Red Hat: 2012:1090-01: nss and nspr: Moderate Advisory

    Date: 17 Jul 2012
    Category: Red Hat
    Posted By: Joe Shakespeare
    Updated nss and nspr packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5.
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Moderate: nss and nspr security, bug fix, and enhancement update
    Advisory ID:       RHSA-2012:1090-01
    Product:           Red Hat Enterprise Linux
    Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-1090.html
    Issue date:        2012-07-17
    CVE Names:         CVE-2012-0441 
    =====================================================================
    
    1. Summary:
    
    Updated nss and nspr packages that fix two security issues, several bugs,
    and add various enhancements are now available for Red Hat
    Enterprise Linux 5.
    
    The Red Hat Security Response Team has rated this update as having moderate
    security impact. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available from the CVE link in
    the References section.
    
    2. Relevant releases/architectures:
    
    RHEL Desktop Workstation (v. 5 client) - i386, x86_64
    Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
    Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
    
    3. Description:
    
    Network Security Services (NSS) is a set of libraries designed to support
    the cross-platform development of security-enabled client and server
    applications. Netscape Portable Runtime (NSPR) provides platform
    independence for non-GUI operating system facilities.
    
    A flaw was found in the way the ASN.1 (Abstract Syntax Notation One)
    decoder in NSS handled zero length items. This flaw could cause the decoder
    to incorrectly skip or replace certain items with a default value, or could
    cause an application to crash if, for example, it received a
    specially-crafted OCSP (Online Certificate Status Protocol) response.
    (CVE-2012-0441)
    
    It was found that a Certificate Authority (CA) had issued a subordinate CA
    certificate to one of its customers which could be used to issue certificates
    for any name. This update marks that subordinate CA certificate as untrusted.
    (BZ#798533)
    
    Note: The BZ#798533 fix only applies to applications using the NSS Builtin
    Object Token. It does not render the certificates untrusted for
    applications that use the NSS library, but do not use the NSS Builtin
    Object Token.
    
    In addition, the nspr package has been upgraded to upstream version 4.9.1,
    and the nss package has been upgraded to upstream version 3.13.5. These
    updates provide a number of bug fixes and enhancements over the previous
    versions. (BZ#834220, BZ#834219)
    
    All NSS and NSPR users should upgrade to these updated packages, which
    correct these issues and add these enhancements. After installing the
    update, applications using NSS and NSPR must be restarted for the changes
    to take effect.
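    The restart requirement above is easy to miss on a long-running server. As an added example (not part of the Red Hat advisory), the POSIX shell function below lists processes that still have a replaced NSS or NSPR shared object mapped, relying on Linux marking such mappings with "(deleted)" in /proc/<pid>/maps; the optional root argument and the helper names stale_nss_pids and build_sample_proc are assumptions of this example, so it can be exercised against a constructed /proc tree.

```shell
#!/bin/sh
# Added example, not Red Hat's code. After "rpm -U" replaces libnss3.so etc.
# on disk, any process that loaded the OLD copy keeps it mapped and the kernel
# shows the mapping as "<path> (deleted)" in /proc/<pid>/maps. Those processes
# still run the vulnerable code until restarted.

# stale_nss_pids [proc_root]
#   Prints one PID per line for each process mapping a replaced NSS/NSPR
#   library. proc_root defaults to /proc; a constructed tree is used in tests.
stale_nss_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # nss ships libnss3/libnssutil3/libssl3/libsmime3; nspr ships
        # libnspr4/libplc4/libplds4. Only a replaced (deleted) copy counts.
        if grep -Eq 'lib(nss3|nssutil3|ssl3|smime3|nspr4|plc4|plds4)\.so[^ ]* \(deleted\)' "$maps"; then
            pid="${maps%/maps}"
            pid="${pid##*/}"
            echo "$pid"
        fi
    done
}

# build_sample_proc <dir>
#   Constructed sample data: PID 101 still maps the replaced libnss3.so,
#   PID 202 already loaded the updated library. Paths are illustrative.
build_sample_proc() {
    root="$1"
    mkdir -p "$root/101" "$root/202"
    printf '%s\n' \
      '7f0a00000000-7f0a00100000 r-xp 00000000 fd:00 1234 /usr/lib64/libnss3.so (deleted)' \
      '7f0a00200000-7f0a00300000 r-xp 00000000 fd:00 1235 /usr/lib64/libc-2.5.so' \
      > "$root/101/maps"
    printf '%s\n' \
      '7f0b00000000-7f0b00100000 r-xp 00000000 fd:00 1300 /usr/lib64/libnss3.so' \
      > "$root/202/maps"
}
```

On a live system run `stale_nss_pids` with no argument (as root, so every process's maps file is readable) and restart the services it lists; an empty result means the update has fully taken effect.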
    
    4. Solution:
    
    Before applying this update, make sure all previously-released errata
    relevant to your system have been applied.
    
    This update is available via the Red Hat Network. Details on how to
    use the Red Hat Network to apply this update are available at
    https://access.redhat.com/knowledge/articles/11258
    
    5. Bugs fixed (http://bugzilla.redhat.com/):
    
    798533 - nss: Distrust MITM subCAs issued by TrustWave
    827833 - CVE-2012-0441 nss: NSS parsing errors with zero length items
    834219 - Update RHEL 5.x to NSS 3.13.5 and NSPR 4.9.1 for Mozilla 10.0.6
    834220 - Update RHEL 5.x to NSPR 4.9.1 for Mozilla 10.0.6
    
    6. Package List:
    
    Red Hat Enterprise Linux Desktop (v. 5 client):
    
    Source:
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nspr-4.9.1-4.el5_8.src.rpm
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.13.5-4.el5_8.src.rpm
    
    i386:
    nspr-4.9.1-4.el5_8.i386.rpm
    nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
    nss-3.13.5-4.el5_8.i386.rpm
    nss-debuginfo-3.13.5-4.el5_8.i386.rpm
    nss-tools-3.13.5-4.el5_8.i386.rpm
    
    x86_64:
    nspr-4.9.1-4.el5_8.i386.rpm
    nspr-4.9.1-4.el5_8.x86_64.rpm
    nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
    nspr-debuginfo-4.9.1-4.el5_8.x86_64.rpm
    nss-3.13.5-4.el5_8.i386.rpm
    nss-3.13.5-4.el5_8.x86_64.rpm
    nss-debuginfo-3.13.5-4.el5_8.i386.rpm
    nss-debuginfo-3.13.5-4.el5_8.x86_64.rpm
    nss-tools-3.13.5-4.el5_8.x86_64.rpm
    
    RHEL Desktop Workstation (v. 5 client):
    
    Source:
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nspr-4.9.1-4.el5_8.src.rpm
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nss-3.13.5-4.el5_8.src.rpm
    
    i386:
    nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
    nspr-devel-4.9.1-4.el5_8.i386.rpm
    nss-debuginfo-3.13.5-4.el5_8.i386.rpm
    nss-devel-3.13.5-4.el5_8.i386.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.i386.rpm
    
    x86_64:
    nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
    nspr-debuginfo-4.9.1-4.el5_8.x86_64.rpm
    nspr-devel-4.9.1-4.el5_8.i386.rpm
    nspr-devel-4.9.1-4.el5_8.x86_64.rpm
    nss-debuginfo-3.13.5-4.el5_8.i386.rpm
    nss-debuginfo-3.13.5-4.el5_8.x86_64.rpm
    nss-devel-3.13.5-4.el5_8.i386.rpm
    nss-devel-3.13.5-4.el5_8.x86_64.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.i386.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.x86_64.rpm
    
    Red Hat Enterprise Linux (v. 5 server):
    
    Source:
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nspr-4.9.1-4.el5_8.src.rpm
    ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nss-3.13.5-4.el5_8.src.rpm
    
    i386:
    nspr-4.9.1-4.el5_8.i386.rpm
    nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
    nspr-devel-4.9.1-4.el5_8.i386.rpm
    nss-3.13.5-4.el5_8.i386.rpm
    nss-debuginfo-3.13.5-4.el5_8.i386.rpm
    nss-devel-3.13.5-4.el5_8.i386.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.i386.rpm
    nss-tools-3.13.5-4.el5_8.i386.rpm
    
    ia64:
    nspr-4.9.1-4.el5_8.i386.rpm
    nspr-4.9.1-4.el5_8.ia64.rpm
    nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
    nspr-debuginfo-4.9.1-4.el5_8.ia64.rpm
    nspr-devel-4.9.1-4.el5_8.ia64.rpm
    nss-3.13.5-4.el5_8.i386.rpm
    nss-3.13.5-4.el5_8.ia64.rpm
    nss-debuginfo-3.13.5-4.el5_8.i386.rpm
    nss-debuginfo-3.13.5-4.el5_8.ia64.rpm
    nss-devel-3.13.5-4.el5_8.ia64.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.ia64.rpm
    nss-tools-3.13.5-4.el5_8.ia64.rpm
    
    ppc:
    nspr-4.9.1-4.el5_8.ppc.rpm
    nspr-4.9.1-4.el5_8.ppc64.rpm
    nspr-debuginfo-4.9.1-4.el5_8.ppc.rpm
    nspr-debuginfo-4.9.1-4.el5_8.ppc64.rpm
    nspr-devel-4.9.1-4.el5_8.ppc.rpm
    nspr-devel-4.9.1-4.el5_8.ppc64.rpm
    nss-3.13.5-4.el5_8.ppc.rpm
    nss-3.13.5-4.el5_8.ppc64.rpm
    nss-debuginfo-3.13.5-4.el5_8.ppc.rpm
    nss-debuginfo-3.13.5-4.el5_8.ppc64.rpm
    nss-devel-3.13.5-4.el5_8.ppc.rpm
    nss-devel-3.13.5-4.el5_8.ppc64.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.ppc.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.ppc64.rpm
    nss-tools-3.13.5-4.el5_8.ppc.rpm
    
    s390x:
    nspr-4.9.1-4.el5_8.s390.rpm
    nspr-4.9.1-4.el5_8.s390x.rpm
    nspr-debuginfo-4.9.1-4.el5_8.s390.rpm
    nspr-debuginfo-4.9.1-4.el5_8.s390x.rpm
    nspr-devel-4.9.1-4.el5_8.s390.rpm
    nspr-devel-4.9.1-4.el5_8.s390x.rpm
    nss-3.13.5-4.el5_8.s390.rpm
    nss-3.13.5-4.el5_8.s390x.rpm
    nss-debuginfo-3.13.5-4.el5_8.s390.rpm
    nss-debuginfo-3.13.5-4.el5_8.s390x.rpm
    nss-devel-3.13.5-4.el5_8.s390.rpm
    nss-devel-3.13.5-4.el5_8.s390x.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.s390.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.s390x.rpm
    nss-tools-3.13.5-4.el5_8.s390x.rpm
    
    x86_64:
    nspr-4.9.1-4.el5_8.i386.rpm
    nspr-4.9.1-4.el5_8.x86_64.rpm
    nspr-debuginfo-4.9.1-4.el5_8.i386.rpm
    nspr-debuginfo-4.9.1-4.el5_8.x86_64.rpm
    nspr-devel-4.9.1-4.el5_8.i386.rpm
    nspr-devel-4.9.1-4.el5_8.x86_64.rpm
    nss-3.13.5-4.el5_8.i386.rpm
    nss-3.13.5-4.el5_8.x86_64.rpm
    nss-debuginfo-3.13.5-4.el5_8.i386.rpm
    nss-debuginfo-3.13.5-4.el5_8.x86_64.rpm
    nss-devel-3.13.5-4.el5_8.i386.rpm
    nss-devel-3.13.5-4.el5_8.x86_64.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.i386.rpm
    nss-pkcs11-devel-3.13.5-4.el5_8.x86_64.rpm
    nss-tools-3.13.5-4.el5_8.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/#package
    
    7. References:
    
    https://www.redhat.com/security/data/cve/CVE-2012-0441.html
    https://access.redhat.com/security/updates/classification/#moderate
    http://www.mozilla.org/security/announce/2012/mfsa2012-39.html
    
    8. Contact:
    
    The Red Hat security contact is .  More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2012 Red Hat, Inc.
    