:0445 update (which upgraded NSS to version 3.14) prevented the use of certificates that have an MD5 signature. This caused problems in certain environments. With this update, certificates that have an MD5 signature are once again allowed. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#957603) * Previously, the sechash.h header file was missing, preventing certain source RPMs (such as firefox and xulrunner) from building. (BZ#948715) * A memory leak in the nssutil_ReadSecmodDB() function has been fixed. (BZ#984967) In addition, the nss package has been upgraded to upstream version 3.14.3, the nss-util package has been upgraded to upstream version 3.14.3, the nss-softokn package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#927157, BZ#927171, BZ#927158, BZ#927186) Users of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS, NSPR, nss-util, or nss-softokn must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 69256
    published 2013-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69256
    title RHEL 6 : nss, nss-util, nss-softokn, and nspr (RHSA-2013:1144)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1144.NASL
    description Updated nss, nss-util, nss-softokn, and nspr packages that fix two security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. nss-softokn provides an NSS softoken cryptographic module. It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791) Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791. This update also fixes the following bugs : * The RHBA-2013:0445 update (which upgraded NSS to version 3.14) prevented the use of certificates that have an MD5 signature. This caused problems in certain environments. With this update, certificates that have an MD5 signature are once again allowed. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#957603) * Previously, the sechash.h header file was missing, preventing certain source RPMs (such as firefox and xulrunner) from building. (BZ#948715) * A memory leak in the nssutil_ReadSecmodDB() function has been fixed. (BZ#984967) In addition, the nss package has been upgraded to upstream version 3.14.3, the nss-util package has been upgraded to upstream version 3.14.3, the nss-softokn package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#927157, BZ#927171, BZ#927158, BZ#927186) Users of NSS, NSPR, nss-util, and nss-softokn are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS, NSPR, nss-util, or nss-softokn must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 69247
    published 2013-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69247
    title CentOS 6 : nss / nss-util / nss-softokn / nspr (CESA-2013:1144)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1135.NASL
    description From Red Hat Security Advisory 2013:1135 : Updated nss and nspr packages that fix two security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791) Red Hat would like to thank the Mozilla project for reporting CVE-2013-0791. Upstream acknowledges Ambroz Bizjak as the original reporter of CVE-2013-0791. This update also fixes the following bugs : * A defect in the FreeBL library implementation of the Diffie-Hellman (DH) protocol previously caused Openswan to drop connections. (BZ#958023) * A memory leak in the nssutil_ReadSecmodDB() function has been fixed. (BZ#986969) In addition, the nss package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#949845, BZ#924741) Note that while upstream NSS version 3.14 prevents the use of certificates that have an MD5 signature, this erratum includes a patch that allows such certificates by default. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. Users of NSS and NSPR are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 69221
    published 2013-08-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69221
    title Oracle Linux 5 : nspr / nss (ELSA-2013-1135)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130807_NSS__NSS_UTIL__NSS_SOFTOKN__AND_NSPR_ON_SL6_X.NASL
    description It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620) An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791) This update also fixes the following bugs : - The SLBA-2013:0445 update (which upgraded NSS to version 3.14) prevented the use of certificates that have an MD5 signature. This caused problems in certain environments. With this update, certificates that have an MD5 signature are once again allowed. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. - Previously, the sechash.h header file was missing, preventing certain source RPMs (such as firefox and xulrunner) from building. - A memory leak in the nssutil_ReadSecmodDB() function has been fixed. In addition, the nss package has been upgraded to upstream version 3.14.3, the nss-util package has been upgraded to upstream version 3.14.3, the nss-softokn package has been upgraded to upstream version 3.14.3, and the nspr package has been upgraded to upstream version 4.9.5. These updates provide a number of bug fixes and enhancements over the previous versions. After installing this update, applications using NSS, NSPR, nss-util, or nss-softokn must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 69279
    published 2013-08-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69279
    title Scientific Linux Security Update : nss, nss-util, nss-softokn, and nspr on SL6.x i386/x86_64
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20131212_NSS__NSPR__AND_NSS_UTIL_ON_SL6_X.NASL
    description A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 released via SLSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606) After installing this update, applications using NSS, NSPR, or nss-util must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 71424
    published 2013-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71424
    title Scientific Linux Security Update : nss, nspr, and nss-util on SL6.x i386/x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-266.NASL
    description A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 71578
    published 2013-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71578
    title Amazon Linux AMI : nspr (ALAS-2013-266)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL15630.NASL
    description The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. (CVE-2013-1620)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 78198
    published 2014-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78198
    title F5 Networks BIG-IP : TLS in Mozilla NSS vulnerability (K15630)
redhat via4
advisories
  • bugzilla
    id 986969
    title nssutil_ReadSecmodDB() leaks memory
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment nspr is earlier than 0:4.9.5-1.el5_9
          oval oval:com.redhat.rhsa:tst:20131135002
        • comment nspr is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20081036022
      • AND
        • comment nspr-devel is earlier than 0:4.9.5-1.el5_9
          oval oval:com.redhat.rhsa:tst:20131135004
        • comment nspr-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20081036024
      • AND
        • comment nss is earlier than 0:3.14.3-6.el5_9
          oval oval:com.redhat.rhsa:tst:20131135006
        • comment nss is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080879012
      • AND
        • comment nss-devel is earlier than 0:3.14.3-6.el5_9
          oval oval:com.redhat.rhsa:tst:20131135010
        • comment nss-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080879016
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.14.3-6.el5_9
          oval oval:com.redhat.rhsa:tst:20131135012
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080879014
      • AND
        • comment nss-tools is earlier than 0:3.14.3-6.el5_9
          oval oval:com.redhat.rhsa:tst:20131135008
        • comment nss-tools is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080879018
    rhsa
    id RHSA-2013:1135
    released 2013-08-05
    severity Moderate
    title RHSA-2013:1135: nss and nspr security, bug fix, and enhancement update (Moderate)
  • bugzilla
    id 985955
    title nss-softokn: missing partial RELRO [6.4.z]
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment nspr is earlier than 0:4.9.5-2.el6_4
          oval oval:com.redhat.rhsa:tst:20131144005
        • comment nspr is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111444023
      • AND
        • comment nspr-devel is earlier than 0:4.9.5-2.el6_4
          oval oval:com.redhat.rhsa:tst:20131144007
        • comment nspr-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111444025
      • AND
        • comment nss-softokn is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144009
        • comment nss-softokn is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862020
      • AND
        • comment nss-softokn-devel is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144011
        • comment nss-softokn-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862024
      • AND
        • comment nss-softokn-freebl is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144015
        • comment nss-softokn-freebl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862022
      • AND
        • comment nss-softokn-freebl-devel is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144013
        • comment nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131144014
      • AND
        • comment nss is earlier than 0:3.14.3-4.el6_4
          oval oval:com.redhat.rhsa:tst:20131144017
        • comment nss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862006
      • AND
        • comment nss-devel is earlier than 0:3.14.3-4.el6_4
          oval oval:com.redhat.rhsa:tst:20131144021
        • comment nss-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862014
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.14.3-4.el6_4
          oval oval:com.redhat.rhsa:tst:20131144019
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862010
      • AND
        • comment nss-sysinit is earlier than 0:3.14.3-4.el6_4
          oval oval:com.redhat.rhsa:tst:20131144023
        • comment nss-sysinit is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862008
      • AND
        • comment nss-tools is earlier than 0:3.14.3-4.el6_4
          oval oval:com.redhat.rhsa:tst:20131144025
        • comment nss-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862012
      • AND
        • comment nss-util is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144027
        • comment nss-util is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862016
      • AND
        • comment nss-util-devel is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144029
        • comment nss-util-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862018
    rhsa
    id RHSA-2013:1144
    released 2013-08-07
    severity Moderate
    title RHSA-2013:1144: nss, nss-util, nss-softokn, and nspr security update (Moderate)
rpms
  • nspr-0:4.9.5-1.el5_9
  • nspr-devel-0:4.9.5-1.el5_9
  • nss-0:3.14.3-6.el5_9
  • nss-devel-0:3.14.3-6.el5_9
  • nss-pkcs11-devel-0:3.14.3-6.el5_9
  • nss-tools-0:3.14.3-6.el5_9
  • nspr-0:4.9.5-2.el6_4
  • nspr-devel-0:4.9.5-2.el6_4
  • nss-softokn-0:3.14.3-3.el6_4
  • nss-softokn-devel-0:3.14.3-3.el6_4
  • nss-softokn-freebl-0:3.14.3-3.el6_4
  • nss-softokn-freebl-devel-0:3.14.3-3.el6_4
  • nss-0:3.14.3-4.el6_4
  • nss-devel-0:3.14.3-4.el6_4
  • nss-pkcs11-devel-0:3.14.3-4.el6_4
  • nss-sysinit-0:3.14.3-4.el6_4
  • nss-tools-0:3.14.3-4.el6_4
  • nss-util-0:3.14.3-3.el6_4
  • nss-util-devel-0:3.14.3-3.el6_4
refmap via4
bid
  • 57777
  • 64758
bugtraq 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
confirm
fulldisc 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
gentoo GLSA-201406-19
misc http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
mlist [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations
suse
  • openSUSE-SU-2013:0630
  • openSUSE-SU-2013:0631
ubuntu USN-1763-1
vmware via4
description This patch updates the ESX service console Netscape Portable Runtime (NSPR) and Network Security Services (NSS) RPMs to resolve multiple security issues.
id VMSA-2013-0015
last_updated 2013-12-05T00:00:00
published 2013-12-05T00:00:00
title Update to ESX service console NSPR and NSS
Last major update 30-12-2016 - 21:59
Published 08-02-2013 - 14:55
Last modified 09-10-2018 - 15:33