-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:069 http://www.mandriva.com/security/ _______________________________________________________________________ Package : nss Date : April 6, 2010 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in nss: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a plaintext injection attack, aka the Project Mogul issue (CVE-2009-3555). Additionally the NSPR package has been upgraded to 4.8.4 that brings numerous upstream fixes. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides the latest versions of NSS and NSPR libraries and for which NSS is not vulnerable to this attack. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 http://www.mozilla.org/security/announce/2010/mfsa2010-22.html _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: 5808950f475b3f2469675520f8a526c9 2008.0/i586/libnspr4-4.8.4-0.1mdv2008.0.i586.rpm f09e7355e612a626c4e30baf851200e2 2008.0/i586/libnspr-devel-4.8.4-0.1mdv2008.0.i586.rpm 414e4e7e64202a7a01ce122f40fdbfa9 2008.0/i586/libnss3-3.12.6-0.1mdv2008.0.i586.rpm 37eb4d97e617dd78834801d5e3e2411e 2008.0/i586/libnss-devel-3.12.6-0.1mdv2008.0.i586.rpm 1186fe6aec619702ce3b3f76ad0a03a2 2008.0/i586/libnss-static-devel-3.12.6-0.1mdv2008.0.i586.rpm f2fc05e8cf4ef840229536a95397c02d 2008.0/i586/nss-3.12.6-0.1mdv2008.0.i586.rpm 157d696865f82a05167a98ff75d3bb05 2008.0/SRPMS/nspr-4.8.4-0.1mdv2008.0.src.rpm 3f4fb184412ba28e84334765300d48cf 2008.0/SRPMS/nss-3.12.6-0.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 8f61146ebf97dfaa93a8d8973c2c2f49 2008.0/x86_64/lib64nspr4-4.8.4-0.1mdv2008.0.x86_64.rpm 6375eb3bd5fac3fe5648e6083018f62f 2008.0/x86_64/lib64nspr-devel-4.8.4-0.1mdv2008.0.x86_64.rpm b5c368f59fae314c472d1bd40613738d 2008.0/x86_64/lib64nss3-3.12.6-0.1mdv2008.0.x86_64.rpm b947d236395ffbc0f750c32705b39ae2 2008.0/x86_64/lib64nss-devel-3.12.6-0.1mdv2008.0.x86_64.rpm c797275a9d57e4fefc2bc5942a0c1860 2008.0/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2008.0.x86_64.rpm 9b5565826ca817fedc4c16866e0b432a 2008.0/x86_64/nss-3.12.6-0.1mdv2008.0.x86_64.rpm 157d696865f82a05167a98ff75d3bb05 2008.0/SRPMS/nspr-4.8.4-0.1mdv2008.0.src.rpm 3f4fb184412ba28e84334765300d48cf 2008.0/SRPMS/nss-3.12.6-0.1mdv2008.0.src.rpm Mandriva Linux 2009.0: d668c97cdd4c6f2a54364185689bc9c3 2009.0/i586/libnspr4-4.8.4-0.1mdv2009.0.i586.rpm 213e3167d01de2e3153282ec09448101 2009.0/i586/libnspr-devel-4.8.4-0.1mdv2009.0.i586.rpm 3416bcd2b299a4573a0de8920edee34f 2009.0/i586/libnss3-3.12.6-0.1mdv2009.0.i586.rpm 76324be5f2dc503848e15651c9201990 2009.0/i586/libnss-devel-3.12.6-0.1mdv2009.0.i586.rpm eb77fab010cf83b2a803c542595ef9d5 2009.0/i586/libnss-static-devel-3.12.6-0.1mdv2009.0.i586.rpm a2e0e29a6565534dd4470b8b8fe348e0 2009.0/i586/nss-3.12.6-0.1mdv2009.0.i586.rpm ef8c68c639efec98dedf89557d542730 2009.0/SRPMS/nspr-4.8.4-0.1mdv2009.0.src.rpm 7840542c10c58531c2e5007defe85b8e 2009.0/SRPMS/nss-3.12.6-0.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: c268178467753eb950ec3fc6c2fcf7c4 2009.0/x86_64/lib64nspr4-4.8.4-0.1mdv2009.0.x86_64.rpm 1cad4bd917e64990d862bee35b773d29 2009.0/x86_64/lib64nspr-devel-4.8.4-0.1mdv2009.0.x86_64.rpm 9dafd05dbae7859a91cb53f9f9add679 2009.0/x86_64/lib64nss3-3.12.6-0.1mdv2009.0.x86_64.rpm d624418468c98b63d058898f9dc68e1f 2009.0/x86_64/lib64nss-devel-3.12.6-0.1mdv2009.0.x86_64.rpm d9b103d310dfd8b8847694613068485d 2009.0/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2009.0.x86_64.rpm 268e8d10f6184442b9a66672148f5687 2009.0/x86_64/nss-3.12.6-0.1mdv2009.0.x86_64.rpm ef8c68c639efec98dedf89557d542730 2009.0/SRPMS/nspr-4.8.4-0.1mdv2009.0.src.rpm 7840542c10c58531c2e5007defe85b8e 2009.0/SRPMS/nss-3.12.6-0.1mdv2009.0.src.rpm Mandriva Linux 2009.1: f2fc77ff32d9cc4dd3839c2644e3cad1 2009.1/i586/libnspr4-4.8.4-0.1mdv2009.1.i586.rpm e110eaa263397b81bff4873e8badf3b9 2009.1/i586/libnspr-devel-4.8.4-0.1mdv2009.1.i586.rpm 37eaded0314c7b3c0bc9d0b24d0add88 2009.1/i586/libnss3-3.12.6-0.1mdv2009.1.i586.rpm 0d5cf958f159251ecc3b88254b042181 2009.1/i586/libnss-devel-3.12.6-0.1mdv2009.1.i586.rpm 17fcbbdc5f818450da24c371ffba02a2 2009.1/i586/libnss-static-devel-3.12.6-0.1mdv2009.1.i586.rpm 7b297c2234b4b36ee796570630b819bc 2009.1/i586/nss-3.12.6-0.1mdv2009.1.i586.rpm 1c7837b4ebb442de506de9f3e530f093 2009.1/SRPMS/nspr-4.8.4-0.1mdv2009.1.src.rpm 61548957bb2121a16b9dd0d840f1a19c 2009.1/SRPMS/nss-3.12.6-0.1mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: c61401ffeba102ddba8139175c964687 2009.1/x86_64/lib64nspr4-4.8.4-0.1mdv2009.1.x86_64.rpm 5c1365625f929e36f5e59213877aac9d 2009.1/x86_64/lib64nspr-devel-4.8.4-0.1mdv2009.1.x86_64.rpm 94944b1ef725591c3634d3f2af540840 2009.1/x86_64/lib64nss3-3.12.6-0.1mdv2009.1.x86_64.rpm 07c3a4ee676d96659119aa9f5d65da37 2009.1/x86_64/lib64nss-devel-3.12.6-0.1mdv2009.1.x86_64.rpm 0bcc455a76d8769754203d1b4938c40c 2009.1/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2009.1.x86_64.rpm 3a324386025aa54470683e3e7729ee18 2009.1/x86_64/nss-3.12.6-0.1mdv2009.1.x86_64.rpm 1c7837b4ebb442de506de9f3e530f093 2009.1/SRPMS/nspr-4.8.4-0.1mdv2009.1.src.rpm 61548957bb2121a16b9dd0d840f1a19c 2009.1/SRPMS/nss-3.12.6-0.1mdv2009.1.src.rpm Mandriva Linux 2010.0: 1b34e86e948e76f814ead17dc7b18759 2010.0/i586/libnspr4-4.8.4-0.1mdv2010.0.i586.rpm d0b5d749ddc685643512bd2a2ed1c969 2010.0/i586/libnspr-devel-4.8.4-0.1mdv2010.0.i586.rpm f64c138b1dd4273e6ff173a46801e606 2010.0/i586/libnss3-3.12.6-0.1mdv2010.0.i586.rpm d287d303ef943afca97f78794b204b4c 2010.0/i586/libnss-devel-3.12.6-0.1mdv2010.0.i586.rpm 9d7ba97ad7b69324fdaea1aae7e638e9 2010.0/i586/libnss-static-devel-3.12.6-0.1mdv2010.0.i586.rpm b1d48fefb674dd2e3c40ca0e6ebdf38f 2010.0/i586/nss-3.12.6-0.1mdv2010.0.i586.rpm b4c9c09b108d0f9052099848da17d9b6 2010.0/SRPMS/nspr-4.8.4-0.1mdv2010.0.src.rpm 8239f2289f9cf226b870374d418c0874 2010.0/SRPMS/nss-3.12.6-0.1mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: 83b1a7447d49f79c42f0eee2683dcd60 2010.0/x86_64/lib64nspr4-4.8.4-0.1mdv2010.0.x86_64.rpm a62678fb78e46d99a9ec57c330ad5c6f 2010.0/x86_64/lib64nspr-devel-4.8.4-0.1mdv2010.0.x86_64.rpm c351fd08ab9b7b4303b157b64ba42ae3 2010.0/x86_64/lib64nss3-3.12.6-0.1mdv2010.0.x86_64.rpm e9c37c13bb2427b234fb6f262f5acea0 2010.0/x86_64/lib64nss-devel-3.12.6-0.1mdv2010.0.x86_64.rpm b975d408159979874866ece89f06cd38 2010.0/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2010.0.x86_64.rpm b4b549eb112359219f946bb1379357f5 2010.0/x86_64/nss-3.12.6-0.1mdv2010.0.x86_64.rpm b4c9c09b108d0f9052099848da17d9b6 2010.0/SRPMS/nspr-4.8.4-0.1mdv2010.0.src.rpm 8239f2289f9cf226b870374d418c0874 2010.0/SRPMS/nss-3.12.6-0.1mdv2010.0.src.rpm Mandriva Enterprise Server 5: eb965867c7614f2b5d20b492b0d31f5a mes5/i586/libnspr4-4.8.4-0.1mdvmes5.i586.rpm e9d155d0ceae9f3b34d673bcb5a41a0f mes5/i586/libnspr-devel-4.8.4-0.1mdvmes5.i586.rpm 4c516d6e8090e86432612d4e9bebeda9 mes5/i586/libnss3-3.12.6-0.1mdvmes5.i586.rpm a2e490654d19daeb34dc7be49e84cc27 mes5/i586/libnss-devel-3.12.6-0.1mdvmes5.i586.rpm 884712b382e6ebec9e3e44ec9de9433d mes5/i586/libnss-static-devel-3.12.6-0.1mdvmes5.i586.rpm efc2bae5196b057aba91eb3357aaa513 mes5/i586/nss-3.12.6-0.1mdvmes5.i586.rpm b114168aab9b0154d5573e167074581e mes5/SRPMS/nspr-4.8.4-0.1mdvmes5.1.src.rpm 397f2bc60121455633c45b31529aeb9e mes5/SRPMS/nss-3.12.6-0.1mdvmes5.src.rpm Mandriva Enterprise Server 5/X86_64: 87d9de03b4f6bf92269b52f934246b15 mes5/x86_64/lib64nspr4-4.8.4-0.1mdvmes5.x86_64.rpm b59b316d078d66dd7ff9f9d5ebbde669 mes5/x86_64/lib64nspr-devel-4.8.4-0.1mdvmes5.x86_64.rpm 3b90e3e62fe96485a7b0be2e9da40f35 mes5/x86_64/lib64nss3-3.12.6-0.1mdvmes5.x86_64.rpm e557ca44f13c20b952c01d9516cb9e17 mes5/x86_64/lib64nss-devel-3.12.6-0.1mdvmes5.x86_64.rpm 8484d1fd45fc925c650ab9e85e8da34d mes5/x86_64/lib64nss-static-devel-3.12.6-0.1mdvmes5.x86_64.rpm 40bdcd337c3a39d7d611f2a189ea7065 mes5/x86_64/nss-3.12.6-0.1mdvmes5.x86_64.rpm b114168aab9b0154d5573e167074581e mes5/SRPMS/nspr-4.8.4-0.1mdvmes5.1.src.rpm 397f2bc60121455633c45b31529aeb9e mes5/SRPMS/nss-3.12.6-0.1mdvmes5.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLu6RomqjQ0CJFipgRAvAsAKDsKNbgAtUmeiJhUkz1wVL5AoB6dwCgpvKo XDOMAYHTh7eJGefnK6VDoRc= =f0Zu -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/