Amazon Linux AMI : nss Multiple Vulnerabilities (ALAS-2012-102)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Amazon Linux AMI host is missing a security update.

Description :

It was found that a Certificate Authority (CA) issued a subordinate CA
certificate to its customer that could be used to issue certificates
for any name. This update renders the subordinate CA certificate
untrusted. (BZ#798533)

Note: This fix only applies to applications using the NSS Builtin
Object Token. It does not render the certificates untrusted for
applications that use the NSS library, but do not use the NSS Builtin
Object Token.

The nspr package has been upgraded to upstream version 4.9, which
provides a number of bug fixes and enhancements over the previous
version. (BZ#799193)

The nss-util package has been upgraded to upstream version 3.13.3,
which provides a number of bug fixes and enhancements over the
previous version. (BZ#799192)

The nss package has been upgraded to upstream version 3.13.3, which
provides numerous bug fixes and enhancements over the previous
version. In particular, SSL 2.0 is now disabled by default, support
for SHA-224 has been added, PORT_ErrorToString and PORT_ErrorToName
now return the error message and symbolic name of an NSS error code,
and NSS_GetVersion now returns the NSS version string. (BZ#744070)

See also :

https://bugzilla.redhat.com/show_bug.cgi?id=744070
https://bugzilla.redhat.com/show_bug.cgi?id=798533
https://bugzilla.redhat.com/show_bug.cgi?id=799192
https://bugzilla.redhat.com/show_bug.cgi?id=799193
http://www.nessus.org/u?5086c7ce

Solution :

Run 'yum update nss' to update your system.

Risk factor :

High

Family: Amazon Linux Local Security Checks

Nessus Plugin ID: 69592

Bugtraq ID:

CVE ID: