17974 – nss new security issue CVE-2016-1950

Bug 17974 - nss new security issue CVE-2016-1950

Summary: nss new security issue CVE-2016-1950

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	5
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	advisory MGA5-32-OK mga5-64-ok
Keywords:	validated_update

Depends on:
Blocks:	18006
	Show dependency tree / graph

Reported:	2016-03-12 20:59 CET by David Walser
Modified:	2016-06-28 00:30 CEST (History)
CC List:	1 user (show)

See Also:
Source RPM:	rootcerts, nss
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2016-03-12 20:59:41 CET

One of the NSS security issues that was supposed to have been fixed in the previous Firefox update Bug 17900 was actually fixed in the next NSS version *after* the one we shipped in that update.  This error was made due to a mistake in Mozilla's advisory.

The nss update also comes with a rootcerts update.

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated rootcerts and nss packages fix security vulnerability:

A heap-based buffer overflow flaw was found in the way NSS parsed certain
ASN.1 structures. An attacker could use this flaw to create a specially
crafted certificate which, when parsed by NSS, could cause it to crash, or
execute arbitrary code, using the permissions of the user running an
application compiled against the NSS library (CVE-2016-1950).

This issue was supposed to have been fixed in MGASA-2016-0105, but Mozilla
did not include the fix until the following nss releases.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1950
https://www.mozilla.org/en-US/security/advisories/mfsa2016-35/
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes
http://advisories.mageia.org/MGASA-2016-0105.html
========================

Updated packages in core/updates_testing:
========================
rootcerts-20160225.00-1.mga5
rootcerts-java-20160225.00-1.mga5
nss-3.23.0-1.mga5
nss-doc-3.23.0-1.mga5
libnss3-3.23.0-1.mga5
libnss-devel-3.23.0-1.mga5
libnss-static-devel-3.23.0-1.mga5

from SRPMS:
rootcerts-20160225.00-1.mga5.src.rpm
nss-3.23.0-1.mga5.src.rpm

Comment 1 David Walser 2016-03-14 13:02:20 CET

Firefox working fine with the updated packages.

Whiteboard: (none) => MGA5-32-OK

David Walser 2016-03-15 15:06:08 CET

Blocks: (none) => 18006

Comment 2 claire robinson 2016-03-15 19:14:01 CET

Adding OK mga5 64 as Len tested with Thunderbird in bug 18006

Whiteboard: MGA5-32-OK => MGA5-32-OK mga5-64-ok

Comment 3 claire robinson 2016-03-15 19:18:36 CET

Validating. Advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK mga5-64-ok => advisory MGA5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2016-03-16 19:08:25 CET

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0114.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2016-06-28 00:30:47 CEST

This also fixed CVE-2016-2834:
http://lwn.net/Vulnerabilities/692857/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-61/

Note You need to log in before you can comment on or make changes to this bug.