[Mandriva] Designschwaeche im SSL/TLS Protokoll betrifft Network Security Services (NSS) – MDVSA-2010:069

[Mandriva] Designschwaeche im SSL/TLS Protokoll betrifft Network Security Services (NSS) - MDVSA-2010:069

Von

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

Liebe Kolleginnen und Kollegen,

soeben erreichte uns nachfolgendes Advisory von Mandriva Security. Wir
geben diese Informationen unveraendert an Sie weiter.

Mit diesem Update auf Version 3.12.6 verwenden die Network Security
Services (NSS) eine RFC 5746 konforme Version der TLS Renegotiation
Indication Extension, welche die Designschwaeche behebt. Fruehere
Updates haben die Schwachstelle dadurch behoben, dass die TLS
Renegotiation vollstaendig deaktiviert wurde.

CVE-2009-3555 – Designschwaeche im SSLv3/TSLv1 Protokoll bei der
Renegotiation

Bei der Neuaushandlung von Parametern in einer SSL oder TLS Session
(Renegotiation) wird das Client Zertifikat geprueft. Allerdings ist es
aufgrund einer Schwachstelle im TLS-Protokoll unter Umstaenden moeglich,
dass vorher beliebige Daten in die TLS-Session eingeschleust werden. Dies
ermoeglicht Man-in-the-Middle Angriffe auf die TLS-Session. Beim HTTPS
Protokoll kann ein Angreifer so den HTTP-Request des Benutzers faelschen.

Dies kann ein Angreifer dazu ausnutzen, um an vertrauliche Daten zu
gelangen, Operationen mit den Rechten des Benutzers auf dem Server
auszufuehren, dem Benutzer falsche Informationen anzuzeigen.

Diese Schwachstelle wird bereits aktiv von Angreifern ausgenutzt.

Betroffen sind die folgenden Software Pakete und Plattformen:

Paket nss

Mandriva Linux 2008.0
Mandriva Linux 2008.0/X86_64
Mandriva Linux 2009.0
Mandriva Linux 2009.0/X86_64
Mandriva Linux 2009.1
Mandriva Linux 2009.1/X86_64
Mandriva Linux 2010.0
Mandriva Linux 2010.0/X86_64
Mandriva Enterprise Server 5
Mandriva Enterprise Server 5/X86_64

Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.

Hersteller Advisory:
http://www.mandriva.com/security/advisories?name=MDVSA-2010:069

(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.

Mit freundlichen Gruessen,
Michael Groening, DFN-CERT
– —

Michael Groening (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatische Warnmeldungen https://www.cert.dfn.de/autowarn

– —–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2010:069
http://www.mandriva.com/security/
_______________________________________________________________________

Package : nss
Date : April 6, 2010
Affected: 2008.0, 2009.0, 2009.1, 2010.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

A vulnerability has been found and corrected in nss:

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
3.12.4 and earlier, and other products, does not properly associate
renegotiation handshakes with an existing connection, which allows
man-in-the-middle attackers to insert data into HTTPS sessions,
and possibly other types of sessions protected by TLS or SSL, by
sending an unauthenticated request that is processed retroactively
by a server in a post-renegotiation context, related to a plaintext
injection attack, aka the Project Mogul issue (CVE-2009-3555).

Additionally the NSPR package has been upgraded to 4.8.4 that brings
numerous upstream fixes.

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

This update provides the latest versions of NSS and NSPR libraries
and for which NSS is not vulnerable to this attack.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
http://www.mozilla.org/security/announce/2010/mfsa2010-22.html
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
5808950f475b3f2469675520f8a526c9 2008.0/i586/libnspr4-4.8.4-0.1mdv2008.0.i586.rpm
f09e7355e612a626c4e30baf851200e2 2008.0/i586/libnspr-devel-4.8.4-0.1mdv2008.0.i586.rpm
414e4e7e64202a7a01ce122f40fdbfa9 2008.0/i586/libnss3-3.12.6-0.1mdv2008.0.i586.rpm
37eb4d97e617dd78834801d5e3e2411e 2008.0/i586/libnss-devel-3.12.6-0.1mdv2008.0.i586.rpm
1186fe6aec619702ce3b3f76ad0a03a2 2008.0/i586/libnss-static-devel-3.12.6-0.1mdv2008.0.i586.rpm
f2fc05e8cf4ef840229536a95397c02d 2008.0/i586/nss-3.12.6-0.1mdv2008.0.i586.rpm
157d696865f82a05167a98ff75d3bb05 2008.0/SRPMS/nspr-4.8.4-0.1mdv2008.0.src.rpm
3f4fb184412ba28e84334765300d48cf 2008.0/SRPMS/nss-3.12.6-0.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
8f61146ebf97dfaa93a8d8973c2c2f49 2008.0/x86_64/lib64nspr4-4.8.4-0.1mdv2008.0.x86_64.rpm
6375eb3bd5fac3fe5648e6083018f62f 2008.0/x86_64/lib64nspr-devel-4.8.4-0.1mdv2008.0.x86_64.rpm
b5c368f59fae314c472d1bd40613738d 2008.0/x86_64/lib64nss3-3.12.6-0.1mdv2008.0.x86_64.rpm
b947d236395ffbc0f750c32705b39ae2 2008.0/x86_64/lib64nss-devel-3.12.6-0.1mdv2008.0.x86_64.rpm
c797275a9d57e4fefc2bc5942a0c1860 2008.0/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2008.0.x86_64.rpm
9b5565826ca817fedc4c16866e0b432a 2008.0/x86_64/nss-3.12.6-0.1mdv2008.0.x86_64.rpm
157d696865f82a05167a98ff75d3bb05 2008.0/SRPMS/nspr-4.8.4-0.1mdv2008.0.src.rpm
3f4fb184412ba28e84334765300d48cf 2008.0/SRPMS/nss-3.12.6-0.1mdv2008.0.src.rpm

Mandriva Linux 2009.0:
d668c97cdd4c6f2a54364185689bc9c3 2009.0/i586/libnspr4-4.8.4-0.1mdv2009.0.i586.rpm
213e3167d01de2e3153282ec09448101 2009.0/i586/libnspr-devel-4.8.4-0.1mdv2009.0.i586.rpm
3416bcd2b299a4573a0de8920edee34f 2009.0/i586/libnss3-3.12.6-0.1mdv2009.0.i586.rpm
76324be5f2dc503848e15651c9201990 2009.0/i586/libnss-devel-3.12.6-0.1mdv2009.0.i586.rpm
eb77fab010cf83b2a803c542595ef9d5 2009.0/i586/libnss-static-devel-3.12.6-0.1mdv2009.0.i586.rpm
a2e0e29a6565534dd4470b8b8fe348e0 2009.0/i586/nss-3.12.6-0.1mdv2009.0.i586.rpm
ef8c68c639efec98dedf89557d542730 2009.0/SRPMS/nspr-4.8.4-0.1mdv2009.0.src.rpm
7840542c10c58531c2e5007defe85b8e 2009.0/SRPMS/nss-3.12.6-0.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
c268178467753eb950ec3fc6c2fcf7c4 2009.0/x86_64/lib64nspr4-4.8.4-0.1mdv2009.0.x86_64.rpm
1cad4bd917e64990d862bee35b773d29 2009.0/x86_64/lib64nspr-devel-4.8.4-0.1mdv2009.0.x86_64.rpm
9dafd05dbae7859a91cb53f9f9add679 2009.0/x86_64/lib64nss3-3.12.6-0.1mdv2009.0.x86_64.rpm
d624418468c98b63d058898f9dc68e1f 2009.0/x86_64/lib64nss-devel-3.12.6-0.1mdv2009.0.x86_64.rpm
d9b103d310dfd8b8847694613068485d 2009.0/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2009.0.x86_64.rpm
268e8d10f6184442b9a66672148f5687 2009.0/x86_64/nss-3.12.6-0.1mdv2009.0.x86_64.rpm
ef8c68c639efec98dedf89557d542730 2009.0/SRPMS/nspr-4.8.4-0.1mdv2009.0.src.rpm
7840542c10c58531c2e5007defe85b8e 2009.0/SRPMS/nss-3.12.6-0.1mdv2009.0.src.rpm

Mandriva Linux 2009.1:
f2fc77ff32d9cc4dd3839c2644e3cad1 2009.1/i586/libnspr4-4.8.4-0.1mdv2009.1.i586.rpm
e110eaa263397b81bff4873e8badf3b9 2009.1/i586/libnspr-devel-4.8.4-0.1mdv2009.1.i586.rpm
37eaded0314c7b3c0bc9d0b24d0add88 2009.1/i586/libnss3-3.12.6-0.1mdv2009.1.i586.rpm
0d5cf958f159251ecc3b88254b042181 2009.1/i586/libnss-devel-3.12.6-0.1mdv2009.1.i586.rpm
17fcbbdc5f818450da24c371ffba02a2 2009.1/i586/libnss-static-devel-3.12.6-0.1mdv2009.1.i586.rpm
7b297c2234b4b36ee796570630b819bc 2009.1/i586/nss-3.12.6-0.1mdv2009.1.i586.rpm
1c7837b4ebb442de506de9f3e530f093 2009.1/SRPMS/nspr-4.8.4-0.1mdv2009.1.src.rpm
61548957bb2121a16b9dd0d840f1a19c 2009.1/SRPMS/nss-3.12.6-0.1mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
c61401ffeba102ddba8139175c964687 2009.1/x86_64/lib64nspr4-4.8.4-0.1mdv2009.1.x86_64.rpm
5c1365625f929e36f5e59213877aac9d 2009.1/x86_64/lib64nspr-devel-4.8.4-0.1mdv2009.1.x86_64.rpm
94944b1ef725591c3634d3f2af540840 2009.1/x86_64/lib64nss3-3.12.6-0.1mdv2009.1.x86_64.rpm
07c3a4ee676d96659119aa9f5d65da37 2009.1/x86_64/lib64nss-devel-3.12.6-0.1mdv2009.1.x86_64.rpm
0bcc455a76d8769754203d1b4938c40c 2009.1/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2009.1.x86_64.rpm
3a324386025aa54470683e3e7729ee18 2009.1/x86_64/nss-3.12.6-0.1mdv2009.1.x86_64.rpm
1c7837b4ebb442de506de9f3e530f093 2009.1/SRPMS/nspr-4.8.4-0.1mdv2009.1.src.rpm
61548957bb2121a16b9dd0d840f1a19c 2009.1/SRPMS/nss-3.12.6-0.1mdv2009.1.src.rpm

Mandriva Linux 2010.0:
1b34e86e948e76f814ead17dc7b18759 2010.0/i586/libnspr4-4.8.4-0.1mdv2010.0.i586.rpm
d0b5d749ddc685643512bd2a2ed1c969 2010.0/i586/libnspr-devel-4.8.4-0.1mdv2010.0.i586.rpm
f64c138b1dd4273e6ff173a46801e606 2010.0/i586/libnss3-3.12.6-0.1mdv2010.0.i586.rpm
d287d303ef943afca97f78794b204b4c 2010.0/i586/libnss-devel-3.12.6-0.1mdv2010.0.i586.rpm
9d7ba97ad7b69324fdaea1aae7e638e9 2010.0/i586/libnss-static-devel-3.12.6-0.1mdv2010.0.i586.rpm
b1d48fefb674dd2e3c40ca0e6ebdf38f 2010.0/i586/nss-3.12.6-0.1mdv2010.0.i586.rpm
b4c9c09b108d0f9052099848da17d9b6 2010.0/SRPMS/nspr-4.8.4-0.1mdv2010.0.src.rpm
8239f2289f9cf226b870374d418c0874 2010.0/SRPMS/nss-3.12.6-0.1mdv2010.0.src.rpm

Mandriva Linux 2010.0/X86_64:
83b1a7447d49f79c42f0eee2683dcd60 2010.0/x86_64/lib64nspr4-4.8.4-0.1mdv2010.0.x86_64.rpm
a62678fb78e46d99a9ec57c330ad5c6f 2010.0/x86_64/lib64nspr-devel-4.8.4-0.1mdv2010.0.x86_64.rpm
c351fd08ab9b7b4303b157b64ba42ae3 2010.0/x86_64/lib64nss3-3.12.6-0.1mdv2010.0.x86_64.rpm
e9c37c13bb2427b234fb6f262f5acea0 2010.0/x86_64/lib64nss-devel-3.12.6-0.1mdv2010.0.x86_64.rpm
b975d408159979874866ece89f06cd38 2010.0/x86_64/lib64nss-static-devel-3.12.6-0.1mdv2010.0.x86_64.rpm
b4b549eb112359219f946bb1379357f5 2010.0/x86_64/nss-3.12.6-0.1mdv2010.0.x86_64.rpm
b4c9c09b108d0f9052099848da17d9b6 2010.0/SRPMS/nspr-4.8.4-0.1mdv2010.0.src.rpm
8239f2289f9cf226b870374d418c0874 2010.0/SRPMS/nss-3.12.6-0.1mdv2010.0.src.rpm

Mandriva Enterprise Server 5:
eb965867c7614f2b5d20b492b0d31f5a mes5/i586/libnspr4-4.8.4-0.1mdvmes5.i586.rpm
e9d155d0ceae9f3b34d673bcb5a41a0f mes5/i586/libnspr-devel-4.8.4-0.1mdvmes5.i586.rpm
4c516d6e8090e86432612d4e9bebeda9 mes5/i586/libnss3-3.12.6-0.1mdvmes5.i586.rpm
a2e490654d19daeb34dc7be49e84cc27 mes5/i586/libnss-devel-3.12.6-0.1mdvmes5.i586.rpm
884712b382e6ebec9e3e44ec9de9433d mes5/i586/libnss-static-devel-3.12.6-0.1mdvmes5.i586.rpm
efc2bae5196b057aba91eb3357aaa513 mes5/i586/nss-3.12.6-0.1mdvmes5.i586.rpm
b114168aab9b0154d5573e167074581e mes5/SRPMS/nspr-4.8.4-0.1mdvmes5.1.src.rpm
397f2bc60121455633c45b31529aeb9e mes5/SRPMS/nss-3.12.6-0.1mdvmes5.src.rpm

Mandriva Enterprise Server 5/X86_64:
87d9de03b4f6bf92269b52f934246b15 mes5/x86_64/lib64nspr4-4.8.4-0.1mdvmes5.x86_64.rpm
b59b316d078d66dd7ff9f9d5ebbde669 mes5/x86_64/lib64nspr-devel-4.8.4-0.1mdvmes5.x86_64.rpm
3b90e3e62fe96485a7b0be2e9da40f35 mes5/x86_64/lib64nss3-3.12.6-0.1mdvmes5.x86_64.rpm
e557ca44f13c20b952c01d9516cb9e17 mes5/x86_64/lib64nss-devel-3.12.6-0.1mdvmes5.x86_64.rpm
8484d1fd45fc925c650ab9e85e8da34d mes5/x86_64/lib64nss-static-devel-3.12.6-0.1mdvmes5.x86_64.rpm
40bdcd337c3a39d7d611f2a189ea7065 mes5/x86_64/nss-3.12.6-0.1mdvmes5.x86_64.rpm
b114168aab9b0154d5573e167074581e mes5/SRPMS/nspr-4.8.4-0.1mdvmes5.1.src.rpm
397f2bc60121455633c45b31529aeb9e mes5/SRPMS/nss-3.12.6-0.1mdvmes5.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team

– —–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLu6RomqjQ0CJFipgRAvAsAKDsKNbgAtUmeiJhUkz1wVL5AoB6dwCgpvKo
XDOMAYHTh7eJGefnK6VDoRc=
=f0Zu
– —–END PGP SIGNATURE—–
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFLvKUaWmhIvjFb90URAhGyAJ4siSlSoRIIslnHnMeggbCCzcOSbQCglGu/
CoK6OMwGeMXJgBvT+ytYKwY=
=Vrdt
—–END PGP SIGNATURE—–

© COMPUTEC MEDIA GmbH
Nach oben