Mandriva Linux Security Advisory : nss (MDVSA-2013:050)
Medium Nessus Plugin ID 66064
SynopsisThe remote Mandriva Linux host is missing one or more security updates.
DescriptionGoogle reported to Mozilla that TURKTRUST, a certificate authority in Mozillas root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates (CVE-2013-0743).
The rootcerts package has been upgraded to address this flaw and the Mozilla NSS package has been rebuilt to pickup the changes.
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169 (CVE-2013-1620).
The NSPR package has been upgraded to the 4.9.5 version due to dependecies of newer NSS.
The NSS package has been upgraded to the 3.14.3 version which is not vulnerable to this issue.
The sqlite3 update addresses a crash when using svn commit after export MALLOC_CHECK_=3.
SolutionUpdate the affected packages.