type: security
subject: Updated firefox, rootcerts, nspr & nss packages fix security vulnerabilities
CVE:
 - CVE-2013-1741
 - CVE-2013-2566
 - CVE-2013-5605
 - CVE-2013-5606
 - CVE-2013-5607
src:
  2:
   core:
    - rootcerts-20131111.00-1.mga2
    - nspr-4.10.2-1.mga2
    - nss-3.15.3-1.mga2
    - firefox-24.1.1-1.mga2
    - firefox-l10n-24.1.1-1.mga2
  3:
   core:
    - rootcerts-20131111.00-1.mga3
    - nspr-4.10.2-1.mga3
    - nss-3.15.3-1.mga3
    - firefox-24.1.1-1.mga3
    - firefox-l10n-24.1.1-1.mga3
description: |
  Updated nspr and nss packages fix security vulnerabilities:

  A potentially exploitable buffer overflow in NSS before 3.15.3 allows remote
  attackers to cause a denial of service or possibly have unspecified other
  impact via invalid handshake packets (CVE-2013-5605).

  The CERT_VerifyCert function in lib/certhigh/certvfy.c in NSS before 3.15.3
  returns an unexpected value for a certificate with an incompatible key usage
  when the CERTVerifyLog argument is valid, which might allow remote attackers
  to bypass intended access restrictions via a crafted certificate
  (CVE-2013-5606).

  An integer truncation in certificate parsing on 64-bit systems in NSS before
  3.15.3 leads to a runaway memset that attempts to write 4 GB of nulls,
  crashing the application (CVE-2013-1741).

  An integer overflow in NSPR before 4.10.2, caused by unsigned integer wrapping
  in PL_ArenaAllocate, has been fixed (CVE-2013-5607).

  NSS now advertises RC4 cipher suites at a lower priority, so that servers are
  more likely to select a stronger cipher instead of RC4, because of the
  plaintext recovery attacks possible against RC4 (CVE-2013-2566).

  This update also provides the latest root certificate data from Mozilla.

  Additionally, the latest Firefox ESR version is provided, which fixes an
  issue with translated strings not being used in some cases.
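The RC4 item above is about the order in which a client lists cipher suites in its ClientHello: a server that picks the first client-offered suite it supports will end up on RC4 whenever RC4 is listed ahead of the AES suites. As an added example (not part of the advisory and not NSS's own code), the Python below parses the cipher_suites field out of a TLS ClientHello record and reports which RC4 suites are advertised ahead of the first non-RC4 suite. The ClientHello bytes and the two suite orderings are constructed for the example; they are not captures of NSS traffic. The suite identifiers are the IANA-registered values.

```python
import struct

# IANA cipher suite identifiers for the RC4 suites a 2013-era client might offer.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
RENEGOTIATION_SCSV = 0x00FF  # signalling value, not a real cipher


def build_client_hello(suites):
    """Constructed TLS 1.2 ClientHello record for testing (not a real capture):
    fixed all-zero random, empty session_id, null compression, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # client_version, random, session_id_len
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_cipher_suites(record: bytes):
    """Return the cipher suites offered in a ClientHello, in advertised order.
    Every length field is checked before it is trusted."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello handshake message")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32  # client_version (2) + random (32)
    if pos >= len(body):
        raise ValueError("truncated before session_id")
    pos += 1 + body[pos]  # session_id length byte plus session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[k:k + 2])[0] for k in range(pos, pos + cs_len, 2)]


def rc4_ahead_of_stronger(suites):
    """RC4 suites listed before the first non-RC4 cipher, i.e. the ones a server
    honouring client preference would choose first. The SCSV is skipped."""
    ahead = []
    for s in suites:
        if s in RC4_SUITES:
            ahead.append(s)
        elif s != RENEGOTIATION_SCSV:
            break
    return ahead


# Constructed orderings: RC4 first (the problem) versus RC4 demoted (the fix).
OLD_ORDER = [0x0005, 0xC011, 0xC013, 0x002F, 0x0035, RENEGOTIATION_SCSV]
NEW_ORDER = [0xC013, 0x002F, 0x0035, 0x0005, 0xC011, RENEGOTIATION_SCSV]

if __name__ == "__main__":
    for label, order in (("old", OLD_ORDER), ("new", NEW_ORDER)):
        offered = parse_cipher_suites(build_client_hello(order))
        names = [RC4_SUITES[s] for s in rc4_ahead_of_stronger(offered)]
        print(f"{label} ordering: RC4 ahead of stronger suites -> {names or 'none'}")
```

Pointing parse_cipher_suites() at a real capture (the first record of a client connection, e.g. from tcpdump) shows the same information for any TLS client; a client is safe against this preference problem only when rc4_ahead_of_stronger() returns an empty list.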
references:
 - https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/_8AcygMEjSA
 - https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes
 - http://www.mozilla.org/security/announce/2013/mfsa2013-103.html
 - https://bugzilla.mozilla.org/show_bug.cgi?id=932310
 - https://www.mozilla.org/en-US/firefox/24.1.1/releasenotes/
 - https://bugs.mageia.org/show_bug.cgi?id=11669
ID: MGASA-2013-0337
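The src: section lists the builds that carry the fixes, so the practical check on a host is whether each installed package is at least that version-release. As an added example (not part of the advisory; Mageia's own tooling for this is urpmi and rpm), the Python below reimplements rpm's version comparison algorithm (numeric and alphabetic segments, numeric newer than alphabetic, '~' as a pre-release marker) and flags installed packages older than the Mageia 3 fixed builds. The installed NVR strings are constructed sample data; on a real system they would come from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' nss nspr firefox rootcerts firefox-l10n`. It assumes none of these packages carries an epoch and does not implement rpm's later '^' marker.

```python
import re


def _is_segment_char(c: str) -> bool:
    """Characters that belong to a version segment; everything else is a separator."""
    return c == "~" or (c.isascii() and c.isalnum())


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings as rpm's rpmvercmp() does.
    Returns -1 if a is older, 0 if equal, 1 if a is newer.
    Assumption: rpm's '^' post-release marker is not handled."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _is_segment_char(a[i]):
            i += 1
        while j < len(b) and not _is_segment_char(b[j]):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            # '~' sorts before anything, including the end of the string (1.0~rc1 < 1.0)
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pattern = r"[0-9]+" if numeric else r"[A-Za-z]+"
        ma = re.match(pattern, a[i:])
        mb = re.match(pattern, b[j:])
        if mb is None:
            # Segment types differ: a numeric segment is newer than an alphabetic one.
            return 1 if numeric else -1
        sa, sb = ma.group(0), mb.group(0)
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")  # compare by value, not by text
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(nvr: str):
    """'firefox-l10n-24.1.1-1.mga3' -> ('firefox-l10n', '24.1.1', '1.mga3')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_older(installed_nvr: str, fixed_nvr: str) -> bool:
    """True when the installed build is older than the advisory's fixed build (epoch ignored)."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(fixed_nvr)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) < 0


def outdated_packages(installed, fixed):
    """Sorted names of installed packages older than the fixed builds; uninstalled ones are skipped."""
    fixed_by_name = {split_nvr(f)[0]: f for f in fixed}
    return sorted(split_nvr(nvr)[0] for nvr in installed
                  if split_nvr(nvr)[0] in fixed_by_name
                  and is_older(nvr, fixed_by_name[split_nvr(nvr)[0]]))


# Fixed Mageia 3 builds, copied from the src: section of MGASA-2013-0337.
MGA3_FIXED = [
    "rootcerts-20131111.00-1.mga3",
    "nspr-4.10.2-1.mga3",
    "nss-3.15.3-1.mga3",
    "firefox-24.1.1-1.mga3",
    "firefox-l10n-24.1.1-1.mga3",
]

# Constructed sample of rpm -q output on a partially updated host; not real data.
SAMPLE_INSTALLED = [
    "rootcerts-20130805.00-1.mga3",
    "nspr-4.10.2-1.mga3",
    "nss-3.15.2-1.mga3",
    "firefox-24.1.0-1.mga3",
    "firefox-l10n-24.1.1-1.mga3",
]

if __name__ == "__main__":
    for name in outdated_packages(SAMPLE_INSTALLED, MGA3_FIXED):
        print(f"{name}: older than the fixed build in MGASA-2013-0337")
```

Feeding the real rpm -q output into outdated_packages() in place of SAMPLE_INSTALLED gives the list of packages still to be updated; an empty list means the host carries every fixed build from the advisory.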