type: security
subject: Updated firefox, rootcerts, nspr & nss packages fix security vulnerabilities
CVE:
  - CVE-2013-1741
  - CVE-2013-2566
  - CVE-2013-5605
  - CVE-2013-5606
  - CVE-2013-5607
src:
  2:
    core:
      - rootcerts-20131111.00-1.mga2
      - nspr-4.10.2-1.mga2
      - nss-3.15.3-1.mga2
      - firefox-24.1.1-1.mga2
      - firefox-l10n-24.1.1-1.mga2
  3:
    core:
      - rootcerts-20131111.00-1.mga3
      - nspr-4.10.2-1.mga3
      - nss-3.15.3-1.mga3
      - firefox-24.1.1-1.mga3
      - firefox-l10n-24.1.1-1.mga3
description: |
  Updated nspr and nss packages fix security vulnerabilities:

  Potentially exploitable buffer overflow in NSS before 3.15.3 that allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via invalid handshake packets (CVE-2013-5605).

  The CERT_VerifyCert function in lib/certhigh/certvfy.c in NSS before 3.15.3
  provides an unexpected return value for an incompatible key-usage certificate
  when the CERTVerifyLog argument is valid, which might allow remote attackers
  to bypass intended access restrictions via a crafted certificate
  (CVE-2013-5606).

  Runaway memset due to an integer truncation in certificate parsing on 64-bit
  computers in NSS before 3.15.3 leading to a crash by attempting to write 4Gb
  of nulls (CVE-2013-1741).

  Integer overflow in NSPR before 4.10.2 due to unsigned integer wrapping in
  PL_ArenaAllocate (CVE-2013-5607).

  NSS lowered the priority of RC4 in cipher suite advertisement so that more
  secure ciphers instead of RC4 are likely to be chosen by the server, because
  of plaintext recovery attacks possible with RC4 (CVE-2013-2566).

  This also updates to the latest root certificate data from Mozilla.

  Additionally, the latest Firefox ESR version, which fixes an issue with
  translated strings not being used in some cases, is also being provided.
references:
  - https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/_8AcygMEjSA
  - https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes
  - http://www.mozilla.org/security/announce/2013/mfsa2013-103.html
  - https://bugzilla.mozilla.org/show_bug.cgi?id=932310
  - https://www.mozilla.org/en-US/firefox/24.1.1/releasenotes/
  - https://bugs.mageia.org/show_bug.cgi?id=11669
ID: MGASA-2013-0337