Pardus: [UPDATE] Nss: TLS Implementation
Posted by Benjamin D. Thomas
------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-20 security@pardus.org.tr
------------------------------------------------------------------------
Date: 2010-02-04
Severity: 4
Type: Remote
------------------------------------------------------------------------
Summary
=======
A serious vulnerability was found in the TLS/SSLv3 protocol as implemented
in nss, which can be used by man-in-the-middle attackers to send
arbitrary requests to the server as if they came from a legitimate user.
[UPDATE] The issue is fixed in Pardus 2008.
Description
===========
The TLS/SSLv3 protocol as implemented in nss prior to this update could
not associate data already sent with a renegotiated connection. This
allowed man-in-the-middle attackers to inject HTTP requests into an
HTTPS session without being noticed. For example, Apache's mod_ssl was
vulnerable to this kind of attack because it uses openssl.
NOTE: This is the same issue as PLSA-2009-191. With this update,
renegotiation is completely disabled.
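The fix described above disables renegotiation on the nss side; an administrator will also want to confirm that the servers mentioned (mod_ssl and other openssl-based services) have been updated. The following POSIX shell helper is an added example, not part of the Pardus advisory or of the nss project: it classifies a server's renegotiation posture from the transcript that `openssl s_client` prints. The transcripts at the bottom are constructed for offline testing, and `check_host` assumes an `openssl` binary whose `s_client` output contains the usual `Secure Renegotiation IS supported` / `IS NOT supported` status line.

```shell
#!/bin/sh
# Added example (not from the advisory): classify TLS renegotiation support
# from an `openssl s_client` transcript passed as the first argument.
# Prints one of: secure | insecure | unknown
classify_reneg() {
  transcript=$1
  case "$transcript" in
    # Legacy-only renegotiation: the server still accepts the unbound
    # renegotiation that the advisory describes.
    *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
    # RFC 5746 renegotiation_info extension negotiated.
    *"Secure Renegotiation IS supported"*)     echo secure ;;
    # No status line: handshake failed, or the openssl build is too old
    # to report it; treat as inconclusive rather than as safe.
    *)                                          echo unknown ;;
  esac
}

# Live check against a host (needs network access and an openssl binary).
# Usage: check_host example.test [port]
check_host() {
  host=$1
  port=${2:-443}
  # 'Q' on stdin makes s_client quit right after the handshake summary.
  transcript=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
      -servername "$host" 2>/dev/null)
  classify_reneg "$transcript"
}

# Constructed sample transcripts (abridged; not captured from a real host).
SAMPLE_SECURE='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS supported
---'
SAMPLE_INSECURE='---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
---'
SAMPLE_FAILED='connect: Connection refused
connect:errno=111'

# Run against a real host when one is given on the command line; otherwise
# show the classification of the constructed samples.
if [ "$#" -gt 0 ]; then
  check_host "$@"
else
  echo "secure sample   -> $(classify_reneg "$SAMPLE_SECURE")"
  echo "insecure sample -> $(classify_reneg "$SAMPLE_INSECURE")"
  echo "failed sample   -> $(classify_reneg "$SAMPLE_FAILED")"
fi
```

The "IS NOT" pattern is matched first so that the shorter "IS supported" pattern can never swallow it, and a missing status line is deliberately reported as `unknown` rather than `secure`, since an absent line usually means the handshake never completed.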
Affected packages:
Pardus 2009:
nss, all before 3.12.5.0-29-8
Resolution
==========
There are update(s) for nss. You can update them via Package Manager or
with a single command from console:
pisi up nss
References
==========
* http://bugs.pardus.org.tr/show_bug.cgi?id=12147
* http://bugs.pardus.org.tr/show_bug.cgi?id=11515
* https://developer.mozilla.org/NSS_3.12.5_release_notes
* https://bugzilla.mozilla.org/show_bug.cgi?id=526689