OracleVM 3.3 / 3.4 : nss / nss-util (OVMSA-2017-0065)

This script is Copyright (C) 2017 Tenable Network Security, Inc.

Synopsis :

The remote OracleVM host is missing one or more security updates.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :


- Added nss-vendor.patch to change vendor

- Temporarily disable some tests until expired
PayPalEE.cert is renewed

- Rebase to 3.28.4

- Fix crash with tstclnt -W

- Adjust gtests to run with our old softoken and
downstream patches

- Avoid cipher suite ordering change, spotted by Hubert

- Rebase to 3.28.3

- Remove upstreamed moz-1282627-rh-1294606.patch,
moz-1312141-rh-1387811.patch, moz-1315936.patch, and

- Remove no longer necessary nss-duplicate-ciphers.patch

- Disable X25519 and exclude tests using it

- Catch failed ASN1 decoding of RSA keys, by Kamil Dudka

- Update expired PayPalEE.cert

- Disable unsupported test cases in ssl_gtests

- Adjust the sslstress.txt filename so that it matches
with the disableSSL2tests patch ported from RHEL 7

- Exclude SHA384 and CHACHA20_POLY1305 ciphersuites from
stress tests

- Don't add gtests and ssl_gtests to nss_tests, unless
gtests are enabled

- Add patch to fix SSL CA name leaks, taken from NSS
3.27.2 release

- Add patch to fix bash syntax error in tests/

- Add patch to remove duplicate ciphersuites entries in

- Add patch to abort selfserv/strsclnt/tstclnt on
non-parsable version range

- Build with support for SSLKEYLOGFILE

- Update fix_multiple_open patch to fix regression in
openldap client

- Remove pk11_genobj_leak patch, which caused crash with

- Add comment in the policy file to preserve the last
empty line

- Disable SHA384 ciphersuites when
CKM_TLS12_KEY_AND_MAC_DERIVE is not provided by
softoken this superseds check_hash_impl patch

- Fix problem in check_hash_impl patch

- Add patch to check if hash algorithms are backed by a

- Add patch to disable
have never enabled in the past

- Add upstream patch to fix a crash. Mozilla #1315936

- Disable the use of RSA-PSS with SSL/TLS. #1390161

- Use updated upstream patch for RH bug 1387811

- Added upstream patches to fix RH bugs 1057388, 1294606,

- Enable gtests when requested

- Rebase to NSS 3.27.1

- Remove nss-646045.patch, which is not necessary

- Remove p-disable-md5-590364-reversed.patch, which is
no-op here, because the patched code is removed later in

- Remove disable_hw_gcm.patch, which is no-op here,
because the patched code is removed later in %setup.
Also remove NSS_DISABLE_HW_GCM setting, which was only
required for RHEL 5

- Add Bug-1001841-disable-sslv2-libssl.patch and
Bug-1001841-disable-sslv2-tests.patch, which completedly
disable EXPORT ciphersuites. Ported from RHEL 7

- Remove disable-export-suites-tests.patch, which is
covered by Bug-1001841-disable-sslv2-tests.patch

- Remove nss-ca-2.6-enable-legacy.patch, as we decided to
not allow 1024 legacy CA certificates

- Remove ssl-server-min-key-sizes.patch, as we decided to
support DH key size greater than 1023 bits

- Remove nss-init-ss-sec-certs-null.patch, which appears
to be no-op, as it clears memory area allocated with

- Remove nss-disable-sslv2-libssl.patch,
nss-disable-sslv2-tests.patch, sslauth-no-v2.patch, and
nss-sslstress-txt-ssl3-lower-value-in-range.patch as
SSLv2 is already disabled in upstream

- Remove fix-nss-test-filtering.patch, which is fixed in

- Add nss-check-policy-file.patch from Fedora

- Install policy config in


- Rebase to NSS 3.28.4 to accommodate base64 encoding fix

- Rebase to NSS 3.28.3

- Package new header eccutil.h

- Tolerate policy file without last empty line

- Add missing source files

- Rebase to NSS 3.26.0

- Remove upstreamed patch for (CVE-2016-1950)

- Remove p-disable-md5-590364-reversed.patch for bug

See also :

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
CVSS Temporal Score : 5.0
Public Exploit Available : false

Family: OracleVM Local Security Checks

Nessus Plugin ID: 99568 ()

Bugtraq ID:

CVE ID: CVE-2016-1950

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now