ID CVE-2013-1741
Summary Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value.
References
Vulnerable Configurations
  • Mozilla Network Security Services 3.15
    cpe:2.3:a:mozilla:network_security_services:3.15
  • Mozilla Network Security Services 3.15.1
    cpe:2.3:a:mozilla:network_security_services:3.15.1
  • Mozilla Network Security Services 3.15.2
    cpe:2.3:a:mozilla:network_security_services:3.15.2
CVSS
Base: 7.5 (as of 19-11-2015 - 12:40)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0066.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix SSL_DH_MIN_P_BITS in more places. - Keep SSL_DH_MIN_P_BITS at 768 as in the previously released build. - Run SSL tests - Add compatility patches to prevent regressions - Ensure all ssl.sh tests are executed - Rebase to nss 3.21 - Resolves: Bug 1297944 - Rebase RHEL 5.11.z to NSS 3.21 in preparation for Firefox 45 - Actually apply the fix for CVE-2016-1950 from NSS 3.19.2.3 ... - Include the fix for CVE-2016-1950 from NSS 3.19.2.3 - Resolves: Bug 1269354 - CVE-2015-7182 (CVE-2015-7181) - Rebase nss to 3.19.1 - Pick up upstream fix for client auth. regression caused by 3.19.1 - Revert upstream change to minimum key sizes - Remove patches that rendered obsolote by the rebase - Update existing patches on account of the rebase - Pick up upstream patch from nss-3.19.1 - Resolves: Bug 1236954 - CVE-2015-2730 NSS: ECDSA signature validation fails to handle some signatures correctly (MFSA 2015-64) - Resolves: Bug 1236967 - CVE-2015-2721 NSS: incorrectly permited skipping of ServerKeyExchange (MFSA 2015-71) - On RHEL 6.x keep the TLS version defaults unchanged. - Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1) - Copy PayPalICA.cert and PayPalRootCA.cert to nss/tests/libpkix/certs - Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11] - Update and reeneable nss-646045.patch on account of the rebase - Enable additional ssl test cycles and document why some aren't enabled - Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11] - Fix shell syntax error on nss/tests/all.sh - Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11] - Replace expired PayPal test certificate that breaks the build - Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11] - Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11] - Resolves: Bug 1158159 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 - Adjust softokn patch to be compatible with legacy softokn API. - Resolves: Bug 1145430 - (CVE-2014-1568) - Add patches published with NSS 3.16.2.1 - Resolves: Bug 1145430 - (CVE-2014-1568) - Backport nss-3.12.6 upstream fix required by Firefox 31 ESR - Resolves: Bug 1110860 - Rebase to nss-3.16.1 for FF31 - Resolves: Bug 1110860 - Rebase nss in RHEL 5.11 to NSS 3.16.1, required for FF 31 - Remove unused and obsolete patches - Related: Bug 1032468 - Improve shell code for error detection on %check section - Resolves: Bug 1035281 - Suboptimal shell code in nss.spec - Revoke trust in one mis-issued anssi certificate - Resolves: Bug 1042684 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) - Pick up corrections made in the rhel-10.Z branch, remove an unused patch - Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11] - Remove unused patch and retag for update to nss-3.15.3 - Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11] - Update to nss-3.15.3 - Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11] - Remove unused patches - Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x) - Rebase to nss-3.15.1 - Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x) - Resolves: rhbz#1015864 - [Regression] NSS no longer trusts MD5 certificates - Split %check section tests in two: freebl/softoken and rest of nss tests - Adjust various patches and spec file steps on account of the rebase - Add various patches and remove obsoleted ones on account of the rebase - Renumber patches so freeb/softoken ones match the corresponding ones in rhel-6 nss-softokn - Make the freebl sources identical to the corresponding ones for rhel-6.5 - Related: rhbz#987131 - Adjust the patches to complete the syncup with upstrean nss - Use NSS_DISABLE_HW_GCM on the patch as we do on the spec file - Ensure softoken/freebl code is the same on nss side as on the softoken side - Related: rhbz#987131 - Add disable_hw_gcm.patch and in the spec file export NSS_DISABLE_HW_GCM=1 - Disable HW GCM on RHEL-5 as the older kernel lacks support for it - Related: rhbz#987131 - Related: rhbz#987131 - Display cpuifo as part of the tests - Resolves: rhbz#987131 - Pick up various upstream GCM code fixes applied since nss-3.14.3 was released - Roll back to 79c87e69caa7454cbcf5f8161a628c538ff3cab3 - Peviously added patch hasn't solved the sporadic core dumps - Related: rhbz#983766 - nssutil_ReadSecmodDB leaks memory - Resolves: rhbz#983766 - nssutil_ReadSecmodDB leaks memory - Add patch to get rid of sporadic blapitest core dumps - Restore 'export NO_FORK_CHECK=1' required for binary compatibility on RHEL-5 - Remove an unused patch - Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 - Resolves: rhbz#807419 - nss-tools certutil -H does not list all options - Apply upstream fixes for ecc enabling and aes gcm - Rename two macros EC_MIN_KEY_BITS and EC_MAX_KEY_BITS per upstream - Apply several upstream AES GCM fixes - Resolves: rhbz#960241 - Enable ECC in nss and freebl - Resolves: rhbz#918948 - [RFE][RHEL5] - Enable ECC support limited to suite b - Export NSS_ENABLE_ECC=1 in the %check section to properly test ecc - Resolves: rhbz#960241 - Enable ECC in nss and freebl - Define -DNO_FORK_CHECK when compiling softoken for ABI compatibility - Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue - Remove obsolete nss-nochktest.patch - Related: rhbz#960241 - Enable ECC in nss and freebl - Enable ECC by using the unstripped sources - Resolves: rhbz#960241 - Enable ECC in nss and freebl - Fix rpmdiff test reported failures and remove other unwanted changes - Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue - Mon Apr 22 2013 Elio Maldonado - 3.14.3-3 - Update to NSS_3_14_3_RTM - Rework the rebase to preserve needed idiosynchracies - Ensure we install frebl/softoken from the extra build tree - Don't include freebl static library or its private headers - Add patch to deal with system sqlite not being recent enough - Don't install nss-sysinit nor sharedb - Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue - Mon Apr 01 2013 Elio Maldonado - 3.14.3-2 - Restore the freebl-softoken source tar ball updated to 3.14.3 - Renumbering of some sources for clarity - Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue - Update to NSS_3_14_3_RTM - Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue - Resolves: rhbz#891150 - Dis-trust TURKTRUST mis-issued *.google.com certificate - Update to NSS_3_13_6_RTM - Resolves: rhbz#883788 - [RFE] [RHEL5] Rebase to NSS >= 3.13.6 - Resolves: rhbz#820684 - Fix last entry in attrFlagsArray to be [NAME_SIZE(unextractable), PK11_ATTR_UNEXTRACTABLE] - Resolves: rhbz#820684 - Enable certutil handle user supplied flags for PKCS #11 attributes. - This will enable certutil to generate keys in fussy hardware tokens. - fix an error in the patch meta-information area (no code change) - Related: rhbz#830304 - Fix ia64 / i386 multilib nss install failure - Remove no longer needed %pre and %preun scriplets meant for nss updates from RHEL-5.0 - Related: rhbz#830304 - Fix the changes to the %post line - Having multiple commands requires that /sbin/lconfig be the beginning of the scriptlet - Resolves: rhbz#830304 - Fix multilib and scriptlet problems - Fix %post and %postun lines per packaging guildelines - Add %[?_isa] to tools Requires: per packaging guidelines - Fix explicit-lib-dependency zlib error reported by rpmlint - Resolves: rhbz#830304 - Remove unwanted change to nss.pc.in - Update to NSS_3_13_5_RTM - Resolves: rhbz#830304 - Update RHEL 5.x to NSS 3.13.5 and NSPR 4.9.1 for Mozilla 10.0.6 - Resolves: rhbz#797939 - Protect NSS_Shutdown from clients that fail to initialize nss - Resolves: Bug 788039 - retagging to prevent update problems - Resolves: Bug 788039 - rebase nss to make firefox 10 LTS rebase possible - Update to 4.8.9 - Resolves: Bug 713373 - File descriptor leak after service httpd reload - Don't initialize nss if already initialized or if there are no dbs - Retagging for a Y-stream version higher than the RHEL-5-7-Z branch - Retagging to keep the n-v-r as high as that for the RHEL-5-7-Z branch - Update builtins certs to those from NSSCKBI_1_88_RTM - Plug file descriptor leaks on httpd reloads - Update builtins certs to those from NSSCKBI_1_87_RTM - Update builtins certs to those from NSSCKBI_1_86_RTM - Update builtins certs to NSSCKBI_1_85_RTM - Update to 3.12.10 - Fix libcrmf hard-coded maximum size for wrapped private keys - Update builtin certs to NSS_3.12.9_WITH_CKBI_1_82_RTM via a patch - Update builtin certs to those from NSS_3.12.9_WITH_CKBI_1_82_RTM - Update to 3.12.8
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 91747
    published 2016-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91747
    title OracleVM 3.2 : nss (OVMSA-2016-0066)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0015.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Update to nss-3.16.1 - Resolves: rhbz#1112136 - Update to NSS_3_15_3_RTM - Resolves: rhbz#1032470 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) - Preserve existing permissions when replacing existing pkcs11.txt file, but keep strict default permissions for new files - Resolves: rhbz#990631 - file permissions of pkcs11.txt/secmod.db must be kept when modified by NSS
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 79538
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79538
    title OracleVM 3.3 : nss-util (OVMSA-2014-0015)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0014.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Added nss-vendor.patch to change vendor - Update some patches on account of the rebase - Resolves: Bug 1099619 - Backport nss-3.12.6 upstream fix required by Firefox 31 - Resolves: Bug 1099619 - Remove two unused patches and apply a needed one that was missed - Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS 3.16.1 - Update to nss-3.16.1 - Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS 3.16.1 - Make pem's derEncodingsMatch function work with encrypted keys - Resolves: Bug 1048713 - [PEM] active FTPS with encrypted client key ends up with SSL_ERROR_TOKEN_INSERTION_REMOVAL - Remove unused patches - Resolves: Bug 1048713 - Resolves: Bug 1048713 - [PEM] active FTPS with encrypted client key ends up with SSL_ERROR_TOKEN_INSERTION_REMOVAL - Revoke trust in one mis-issued anssi certificate - Resolves: Bug 1042685 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) [rhel-6.6] - Enable patch with fix for deadlock in trust domain lock and object lock - Resolves: Bug 1036477 - deadlock in trust domain lock and object lock - Disable hw gcm on rhel-5 based build environments where OS lacks support - Rollback changes to build nss without softokn until Bug 689919 is approved - Cipher suite was run as part of the nss-softokn build - Update to NSS_3_15_3_RTM - Resolves: Bug 1032470 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) - Using export NSS_DISABLE_HW_GCM=1 to deal with some problemmatic build systems - Resolves: rhbz#1016044 - nss.s390: primary link for libnssckbi.so must be /usr/lib64/libnssckbi.so - Add s390x and ia64 to the %define multilib_arches list used for defining alt_ckbi - Resolves: rhbz#1016044 - nss.s390: primary link for libnssckbi.so must be /usr/lib64/libnssckbi.so - Add zero default value to DISABLETEST check and fix the TEST_FAILURES check and reporting - Resolves: rhbz#990631 - file permissions of pkcs11.txt/secmod.db must be kept when modified by NSS - Related: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Add a zero default value to the DISABLETEST and TEST_FAILURES checks - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Fix the test for zero failures in the %check section - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Restore a mistakenly removed patch - Resolves: rhbz#961659 - SQL backend does not reload certificates - Rebuild for the pem module to link with freel from nss-softokn-3.14.3-6.el6 - Related: rhbz#993441 - NSS needs to conform to new FIPS standard. - Related: rhbz#1010224 - NSS 3.15 breaks SSL in OpenLDAP clients - Don't require nss-softokn-fips - Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard. - Additional syntax fixes in nss-versus-softoken-test.patch - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Fix all.sh test for which application was last build by updating nss-versus-softoken-test.path - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Disable the cipher suite already run as part of the nss-softokn build - Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard. - Require nss-softokn-fips - Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard.
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 79537
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79537
    title OracleVM 3.3 : nss (OVMSA-2014-0014)
  • NASL family Windows
    NASL id SEAMONKEY_2221.NASL
    description The installed version of SeaMonkey is a version prior to 2.22.1 and is, therefore, potentially affected by the following vulnerabilities : - An error exists related to handling input greater than half the maximum size of the 'PRUint32' value. (CVE-2013-1741) - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605) - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606) - An integer truncation error exists in the function 'PL_ArenaAllocate' in the Netscape Portable Runtime (NSPR) library. (CVE-2013-5607)
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 70950
    published 2013-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70950
    title SeaMonkey < 2.22.1 NSS and NSPR Multiple Vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2032-1.NASL
    description Multiple security issues were discovered in Thunderbird. If a user were tricked into connecting to a malicious server, an attacker could possibly exploit these to cause a denial of service via application crash, potentially execute arbitrary code, or lead to information disclosure. (CVE-2013-1741, CVE-2013-2566, CVE-2013-5605, CVE-2013-5607). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 71036
    published 2013-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71036
    title Ubuntu 12.04 LTS / 12.10 / 13.04 / 13.10 : thunderbird vulnerabilities (USN-2032-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-265.NASL
    description A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741 , CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606)
    last seen 2019-01-16
    modified 2018-04-18
    plugin id 71577
    published 2013-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71577
    title Amazon Linux AMI : nss (ALAS-2013-265)
  • NASL family Windows
    NASL id MOZILLA_THUNDERBIRD_24_1_1.NASL
    description The installed version of Thunderbird is earlier than 24.1.1 and is, therefore, potentially affected the following vulnerabilities: - An error exists related to handling input greater than half the maximum size of the 'PRUint32' value. (CVE-2013-1741) - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605) - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606) - An integer truncation error exists in the function 'PL_ArenaAllocate' in the Netscape Portable Runtime (NSPR) library. (CVE-2013-5607)
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 71045
    published 2013-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71045
    title Mozilla Thunderbird < 24.1.1 NSS and NSPR Multiple Vulnerabilities
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0023.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : nss - Added nss-vendor.patch to change vendor - Replace expired PayPal test certificate that breaks the build - Resolves: Bug 1145431 - (CVE-2014-1568) - Resolves: Bug 1145431 - (CVE-2014-1568) - Removed listed but unused patches detected by the rpmdiff test - Resolves: Bug 1099619 - Update some patches on account of the rebase - Resolves: Bug 1099619 - Backport nss-3.12.6 upstream fix required by Firefox 31 - Resolves: Bug 1099619 - Remove two unused patches and apply a needed one that was missed - Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS 3.16.1 - Update to nss-3.16.1 - Resolves: Bug 1112136 - Rebase nss in RHEL 6.5.Z to NSS 3.16.1 - Make pem's derEncodingsMatch function work with encrypted keys - Resolves: Bug 1048713 - [PEM] active FTPS with encrypted client key ends up with SSL_ERROR_TOKEN_INSERTION_REMOVAL - Remove unused patches - Resolves: Bug 1048713 - Resolves: Bug 1048713 - [PEM] active FTPS with encrypted client key ends up with SSL_ERROR_TOKEN_INSERTION_REMOVAL - Revoke trust in one mis-issued anssi certificate - Resolves: Bug 1042685 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) [rhel-6.6] - Enable patch with fix for deadlock in trust domain lock and object lock - Resolves: Bug 1036477 - deadlock in trust domain lock and object lock - Disable hw gcm on rhel-5 based build environments where OS lacks support - Rollback changes to build nss without softokn until Bug 689919 is approved - Cipher suite was run as part of the nss-softokn build - Update to NSS_3_15_3_RTM - Resolves: Bug 1032470 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) - Using export NSS_DISABLE_HW_GCM=1 to deal with some problemmatic build systems - Resolves: rhbz#1016044 - nss.s390: primary link for libnssckbi.so must be /usr/lib64/libnssckbi.so - Add s390x and ia64 to the %define multilib_arches list used for defining alt_ckbi - Resolves: rhbz#1016044 - nss.s390: primary link for libnssckbi.so must be /usr/lib64/libnssckbi.so - Add zero default value to DISABLETEST check and fix the TEST_FAILURES check and reporting - Resolves: rhbz#990631 - file permissions of pkcs11.txt/secmod.db must be kept when modified by NSS - Related: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Add a zero default value to the DISABLETEST and TEST_FAILURES checks - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Fix the test for zero failures in the %check section - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Restore a mistakenly removed patch - Resolves: rhbz#961659 - SQL backend does not reload certificates - Rebuild for the pem module to link with freel from nss-softokn-3.14.3-6.el6 - Related: rhbz#993441 - NSS needs to conform to new FIPS standard. - Related: rhbz#1010224 - NSS 3.15 breaks SSL in OpenLDAP clients - Don't require nss-softokn-fips - Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard. - Additional syntax fixes in nss-versus-softoken-test.patch - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Fix all.sh test for which application was last build by updating nss-versus-softoken-test.path - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Disable the cipher suite already run as part of the nss-softokn build - Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard. - Require nss-softokn-fips - Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard. - Require nspr-4.10.0 - Related: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Fix relative path in %check section to prevent undetected test failures - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Rebase to NSS_3.15.1_RTM - Resolves: rhbz#1002645 - Rebase RHEL 6 to NSS 3.15.1 (for FF 24.x) - Update patches on account of the shallow tree with the rebase to 3.15.1 - Update the pem module sources nss-pem-20130405.tar.bz2 with latest patches applied - Remove patches rendered obsolete by the nss rebase and the updated nss-pem sources - Enable the iquote.patch to access newly introduced types - Do not hold issuer certificate handles in the crl cache - Resolves: rhbz#961659 - SQL backend does not reload certificates - Resolves: rhbz#977341 - nss-tools certutil -H does not list all options - Resolves: rhbz#702083 - don't require unique file basenames - Fix race condition in cert code related to smart cards - Resolves: rhbz#903017 - Firefox hang when CAC/PIV smart card certificates are viewed in the certificate manager - Configure libnssckbi.so to use the alternatives system in order to prepare for a drop in replacement. Please ensure that older packages that don't use the alternatives system for libnssckbi.so have a smaller n-v-r. - Syncup with uptream changes for aes gcm and ecc suiteb - Enable ecc support for suite b - Apply several upstream AES GCM fixes - Use the pristine nss upstream sources with ecc included - Export NSS_ENABLE_ECC=1 in both the build and the check sections - Make failed requests for unsupoprted ssl pkcs 11 bypass non fatal - Resolves: rhbz#882408 - NSS_NO_PKCS11_BYPASS must preserve ABI - Related: rhbz#918950 - rebase nss to 3.14.3 nss-softokn - Adjust patch to be compatible with legacy softokn API. - Resolves: Bug 1145431 - (CVE-2014-1568) - Resolves: Bug 1145431 - (CVE-2014-1568) - Skip calls to CHECK_FORK in [C & NSC]_GetFunctionList - Resolves: Bug 1082900 - Admin server segfault when configuration DS configured on SSL port - Add workaround to %check unset DISPLAY section for RHEL-5 based build machines where kernel lacks support for hardware GCM - back out -fips package changes - Enable new packaging but don't apply nss-fips-post.patch - Related: rhbz#1008513 - Unable to login in fips mode - Fix the PR_Access stub to actually access the correct permissions - Resolves: rhbz#1008513 - Unable to login in fips mode - Run the lowhash tests - Require nspr-4.0.0 and nss-util-3.15.1 - create -fips packages - patch submitted by Bob Relyea - fix the script that splits softoken off from nss - patch nss/cmd/lib/basicutil.c to build against nss-util-3.15.1 - Resolves: rhbz#993441 - NSS needs to conform to new FIPS standard. - Resolves: rhbz#976572 - Pick up various upstream GCM code fixes applied since nss-3.14.3 was released - Display cpuifo as part of the tests and make NSS_DISABLE_HW_GCM the environment variable to test for - When appling the patches use a backup file suffix that better describes the patch purpose - Enable ECC support for suite b and add upstream fixes for aec gcm - Use the unstripped upstream sources with ecc support - Limit the ECC support to suite b - Apply several upstream aes gcm fixes - Rename macros EC_MIN_KEY_BITS and EC_MAX_KEY_BITS per upstream - Resolves: rhbz#960208 - Enable ECC in nss-softoken - Related: rhbz#919172 nss-util - Resolves: bug 1145431 - (CVE-2014-1568) - Update to nss-3.16.1 - Resolves: rhbz#1112136 - Update to NSS_3_15_3_RTM - Resolves: rhbz#1032470 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) - Preserve existing permissions when replacing existing pkcs11.txt file, but keep strict default permissions for new files - Resolves: rhbz#990631 - file permissions of pkcs11.txt/secmod.db must be kept when modified by NSS
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 79540
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79540
    title OracleVM 3.3 : nss (OVMSA-2014-0023)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20131205_NSS_AND_NSPR_ON_SL5_X.NASL
    description A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 released via SLSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606) In addition, the nss package has been upgraded to upstream version 3.15.3, and the nspr package has been upgraded to upstream version 4.10.2. These updates provide a number of bug fixes and enhancements over the previous versions. This update also fixes the following bug : - The SLBA-2013:1318 update introduced a regression that prevented the use of certificates that have an MD5 signature. This update fixes this regression and certificates that have an MD5 signature are once again supported. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-12-31
    plugin id 71306
    published 2013-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71306
    title Scientific Linux Security Update : nss and nspr on SL5.x i386/x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-23.NASL
    description CVE-2013-1741 Runaway memset in certificate parsing on 64-bit computers leading to a crash by attempting to write 4Gb of nulls. CVE-2013-5606 Certificate validation with the verifylog mode did not return validation errors, but instead expected applications to determine the status by looking at the log. CVE-2014-1491 Ticket handling protection mechanisms bypass due to the lack of restriction of public values in Diffie-Hellman key exchanges. CVE-2014-1492 Incorrect IDNA domain name matching for wildcard certificates could allow specially crafted invalid certificates to be considered as valid. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-07-06
    plugin id 82171
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82171
    title Debian DLA-23-1 : nss security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1791.NASL
    description Updated nss and nspr packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606) Red Hat would like to thank the Mozilla project for reporting CVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges Tavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as the original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and Wan-Teh Chang as the original reporters of CVE-2013-5607. In addition, the nss package has been upgraded to upstream version 3.15.3, and the nspr package has been upgraded to upstream version 4.10.2. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#1033478, BZ#1020520) This update also fixes the following bug : * The RHBA-2013:1318 update introduced a regression that prevented the use of certificates that have an MD5 signature. This update fixes this regression and certificates that have an MD5 signature are once again supported. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#1033499) Users of NSS and NSPR are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-26
    plugin id 71243
    published 2013-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71243
    title RHEL 5 : nss and nspr (RHSA-2013:1791)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1791.NASL
    description Updated nss and nspr packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606) Red Hat would like to thank the Mozilla project for reporting CVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges Tavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as the original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and Wan-Teh Chang as the original reporters of CVE-2013-5607. In addition, the nss package has been upgraded to upstream version 3.15.3, and the nspr package has been upgraded to upstream version 4.10.2. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#1033478, BZ#1020520) This update also fixes the following bug : * The RHBA-2013:1318 update introduced a regression that prevented the use of certificates that have an MD5 signature. This update fixes this regression and certificates that have an MD5 signature are once again supported. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#1033499) Users of NSS and NSPR are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 71237
    published 2013-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71237
    title CentOS 5 : nspr / nss (CESA-2013:1791)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0065.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Rebase to NSPR 4.11 - Resolves: Bug 1297943 - Rebase RHEL 5.11.z to NSPR 4.11 in preparation for Firefox 45 - Resolves: Bug 1269359 - (CVE-2015-7183) - nspr: heap-buffer overflow in PL_ARENA_ALLOCATE can lead to crash (under ASAN), potential memory corruption [rhel-5.11.z] - Rebase to nspr-4.10.8 - Resolves: Bug 1200921 - Rebase nspr to 4.10.8 for Firefox 38 ESR - Rebase to nspr-4.10.6 - Resolves: Bug 1110857 - Rebase nspr in RHEL 5.11 to NSPR 4.10.6 for FF31 - Retagging - Resolves: rhbz#1032468 - Remove an unused patch - Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11] - Update to nspr-4.10.2 - Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11] - Retagging to fix an inconsitency in the release tags - Resolves: rhbz#1002641 - Rebase RHEL 5 to NSPR 4.10 (for FF 24.x) - Rebase to nspr-4.10.0 - Resolves: rhbz#1002641 - Rebase RHEL 5 to NSPR 4.10 (for FF 24.x) - Resolves: rhbz#737704 - Fix spec file test script typo and enable running the test suites - Resolves: rhbz#919183 - Rebase to nspr-4.9.5 - Resolves: rhbz#883777- [RFE] Rebase nspr to 4.9.2 due to Firefox 17 ESR - Resolves: rhbz#633519 - pthread_key_t leak and memory corruption - Resolves: rhbz#831654 - Fix %post and %postun - Updated License: to MPLv2.0 per upstream - Resolves: rhbz#831654 - Pick up fixes from the rhel-5.8 branch - Regenerated nspr-config-pc.patch passes the the rpmdiff tests - Resolves: rhbz#831654 - restore top section of nspr-config-pc.patch - Needed to prevent multilib regressions - Resolves: rhbz#831654 - revert unwanted changes to nspr.pc - Change@/nspr4 to@ in the patch - Update to NSPR_4_9_1_RTM - Resolves: rhbz#831654 - rebuilt - Resolves: Bug 772945 - [RFE] Async update nspr to make firefox 10 LTS rebase possible - Update to 4.8.9 - Bumping the relase tag so it's higher than the one in 5.7-z - Update to 4.8.8
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 91746
    published 2016-06-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91746
    title OracleVM 3.2 : nspr (OVMSA-2016-0065)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2994.NASL
    description Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library : - CVE-2013-1741 Runaway memset in certificate parsing on 64-bit computers leading to a crash by attempting to write 4Gb of nulls. - CVE-2013-5606 Certificate validation with the verifylog mode did not return validation errors, but instead expected applications to determine the status by looking at the log. - CVE-2014-1491 Ticket handling protection mechanisms bypass due to the lack of restriction of public values in Diffie-Hellman key exchanges. - CVE-2014-1492 Incorrect IDNA domain name matching for wildcard certificates could allow specially crafted invalid certificates to be considered as valid.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 76950
    published 2014-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76950
    title Debian DSA-2994-1 : nss - security update
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201406-19.NASL
    description The remote host is affected by the vulnerability described in GLSA-201406-19 (Mozilla Network Security Service: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in the Mozilla Network Security Service. Please review the CVE identifiers referenced below for more details about the vulnerabilities. Impact : A remote attacker can cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-01-16
    modified 2018-07-13
    plugin id 76178
    published 2014-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76178
    title GLSA-201406-19 : Mozilla Network Security Service: Multiple vulnerabilities
  • NASL family Web Servers
    NASL id GLASSFISH_CPU_JUL_2014.NASL
    description The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities in the following components : - The implementation of Network Security Services (NSS) does not ensure that data structures are initialized, which could result in a denial of service or disclosure of sensitive information. (CVE-2013-1739) - The implementation of Network Security Services (NSS) does not properly handle the TLS False Start feature and could allow man-in-the-middle attacks. (CVE-2013-1740) - Network Security Services (NSS) contains an integer overflow flaw that allows remote attackers to cause a denial of service. (CVE-2013-1741) - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605) - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606) - Oracle Mojarra contains a cross-site scripting vulnerability due to improperly sanitized user-supplied input. This allows an attacker to execute arbitrary script code within the context of the affected site. (CVE-2013-5855) - Network Security Services (NSS) contains a race condition in libssl that occurs during session ticket processing. A remote attacker can exploit this flaw to cause a denial of service. (CVE-2014-1490) - Network Security Services (NSS) does not properly restrict public values in Diffie-Hellman key exchanges, allowing a remote attacker to bypass cryptographic protection mechanisms. (CVE-2014-1491) - An issue exists in the Network Security (NSS) library due to improper handling of IDNA domain prefixes for wildcard certificates. This issue allows man-in- the-middle attacks. (CVE-2014-1492)
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 76591
    published 2014-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76591
    title Oracle GlassFish Server Multiple Vulnerabilities (July 2014 CPU)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1829.NASL
    description Updated nss, nspr, and nss-util packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606) Red Hat would like to thank the Mozilla project for reporting CVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges Tavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as the original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and Wan-Teh Chang as the original reporters of CVE-2013-5607. All NSS, NSPR, and nss-util users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, applications using NSS, NSPR, or nss-util must be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 71380
    published 2013-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71380
    title CentOS 6 : nspr / nss / nss-util (CESA-2013:1829)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_NSS-201311-131121.NASL
    description Mozilla NSPR and NSS were updated to fix various security bugs that could be used to crash the browser or potentially execute code. Mozilla NSPR 4.10.2 has the following bug fixes : - Bug 770534: Possible pointer overflow in PL_ArenaAllocate(). Fixed by Pascal Cuoq and Kamil Dudka. - Bug 888546: ptio.c:PR_ImportUDPSocket doesn't work. Fixed by Miloslav Trmac. - Bug 915522: VS2013 support for NSPR. Fixed by Makoto Kato. - Bug 927687: Avoid unsigned integer wrapping in PL_ArenaAllocate. (CVE-2013-5607) Mozilla NSS 3.15.3 is a patch release for NSS 3.15 and includes the following bug fixes : - Bug 925100: Ensure a size is <= half of the maximum PRUint32 value. (CVE-2013-1741) - Bug 934016: Handle invalid handshake packets. (CVE-2013-5605) - Bug 910438: Return the correct result in CERT_VerifyCert on failure, if a verifyLog isn't used. (CVE-2013-5606)
    last seen 2019-01-16
    modified 2013-12-03
    plugin id 71172
    published 2013-12-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71172
    title SuSE 11.2 / 11.3 Security Update : mozilla-nspr, mozilla-nss (SAT Patch Numbers 8572 / 8573)
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_2501.NASL
    description The installed version of Firefox is a version prior to 25.0.1 and is, therefore, potentially affected by the following vulnerabilities : - An error exists related to handling input greater than half the maximum size of the 'PRUint32' value. (CVE-2013-1741) - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605) - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606) - An integer truncation error exists in the function 'PL_ArenaAllocate' in the Netscape Portable Runtime (NSPR) library. (CVE-2013-5607)
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 70949
    published 2013-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70949
    title Firefox < 25.0.1 NSS and NSPR Multiple Vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1829.NASL
    description From Red Hat Security Advisory 2013:1829 : Updated nss, nspr, and nss-util packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606) Red Hat would like to thank the Mozilla project for reporting CVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges Tavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as the original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and Wan-Teh Chang as the original reporters of CVE-2013-5607. All NSS, NSPR, and nss-util users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, applications using NSS, NSPR, or nss-util must be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 71388
    published 2013-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71388
    title Oracle Linux 6 : nspr / nss / nss-util (ELSA-2013-1829)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2030-1.NASL
    description Multiple security issues were discovered in NSS. If a user were tricked into connecting to a malicious server, an attacker could possibly exploit these to cause a denial of service via application crash, potentially execute arbitrary code, or lead to information disclosure. This update also adds TLS v1.2 support to Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, Ubuntu 12.10, and Ubuntu 13.04. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 70962
    published 2013-11-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70962
    title Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 / 13.10 : nss vulnerabilities (USN-2030-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1791.NASL
    description From Red Hat Security Advisory 2013:1791 : Updated nss and nspr packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606) Red Hat would like to thank the Mozilla project for reporting CVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges Tavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as the original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and Wan-Teh Chang as the original reporters of CVE-2013-5607. In addition, the nss package has been upgraded to upstream version 3.15.3, and the nspr package has been upgraded to upstream version 4.10.2. These updates provide a number of bug fixes and enhancements over the previous versions. (BZ#1033478, BZ#1020520) This update also fixes the following bug : * The RHBA-2013:1318 update introduced a regression that prevented the use of certificates that have an MD5 signature. This update fixes this regression and certificates that have an MD5 signature are once again supported. To prevent the use of certificates that have an MD5 signature, set the 'NSS_HASH_ALG_SUPPORT' environment variable to '-MD5'. (BZ#1033499) Users of NSS and NSPR are advised to upgrade to these updated packages, which fix these issues and add these enhancements. After installing this update, applications using NSS or NSPR must be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 71241
    published 2013-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71241
    title Oracle Linux 5 : nspr / nss (ELSA-2013-1791)
  • NASL family Misc.
    NASL id ORACLE_TRAFFIC_DIRECTOR_JULY_2014_CPU.NASL
    description The remote host is running an unpatched version of Oracle Traffic Director that is affected by the following vulnerabilities : - The implementation of Network Security Services (NSS) does not ensure that data structures are initialized, which could result in a denial of service or disclosure of sensitive information. (CVE-2013-1739) - The implementation of Network Security Services (NSS) does not properly handle the TLS False Start feature and could allow man-in-the-middle attacks. (CVE-2013-1740) - NSS contains an integer overflow flaw that allows remote attackers to cause a denial of service. (CVE-2013-1741) - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605) - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606) - Network Security Services (NSS) contains a race condition in libssl that occurs during session ticket processing. A remote attacker can exploit this flaw to cause a denial of service. (CVE-2014-1490) - Network Security Services (NSS) does not properly restrict public values in Diffie-Hellman key exchanges, allowing a remote attacker to bypass cryptographic protection mechanisms. (CVE-2014-1491) - An issue exists in the Network Security (NSS) library due to improper handling of IDNA domain prefixes for wildcard certificates. This issue could allow man-in- the-middle attacks. (CVE-2014-1492)
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 76938
    published 2014-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76938
    title Oracle Traffic Director Multiple Vulnerabilities (July 2014 CPU)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20131212_NSS__NSPR__AND_NSS_UTIL_ON_SL6_X.NASL
    description A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 released via SLSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606) After installing this update, applications using NSS, NSPR, or nss-util must be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-12-31
    plugin id 71424
    published 2013-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71424
    title Scientific Linux Security Update : nss, nspr, and nss-util on SL6.x i386/x86_64
  • NASL family Web Servers
    NASL id SUN_JAVA_WEB_SERVER_7_0_20.NASL
    description According to its self-reported version, the Oracle iPlanet Web Server (formerly Sun Java System Web Server) running on the remote host is 7.0.x prior to 7.0.20. It is, therefore, affected by the following vulnerabilities in the Network Security Services (NSS) : - The implementation of NSS does not ensure that data structures are initialized, which can result in a denial of service or disclosure of sensitive information. (CVE-2013-1739) - An error exists in the ssl_Do1stHandshake() function in file sslsecur.c due to unencrypted data being returned from PR_Recv when the TLS False Start feature is enabled. A man-in-the-middle attacker can exploit this, by using an arbitrary X.509 certificate, to spoof SSL servers during certain handshake traffic. (CVE-2013-1740) - An integer overflow condition exists related to handling input greater than half the maximum size of the 'PRUint32' value. A remote attacker can exploit this to cause a denial of service or possibly have other impact. (CVE-2013-1741) - An error exists in the Null_Cipher() function in the file ssl3con.c related to handling invalid handshake packets. A remote attacker, using a crafted request, can exploit this to execute arbitrary code. (CVE-2013-5605) - An error exists in the CERT_VerifyCert() function in the file certvfy.c when handling trusted certificates with incompatible key usages. A remote attacker, using a crafted request, can exploit this to have an invalid certificates treated as valid. (CVE-2013-5606) - A race condition exists in libssl that occurs during session ticket processing. A remote attacker can exploit this to cause a denial of service. (CVE-2014-1490) - Network Security Services (NSS) does not properly restrict public values in Diffie-Hellman key exchanges, allowing a remote attacker to bypass cryptographic protection mechanisms. (CVE-2014-1491) - An issue exists in the Network Security (NSS) library due to improper handling of IDNA domain prefixes for wildcard certificates. A man-in-the-middle attacker, using a crafted certificate, can exploit this to spoof an SSL server. (CVE-2014-1492)
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 76593
    published 2014-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76593
    title Oracle iPlanet Web Server 7.0.x < 7.0.20 Multiple Vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-270.NASL
    description Multiple security issues was identified and fixed in mozilla NSPR and NSS : Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure (CVE-2013-1739). Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value (CVE-2013-1741). The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext (CVE-2013-2566). Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets (CVE-2013-5605). The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate (CVE-2013-5606). Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741 (CVE-2013-5607). The NSPR packages has been upgraded to the 4.10.2 version and the NSS packages has been upgraded to the 3.15.3 version which is unaffected by these security flaws. Additionally the rootcerts packages has been upgraded with the latest certdata.txt file as of 2013/11/11 from mozilla.
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 70998
    published 2013-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70998
    title Mandriva Linux Security Advisory : nss (MDVSA-2013:270)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FIREFOX_25_0_1.NASL
    description The installed version of Firefox is a version prior to 25.0.1 and is, therefore, potentially affected by the following vulnerabilities : - An error exists related to handling input greater than half the maximum size of the 'PRUint32' value. (CVE-2013-1741) - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605) - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606) - An integer truncation error exists in the function 'PL_ArenaAllocate' in the Netscape Portable Runtime (NSPR) library. (CVE-2013-5607)
    last seen 2019-01-16
    modified 2018-07-14
    plugin id 70946
    published 2013-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70946
    title Firefox < 25.0.1 NSS and NSPR Multiple Vulnerabilities (Mac OS X)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-22756.NASL
    description This update rebases the nss, nss-util, and nss-softokn packages to nss-3.15.3 and nspr to nspr-4.10.2 in order to address security-relevant bugs have been resolved in NSS 3.15.3. For further details please refer to the upstream release notes at https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes Included are some fixes to the manpages. For best results you should upgrade all packages at once including any devel packages. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-24
    plugin id 71423
    published 2013-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71423
    title Fedora 20 : nspr-4.10.2-1.fc20 / nss-3.15.3-2.fc20 / nss-softokn-3.15.3-1.fc20 / etc (2013-22756)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201504-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201504-01 (Mozilla Products: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Firefox, Thunderbird, and SeaMonkey. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to view a specially crafted web page or email, possibly resulting in execution of arbitrary code or a Denial of Service condition. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, spoof the address bar, conduct clickjacking attacks, bypass security restrictions and protection mechanisms, or have other unspecified impact. Workaround : There are no known workarounds at this time.
    last seen 2019-01-16
    modified 2016-11-11
    plugin id 82632
    published 2015-04-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82632
    title GLSA-201504-01 : Mozilla Products: Multiple vulnerabilities
  • NASL family Windows
    NASL id MOZILLA_FIREFOX_24_1_1_ESR.NASL
    description The installed version of Firefox ESR 24.x is a version prior to 24.1.1, and is, therefore, potentially affected by the following vulnerabilities : - An error exists related to handling input greater than half the maximum size of the 'PRUint32' value. (CVE-2013-1741) - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605) - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606) - An integer truncation error exists in the function 'PL_ArenaAllocate' in the Netscape Portable Runtime (NSPR) library. (CVE-2013-5607)
    last seen 2019-01-16
    modified 2018-07-16
    plugin id 70948
    published 2013-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70948
    title Firefox ESR 24.x < 24.1.1 NSS and NSPR Multiple Vulnerabilities
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-266.NASL
    description A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741 , CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606)
    last seen 2019-01-16
    modified 2018-04-18
    plugin id 71578
    published 2013-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71578
    title Amazon Linux AMI : nspr (ALAS-2013-266)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_FIREFOX_24_1_1_ESR.NASL
    description The installed version of Firefox ESR 24.x is a version prior to 24.1.1 and is, therefore, potentially affected by the following vulnerabilities : - An error exists related to handling input greater than half the maximum size of the 'PRUint32' value. (CVE-2013-1741) - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605) - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606) - An integer truncation error exists in the function 'PL_ArenaAllocate' in the Netscape Portable Runtime (NSPR) library. (CVE-2013-5607)
    last seen 2019-01-16
    modified 2018-07-14
    plugin id 70945
    published 2013-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=70945
    title Firefox ESR 24.x < 24.1.1 NSS and NSPR Multiple Vulnerabilities (Mac OS X)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1829.NASL
    description Updated nss, nspr, and nss-util packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities. A flaw was found in the way NSS handled invalid handshake packets. A remote attacker could use this flaw to cause a TLS/SSL client using NSS to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2013-5605) It was found that the fix for CVE-2013-1620 released via RHSA-2013:1135 introduced a regression causing NSS to read uninitialized data when a decryption failure occurred. A remote attacker could use this flaw to cause a TLS/SSL server using NSS to crash. (CVE-2013-1739) An integer overflow flaw was discovered in both NSS and NSPR's implementation of certification parsing on 64-bit systems. A remote attacker could use these flaws to cause an application using NSS or NSPR to crash. (CVE-2013-1741, CVE-2013-5607) It was discovered that NSS did not reject certificates with incompatible key usage constraints when validating them while the verifyLog feature was enabled. An application using the NSS certificate validation API could accept an invalid certificate. (CVE-2013-5606) Red Hat would like to thank the Mozilla project for reporting CVE-2013-1741, CVE-2013-5606, and CVE-2013-5607. Upstream acknowledges Tavis Ormandy as the original reporter of CVE-2013-1741, Camilo Viecco as the original reporter of CVE-2013-5606, and Pascal Cuoq, Kamil Dudka, and Wan-Teh Chang as the original reporters of CVE-2013-5607. All NSS, NSPR, and nss-util users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, applications using NSS, NSPR, or nss-util must be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-26
    plugin id 71390
    published 2013-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71390
    title RHEL 6 : nss, nspr, and nss-util (RHSA-2013:1829)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_THUNDERBIRD_24_1_1.NASL
    description The installed version of Thunderbird is earlier than 24.1.1 and is, therefore, potentially affected by the following vulnerabilities : - An error exists related to handling input greater than half the maximum size of the 'PRUint32' value. (CVE-2013-1741) - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605) - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606) - An integer truncation error exists in the function 'PL_ArenaAllocate' in the Netscape Portable Runtime (NSPR) library. (CVE-2013-5607)
    last seen 2019-01-16
    modified 2018-07-14
    plugin id 71043
    published 2013-11-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71043
    title Thunderbird < 24.1 NSS and NSPR Multiple Vulnerabilities (Mac OS X)
  • NASL family Windows
    NASL id IPLANET_WEB_PROXY_4_0_24.NASL
    description The remote host has a version of Oracle iPlanet Web Proxy Server (formerly Sun Java System Web Proxy Server) 4.0 prior to 4.0.24. It is, therefore, affected by the following vulnerabilities : - The implementation of Network Security Services (NSS) does not ensure that data structures are initialized, which could result in a denial of service or disclosure of sensitive information. (CVE-2013-1739) - The implementation of Network Security Services (NSS) does not properly handle the TLS False Start feature and could allow man-in-the-middle attacks. (CVE-2013-1740) - An error exists related to handling input greater than half the maximum size of the 'PRUint32' value. (CVE-2013-1741) - An error exists in the 'Null_Cipher' function in the file 'ssl/ssl3con.c' related to handling invalid handshake packets that could allow arbitrary code execution. (CVE-2013-5605) - An error exists in the 'CERT_VerifyCert' function in the file 'lib/certhigh/certvfy.c' that could allow invalid certificates to be treated as valid. (CVE-2013-5606) - Network Security Services (NSS) contains a race condition in libssl that occurs during session ticket processing. A remote attacker can exploit this flaw to cause a denial of service. (CVE-2014-1490) - Network Security Services (NSS) does not properly restrict public values in Diffie-Hellman key exchanges, allowing a remote attacker to bypass cryptographic protection mechanisms. (CVE-2014-1491) - An issue exists in the Network Security (NSS) library due to improper handling of IDNA domain prefixes for wildcard certificates. This issue could allow man-in- the-middle attacks. (CVE-2014-1492)
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 76592
    published 2014-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76592
    title Oracle iPlanet Web Proxy Server 4.0 < 4.0.24 Multiple Vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2031-1.NASL
    description Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted page, an attacker could possibly exploit these to cause a denial of service via application crash, potentially execute arbitrary code, or lead to information disclosure. (CVE-2013-1741, CVE-2013-2566, CVE-2013-5605, CVE-2013-5607). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 71021
    published 2013-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71021
    title Ubuntu 12.04 LTS / 12.10 / 13.04 / 13.10 : firefox vulnerabilities (USN-2031-1)
redhat via4
advisories
  • rhsa
    id RHSA-2013:1791
  • rhsa
    id RHSA-2013:1829
rpms
  • nspr-0:4.10.2-2.el5_10
  • nspr-devel-0:4.10.2-2.el5_10
  • nss-0:3.15.3-3.el5_10
  • nss-devel-0:3.15.3-3.el5_10
  • nss-pkcs11-devel-0:3.15.3-3.el5_10
  • nss-tools-0:3.15.3-3.el5_10
  • nspr-0:4.10.2-1.el6_5
  • nspr-devel-0:4.10.2-1.el6_5
  • nss-util-0:3.15.3-1.el6_5
  • nss-util-devel-0:3.15.3-1.el6_5
  • nss-0:3.15.3-2.el6_5
  • nss-devel-0:3.15.3-2.el6_5
  • nss-pkcs11-devel-0:3.15.3-2.el6_5
  • nss-sysinit-0:3.15.3-2.el6_5
  • nss-tools-0:3.15.3-2.el6_5
refmap via4
apple
  • APPLE-SA-2015-06-30-1
  • APPLE-SA-2015-06-30-2
bid 63736
bugtraq 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
confirm
debian DSA-2994
fulldisc 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
gentoo
  • GLSA-201406-19
  • GLSA-201504-01
suse
  • SUSE-SU-2013:1807
  • openSUSE-SU-2013:1732
ubuntu
  • USN-2030-1
  • USN-2031-1
  • USN-2032-1
Last major update 30-12-2016 - 21:59
Published 18-11-2013 - 00:23
Last modified 09-10-2018 - 15:34
Back to Top