Mandriva Linux Security Advisory : nss (MDVSA-2013:301)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

A vulnerability has been discovered and corrected in mozilla NSS :

Google notified Mozilla that an intermediate certificate, which chains
up to a root included in Mozillas root store, was loaded into a
man-in-the-middle (MITM) traffic management device. This certificate
was issued by Agence nationale de la scurit des systmes d'information
(ANSSI), an agency of the French government and a certificate
authority in Mozilla's root program. A subordinate certificate
authority of ANSSI mis-issued an intermediate certificate that they
installed on a network monitoring device, which enabled the device to
act as a MITM proxy performing traffic management of domain names or
IP addresses that the certificate holder did not own or control.

The issue was not specific to Firefox but there was evidence that one
of the certificates was used for MITM traffic management of domain
names that the customer did not legitimately own or control. This
issue was resolved by revoking trust in the intermediate used by the
sub-CA to issue the certificate for the MITM device.

The NSS packages has been upgraded to the 3.15.3.1 version which is
unaffected by this security flaw.

Additionally the rootcerts packages has been upgraded with the latest
certdata.txt file as of 2013/12/04 from mozilla.

See also :

http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
https://hg.mozilla.org/projects/nss/rev/5a7944776645
https://rhn.redhat.com/errata/RHSA-2013-1861.html

Solution :

Update the affected packages.

Risk factor :

High

Family: Mandriva Local Security Checks

Nessus Plugin ID: 71608 ()

Bugtraq ID:

CVE ID:

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now