SuSE 11.2 / 11.3 Security Update : Mozilla NSS (SAT Patch Numbers 8484 / 8485)

Medium Nessus Plugin ID 70938


The remote SuSE 11 host is missing one or more security updates.


Mozilla NSS has been updated to 3.15.2 (bnc#847708) bringing various features and bugfixes :

The main feature is TLS 1.2 support and its dependent algorithms.

- Support for AES-GCM ciphersuites that use the SHA-256 PRF

- MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs

- Add PK11_CipherFinal macro

- sizeof() used incorrectly

- nssutil_ReadSecmodDB() leaks memory

- Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished.

- Deprecate the SSL cipher policy code

- Avoid uninitialized data read in the event of a decryption failure. (CVE-2013-1739) Changes coming with version 3.15.1 :

- TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported.

- some bugfixes and improvements Changes with version 3.15

- New Functionality

- Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);

- Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.

- Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.

- certutil has been updated to support creating name constraints extensions.


Apply SAT patch number 8484 / 8485 as appropriate.

See Also

Plugin Details

Severity: Medium

ID: 70938

File Name: suse_11_mozilla-nss-201310-131030.nasl

Version: $Revision: 1.1 $

Type: local

Agent: unix

Published: 2013/11/17

Modified: 2013/11/18

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:11:libfreebl3, p-cpe:/a:novell:suse_linux:11:libfreebl3-32bit, p-cpe:/a:novell:suse_linux:11:libsoftokn3, p-cpe:/a:novell:suse_linux:11:libsoftokn3-32bit, p-cpe:/a:novell:suse_linux:11:mozilla-nspr, p-cpe:/a:novell:suse_linux:11:mozilla-nspr-32bit, p-cpe:/a:novell:suse_linux:11:mozilla-nss, p-cpe:/a:novell:suse_linux:11:mozilla-nss-32bit, p-cpe:/a:novell:suse_linux:11:mozilla-nss-tools, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2013/10/30

Reference Information

CVE: CVE-2013-1739