BugTraq
[ MDVSA-2014:189 ] nss Sep 25 2014 08:43AM
security mandriva com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:189
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : nss
Date : September 25, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in Mozilla NSS:

Antoine Delignat-Lavaud, security researcher at Inria Paris in
team Prosecco, reported an issue in Network Security Services (NSS)
libraries affecting all versions. He discovered that NSS is vulnerable
to a variant of a signature forgery attack previously published
by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1
values involved in a signature and could lead to the forging of RSA
certificates (CVE-2014-1568).

The updated NSPR packages have been upgraded to the latest 4.10.7
version.

The updated NSS packages have been upgraded to the latest 3.17.1
version which is not vulnerable to this issue.

Additionally the rootcerts package has also been updated to the latest
version as of 2014-08-05.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568
https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
d532128922a8701f24f1d1a22b8e544c mbs1/x86_64/lib64nspr4-4.10.7-1.mbs1.x86_64.rpm
86c469bff7f47669ecfbe711fced774c mbs1/x86_64/lib64nspr-devel-4.10.7-1.mbs1.x86_64.rpm
a5384df3378e1d282d24520fe9234804 mbs1/x86_64/lib64nss3-3.17.1-1.mbs1.x86_64.rpm
63722882484c4e4a4b438ddb33911fe8 mbs1/x86_64/lib64nss-devel-3.17.1-1.mbs1.x86_64.rpm
5a9c51abf5c3650926e4cdb8997ec2b1 mbs1/x86_64/lib64nss-static-devel-3.17.1-1.mbs1.x86_64.rpm
8b639de0098277bc211ed8b9f83c9516 mbs1/x86_64/nss-3.17.1-1.mbs1.x86_64.rpm
edd4b951a0f68c4264137489f0dada31 mbs1/x86_64/nss-doc-3.17.1-1.mbs1.noarch.rpm
32f6ffafd4984d00b01b43e9b38fe344 mbs1/x86_64/rootcerts-20140805.00-1.mbs1.x86_64.rpm
fa908930395265a0dbad1029252679ef mbs1/x86_64/rootcerts-java-20140805.00-1.mbs1.x86_64.rpm
fb338172cf421a95728ec28412d2fed1 mbs1/SRPMS/nspr-4.10.7-1.mbs1.src.rpm
3c721493672c05aa7960aca11e3b1533 mbs1/SRPMS/nss-3.17.1-1.mbs1.src.rpm
8b79fa2baeaac0b531d7cb01c5a419b4 mbs1/SRPMS/rootcerts-20140805.00-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFUI8eWmqjQ0CJFipgRAsdxAJ4r/Y2zGrBkhKZhJ03LZA0ftgiU3QCgu8eh
cZVDnrGL7yJkMqWtAZmkh7A=
=5QVQ
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus