Univention Bugzilla – Bug 41334
nss: Multiple issues (3.3)
Last modified: 2019-04-11 19:25:49 CEST
+++ This bug was initially created as a clone of Bug #39787 +++ Upstream Debian package version 2:3.14.5-1+deb7u6 fixes these issues: * The sec_asn1d_parse_leaf function improperly restricts access to an unspecified data structure (CVE-2015-7181) * Heap-based buffer overflow in the ASN.1 decoder (CVE-2015-7182) * The s_mp_div function in lib/freebl/mpi/mpi.c in improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms (CVE-2016-1938) * Heap-based buffer overflow allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate (CVE-2016-1950) * Use-after-free vulnerability in the ssl3_HandleECDHServerKeyExchange function allows remote attackers to cause a denial of service or possibly have unspecified other impact by making an SSL (1) DHE or (2) ECDHE handshake at a time of high memory consumption (CVE-2016-1978) * Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding (CVE-2016-1979)
Upstream Debian package version 2:3.14.5-1+deb7u7 fixes this issue: A vulnerability has been found in the Mozilla Network Security Service (nss): CVE-2015-4000 With TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. The solution in nss was to not accept bit lengths less than 1024. This may potentially be a backwards incompatibility issue but such low bit lengths should not be in use so it was deemed acceptable.
Upstream Debian package version 2:3.14.5-1+deb7u8 fixes this aditional issue: * Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. (CVE-2016-2834)
Upstream Debian package has bee updated to version 2:3.26-1+debu7u1 which fixes: The Network Security Service (NSS) libraries uses environment variables to configure lots of things, some of which refer to file system locations. Others can be degrade the operation of NSS in various ways, forcing compatibility modes and so on. Previously, these environment variables were not ignored SUID binaries. This version of NetScape Portable Runtime Library (NSPR) introduce a new API, PR_GetEnVSecure, to address this. Both NSPR and NSS need to be upgraded to address this problem.
UCS 3.3 is out of maintenance.