Detections
Analytics
Mandriva Linux Security Advisory : nss (MDVSA-2013:050)
medium Nessus Plugin ID 66064
Language:
Synopsis
The remote Mandriva Linux host is missing one or more security updates.Description
Google reported to Mozilla that TURKTRUST, a certificate authority in Mozillas root program, had mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates (CVE-2013-0743).The rootcerts package has been upgraded to address this flaw and the Mozilla NSS package has been rebuilt to pickup the changes.
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169 (CVE-2013-1620).
The NSPR package has been upgraded to the 4.9.5 version due to dependecies of newer NSS.
The NSS package has been upgraded to the 3.14.3 version which is not vulnerable to this issue.
The sqlite3 update addresses a crash when using svn commit after export MALLOC_CHECK_=3.
Solution
Update the affected packages.See Also
https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0234
http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
Plugin Details
Severity: Medium
ID: 66064
File Name: mandriva_MDVSA-2013-050.nasl
Version: 1.9
Type: local
Family: Mandriva Local Security Checks
Published: 4/20/2013
Updated: 1/6/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.4
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.2
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
Vulnerability Information
CPE: p-cpe:/a:mandriva:linux:sqlite3-tcl, p-cpe:/a:mandriva:linux:sqlite3-tools, cpe:/o:mandriva:business_server:1, p-cpe:/a:mandriva:linux:lemon, p-cpe:/a:mandriva:linux:lib64nspr-devel, p-cpe:/a:mandriva:linux:lib64nspr4, p-cpe:/a:mandriva:linux:lib64nss-devel, p-cpe:/a:mandriva:linux:lib64nss-static-devel, p-cpe:/a:mandriva:linux:lib64nss3, p-cpe:/a:mandriva:linux:lib64sqlite3-devel, p-cpe:/a:mandriva:linux:lib64sqlite3-static-devel, p-cpe:/a:mandriva:linux:lib64sqlite3_0, p-cpe:/a:mandriva:linux:nss, p-cpe:/a:mandriva:linux:nss-doc, p-cpe:/a:mandriva:linux:rootcerts, p-cpe:/a:mandriva:linux:rootcerts-java
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 4/5/2013
Reference Information
CVE: CVE-2013-1620
MDVSA: 2013:050