CentOS Update for nspr CESA-2012:0973 centos6

Information

Severity

Medium

Family

CentOS Local Security Checks

CVSSv2 Base

6.8

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Solution Type

Vendor Patch

Created

10 years ago

Modified

4 years ago

Summary

The remote host is missing an update for the 'nspr' package(s) announced via the referenced advisory.

Insight

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

It was found that a Certificate Authority (CA) issued a subordinate CA certificate to its customer, that could be used to issue certificates for any name. This update renders the subordinate CA certificate as untrusted. (BZ#798533)

Note: This fix only applies to applications using the NSS Builtin Object Token. It does not render the certificates untrusted for applications that use the NSS library, but do not use the NSS Builtin Object Token.

The nspr package has been upgraded to upstream version 4.9, which provides a number of bug fixes and enhancements over the previous version. (BZ#799193)

The nss-util package has been upgraded to upstream version 3.13.3, which provides a number of bug fixes and enhancements over the previous version. (BZ#799192)

The nss package has been upgraded to upstream version 3.13.3, which provides numerous bug fixes and enhancements over the previous version. In particular, SSL 2.0 is now disabled by default, support for SHA-224 has been added, PORT_ErrorToString and PORT_ErrorToName now return the error message and symbolic name of an NSS error code, and NSS_GetVersion now returns the NSS version string. (BZ#744070)

These updated nss, nss-util, and nspr packages also provide fixes for the following bugs:

* A PEM module internal function did not clean up memory when detecting a non-existent file name. Consequently, memory leaks in client code occurred. The code has been improved to deallocate such temporary objects and as a result the reported memory leakage is gone. (BZ#746632)

* Recent changes to NSS re-introduced a problem where applications could not use multiple SSL client certificates in the same process. Therefore, any attempt to run commands that worked with multiple SSL client certificates, such as the 'yum repolist' command, resulted in a re-negotiation handshake failure. With this update, a revised patch correcting this problem has been applied to NSS, and using multiple SSL client certificates in the same process is now possible again. (BZ#761086)

* The PEM module did not fully initialize newly constructed objects with function pointers set to NULL. Consequently, a segmentation violation in libcurl was sometimes experienced while accessing a package repository. With this update, the code h ... Description truncated, please see the referenced URL(s) for more information.

Affected Software

nspr on CentOS 6

Solution

Please install the updated packages.