Mandriva Linux Security Advisory : nss (MDVSA-2014:252)

High Nessus Plugin ID 80041


The remote Mandriva Linux host is missing one or more security updates.


Updated nss packages fix security vulnerabilities :

In the QuickDER decoder in NSS before 3.17.3, ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data (CVE-2014-1569).

This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV) in NSS, which can be used to prevent protocol downgrade attacks against applications which re-connect using a lower SSL/TLS protocol version when the initial connection indicating the highest supported protocol version fails. This can prevent a forceful downgrade of the communication to SSL 3.0, mitigating CVE-2014-3566, also known as POODLE. SSL 3.0 support has also been disabled by default in this Firefox and Thunderbird update, further mitigating POODLE.


Update the affected packages.

See Also

Plugin Details

Severity: High

ID: 80041

File Name: mandriva_MDVSA-2014-252.nasl

Version: $Revision: 1.5 $

Type: local

Published: 2014/12/16

Modified: 2015/02/28

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:lib64nss-devel, p-cpe:/a:mandriva:linux:lib64nss-static-devel, p-cpe:/a:mandriva:linux:lib64nss3, p-cpe:/a:mandriva:linux:nss, p-cpe:/a:mandriva:linux:nss-doc, p-cpe:/a:mandriva:linux:rootcerts, p-cpe:/a:mandriva:linux:rootcerts-java, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Patch Publication Date: 2014/12/15

Reference Information

CVE: CVE-2014-1569

MDVSA: 2014:252