Gentoo: GLSA-201701-46: Mozilla Network Security Service (NSS): Multiple vulnerabilities
Summary
Multiple vulnerabilities have been discovered in NSS. Please review the CVE identifiers and technical papers referenced below for details.
Resolution
All NSS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nss-3.28"
References
[ 1 ] CVE-2015-2721 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2721 [ 2 ] CVE-2015-4000 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4000 [ 3 ] CVE-2015-7575 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7575 [ 4 ] CVE-2016-1938 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1938 [ 5 ] CVE-2016-5285 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5285 [ 6 ] CVE-2016-8635 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8635 [ 7 ] CVE-2016-9074 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9074 [ 8 ] SLOTH Attack Technical Paper https://www.mitls.org/pages/attacks/SLOTH
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201701-46
Concerns
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
![Dist Gentoo](/images/distros/dist-gentoo.png)
Synopsis
Multiple vulnerabilities have been found in NSS, the worst of which could allow remote attackers to obtain access to private key information.
Background
The Mozilla Network Security Service (NSS) is a library implementing security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME and X.509 certificates.
Affected Packages
------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/nss < 3.28 >= 3.28
Impact
===== Remote attackers could conduct man-in-the-middle attacks, obtain access to private key information, or cause a Denial of Service condition.
Workaround
There is no known workaround at this time.