Bug 17974

Summary: nss new security issue CVE-2016-1950
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-32-OK mga5-64-ok
Source RPM: rootcerts, nss CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 18006    

Description David Walser 2016-03-12 20:59:41 CET 
One of the NSS security issues that was supposed to have been fixed in the previous Firefox update Bug 17900 was actually fixed in the next NSS version *after* the one we shipped in that update.  This error was made due to a mistake in Mozilla's advisory.

The nss update also comes with a rootcerts update.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated rootcerts and nss packages fix security vulnerability:

A heap-based buffer overflow flaw was found in the way NSS parsed certain
ASN.1 structures. An attacker could use this flaw to create a specially
crafted certificate which, when parsed by NSS, could cause it to crash, or
execute arbitrary code, using the permissions of the user running an
application compiled against the NSS library (CVE-2016-1950).

This issue was supposed to have been fixed in MGASA-2016-0105, but Mozilla
did not include the fix until the following nss releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes
http://advisories.mageia.org/MGASA-2016-0105.html
========================

Updated packages in core/updates_testing:
========================
rootcerts-20160225.00-1.mga5
rootcerts-java-20160225.00-1.mga5
nss-3.23.0-1.mga5
nss-doc-3.23.0-1.mga5
libnss3-3.23.0-1.mga5
libnss-devel-3.23.0-1.mga5
libnss-static-devel-3.23.0-1.mga5

from SRPMS:
rootcerts-20160225.00-1.mga5.src.rpm
nss-3.23.0-1.mga5.src.rpm
Comment 1 David Walser 2016-03-14 13:02:20 CET 
Firefox working fine with the updated packages.

Whiteboard: (none) => MGA5-32-OK

David Walser 2016-03-15 15:06:08 CET

Blocks: (none) => 18006

Comment 2 claire robinson 2016-03-15 19:14:01 CET 
Adding OK mga5 64 as Len tested with Thunderbird in bug 18006

Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-ok

Comment 3 claire robinson 2016-03-15 19:18:36 CET 
Validating. Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK mga5-64-ok => advisory MGA5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2016-03-16 19:08:25 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0114.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2016-06-28 00:30:47 CEST 
This also fixed CVE-2016-2834:
http://lwn.net/Vulnerabilities/692857/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-61/