[Full-disclosure] [ MDVSA-2009:197 ] nss




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:197
http://www.mandriva.com/security/
_______________________________________________________________________

Package : nss
Date : August 7, 2009
Affected: 2008.1
_______________________________________________________________________

Problem Description:

Security issues in nss prior to 3.12.3 could lead to a
man-in-the-middle attack via a spoofed X.509 certificate
(CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also
cause a denial-of-service and possible code execution via a long
domain name in X.509 certificate (CVE-2009-2404).

This update provides the latest versions of NSS and NSPR libraries
which are not vulnerable to those attacks.

Update:

This update also provides fixed packages for Mandriva Linux 2008.1
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.1:
9228daed5355d9175cbd25faf90a1323 2008.1/i586/libnspr4-4.7.5-0.1mdv2008.1.i586.rpm
58c5ec5d221d0013254d144272162ece 2008.1/i586/libnspr-devel-4.7.5-0.1mdv2008.1.i586.rpm
910b4ddc4285154103c7fd251feac41e 2008.1/i586/libnss3-3.12.3.1-0.1mdv2008.1.i586.rpm
1ef05d27d0d04facfcbf1f13cc84c166 2008.1/i586/libnss-devel-3.12.3.1-0.1mdv2008.1.i586.rpm
1add6ba2355ec0a0571407571f02226e 2008.1/i586/libnss-static-devel-3.12.3.1-0.1mdv2008.1.i586.rpm
18de04c0e62a1e09800b25f045de726e 2008.1/i586/nss-3.12.3.1-0.1mdv2008.1.i586.rpm
daa825f74749ae4e255e7783eb590b90 2008.1/SRPMS/nspr-4.7.5-0.1mdv2008.1.src.rpm
0d17f86fabf84c9ae04f7e520bc0a679 2008.1/SRPMS/nss-3.12.3.1-0.1mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
58d390af357253669d802b948adcd728 2008.1/x86_64/lib64nspr4-4.7.5-0.1mdv2008.1.x86_64.rpm
81b4060266dc9451903c1ba359b49ebe 2008.1/x86_64/lib64nspr-devel-4.7.5-0.1mdv2008.1.x86_64.rpm
ddb36ba3de5f39010481bc71c8c6b6f1 2008.1/x86_64/lib64nss3-3.12.3.1-0.1mdv2008.1.x86_64.rpm
404e5c1d07c1838c7cfcc03d4ca0d94a 2008.1/x86_64/lib64nss-devel-3.12.3.1-0.1mdv2008.1.x86_64.rpm
ad4bd40e77dd746fe9cddfb4c34d2f62 2008.1/x86_64/lib64nss-static-devel-3.12.3.1-0.1mdv2008.1.x86_64.rpm
cbad5d086771ecd927edd51eda1fd36c 2008.1/x86_64/nss-3.12.3.1-0.1mdv2008.1.x86_64.rpm
daa825f74749ae4e255e7783eb590b90 2008.1/SRPMS/nspr-4.7.5-0.1mdv2008.1.src.rpm
0d17f86fabf84c9ae04f7e520bc0a679 2008.1/SRPMS/nss-3.12.3.1-0.1mdv2008.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKnUuBmqjQ0CJFipgRAo4ZAJ9NgZWnA+od3Avaz/JL0AUPsLuifwCg4Ko7
xlh7P0f6Beuzo4/4fxPw+EU=
=I1n/
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • [Full-disclosure] [ MDVSA-2011:079 ] firefox
    ... Chris Evans of the Chrome Security Team reported that the XSLT ... Packages for 2009.0 are provided as of the Extended Maintenance ... Mandriva Linux 2009.0/X86_64: ... If you want to report vulnerabilities, ...
    (Full-Disclosure)
  • [ MDVSA-2011:079 ] firefox
    ... Chris Evans of the Chrome Security Team reported that the XSLT ... Packages for 2009.0 are provided as of the Extended Maintenance ... Mandriva Linux 2009.0/X86_64: ... If you want to report vulnerabilities, ...
    (Bugtraq)
  • [Full-disclosure] [ MDVSA-2009:197-2 ] nss
    ... Package: nss ... This update also provides fixed packages for Mandriva Linux 2008.1 ... All packages are signed by Mandriva for security. ...
    (Full-Disclosure)
  • [ MDVSA-2009:197-2 ] nss
    ... Package: nss ... This update also provides fixed packages for Mandriva Linux 2008.1 ... All packages are signed by Mandriva for security. ...
    (Bugtraq)
  • [ MDVSA-2009:197 ] nss
    ... Package: nss ... This update also provides fixed packages for Mandriva Linux 2008.1 ... All packages are signed by Mandriva for security. ...
    (Bugtraq)