-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:197 http://www.mandriva.com/security/ _______________________________________________________________________ Package : nss Date : August 7, 2009 Affected: 2008.1 _______________________________________________________________________ Problem Description: Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate (CVE-2009-2408) and md2 algorithm flaws (CVE-2009-2409), and also cause a denial-of-service and possible code execution via a long domain name in X.509 certificate (CVE-2009-2404). This update provides the latest versions of NSS and NSPR libraries which are not vulnerable to those attacks. Update: This update also provides fixed packages for Mandriva Linux 2008.1 _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2409 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 9228daed5355d9175cbd25faf90a1323 2008.1/i586/libnspr4-4.7.5-0.1mdv2008.1.i586.rpm 58c5ec5d221d0013254d144272162ece 2008.1/i586/libnspr-devel-4.7.5-0.1mdv2008.1.i586.rpm 910b4ddc4285154103c7fd251feac41e 2008.1/i586/libnss3-3.12.3.1-0.1mdv2008.1.i586.rpm 1ef05d27d0d04facfcbf1f13cc84c166 2008.1/i586/libnss-devel-3.12.3.1-0.1mdv2008.1.i586.rpm 1add6ba2355ec0a0571407571f02226e 2008.1/i586/libnss-static-devel-3.12.3.1-0.1mdv2008.1.i586.rpm 18de04c0e62a1e09800b25f045de726e 2008.1/i586/nss-3.12.3.1-0.1mdv2008.1.i586.rpm daa825f74749ae4e255e7783eb590b90 2008.1/SRPMS/nspr-4.7.5-0.1mdv2008.1.src.rpm 0d17f86fabf84c9ae04f7e520bc0a679 2008.1/SRPMS/nss-3.12.3.1-0.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 58d390af357253669d802b948adcd728 2008.1/x86_64/lib64nspr4-4.7.5-0.1mdv2008.1.x86_64.rpm 81b4060266dc9451903c1ba359b49ebe 2008.1/x86_64/lib64nspr-devel-4.7.5-0.1mdv2008.1.x86_64.rpm ddb36ba3de5f39010481bc71c8c6b6f1 2008.1/x86_64/lib64nss3-3.12.3.1-0.1mdv2008.1.x86_64.rpm 404e5c1d07c1838c7cfcc03d4ca0d94a 2008.1/x86_64/lib64nss-devel-3.12.3.1-0.1mdv2008.1.x86_64.rpm ad4bd40e77dd746fe9cddfb4c34d2f62 2008.1/x86_64/lib64nss-static-devel-3.12.3.1-0.1mdv2008.1.x86_64.rpm cbad5d086771ecd927edd51eda1fd36c 2008.1/x86_64/nss-3.12.3.1-0.1mdv2008.1.x86_64.rpm daa825f74749ae4e255e7783eb590b90 2008.1/SRPMS/nspr-4.7.5-0.1mdv2008.1.src.rpm 0d17f86fabf84c9ae04f7e520bc0a679 2008.1/SRPMS/nss-3.12.3.1-0.1mdv2008.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKnUuBmqjQ0CJFipgRAo4ZAJ9NgZWnA+od3Avaz/JL0AUPsLuifwCg4Ko7 xlh7P0f6Beuzo4/4fxPw+EU= =I1n/ -----END PGP SIGNATURE-----
