Mandriva Linux Security Advisory : nss (MDVSA-2013:050)

medium Nessus Plugin ID 66064

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Google reported to Mozilla that TURKTRUST, a certificate authority in Mozillas root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates (CVE-2013-0743).

The rootcerts package has been upgraded to address this flaw and the Mozilla NSS package has been rebuilt to pickup the changes.

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169 (CVE-2013-1620).

The NSPR package has been upgraded to the 4.9.5 version due to dependecies of newer NSS.

The NSS package has been upgraded to the 3.14.3 version which is not vulnerable to this issue.

The sqlite3 update addresses a crash when using svn commit after export MALLOC_CHECK_=3.

Solution

Update the affected packages.

See Also

http://www.mozilla.org/security/announce/2013/mfsa2013-20.html

https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0234

Plugin Details

Severity: Medium

ID: 66064

File Name: mandriva_MDVSA-2013-050.nasl

Version: 1.9

Type: local

Published: 4/20/2013

Updated: 1/6/2021

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lemon, p-cpe:/a:mandriva:linux:lib64nspr-devel, p-cpe:/a:mandriva:linux:lib64nspr4, p-cpe:/a:mandriva:linux:lib64nss-devel, p-cpe:/a:mandriva:linux:lib64nss-static-devel, p-cpe:/a:mandriva:linux:lib64nss3, p-cpe:/a:mandriva:linux:lib64sqlite3-devel, p-cpe:/a:mandriva:linux:lib64sqlite3-static-devel, p-cpe:/a:mandriva:linux:lib64sqlite3_0, p-cpe:/a:mandriva:linux:nss, p-cpe:/a:mandriva:linux:nss-doc, p-cpe:/a:mandriva:linux:rootcerts, p-cpe:/a:mandriva:linux:rootcerts-java, p-cpe:/a:mandriva:linux:sqlite3-tcl, p-cpe:/a:mandriva:linux:sqlite3-tools, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/5/2013

Reference Information

CVE: CVE-2013-1620

BID: 57258, 57777

MDVSA: 2013:050