| 1 |
claire |
618 |
type: security |
| 2 |
|
|
subject: Updated firefox, rootcerts, nspr & nss packages fix security vulnerabilities |
| 3 |
|
|
CVE: |
| 4 |
|
|
- CVE-2013-1741 |
| 5 |
|
|
- CVE-2013-2566 |
| 6 |
|
|
- CVE-2013-5605 |
| 7 |
|
|
- CVE-2013-5606 |
| 8 |
|
|
- CVE-2013-5607 |
| 9 |
|
|
src: |
| 10 |
|
|
2: |
| 11 |
|
|
core: |
| 12 |
|
|
- rootcerts-20131111.00-1.mga2 |
| 13 |
|
|
- nspr-4.10.2-1.mga2 |
| 14 |
|
|
- nss-3.15.3-1.mga2 |
| 15 |
|
|
- firefox-24.1.1-1.mga2 |
| 16 |
|
|
- firefox-l10n-24.1.1-1.mga2 |
| 17 |
|
|
3: |
| 18 |
|
|
core: |
| 19 |
|
|
- rootcerts-20131111.00-1.mga3 |
| 20 |
|
|
- nspr-4.10.2-1.mga3 |
| 21 |
|
|
- nss-3.15.3-1.mga3 |
| 22 |
|
|
- firefox-24.1.1-1.mga3 |
| 23 |
|
|
- firefox-l10n-24.1.1-1.mga3 |
| 24 |
|
|
description: | |
| 25 |
|
|
Updated nspr and nss packages fix security vulnerabilities: |
| 26 |
|
|
|
| 27 |
|
|
Potentially exploitable buffer overflow in NSS before 3.15.3 that allows |
| 28 |
|
|
remote attackers to cause a denial of service or possibly have unspecified |
| 29 |
|
|
other impact via invalid handshake packets (CVE-2013-5605). |
| 30 |
|
|
|
| 31 |
|
|
The CERT_VerifyCert function in lib/certhigh/certvfy.c in NSS before 3.15.3 |
| 32 |
|
|
provides an unexpected return value for an incompatible key-usage certificate |
| 33 |
|
|
when the CERTVerifyLog argument is valid, which might allow remote attackers |
| 34 |
|
|
to bypass intended access restrictions via a crafted certificate |
| 35 |
|
|
(CVE-2013-5606). |
| 36 |
|
|
|
| 37 |
|
|
Runaway memset due to an integer truncation in certificate parsing on 64-bit |
| 38 |
|
|
computers in NSS before 3.15.3 leading to a crash by attempting to write 4Gb |
| 39 |
|
|
of nulls (CVE-2013-1741). |
| 40 |
|
|
|
| 41 |
|
|
Integer overflow in NSPR before 4.10.2 due to unsigned integer wrapping in |
| 42 |
|
|
PL_ArenaAllocate (CVE-2013-5607). |
| 43 |
|
|
|
| 44 |
|
|
NSS lowered the priority of RC4 in cipher suite advertisement so that more |
| 45 |
|
|
secure ciphers instead of RC4 are likely to be chosen by the server, because |
| 46 |
|
|
of plaintext recovery attacks possible with RC4 (CVE-2013-2566). |
| 47 |
|
|
|
| 48 |
|
|
This also updates to the latest root certificate data from Mozilla. |
| 49 |
|
|
|
| 50 |
|
|
Additionally, The latest Firefox ESR version, which fixes an issue with |
| 51 |
|
|
translated strings not being used in some cases, is also being provided. |
| 52 |
|
|
references: |
| 53 |
|
|
- https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/_8AcygMEjSA |
| 54 |
|
|
- https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes |
| 55 |
|
|
- http://www.mozilla.org/security/announce/2013/mfsa2013-103.html |
| 56 |
|
|
- https://bugzilla.mozilla.org/show_bug.cgi?id=932310 |
| 57 |
|
|
- https://www.mozilla.org/en-US/firefox/24.1.1/releasenotes/ |
| 58 |
|
|
- https://bugs.mageia.org/show_bug.cgi?id=11669 |
| 59 |
tmb |
628 |
ID: MGASA-2013-0337 |
Parent Directory
| 
Revision Log