The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of NSS: multiple vulnerabilities

Summary of the vulnerability

An attacker can exploit several vulnerabilities in NSS.
Impacted software: Debian, NSS, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this computer vulnerability: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 23/07/2014.
References for this announcement: BID-65332, BID-65335, CVE-2014-1490, CVE-2014-1491, CVE-2014-1544, DSA-2994-1, DSA-3071-1, MDVSA-2014:139, MDVSA-2015:059, MFSA 2014-12, MFSA 2014-63, openSUSE-SU-2014:0939-1, openSUSE-SU-2014:0950-1, RHSA-2014:0915-01, RHSA-2014:0916-01, RHSA-2014:0917-01, RHSA-2014:0979-01, RHSA-2014:1165-01, RHSA-2014:1246-01, SUSE-SU-2014:0960-1, USN-2343-1, VIGILANCE-VUL-15088.

Description of the vulnerability 

Several vulnerabilities were announced in NSS.

An attacker can force the use of a freed memory area via an NSS ticket, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; BID-65332, BID-65335, CVE-2014-1490, CVE-2014-1491, MFSA 2014-12]

An attacker can force the use of a freed memory area in Trusted Cache, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; CVE-2014-1544, MFSA 2014-63]

This cybersecurity weakness impacts software or systems such as Debian, NSS, openSUSE, Solaris, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this security vulnerability is important.

The trust level is "confirmed by the editor", and the origin is "document".

This bulletin is about 2 vulnerabilities.

An attacker with expert ability can exploit the vulnerabilities in this bulletin.

Solutions for this threat 

NSS: version 3.16.3.
Version 3.16.3 is fixed:
  https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_3_RTM/src/

Debian 7: new nss packages.
New packages are available:
  Debian 7: nss 2:3.14.5-1+deb7u3

Mandriva BS2: new nss packages.
New packages are available:
  Mandriva BS2: nspr 4.10.8-1.mbs2, nss 3.17.4-1.mbs2

Mandriva: new nss packages.
New packages are available:
  Mandriva BS1: nss 3.16.3-1.mbs1

openSUSE 11.4: new MozillaFirefox, MozillaThunderbird packages.
New packages are available:
  openSUSE 11.4: MozillaFirefox 24.7.0-119.1, MozillaThunderbird 24.7.0-101.1

openSUSE: new MozillaFirefox packages.
New packages are available:
  openSUSE 13.1: MozillaFirefox 31.0-33.1
  openSUSE 12.3: MozillaFirefox 31.0-1.72.1

Red Hat Enterprise Virtualization: new rhev-hypervisor6 packages.
New packages are available:
  RHEL 6: rhev-hypervisor6 6.5-20140725.0.el6ev

RHEL 4: new nss packages.
New packages are available:
  RHEL 4: nss 3.12.10-7.el4

RHEL 5: new nss packages.
New packages are available:
  RHEL 5: nss 3.16.1-2.el5

RHEL 6.5: new nss packages.
New packages are available:
  RHEL 6: nspr 4.10.6-1.el6_5, nss 3.16.1-4.el6_5

RHEL: new nss packages.
New packages are available:
  RHEL 5: nspr 4.10.6-1.el5_10, nss 3.15.3-7.el5_10
  RHEL 6: nss 3.13.1-10.el6_2
  RHEL 7: nspr 4.10.6-1.el7_0, nss 3.15.4-7.el7_0

Solaris: patch for NSS.
A patch is available:
  Solaris 8
    SPARC: 119209-30 125358-19
    X86: 125359-19
  Solaris 9
    SPARC: 119211-30 125358-19
    X86: 119212-30 125359-19
  Solaris 10
    SPARC: 119213-30 125358-19
    X86: 119214-30 125359-19

SUSE LE: new Mozilla Firefox packages.
New packages are available:
  SUSE LE 11: MozillaFirefox 24.7.0esr-0.8.2, mozilla-nss 3.16.2-0.8.1

Ubuntu: new libnss3 packages.
New packages are available:
  Ubuntu 14.04 LTS: libnss3 2:3.15.4-1ubuntu7.1
  Ubuntu 12.04 LTS: libnss3 3.15.4-0ubuntu0.12.04.3
  Ubuntu 10.04 LTS: libnss3-1d 3.15.4-0ubuntu0.10.04.3