Mandriva Linux Security Advisory 2014-066 - A vulnerability has been found and corrected in mozilla NSS. In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2. The updated packages have been upgraded to the latest NSPR and NSS versions which is not vulnerable to this issue. Additionally the rootcerts package has also been updated to version 1.97, which adds, removes, and distrusts several certificates.
3744078e3d10024e3dbb4c8a6fcc1632a55fb1a945271f81437b6a35e2bcc023-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:066
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : nss
Date : March 20, 2014
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in mozilla NSS:
In a wildcard certificate, the wildcard character should not be
embedded within the U-label of an internationalized domain name. See
the last bullet point in RFC 6125, Section 7.2 (CVE-2014-1492).
The updated packages have been upgraded to the latest NSPR (4.10.4)
and NSS (3.16) versions which is not vulnerable to this issue.
Additionally the rootcerts package has also been updated to version
1.97, which adds, removes, and distrusts several certificates.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
https://bugzilla.mozilla.org/show_bug.cgi?id=903885
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
8738aaf947b7c6c0fa8287b0f96b8ddc mes5/i586/libnspr4-4.10.4-0.1mdvmes5.2.i586.rpm
1ac8455fe46e3f7bcec09a6f87f1720a mes5/i586/libnspr-devel-4.10.4-0.1mdvmes5.2.i586.rpm
3bc5399622a54a2e5f6803502a82b19f mes5/i586/libnss3-3.16.0-0.1mdvmes5.2.i586.rpm
ea7bfa46a2882105f2cfe0a26e42b1ea mes5/i586/libnss-devel-3.16.0-0.1mdvmes5.2.i586.rpm
9cd3708423846d3f82db60151e14a467 mes5/i586/libnss-static-devel-3.16.0-0.1mdvmes5.2.i586.rpm
2e2a82c9a95b050b7de739a1c1beffc2 mes5/i586/nss-3.16.0-0.1mdvmes5.2.i586.rpm
98b4c278fd3c9d7087297326eff87b6a mes5/i586/nss-doc-3.16.0-0.1mdvmes5.2.i586.rpm
ed3ff055035453d23157578988d3c49e mes5/i586/rootcerts-20140318.00-1mdvmes5.2.i586.rpm
be1ef91bcd1e6d8b351c03b17ece1c39 mes5/i586/rootcerts-java-20140318.00-1mdvmes5.2.i586.rpm
bf65eeba97981710fad16238c21da263 mes5/SRPMS/nspr-4.10.4-0.1mdvmes5.2.src.rpm
4154b4793f9b606d208d92b5907b43f0 mes5/SRPMS/nss-3.16.0-0.1mdvmes5.2.src.rpm
6db90539b764add06aaef701dea833ac mes5/SRPMS/rootcerts-20140318.00-1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
8c3517a3a0ef0116fcf2f61d52c4a525 mes5/x86_64/lib64nspr4-4.10.4-0.1mdvmes5.2.x86_64.rpm
a00da7fecfe9ece4f1bdbd354207e8a5 mes5/x86_64/lib64nspr-devel-4.10.4-0.1mdvmes5.2.x86_64.rpm
d77190996863e11f7e9dc1a922478f5b mes5/x86_64/lib64nss3-3.16.0-0.1mdvmes5.2.x86_64.rpm
f600a5d968cd472173dc296f15b9ee84 mes5/x86_64/lib64nss-devel-3.16.0-0.1mdvmes5.2.x86_64.rpm
0d7bcc34e999d5ec7c9e78a9c2cd01ba mes5/x86_64/lib64nss-static-devel-3.16.0-0.1mdvmes5.2.x86_64.rpm
98b6d5589ec58f9eca1e7f928f52d7dc mes5/x86_64/nss-3.16.0-0.1mdvmes5.2.x86_64.rpm
f99edb8b077c1b0486317f1a73b5fd4a mes5/x86_64/nss-doc-3.16.0-0.1mdvmes5.2.x86_64.rpm
5e3cafa689a4138db3bf4cca24562f28 mes5/x86_64/rootcerts-20140318.00-1mdvmes5.2.x86_64.rpm
8f9f11c3d2049912aec0097e5c33c287 mes5/x86_64/rootcerts-java-20140318.00-1mdvmes5.2.x86_64.rpm
bf65eeba97981710fad16238c21da263 mes5/SRPMS/nspr-4.10.4-0.1mdvmes5.2.src.rpm
4154b4793f9b606d208d92b5907b43f0 mes5/SRPMS/nss-3.16.0-0.1mdvmes5.2.src.rpm
6db90539b764add06aaef701dea833ac mes5/SRPMS/rootcerts-20140318.00-1mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFTKxT3mqjQ0CJFipgRAo4BAKCuBFcWolEbqGdUVwaVYTumVyeYFQCgz86O
uqAZHLu9OH0gxVEblX+eoh0=
=N99Y
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed