Debian DSA-3336-1 : nss - security update

medium Nessus Plugin ID 85466

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library. The Common Vulnerabilities and Exposures project identifies the following problems :

- CVE-2015-2721 Karthikeyan Bhargavan discovered that NSS incorrectly handles state transitions for the TLS state machine. A man-in-the-middle attacker could exploit this flaw to skip the ServerKeyExchange message and remove the forward-secrecy property.

- CVE-2015-2730 Watson Ladd discovered that NSS does not properly perform Elliptical Curve Cryptography (ECC) multiplication, allowing a remote attacker to potentially spoof ECDSA signatures.

Solution

Upgrade the nss packages.

For the oldstable distribution (wheezy), these problems have been fixed in version 2:3.14.5-1+deb7u5.

For the stable distribution (jessie), these problems have been fixed in version 2:3.17.2-1.1+deb8u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2015-2721

https://security-tracker.debian.org/tracker/CVE-2015-2730

https://packages.debian.org/source/wheezy/nss

https://packages.debian.org/source/jessie/nss

https://www.debian.org/security/2015/dsa-3336

Plugin Details

Severity: Medium

ID: 85466

File Name: debian_DSA-3336.nasl

Version: 2.5

Type: local

Agent: unix

Published: 8/18/2015

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:nss, cpe:/o:debian:debian_linux:7.0, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 8/17/2015

Reference Information

CVE: CVE-2015-2721, CVE-2015-2730

DSA: 3336