OracleVM 3.2 : nss (OVMSA-2016-0066)

High Nessus Plugin ID 91747

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 5.9

Synopsis

The remote OracleVM host is missing a security update.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

- Fix SSL_DH_MIN_P_BITS in more places.

- Keep SSL_DH_MIN_P_BITS at 768 as in the previously released build.

- Run SSL tests

- Add compatility patches to prevent regressions

- Ensure all ssl.sh tests are executed

- Rebase to nss 3.21

- Resolves: Bug 1297944 - Rebase RHEL 5.11.z to NSS 3.21 in preparation for Firefox 45

- Actually apply the fix for CVE-2016-1950 from NSS 3.19.2.3 ...

- Include the fix for CVE-2016-1950 from NSS 3.19.2.3

- Resolves: Bug 1269354 - CVE-2015-7182 (CVE-2015-7181)

- Rebase nss to 3.19.1

- Pick up upstream fix for client auth. regression caused by 3.19.1

- Revert upstream change to minimum key sizes

- Remove patches that rendered obsolote by the rebase

- Update existing patches on account of the rebase

- Pick up upstream patch from nss-3.19.1

- Resolves: Bug 1236954 - CVE-2015-2730 NSS: ECDSA signature validation fails to handle some signatures correctly (MFSA 2015-64)

- Resolves: Bug 1236967 - CVE-2015-2721 NSS: incorrectly permited skipping of ServerKeyExchange (MFSA 2015-71)

- On RHEL 6.x keep the TLS version defaults unchanged.

- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)

- Copy PayPalICA.cert and PayPalRootCA.cert to nss/tests/libpkix/certs

- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

- Update and reeneable nss-646045.patch on account of the rebase

- Enable additional ssl test cycles and document why some aren't enabled

- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

- Fix shell syntax error on nss/tests/all.sh

- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

- Replace expired PayPal test certificate that breaks the build

- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

- Resolves: Bug 1158159 - Upgrade to NSS 3.16.2.3 for Firefox 31.3

- Adjust softokn patch to be compatible with legacy softokn API.

- Resolves: Bug 1145430 - (CVE-2014-1568)

- Add patches published with NSS 3.16.2.1

- Resolves: Bug 1145430 - (CVE-2014-1568)

- Backport nss-3.12.6 upstream fix required by Firefox 31 ESR

- Resolves: Bug 1110860

- Rebase to nss-3.16.1 for FF31

- Resolves: Bug 1110860 - Rebase nss in RHEL 5.11 to NSS 3.16.1, required for FF 31

- Remove unused and obsolete patches

- Related: Bug 1032468

- Improve shell code for error detection on %check section

- Resolves: Bug 1035281 - Suboptimal shell code in nss.spec

- Revoke trust in one mis-issued anssi certificate

- Resolves: Bug 1042684 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)

- Pick up corrections made in the rhel-10.Z branch, remove an unused patch

- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11]

- Remove unused patch and retag for update to nss-3.15.3

- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11]

- Update to nss-3.15.3

- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11]

- Remove unused patches

- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)

- Rebase to nss-3.15.1

- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)

- Resolves: rhbz#1015864 - [Regression] NSS no longer trusts MD5 certificates

- Split %check section tests in two: freebl/softoken and rest of nss tests

- Adjust various patches and spec file steps on account of the rebase

- Add various patches and remove obsoleted ones on account of the rebase

- Renumber patches so freeb/softoken ones match the corresponding ones in rhel-6 nss-softokn

- Make the freebl sources identical to the corresponding ones for rhel-6.5

- Related: rhbz#987131

- Adjust the patches to complete the syncup with upstrean nss

- Use NSS_DISABLE_HW_GCM on the patch as we do on the spec file

- Ensure softoken/freebl code is the same on nss side as on the softoken side

- Related: rhbz#987131

- Add disable_hw_gcm.patch and in the spec file export NSS_DISABLE_HW_GCM=1

- Disable HW GCM on RHEL-5 as the older kernel lacks support for it

- Related: rhbz#987131

- Related: rhbz#987131 - Display cpuifo as part of the tests

- Resolves: rhbz#987131 - Pick up various upstream GCM code fixes applied since nss-3.14.3 was released

- Roll back to 79c87e69caa7454cbcf5f8161a628c538ff3cab3

- Peviously added patch hasn't solved the sporadic core dumps

- Related: rhbz#983766 - nssutil_ReadSecmodDB leaks memory

- Resolves: rhbz#983766 - nssutil_ReadSecmodDB leaks memory

- Add patch to get rid of sporadic blapitest core dumps

- Restore 'export NO_FORK_CHECK=1' required for binary compatibility on RHEL-5

- Remove an unused patch

- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3

- Resolves: rhbz#807419 - nss-tools certutil -H does not list all options

- Apply upstream fixes for ecc enabling and aes gcm

- Rename two macros EC_MIN_KEY_BITS and EC_MAX_KEY_BITS per upstream

- Apply several upstream AES GCM fixes

- Resolves: rhbz#960241 - Enable ECC in nss and freebl

- Resolves: rhbz#918948 - [RFE][RHEL5]

- Enable ECC support limited to suite b

- Export NSS_ENABLE_ECC=1 in the %check section to properly test ecc

- Resolves: rhbz#960241 - Enable ECC in nss and freebl

- Define -DNO_FORK_CHECK when compiling softoken for ABI compatibility

- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

- Remove obsolete nss-nochktest.patch

- Related: rhbz#960241 - Enable ECC in nss and freebl

- Enable ECC by using the unstripped sources

- Resolves: rhbz#960241 - Enable ECC in nss and freebl

- Fix rpmdiff test reported failures and remove other unwanted changes

- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

- Mon Apr 22 2013 Elio Maldonado - 3.14.3-3

- Update to NSS_3_14_3_RTM

- Rework the rebase to preserve needed idiosynchracies

- Ensure we install frebl/softoken from the extra build tree

- Don't include freebl static library or its private headers

- Add patch to deal with system sqlite not being recent enough

- Don't install nss-sysinit nor sharedb

- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

- Mon Apr 01 2013 Elio Maldonado - 3.14.3-2

- Restore the freebl-softoken source tar ball updated to 3.14.3

- Renumbering of some sources for clarity

- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

- Update to NSS_3_14_3_RTM

- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

- Resolves: rhbz#891150 - Dis-trust TURKTRUST mis-issued
*.google.com certificate

- Update to NSS_3_13_6_RTM

- Resolves: rhbz#883788 - [RFE] [RHEL5] Rebase to NSS >= 3.13.6

- Resolves: rhbz#820684

- Fix last entry in attrFlagsArray to be [NAME_SIZE(unextractable), PK11_ATTR_UNEXTRACTABLE]

- Resolves: rhbz#820684

- Enable certutil handle user supplied flags for PKCS #11 attributes.

- This will enable certutil to generate keys in fussy hardware tokens.

- fix an error in the patch meta-information area (no code change)

- Related: rhbz#830304 - Fix ia64 / i386 multilib nss install failure

- Remove no longer needed %pre and %preun scriplets meant for nss updates from RHEL-5.0

- Related: rhbz#830304 - Fix the changes to the %post line

- Having multiple commands requires that /sbin/lconfig be the beginning of the scriptlet

- Resolves: rhbz#830304 - Fix multilib and scriptlet problems

- Fix %post and %postun lines per packaging guildelines

- Add %[?_isa] to tools Requires: per packaging guidelines

- Fix explicit-lib-dependency zlib error reported by rpmlint

- Resolves: rhbz#830304 - Remove unwanted change to nss.pc.in

- Update to NSS_3_13_5_RTM

- Resolves: rhbz#830304 - Update RHEL 5.x to NSS 3.13.5 and NSPR 4.9.1 for Mozilla 10.0.6

- Resolves: rhbz#797939 - Protect NSS_Shutdown from clients that fail to initialize nss

- Resolves: Bug 788039 - retagging to prevent update problems

- Resolves: Bug 788039 - rebase nss to make firefox 10 LTS rebase possible

- Update to 4.8.9

- Resolves: Bug 713373 - File descriptor leak after service httpd reload

- Don't initialize nss if already initialized or if there are no dbs

- Retagging for a Y-stream version higher than the RHEL-5-7-Z branch

- Retagging to keep the n-v-r as high as that for the RHEL-5-7-Z branch

- Update builtins certs to those from NSSCKBI_1_88_RTM

- Plug file descriptor leaks on httpd reloads

- Update builtins certs to those from NSSCKBI_1_87_RTM

- Update builtins certs to those from NSSCKBI_1_86_RTM

- Update builtins certs to NSSCKBI_1_85_RTM

- Update to 3.12.10

- Fix libcrmf hard-coded maximum size for wrapped private keys

- Update builtin certs to NSS_3.12.9_WITH_CKBI_1_82_RTM via a patch

- Update builtin certs to those from NSS_3.12.9_WITH_CKBI_1_82_RTM

- Update to 3.12.8

Solution

Update the affected nss package.

See Also

https://oss.oracle.com/pipermail/oraclevm-errata/2016-June/000488.html

Plugin Details

Severity: High

ID: 91747

File Name: oraclevm_OVMSA-2016-0066.nasl

Version: 2.6

Type: local

Published: 2016/06/22

Updated: 2019/09/27

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 5.9

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:nss, cpe:/o:oracle:vm_server:3.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/06/21

Vulnerability Publication Date: 2013/11/18

Reference Information

CVE: CVE-2013-1741, CVE-2013-5605, CVE-2013-5606, CVE-2014-1568, CVE-2015-2721, CVE-2015-2730, CVE-2015-7181, CVE-2015-7182, CVE-2016-1950

BID: 63736, 63737, 63738, 70116, 72178, 75541