Mandriva Linux Security Advisory : nss (MDVSA-2014:252)

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Updated nss packages fix security vulnerabilities :

In the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of
lengths is too permissive, allowing undetected smuggling of arbitrary
data (CVE-2014-1569).
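
Strict DER length parsing, the property the decoder issue above concerns, shown as an added example (not NSS code and not part of the advisory): DER allows only the definite, shortest-form length encoding, so a decoder should reject every other form. The function name, status codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical status codes for this example. */
enum der_status { DER_OK, DER_TRUNCATED, DER_INDEFINITE, DER_RESERVED,
                  DER_NON_MINIMAL, DER_TOO_LARGE };

/* Parse the length octets at p (the bytes right after the tag).
 * avail counts the length octets plus everything after them.
 * On DER_OK, *len is the content length and *used the length octets read. */
enum der_status der_strict_length(const unsigned char *p, size_t avail,
                                  size_t *len, size_t *used)
{
    if (avail < 1) return DER_TRUNCATED;
    unsigned char first = p[0];
    if (first < 0x80) {                        /* short form: 0..127 */
        *len = first; *used = 1;
    } else {
        if (first == 0x80) return DER_INDEFINITE;  /* BER only, never DER */
        if (first == 0xFF) return DER_RESERVED;
        size_t n = first & 0x7F;               /* count of length octets */
        if (n > sizeof(size_t)) return DER_TOO_LARGE;
        if (avail < 1 + n) return DER_TRUNCATED;
        if (p[1] == 0x00) return DER_NON_MINIMAL;  /* leading zero octet */
        size_t v = 0;
        for (size_t i = 1; i <= n; i++) v = (v << 8) | p[i];
        if (v < 0x80) return DER_NON_MINIMAL;  /* short form was required */
        *len = v; *used = 1 + n;
    }
    if (*len > avail - *used) return DER_TOO_LARGE; /* content past buffer */
    return DER_OK;
}

int main(void)
{
    /* Constructed samples: length octets followed by content bytes. */
    static const unsigned char samples[][5] = {
        {0x03, 'a', 'b', 'c'},        /* minimal short form: accepted */
        {0x81, 0x03, 'a', 'b', 'c'},  /* long form used for 3: rejected */
        {0x80, 'a', 'b', 0x00, 0x00}, /* indefinite form: rejected */
    };
    for (size_t i = 0; i < 3; i++) {
        size_t len = 0, used = 0;
        printf("sample %zu -> status %d\n", i,
               der_strict_length(samples[i], sizeof samples[i], &len, &used));
    }
    return 0;
}
```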

This update adds support for the TLS Fallback Signaling Cipher Suite
Value (TLS_FALLBACK_SCSV) in NSS, which can be used to prevent
protocol downgrade attacks against applications which re-connect using
a lower SSL/TLS protocol version when the initial connection
indicating the highest supported protocol version fails. This can
prevent a forceful downgrade of the communication to SSL 3.0,
mitigating CVE-2014-3566, also known as POODLE. SSL 3.0 support has
also been disabled by default in this Firefox and Thunderbird update,
further mitigating POODLE.

See also :

http://advisories.mageia.org/MGASA-2014-0507.html
http://www.nessus.org/u?6d78ddde

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: Mandriva Local Security Checks

Nessus Plugin ID: 80041

Bugtraq ID:

CVE ID: CVE-2014-1569
