Mandriva Linux Security Advisory : nss (MDVSA-2013:301)

high Nessus Plugin ID 71608

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

A vulnerability has been discovered and corrected in mozilla NSS :

Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozillas root store, was loaded into a man-in-the-middle (MITM) traffic management device. This certificate was issued by Agence nationale de la scurit des systmes d'information (ANSSI), an agency of the French government and a certificate authority in Mozilla's root program. A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control.

The issue was not specific to Firefox but there was evidence that one of the certificates was used for MITM traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking trust in the intermediate used by the sub-CA to issue the certificate for the MITM device.

The NSS packages has been upgraded to the 3.15.3.1 version which is unaffected by this security flaw.

Additionally the rootcerts packages has been upgraded with the latest certdata.txt file as of 2013/12/04 from mozilla.

Solution

Update the affected packages.

See Also

http://www.mozilla.org/security/announce/2013/mfsa2013-117.html

https://hg.mozilla.org/projects/nss/rev/5a7944776645

https://access.redhat.com/errata/RHSA-2013:1861

Plugin Details

Severity: High

ID: 71608

File Name: mandriva_MDVSA-2013-301.nasl

Version: 1.5

Type: local

Published: 12/23/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lib64nss-devel, p-cpe:/a:mandriva:linux:lib64nss-static-devel, p-cpe:/a:mandriva:linux:lib64nss3, p-cpe:/a:mandriva:linux:nss, p-cpe:/a:mandriva:linux:nss-doc, p-cpe:/a:mandriva:linux:rootcerts, p-cpe:/a:mandriva:linux:rootcerts-java, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 12/23/2013

Reference Information

MDVSA: 2013:301