Mandriva Linux Security Advisory 2013-301 - Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozillas root store, was loaded into a man-in-the-middle traffic management device. This certificate was issued by Agence nationale de la scurit des systmes d'information , an agency of the French government and a certificate authority in Mozilla's root program. A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control. The issue was not specific to Firefox but there was evidence that one of the certificates was used for MITM traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking trust in the intermediate used by the sub-CA to issue the certificate for the MITM device. The NSS packages has been upgraded to the 3.15.3.1 version which is unaffected by this security flaw. Additionally the rootcerts packages has been upgraded with the latest certdata.txt file as of 2013/12/04 from mozilla.
5106dc3e07257f23956e443371826dd7fbe4e2c96c03e8fb81aad03e51d513ae
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:301
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : nss
Date : December 23, 2013
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been discovered and corrected in mozilla NSS:
Google notified Mozilla that an intermediate certificate, which
chains up to a root included in Mozillas root store, was loaded into
a man-in-the-middle (MITM) traffic management device. This certificate
was issued by Agence nationale de la scurit des systmes d'information
(ANSSI), an agency of the French government and a certificate authority
in Mozilla's root program. A subordinate certificate authority of
ANSSI mis-issued an intermediate certificate that they installed on a
network monitoring device, which enabled the device to act as a MITM
proxy performing traffic management of domain names or IP addresses
that the certificate holder did not own or control.
The issue was not specific to Firefox but there was evidence that one
of the certificates was used for MITM traffic management of domain
names that the customer did not legitimately own or control. This
issue was resolved by revoking trust in the intermediate used by the
sub-CA to issue the certificate for the MITM device.
The NSS packages has been upgraded to the 3.15.3.1 version which is
unaffected by this security flaw.
Additionally the rootcerts packages has been upgraded with the latest
certdata.txt file as of 2013/12/04 from mozilla.
_______________________________________________________________________
References:
http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
https://hg.mozilla.org/projects/nss/rev/5a7944776645
https://rhn.redhat.com/errata/RHSA-2013-1861.html
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
f64b57e8e1489aca8e36940926d01be2 mes5/i586/libnss3-3.15.3.1-0.1mdvmes5.2.i586.rpm
8ad27ca61cb54273b86a7dcb6080dfd6 mes5/i586/libnss-devel-3.15.3.1-0.1mdvmes5.2.i586.rpm
6f58ffd2e2331a898935f25413bfe916 mes5/i586/libnss-static-devel-3.15.3.1-0.1mdvmes5.2.i586.rpm
3a241e12285e4c8355805d51581d16e1 mes5/i586/nss-3.15.3.1-0.1mdvmes5.2.i586.rpm
8ac2221850ef5f20cde3a2b893c7d415 mes5/i586/nss-doc-3.15.3.1-0.1mdvmes5.2.i586.rpm
919316850cd1791b3af8058e9a3f1013 mes5/i586/rootcerts-20131204.00-1mdvmes5.2.i586.rpm
ce7c9326b10d3d61bf9a10629efe781b mes5/i586/rootcerts-java-20131204.00-1mdvmes5.2.i586.rpm
49d603f56a6376a7f54360c5022ea2d4 mes5/SRPMS/nss-3.15.3.1-0.1mdvmes5.2.src.rpm
77d42ea8c90d1f81b55a88ee502fdf79 mes5/SRPMS/rootcerts-20131204.00-1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
91860057c57d803d570159296548e11f mes5/x86_64/lib64nss3-3.15.3.1-0.1mdvmes5.2.x86_64.rpm
e524aa9f172641dbd1fde18f01665787 mes5/x86_64/lib64nss-devel-3.15.3.1-0.1mdvmes5.2.x86_64.rpm
5dacbc6bdc381431a1a015264bdd6961 mes5/x86_64/lib64nss-static-devel-3.15.3.1-0.1mdvmes5.2.x86_64.rpm
6a412c4b8ad4966b3f6b35981a0ac4e4 mes5/x86_64/nss-3.15.3.1-0.1mdvmes5.2.x86_64.rpm
75e04656ba7919620090aeafd2ad3104 mes5/x86_64/nss-doc-3.15.3.1-0.1mdvmes5.2.x86_64.rpm
d8abc1f91538731821b85aad818d4f8e mes5/x86_64/rootcerts-20131204.00-1mdvmes5.2.x86_64.rpm
d96e3bb5260bb16a53cb980991b82b5e mes5/x86_64/rootcerts-java-20131204.00-1mdvmes5.2.x86_64.rpm
49d603f56a6376a7f54360c5022ea2d4 mes5/SRPMS/nss-3.15.3.1-0.1mdvmes5.2.src.rpm
77d42ea8c90d1f81b55a88ee502fdf79 mes5/SRPMS/rootcerts-20131204.00-1mdvmes5.2.src.rpm
Mandriva Business Server 1/X86_64:
19f335950595f14418deef279a372e25 mbs1/x86_64/lib64nss3-3.15.3.1-1.1.mbs1.x86_64.rpm
3b2d0fa0cbba2c17887b89810f448624 mbs1/x86_64/lib64nss-devel-3.15.3.1-1.1.mbs1.x86_64.rpm
ba6ed68908e1e6229aef25e9a3c90369 mbs1/x86_64/lib64nss-static-devel-3.15.3.1-1.1.mbs1.x86_64.rpm
b4fa8082d49bbaa0473e17f1015e3c3b mbs1/x86_64/nss-3.15.3.1-1.1.mbs1.x86_64.rpm
49161488853273bce95258f88317a82a mbs1/x86_64/nss-doc-3.15.3.1-1.1.mbs1.noarch.rpm
64752a3a71fc8eea81c00234618f98a2 mbs1/x86_64/rootcerts-20131204.00-1.mbs1.x86_64.rpm
421f2f7141eee8d0756ea53fa08f152a mbs1/x86_64/rootcerts-java-20131204.00-1.mbs1.x86_64.rpm
19f967fe9bd21cd801198fc81a483f0a mbs1/SRPMS/nss-3.15.3.1-1.1.mbs1.src.rpm
d43de2a119c08f9e9fbb14890e538de9 mbs1/SRPMS/rootcerts-20131204.00-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFSuAUxmqjQ0CJFipgRAu9+AKC70LvwPTGcphkLK47ty/sw3J0IyACg1wuf
Jk04DS4rCNIzrgSEeBCf8Uc=
=vX/r
-----END PGP SIGNATURE-----