nss-3.28.4-4.AXS4

エラータID: AXSA:2017-2306:02

Release date: 
Monday, October 9, 2017 - 23:13
Subject: 
nss-3.28.4-4.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
High
Description: 

Network Security Services (NSS) is a set of libraries designed to support the
cross-platform development of security-enabled client and server applications.

Security Fix(es):

* A use-after-free flaw was found in the TLS 1.2 implementation in the NSS library when client authentication was used. A malicious client could use this flaw to cause an application compiled against NSS to crash or, potentially, execute arbitrary code with the permission of the user running the application. (CVE-2017-7805)

Asianux would like to thank the Mozilla project for reporting this issue.
Upstream acknowledges Martin Thomson as the original reporter.

CVE-2017-7805
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update packages.

CVEs: 
CVE-2017-7805
During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4.
Additional Info: 

N/A

Download: 

SRPMS
  1. nss-3.28.4-4.AXS4.src.rpm
    MD5: ddc3f75e41976298c1bf8aeab01563c6
    SHA-256: 3360be35f2fc8400139e153c7024413724586f45a27e53378e602cf0670988b7
    Size: 7.26 MB

Asianux Server 4 for x86
  1. nss-3.28.4-4.AXS4.i686.rpm
    MD5: 439235858c9d5a677b39300ea50ce35d
    SHA-256: ef5034ec701dbcd78d707aa70e2595415628fb541a18be6abd9ba9822827aa82
    Size: 881.58 kB
  2. nss-devel-3.28.4-4.AXS4.i686.rpm
    MD5: 4b97d51843541819a0f6f1fabcde2d31
    SHA-256: d08dac8d4c80db420073756085f356fddfc58a7b9304ab1145719ff7359c0df3
    Size: 212.72 kB
  3. nss-sysinit-3.28.4-4.AXS4.i686.rpm
    MD5: 9b907689adce342ae7cb31ffd809f8bd
    SHA-256: a73470c0ff682eea3213044b622c02228622290a34240c84a26694df971c40e9
    Size: 50.75 kB
  4. nss-tools-3.28.4-4.AXS4.i686.rpm
    MD5: bdb53be595ac70c1bae522d1d6db7512
    SHA-256: 0c12ce9aa1dfbe75d58872153cedf97b071ffa9cb733fe68a36a565e40dadf0a
    Size: 453.23 kB

Asianux Server 4 for x86_64
  1. nss-3.28.4-4.AXS4.x86_64.rpm
    MD5: 19e742bbfd6518a3f86b43b1e53f62d8
    SHA-256: 63103908785e4659988b9c3a2a5f3d03d57f953701115b1a558ebaa24af35622
    Size: 878.19 kB
  2. nss-devel-3.28.4-4.AXS4.x86_64.rpm
    MD5: 697671e06af4b512b11868f7101836f1
    SHA-256: 7174e421ef79451f799616d42213dc0cb34a847c6b3ba15cb7f2c83d9df6703d
    Size: 210.84 kB
  3. nss-sysinit-3.28.4-4.AXS4.x86_64.rpm
    MD5: 012e410b27ddb144156c3d46c6133463
    SHA-256: 9eb0db3ccb7548409b989728a73dac96e2dcc49e58bf6ebeb3b64ee3011fb0c5
    Size: 50.36 kB
  4. nss-tools-3.28.4-4.AXS4.x86_64.rpm
    MD5: 4c6b0cacfb2ab344df9f48b5b5e7acee
    SHA-256: 810d03978c873237885699bb8341093d83c2bcef0b9706c644824abdf31fba1a
    Size: 445.72 kB
  5. nss-3.28.4-4.AXS4.i686.rpm
    MD5: 439235858c9d5a677b39300ea50ce35d
    SHA-256: ef5034ec701dbcd78d707aa70e2595415628fb541a18be6abd9ba9822827aa82
    Size: 881.58 kB
  6. nss-devel-3.28.4-4.AXS4.i686.rpm
    MD5: 4b97d51843541819a0f6f1fabcde2d31
    SHA-256: d08dac8d4c80db420073756085f356fddfc58a7b9304ab1145719ff7359c0df3
    Size: 212.72 kB