Detections
Analytics
OracleVM 3.2 : nss (OVMSA-2016-0066)
critical Nessus Plugin ID 91747
Language:
Synopsis
The remote OracleVM host is missing a security update.Description
The remote OracleVM system is missing necessary patches to address critical security updates :- Fix SSL_DH_MIN_P_BITS in more places.
- Keep SSL_DH_MIN_P_BITS at 768 as in the previously released build.
- Run SSL tests
- Add compatility patches to prevent regressions
- Ensure all ssl.sh tests are executed
- Rebase to nss 3.21
- Resolves: Bug 1297944 - Rebase RHEL 5.11.z to NSS 3.21 in preparation for Firefox 45
- Actually apply the fix for CVE-2016-1950 from NSS 3.19.2.3 ...
- Include the fix for CVE-2016-1950 from NSS 3.19.2.3
- Resolves: Bug 1269354 - CVE-2015-7182 (CVE-2015-7181)
- Rebase nss to 3.19.1
- Pick up upstream fix for client auth. regression caused by 3.19.1
- Revert upstream change to minimum key sizes
- Remove patches that rendered obsolote by the rebase
- Update existing patches on account of the rebase
- Pick up upstream patch from nss-3.19.1
- Resolves: Bug 1236954 - CVE-2015-2730 NSS: ECDSA signature validation fails to handle some signatures correctly (MFSA 2015-64)
- Resolves: Bug 1236967 - CVE-2015-2721 NSS: incorrectly permited skipping of ServerKeyExchange (MFSA 2015-71)
- On RHEL 6.x keep the TLS version defaults unchanged.
- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
- Copy PayPalICA.cert and PayPalRootCA.cert to nss/tests/libpkix/certs
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]
- Update and reeneable nss-646045.patch on account of the rebase
- Enable additional ssl test cycles and document why some aren't enabled
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]
- Fix shell syntax error on nss/tests/all.sh
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]
- Replace expired PayPal test certificate that breaks the build
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]
- Resolves: Bug 1158159 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
- Adjust softokn patch to be compatible with legacy softokn API.
- Resolves: Bug 1145430 - (CVE-2014-1568)
- Add patches published with NSS 3.16.2.1
- Resolves: Bug 1145430 - (CVE-2014-1568)
- Backport nss-3.12.6 upstream fix required by Firefox 31 ESR
- Resolves: Bug 1110860
- Rebase to nss-3.16.1 for FF31
- Resolves: Bug 1110860 - Rebase nss in RHEL 5.11 to NSS 3.16.1, required for FF 31
- Remove unused and obsolete patches
- Related: Bug 1032468
- Improve shell code for error detection on %check section
- Resolves: Bug 1035281 - Suboptimal shell code in nss.spec
- Revoke trust in one mis-issued anssi certificate
- Resolves: Bug 1042684 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)
- Pick up corrections made in the rhel-10.Z branch, remove an unused patch
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11]
- Remove unused patch and retag for update to nss-3.15.3
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11]
- Update to nss-3.15.3
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 (CVE-2013-1741) nss: various flaws [rhel-5.11]
- Remove unused patches
- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)
- Rebase to nss-3.15.1
- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)
- Resolves: rhbz#1015864 - [Regression] NSS no longer trusts MD5 certificates
- Split %check section tests in two: freebl/softoken and rest of nss tests
- Adjust various patches and spec file steps on account of the rebase
- Add various patches and remove obsoleted ones on account of the rebase
- Renumber patches so freeb/softoken ones match the corresponding ones in rhel-6 nss-softokn
- Make the freebl sources identical to the corresponding ones for rhel-6.5
- Related: rhbz#987131
- Adjust the patches to complete the syncup with upstrean nss
- Use NSS_DISABLE_HW_GCM on the patch as we do on the spec file
- Ensure softoken/freebl code is the same on nss side as on the softoken side
- Related: rhbz#987131
- Add disable_hw_gcm.patch and in the spec file export NSS_DISABLE_HW_GCM=1
- Disable HW GCM on RHEL-5 as the older kernel lacks support for it
- Related: rhbz#987131
- Related: rhbz#987131 - Display cpuifo as part of the tests
- Resolves: rhbz#987131 - Pick up various upstream GCM code fixes applied since nss-3.14.3 was released
- Roll back to 79c87e69caa7454cbcf5f8161a628c538ff3cab3
- Peviously added patch hasn't solved the sporadic core dumps
- Related: rhbz#983766 - nssutil_ReadSecmodDB leaks memory
- Resolves: rhbz#983766 - nssutil_ReadSecmodDB leaks memory
- Add patch to get rid of sporadic blapitest core dumps
- Restore 'export NO_FORK_CHECK=1' required for binary compatibility on RHEL-5
- Remove an unused patch
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3
- Resolves: rhbz#807419 - nss-tools certutil -H does not list all options
- Apply upstream fixes for ecc enabling and aes gcm
- Rename two macros EC_MIN_KEY_BITS and EC_MAX_KEY_BITS per upstream
- Apply several upstream AES GCM fixes
- Resolves: rhbz#960241 - Enable ECC in nss and freebl
- Resolves: rhbz#918948 - [RFE][RHEL5]
- Enable ECC support limited to suite b
- Export NSS_ENABLE_ECC=1 in the %check section to properly test ecc
- Resolves: rhbz#960241 - Enable ECC in nss and freebl
- Define -DNO_FORK_CHECK when compiling softoken for ABI compatibility
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue
- Remove obsolete nss-nochktest.patch
- Related: rhbz#960241 - Enable ECC in nss and freebl
- Enable ECC by using the unstripped sources
- Resolves: rhbz#960241 - Enable ECC in nss and freebl
- Fix rpmdiff test reported failures and remove other unwanted changes
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue
- Mon Apr 22 2013 Elio Maldonado - 3.14.3-3
- Update to NSS_3_14_3_RTM
- Rework the rebase to preserve needed idiosynchracies
- Ensure we install frebl/softoken from the extra build tree
- Don't include freebl static library or its private headers
- Add patch to deal with system sqlite not being recent enough
- Don't install nss-sysinit nor sharedb
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue
- Mon Apr 01 2013 Elio Maldonado - 3.14.3-2
- Restore the freebl-softoken source tar ball updated to 3.14.3
- Renumbering of some sources for clarity
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue
- Update to NSS_3_14_3_RTM
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue
- Resolves: rhbz#891150 - Dis-trust TURKTRUST mis-issued
*.google.com certificate
- Update to NSS_3_13_6_RTM
- Resolves: rhbz#883788 - [RFE] [RHEL5] Rebase to NSS >= 3.13.6
- Resolves: rhbz#820684
- Fix last entry in attrFlagsArray to be [NAME_SIZE(unextractable), PK11_ATTR_UNEXTRACTABLE]
- Resolves: rhbz#820684
- Enable certutil handle user supplied flags for PKCS #11 attributes.
- This will enable certutil to generate keys in fussy hardware tokens.
- fix an error in the patch meta-information area (no code change)
- Related: rhbz#830304 - Fix ia64 / i386 multilib nss install failure
- Remove no longer needed %pre and %preun scriplets meant for nss updates from RHEL-5.0
- Related: rhbz#830304 - Fix the changes to the %post line
- Having multiple commands requires that /sbin/lconfig be the beginning of the scriptlet
- Resolves: rhbz#830304 - Fix multilib and scriptlet problems
- Fix %post and %postun lines per packaging guildelines
- Add %[?_isa] to tools Requires: per packaging guidelines
- Fix explicit-lib-dependency zlib error reported by rpmlint
- Resolves: rhbz#830304 - Remove unwanted change to nss.pc.in
- Update to NSS_3_13_5_RTM
- Resolves: rhbz#830304 - Update RHEL 5.x to NSS 3.13.5 and NSPR 4.9.1 for Mozilla 10.0.6
- Resolves: rhbz#797939 - Protect NSS_Shutdown from clients that fail to initialize nss
- Resolves: Bug 788039 - retagging to prevent update problems
- Resolves: Bug 788039 - rebase nss to make firefox 10 LTS rebase possible
- Update to 4.8.9
- Resolves: Bug 713373 - File descriptor leak after service httpd reload
- Don't initialize nss if already initialized or if there are no dbs
- Retagging for a Y-stream version higher than the RHEL-5-7-Z branch
- Retagging to keep the n-v-r as high as that for the RHEL-5-7-Z branch
- Update builtins certs to those from NSSCKBI_1_88_RTM
- Plug file descriptor leaks on httpd reloads
- Update builtins certs to those from NSSCKBI_1_87_RTM
- Update builtins certs to those from NSSCKBI_1_86_RTM
- Update builtins certs to NSSCKBI_1_85_RTM
- Update to 3.12.10
- Fix libcrmf hard-coded maximum size for wrapped private keys
- Update builtin certs to NSS_3.12.9_WITH_CKBI_1_82_RTM via a patch
- Update builtin certs to those from NSS_3.12.9_WITH_CKBI_1_82_RTM
- Update to 3.12.8
Solution
Update the affected nss package.See Also
https://oss.oracle.com/pipermail/oraclevm-errata/2016-June/000488.html
Plugin Details
Severity: Critical
ID: 91747
File Name: oraclevm_OVMSA-2016-0066.nasl
Version: 2.7
Type: local
Family: OracleVM Local Security Checks
Published: 6/22/2016
Updated: 1/4/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:oracle:vm:nss, cpe:/o:oracle:vm_server:3.2
Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 6/21/2016
Vulnerability Publication Date: 11/18/2013
Reference Information
CVE: CVE-2013-1741, CVE-2013-5605, CVE-2013-5606, CVE-2014-1568, CVE-2015-2721, CVE-2015-2730, CVE-2015-7181, CVE-2015-7182, CVE-2016-1950