nss-3.16.1-4.AXS4, nss-util-3.16.1-1.AXS4, nspr-4.10.6-1.AXS4

Errata ID: AXSA:2014-467:02

Release date: 
Friday, July 25, 2014 - 18:40
Subject: 
nss-3.16.1-4.AXS4, nss-util-3.16.1-1.AXS4, nspr-4.10.6-1.AXS4
Affected Channels: 
Asianux Server 4 for x86
Asianux Server 4 for x86_64
Severity: 
High
Description: 

nss
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.

nspr
NSPR provides platform independence for non-GUI operating system
facilities. These facilities include threads, thread synchronization,
normal file and network I/O, interval timing and calendar time, basic
memory management (malloc and free) and shared library linking.

nss-util
Utilities for Network Security Services and the Softoken module.

Security issues fixed with this release:

CVE-2013-1740
The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.

CVE-2014-1490
Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.

CVE-2014-1491
Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.

CVE-2014-1492
The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

CVE-2014-1544
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger certain improper removal of an NSSCertificate structure from a trust domain.

CVE-2014-1545
Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via vectors involving the sprintf and console functions.

Enhancement:
The nss and nss-util packages have been upgraded to upstream version 3.16.1,
and the nspr package has been upgraded to upstream version 4.10.6.

Solution: 

Update packages.
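
To confirm the update is in place across hosts, the check below flags any installed nss, nss-util or nspr package older than the builds listed in this advisory. It is an added example, not part of the original advisory or vendor tooling. It assumes input produced by `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n'`, packages without an epoch, and a simplified version comparison with no `~` or `^` handling; the sample input is constructed.

```python
import re

# Fixed builds from this advisory, keyed by binary package name.
FIXED = {}
for names, vr in [
    (("nss", "nss-devel", "nss-sysinit", "nss-tools"), ("3.16.1", "4.AXS4")),
    (("nss-util", "nss-util-devel"), ("3.16.1", "1.AXS4")),
    (("nspr", "nspr-devel"), ("4.10.6", "1.AXS4")),
]:
    FIXED.update(dict.fromkeys(names, vr))

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare digit/alpha segments left to right."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def outdated(query_output):
    """Return [(name, arch, installed version-release)] older than the fixed build."""
    hits = []
    for line in query_output.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] not in FIXED:
            continue                        # malformed line or unrelated package
        name, ver, rel, arch = parts
        fixed_ver, fixed_rel = FIXED[name]
        # Version decides first; release is the tie-breaker.
        if (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) < 0:
            hits.append((name, arch, f"{ver}-{rel}"))
    return hits

# Constructed sample of rpm query output (not taken from a real host).
SAMPLE = """\
nss 3.15.3 6.AXS4 x86_64
nss-util 3.16.1 1.AXS4 x86_64
nspr 4.10.2 1.AXS4 i686
nss-tools 3.16.1 3.AXS4 x86_64
openssl 1.0.1e 16.AXS4 x86_64
"""

if __name__ == "__main__":
    for name, arch, vr in outdated(SAMPLE):
        print(f"{name}.{arch} {vr} is older than the fixed build {'-'.join(FIXED[name])}")
```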

Additional Info: 

N/A

Download: 

SRPMS
  1. nspr-4.10.6-1.AXS4.src.rpm
    MD5: a348c645a37fd3d9efd6d1def77018c1
    SHA-256: 61673c72877e022dfa2567d361d74748fc9207d74098760f392fb9b0bb47137a
    Size: 874.63 kB
  2. nss-util-3.16.1-1.AXS4.src.rpm
    MD5: 3cc4e8fa032b2d431df4a3c8e39db292
    SHA-256: 0051b882b1aa5ed2fef2d56574306a4f7f5440ab50dfc2b42b5e3d7afcd6a611
    Size: 334.18 kB
  3. nss-3.16.1-4.AXS4.src.rpm
    MD5: 0b441539f5b3fe879b8fd96c543fbf1f
    SHA-256: 370428b92a145e04cd113e86a96428858623c66757ebd98bcd6b700a31cf9d28
    Size: 4.89 MB

Asianux Server 4 for x86
  1. nspr-4.10.6-1.AXS4.i686.rpm
    MD5: 78c1e38bf5f3a3b12eeff84b9148754c
    SHA-256: 9fbf1f878467d3e81f17a881e53aef19f2c98b1f4d97871464a1750d7a73e2ca
    Size: 115.09 kB
  2. nspr-devel-4.10.6-1.AXS4.i686.rpm
    MD5: f63ac15c7fb12827d9dd71cf2411fc22
    SHA-256: dff210e902d07f947d06996121b4694b4d115a51d8f97d0d21f20d8f1c6c775d
    Size: 110.44 kB
  3. nss-util-3.16.1-1.AXS4.i686.rpm
    MD5: 7abaefc254ecf5bbf8b3665596180729
    SHA-256: 244c4924db9ea25f7f3ce534580106d3b9bd6d1b35abe1aec5309110e765d25a
    Size: 63.36 kB
  4. nss-util-devel-3.16.1-1.AXS4.i686.rpm
    MD5: f677083a7291aa572d0d47c3615fdcab
    SHA-256: 1470614b2a2d117a45c9a6ade27552f9a2687d921df0f9cabd630bb6f28864b4
    Size: 65.75 kB
  5. nss-3.16.1-4.AXS4.i686.rpm
    MD5: f3b9d5eb6997186467d14d2b27690bec
    SHA-256: 99113bf970913cbe5aca2cd345b48159a903f07b20b55b798305ea96a17863e6
    Size: 835.40 kB
  6. nss-devel-3.16.1-4.AXS4.i686.rpm
    MD5: 504c6a8662f37378ec025088c0f94806
    SHA-256: 5cf54c1cb93ccbad7a071d2c1669e47b738ead784fbdfce58be671bceff2e4b8
    Size: 192.16 kB
  7. nss-sysinit-3.16.1-4.AXS4.i686.rpm
    MD5: 6f195aac8fb77fbe1e428df16ab48d57
    SHA-256: 013b09128e48aa2292d8597d651060c9c7e7d74a39a86a9c89c7ee27a00fcf0b
    Size: 40.32 kB
  8. nss-tools-3.16.1-4.AXS4.i686.rpm
    MD5: e4fd7be2b5238562f3c71853730c9516
    SHA-256: 5d60c2e74811c4820cbf9dd568c2edbbb6201be1a602110e5603aaf4c46ec5ab
    Size: 367.87 kB

Asianux Server 4 for x86_64
  1. nspr-4.10.6-1.AXS4.x86_64.rpm
    MD5: 6d8cca8b6ed328bd744e7dc087947138
    SHA-256: cb1623b42f77a0cc70165967cfa67c9626c0fb8f2b000b6e01f51017f8261159
    Size: 112.33 kB
  2. nspr-devel-4.10.6-1.AXS4.x86_64.rpm
    MD5: c94f55bfdcb7021da38311955a49d578
    SHA-256: 70f1aaca25d0eab60c8b82de189ba7550e9cd0ddc783cf477e69a13e204159fb
    Size: 110.04 kB
  3. nspr-4.10.6-1.AXS4.i686.rpm
    MD5: 78c1e38bf5f3a3b12eeff84b9148754c
    SHA-256: 9fbf1f878467d3e81f17a881e53aef19f2c98b1f4d97871464a1750d7a73e2ca
    Size: 115.09 kB
  4. nspr-devel-4.10.6-1.AXS4.i686.rpm
    MD5: f63ac15c7fb12827d9dd71cf2411fc22
    SHA-256: dff210e902d07f947d06996121b4694b4d115a51d8f97d0d21f20d8f1c6c775d
    Size: 110.44 kB
  5. nss-util-3.16.1-1.AXS4.x86_64.rpm
    MD5: 3e884e5167ae3626d0387d042677c3f8
    SHA-256: 34089585026ae02f07acb8098d3d820b4378f7f7d0d8b77d62aea2e9f85fc675
    Size: 63.33 kB
  6. nss-util-devel-3.16.1-1.AXS4.x86_64.rpm
    MD5: 3a9179b7b8e9603fe83b3a9f83f2b375
    SHA-256: 1e1a1ad385e3e7538ec5d546c5789c427822fa581268a45327f9e9828db92a84
    Size: 65.31 kB
  7. nss-util-3.16.1-1.AXS4.i686.rpm
    MD5: 7abaefc254ecf5bbf8b3665596180729
    SHA-256: 244c4924db9ea25f7f3ce534580106d3b9bd6d1b35abe1aec5309110e765d25a
    Size: 63.36 kB
  8. nss-util-devel-3.16.1-1.AXS4.i686.rpm
    MD5: f677083a7291aa572d0d47c3615fdcab
    SHA-256: 1470614b2a2d117a45c9a6ade27552f9a2687d921df0f9cabd630bb6f28864b4
    Size: 65.75 kB
  9. nss-3.16.1-4.AXS4.x86_64.rpm
    MD5: 0789168b2fd5c6eee2ac1e2bdfed37d3
    SHA-256: 1264478ddf9737fa176c02e08de4f6c81a3f69ba36fde46a65eded37833ca731
    Size: 831.19 kB
  10. nss-devel-3.16.1-4.AXS4.x86_64.rpm
    MD5: f7dc898d0e28cec68e621c49ffcbdf74
    SHA-256: 0dfaadc9cf03c271f17f35758080543ed25d0bf51ac5105b0c61173e2519b9e1
    Size: 190.32 kB
  11. nss-sysinit-3.16.1-4.AXS4.x86_64.rpm
    MD5: dedb19d27a48a073d1a7cebfbd99ca52
    SHA-256: 03a4988341f77e094c1dcfd65add11ec60a80edf473b5ded4de7e638ada29501
    Size: 39.94 kB
  12. nss-tools-3.16.1-4.AXS4.x86_64.rpm
    MD5: 82eb71dd9d078cd141291cb25c96dd08
    SHA-256: 486bf73ed0f5b01e5a242660ab55aa8a6356e151548ce1cb876eac81a81d1ee0
    Size: 359.27 kB
  13. nss-3.16.1-4.AXS4.i686.rpm
    MD5: f3b9d5eb6997186467d14d2b27690bec
    SHA-256: 99113bf970913cbe5aca2cd345b48159a903f07b20b55b798305ea96a17863e6
    Size: 835.40 kB
  14. nss-devel-3.16.1-4.AXS4.i686.rpm
    MD5: 504c6a8662f37378ec025088c0f94806
    SHA-256: 5cf54c1cb93ccbad7a071d2c1669e47b738ead784fbdfce58be671bceff2e4b8
    Size: 192.16 kB