Oracle Linux 7 : mod_nss (ELSA-2016-2602)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Oracle Linux host is missing a security update.

Description :

From Red Hat Security Advisory 2016:2602 :

An update for mod_nss is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Low. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

The mod_nss module provides strong cryptography for the Apache HTTP
Server via the Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols, using the Network Security Services (NSS) security
library.

The following packages have been upgraded to a newer upstream version:
mod_nss (1.0.14). (BZ#1299063)

Security Fix(es) :

* A flaw was found in the way mod_nss parsed certain OpenSSL-style
cipher strings. As a result, mod_nss could potentially use ciphers
that were not intended to be enabled. (CVE-2016-3099)

This issue was discovered by Rob Crittenden (Red Hat).

Additional Changes :

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

See also :

https://oss.oracle.com/pipermail/el-errata/2016-November/006490.html

Solution :

Update the affected mod_nss package.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Oracle Linux Local Security Checks

Nessus Plugin ID: 94721 ()

Bugtraq ID:

CVE ID: CVE-2016-3099

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now