-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:189 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : nss Date : September 25, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: A vulnerability has been discovered and corrected in Mozilla NSS: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates (CVE-2014-1568). The updated NSPR packages have been upgraded to the latest 4.10.7 version. The updated NSS packages have been upgraded to the latest 3.17.1 version which is not vulnerable to this issue. Additionally the rootcerts package has also been updated to the latest version as of 2014-08-05. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568 https://www.mozilla.org/security/announce/2014/mfsa2014-73.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: d532128922a8701f24f1d1a22b8e544c mbs1/x86_64/lib64nspr4-4.10.7-1.mbs1.x86_64.rpm 86c469bff7f47669ecfbe711fced774c mbs1/x86_64/lib64nspr-devel-4.10.7-1.mbs1.x86_64.rpm a5384df3378e1d282d24520fe9234804 mbs1/x86_64/lib64nss3-3.17.1-1.mbs1.x86_64.rpm 63722882484c4e4a4b438ddb33911fe8 mbs1/x86_64/lib64nss-devel-3.17.1-1.mbs1.x86_64.rpm 5a9c51abf5c3650926e4cdb8997ec2b1 mbs1/x86_64/lib64nss-static-devel-3.17.1-1.mbs1.x86_64.rpm 8b639de0098277bc211ed8b9f83c9516 mbs1/x86_64/nss-3.17.1-1.mbs1.x86_64.rpm edd4b951a0f68c4264137489f0dada31 mbs1/x86_64/nss-doc-3.17.1-1.mbs1.noarch.rpm 32f6ffafd4984d00b01b43e9b38fe344 mbs1/x86_64/rootcerts-20140805.00-1.mbs1.x86_64.rpm fa908930395265a0dbad1029252679ef mbs1/x86_64/rootcerts-java-20140805.00-1.mbs1.x86_64.rpm fb338172cf421a95728ec28412d2fed1 mbs1/SRPMS/nspr-4.10.7-1.mbs1.src.rpm 3c721493672c05aa7960aca11e3b1533 mbs1/SRPMS/nss-3.17.1-1.mbs1.src.rpm 8b79fa2baeaac0b531d7cb01c5a419b4 mbs1/SRPMS/rootcerts-20140805.00-1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFUI8eWmqjQ0CJFipgRAsdxAJ4r/Y2zGrBkhKZhJ03LZA0ftgiU3QCgu8eh cZVDnrGL7yJkMqWtAZmkh7A= =5QVQ -----END PGP SIGNATURE-----
