
[RHSA-2012:1090-01] Moderate: nss and nspr security, bug fix, and enhancement update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: nss and nspr security, bug fix, and enhancement update
Advisory ID: RHSA-2012:1090-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1090.html
Issue date: 2012-07-17
CVE Names: CVE-2012-0441
=====================================================================

1. Summary:

Updated nss and nspr packages that fix two security issues, several bugs,
and add various enhancements are now available for Red Hat
Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Netscape Portable Runtime (NSPR) provides platform
independence for non-GUI operating system facilities.

A flaw was found in the way the ASN.1 (Abstract Syntax Notation One)
decoder in NSS handled zero length items. This flaw could cause the decoder
to incorrectly skip or replace certain items with a default value, or could
cause an application to crash if, for example, it received a
specially-crafted OCSP (Online Certificate Status Protocol) response.
(CVE-2012-0441)
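
The paragraph above describes the failure mode in general terms. As an added illustration written for this page (it is not NSS code and does not reproduce the NSS decoder), the following Python decodes DER tag-length-value items and shows the behaviour a correct decoder needs: an item whose length octet is 0x00 comes back as a present item with an empty value rather than being skipped or replaced, and the encodings DER forbids (indefinite length, non-minimal lengths, values longer than the buffer) are refused instead of being guessed at. The byte strings are constructed, the decoder handles single-octet tags only, and the `Item`, `decode_one` and `child_summary` names are the example's own.

```python
"""Minimal DER TLV decoder that keeps zero-length items explicit.

Added example; not NSS code. A zero-length item is *present with an empty
value* and is returned as such. Indefinite and non-minimal lengths and
truncated values are rejected. Single-octet tags only. Samples are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


class DERError(ValueError):
    """Raised for any encoding DER does not permit or the buffer cannot hold."""


@dataclass(frozen=True)
class Item:
    tag: int           # identifier octet: class, constructed bit, tag number
    value: bytes       # raw contents octets; b"" for a zero-length item
    constructed: bool  # True for SEQUENCE/SET-style containers

    @property
    def children(self) -> List["Item"]:
        """Decode the contents octets of a constructed item."""
        if not self.constructed:
            raise DERError("primitive item has no children")
        return decode_all(self.value)


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position after the length octets)."""
    if pos >= len(buf):
        raise DERError("truncated: missing length octet")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                 # short form; 0x00 is a legal zero length
        return first, pos
    if first == 0x80:
        raise DERError("indefinite length is not permitted in DER")
    n = first & 0x7F
    if n > 4 or pos + n > len(buf):
        raise DERError("truncated or oversized long-form length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if buf[pos] == 0 or length < 0x80:
        raise DERError("non-minimal long-form length")
    return length, pos + n


def decode_one(buf: bytes, pos: int = 0) -> Tuple[Item, int]:
    """Decode one TLV starting at pos; return it and the offset after it."""
    if pos >= len(buf):
        raise DERError("truncated: missing tag octet")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise DERError("multi-octet tags not supported in this example")
    length, pos = _read_length(buf, pos + 1)
    end = pos + length
    if end > len(buf):
        raise DERError("truncated: value shorter than declared length")
    # A zero-length item still produces an Item; its value is simply b"".
    return Item(tag, bytes(buf[pos:end]), bool(tag & 0x20)), end


def decode_all(buf: bytes) -> List[Item]:
    """Decode consecutive TLVs that must exactly fill buf."""
    items, pos = [], 0
    while pos < len(buf):
        item, pos = decode_one(buf, pos)
        items.append(item)
    return items


def child_summary(buf: bytes) -> List[Tuple[int, int]]:
    """(tag, value length) of each child of a top-level SEQUENCE."""
    top, end = decode_one(buf)
    if end != len(buf):
        raise DERError("trailing octets after the top-level item")
    if top.tag != 0x30:
        raise DERError("expected a SEQUENCE")
    return [(c.tag, len(c.value)) for c in top.children]


def rejects(buf: bytes) -> bool:
    """True when the decoder refuses buf outright."""
    try:
        child_summary(buf)
    except DERError:
        return True
    return False


# Constructed samples.
# SEQUENCE { OCTET STRING "", INTEGER 5 }: the empty string is present.
WITH_EMPTY_ITEM = bytes.fromhex("30 05 04 00 02 01 05")
# SEQUENCE { INTEGER 5 }: the OCTET STRING is absent, a different structure.
WITHOUT_ITEM = bytes.fromhex("30 03 02 01 05")
# Encodings DER forbids or the buffer cannot satisfy.
INDEFINITE = bytes.fromhex("30 80 04 00 00 00")
TRUNCATED = bytes.fromhex("30 05 04 00 02 01")
NON_MINIMAL = bytes.fromhex("30 81 05 04 00 02 01 05")

if __name__ == "__main__":
    print(child_summary(WITH_EMPTY_ITEM))   # [(4, 0), (2, 1)]
    print(child_summary(WITHOUT_ITEM))      # [(2, 1)]
    print([rejects(b) for b in (INDEFINITE, TRUNCATED, NON_MINIMAL)])
```

The two SEQUENCE samples differ only in whether the OCTET STRING is present with zero length or absent altogether; a decoder that collapses the first case into the second, or into a default, changes the meaning of the message, which is the class of misinterpretation the advisory describes.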

 

It was found that a Certificate Authority (CA) issued a subordinate CA
certificate to its customer that could be used to issue certificates for
any name. This update renders the subordinate CA certificate as untrusted.
(BZ#798533)

Note: The BZ#798533 fix only applies to applications using the NSS Builtin
Object Token. It does not render the certificates untrusted for
applications that use the NSS library, but do not use the NSS Builtin
Object Token.

In addition, the nspr package has been upgraded to upstream version 4.9.1,
and the nss package has been upgraded to upstream version 3.13.5. These
updates provide a number of bug fixes and enhancements over the previous
versions. (BZ#834220, BZ#834219)

All NSS and NSPR users should upgrade to these updated packages, which
correct these issues and add these enhancements. After installing the
update, applications using NSS and NSPR must be restarted for the changes
to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

5. Bugs fixed (http://bugzilla.redhat.com/):

798533 - nss: Distrust MITM subCAs issued by TrustWave
827833 - CVE-2012-0441 nss: NSS parsing errors with zero length items
834219 - Update RHEL 5.x to NSS 3.13.5 and NSPR 4.9.1 for Mozilla 10.0.6
834220 - Update RHEL 5.x to NSPR 4.9.1 for Mozilla 10.0.6

6. Package List:

Red Hat Enterprise Linux Desktop (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nspr-4.9.1-4.el5_8.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.13.5-4.el5_8.src.rpm

i386:
nspr-4.9.1-4.el5_8.i386.rpm
nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
nss-3.13.5-4.el5_8.i386.rpm
nss-debuginfo-3.13.5-4.el5_8.i386.rpm
nss-tools-3.13.5-4.el5_8.i386.rpm

x86_64:
nspr-4.9.1-4.el5_8.i386.rpm
nspr-4.9.1-4.el5_8.x86_64.rpm
nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
nspr-debuginfo-4.9.1-4.el5_8.x86_64.rpm
nss-3.13.5-4.el5_8.i386.rpm
nss-3.13.5-4.el5_8.x86_64.rpm
nss-debuginfo-3.13.5-4.el5_8.i386.rpm
nss-debuginfo-3.13.5-4.el5_8.x86_64.rpm
nss-tools-3.13.5-4.el5_8.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nspr-4.9.1-4.el5_8.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.13.5-4.el5_8.src.rpm

i386:
nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
nspr-devel-4.9.1-4.el5_8.i386.rpm
nss-debuginfo-3.13.5-4.el5_8.i386.rpm
nss-devel-3.13.5-4.el5_8.i386.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.i386.rpm

x86_64:
nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
nspr-debuginfo-4.9.1-4.el5_8.x86_64.rpm
nspr-devel-4.9.1-4.el5_8.i386.rpm
nspr-devel-4.9.1-4.el5_8.x86_64.rpm
nss-debuginfo-3.13.5-4.el5_8.i386.rpm
nss-debuginfo-3.13.5-4.el5_8.x86_64.rpm
nss-devel-3.13.5-4.el5_8.i386.rpm
nss-devel-3.13.5-4.el5_8.x86_64.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.i386.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nspr-4.9.1-4.el5_8.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nss-3.13.5-4.el5_8.src.rpm

i386:
nspr-4.9.1-4.el5_8.i386.rpm
nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
nspr-devel-4.9.1-4.el5_8.i386.rpm
nss-3.13.5-4.el5_8.i386.rpm
nss-debuginfo-3.13.5-4.el5_8.i386.rpm
nss-devel-3.13.5-4.el5_8.i386.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.i386.rpm
nss-tools-3.13.5-4.el5_8.i386.rpm

ia64:
nspr-4.9.1-4.el5_8.i386.rpm
nspr-4.9.1-4.el5_8.ia64.rpm
nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
nspr-debuginfo-4.9.1-4.el5_8.ia64.rpm
nspr-devel-4.9.1-4.el5_8.ia64.rpm
nss-3.13.5-4.el5_8.i386.rpm
nss-3.13.5-4.el5_8.ia64.rpm
nss-debuginfo-3.13.5-4.el5_8.i386.rpm
nss-debuginfo-3.13.5-4.el5_8.ia64.rpm
nss-devel-3.13.5-4.el5_8.ia64.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.ia64.rpm
nss-tools-3.13.5-4.el5_8.ia64.rpm

ppc:
nspr-4.9.1-4.el5_8.ppc.rpm
nspr-4.9.1-4.el5_8.ppc64.rpm
nspr-debuginfo-4.9.1-4.el5_8.ppc.rpm
nspr-debuginfo-4.9.1-4.el5_8.ppc64.rpm
nspr-devel-4.9.1-4.el5_8.ppc.rpm
nspr-devel-4.9.1-4.el5_8.ppc64.rpm
nss-3.13.5-4.el5_8.ppc.rpm
nss-3.13.5-4.el5_8.ppc64.rpm
nss-debuginfo-3.13.5-4.el5_8.ppc.rpm
nss-debuginfo-3.13.5-4.el5_8.ppc64.rpm
nss-devel-3.13.5-4.el5_8.ppc.rpm
nss-devel-3.13.5-4.el5_8.ppc64.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.ppc.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.ppc64.rpm
nss-tools-3.13.5-4.el5_8.ppc.rpm

s390x:
nspr-4.9.1-4.el5_8.s390.rpm
nspr-4.9.1-4.el5_8.s390x.rpm
nspr-debuginfo-4.9.1-4.el5_8.s390.rpm
nspr-debuginfo-4.9.1-4.el5_8.s390x.rpm
nspr-devel-4.9.1-4.el5_8.s390.rpm
nspr-devel-4.9.1-4.el5_8.s390x.rpm
nss-3.13.5-4.el5_8.s390.rpm
nss-3.13.5-4.el5_8.s390x.rpm
nss-debuginfo-3.13.5-4.el5_8.s390.rpm
nss-debuginfo-3.13.5-4.el5_8.s390x.rpm
nss-devel-3.13.5-4.el5_8.s390.rpm
nss-devel-3.13.5-4.el5_8.s390x.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.s390.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.s390x.rpm
nss-tools-3.13.5-4.el5_8.s390x.rpm

x86_64:
nspr-4.9.1-4.el5_8.i386.rpm
nspr-4.9.1-4.el5_8.x86_64.rpm
nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
nspr-debuginfo-4.9.1-4.el5_8.x86_64.rpm
nspr-devel-4.9.1-4.el5_8.i386.rpm
nspr-devel-4.9.1-4.el5_8.x86_64.rpm
nss-3.13.5-4.el5_8.i386.rpm
nss-3.13.5-4.el5_8.x86_64.rpm
nss-debuginfo-3.13.5-4.el5_8.i386.rpm
nss-debuginfo-3.13.5-4.el5_8.x86_64.rpm
nss-devel-3.13.5-4.el5_8.i386.rpm
nss-devel-3.13.5-4.el5_8.x86_64.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.i386.rpm
nss-pkcs11-devel-3.13.5-4.el5_8.x86_64.rpm
nss-tools-3.13.5-4.el5_8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
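
The package list above gives the fixed version-release for each nss and nspr build. As an added example that is not part of the advisory, the following Python takes plain `rpm -qa` output and reports the nss and nspr packages still older than those builds, using a simplified re-implementation of rpm's version comparison (tilde and caret rules omitted; epoch ignored because these packages carry none). The `rpmvercmp`, `split_nvra` and `outdated` names are the example's own, and the sample `rpm -qa` lines are constructed, with the older builds invented for illustration rather than taken from the advisory.

```python
"""Flag nss/nspr builds in rpm -qa output that are older than RHSA-2012:1090.

Added example, not part of the advisory. Simplified rpmvercmp: numeric and
alphabetic segments, no tilde/caret handling, epoch ignored (the advisory
packages carry none). Sample rpm -qa lines below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Fixed version-release pairs from the advisory's package list (section 6).
# Sub-packages (nss-tools, nss-devel, nspr-devel, ...) share the base version.
FIXED: Dict[str, Tuple[str, str]] = {
    "nspr": ("4.9.1", "4.el5_8"),
    "nss": ("3.13.5", "4.el5_8"),
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 in the manner of rpm's rpmvercmp (simplified).

    Strings split into numeric and alphabetic segments; '.', '_' and '-'
    only delimit. Numeric segments compare as integers (10 > 9), alphabetic
    ones as strings, and a numeric segment outranks an alphabetic one in
    the same slot. With all shared segments equal, more segments wins.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def split_nvra(nvra: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch' as printed by plain `rpm -qa`."""
    name, version, rel_arch = nvra.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch


def base_package(name: str) -> str:
    """Map nss-tools, nspr-devel, ... onto the base package that sets the version."""
    for base in FIXED:
        if name == base or name.startswith(base + "-"):
            return base
    return ""


def is_outdated(nvra: str) -> bool:
    """True when the installed build is older than the advisory's fixed build."""
    name, version, release, _arch = split_nvra(nvra)
    base = base_package(name)
    if not base:
        return False  # not an nss/nspr package; this advisory does not apply
    fixed_version, fixed_release = FIXED[base]
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)
    return c < 0


def outdated(rpm_qa_lines: List[str]) -> List[str]:
    """Return the NVRAs from rpm -qa output that still need this update."""
    return [line.strip() for line in rpm_qa_lines
            if line.strip() and is_outdated(line.strip())]


# Constructed sample of `rpm -qa` output; the older builds are invented
# for illustration and are not taken from the advisory.
SAMPLE_RPM_QA = """\
nss-3.13.3-6.el5_8.x86_64
nss-3.13.5-4.el5_8.i386
nspr-4.8.9-1.el5_8.x86_64
nss-tools-3.13.5-4.el5_8.x86_64
nspr-devel-4.9.1-4.el5_8.i386
openssl-0.9.8e-22.el5_8.x86_64
"""

if __name__ == "__main__":
    for nvra in outdated(SAMPLE_RPM_QA.splitlines()):
        print("needs RHSA-2012:1090:", nvra)
```

On a real host the input would be `rpm -qa | grep -E '^(nss|nspr)'`; the check compares version before release, so a rebuilt `3.13.5-3.el5_8` is still reported while `3.13.5-4.el5_8` and anything newer is not.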

 

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0441.html
https://access.redhat.com/security/updates/classification/#moderate
http://www.mozilla.org/security/announce/2012/mfsa2012-39.html

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFQBb2+XlSAg2UNWIIRArMpAKCHV+TfJIxf7TYgLr1viJSliSSWnACfa/VG
D1Wh3QuCxPuTLT5G0vAH09k=
=tklt
-----END PGP SIGNATURE-----