Mandriva Linux Security Advisory : nss (MDVSA-2013:050)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Google reported to Mozilla that TURKTRUST, a certificate authority in
Mozilla's root program, had mis-issued two intermediate certificates to
customers. The issue was not specific to Firefox, but there was
evidence that one of the certificates was used for man-in-the-middle
(MITM) traffic management of domain names that the customer did not
legitimately own or control. This issue was resolved by revoking the
trust for these specific mis-issued certificates (CVE-2013-0743).

The rootcerts package has been upgraded to address this flaw and the
Mozilla NSS package has been rebuilt to pickup the changes.

The TLS implementation in Mozilla Network Security Services (NSS) does
not properly consider timing side-channel attacks on a noncompliant
MAC check operation during the processing of malformed CBC padding,
which allows remote attackers to conduct distinguishing attacks and
plaintext-recovery attacks via statistical analysis of timing data for
crafted packets, a related issue to CVE-2013-0169 (CVE-2013-1620).

The NSPR package has been upgraded to the 4.9.5 version due to
dependencies of the newer NSS.

The NSS package has been upgraded to the 3.14.3 version which is not
vulnerable to this issue.
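As an added illustration of the local check this advisory implies (example code, not the Nessus plugin's own), the following Python flags installed nss and nspr packages whose version is below the fixed versions named above. The package names, the rpm query format and the sample output are assumptions; the real plugin compares full epoch-version-release strings for each Mandriva release.

```python
import re

# Fixed upstream versions named in MDVSA-2013:050. Package names and the
# absence of release strings are simplifying assumptions for this example.
FIXED_VERSIONS = {"nss": "3.14.3", "nspr": "4.9.5"}

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION}\n' nss nspr` output.
SAMPLE_RPM_OUTPUT = """\
nss 3.13.5
nspr 4.9.5
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Compare two RPM version strings the way rpmvercmp() does (simplified):
    split into numeric and alphabetic segments, compare numeric segments as
    integers and alphabetic ones lexically, rank a numeric segment above an
    alphabetic one, and let the string with segments left over win.
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def find_outdated(rpm_output, fixed=FIXED_VERSIONS):
    """Return {package: installed_version} for packages older than the fix."""
    outdated = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip "package ... is not installed" and blank lines
        name, version = parts
        if name in fixed and rpmvercmp(version, fixed[name]) < 0:
            outdated[name] = version
    return outdated


if __name__ == "__main__":
    for name, ver in find_outdated(SAMPLE_RPM_OUTPUT).items():
        print(f"{name} {ver} is older than the fixed {FIXED_VERSIONS[name]}")
```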

The sqlite3 update addresses a crash when using svn commit after
export MALLOC_CHECK_=3.

See also :

http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0234

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Mandriva Local Security Checks

Nessus Plugin ID: 66064

Bugtraq ID: 57258, 57777

CVE ID: CVE-2013-1620
