Skip to navigation

Security Advisory Critical: nspr and nss security and bug fix update

Advisory: RHSA-2009:1190-1
Type: Security Advisory
Severity: Critical
Issued on: 2009-07-31
Last updated on: 2009-07-31
Affected Products: Red Hat Enterprise Linux AS (v. 4.7.z)
Red Hat Enterprise Linux ES (v. 4.7.z)
CVEs (cve.mitre.org): CVE-2009-2404
CVE-2009-2408
CVE-2009-2409

Details

Updated nspr and nss packages that fix security issues and bugs are now
available for Red Hat Enterprise Linux 4.7 Extended Update Support.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI
operating system facilities. These facilities include threads, thread
synchronization, normal file and network I/O, interval timing, calendar
time, basic memory management (malloc and free), and shared library linking.

Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Applications built with NSS can support SSLv2, SSLv3, TLS,
and other security standards.

These updated packages upgrade NSS from the previous version, 3.12.2, to a
prerelease of version 3.12.4. The version of NSPR has also been upgraded
from 4.7.3 to 4.7.4.

Moxie Marlinspike reported a heap overflow flaw in a regular expression
parser in the NSS library used by browsers such as Mozilla Firefox to match
common names in certificates. A malicious website could present a
carefully-crafted certificate in such a way as to trigger the heap
overflow, leading to a crash or, possibly, arbitrary code execution with
the permissions of the user running the browser. (CVE-2009-2404)

Note: in order to exploit this issue without further user interaction in
Firefox, the carefully-crafted certificate would need to be signed by a
Certificate Authority trusted by Firefox, otherwise Firefox presents the
victim with a warning that the certificate is untrusted. Only if the user
then accepts the certificate will the overflow take place.

Dan Kaminsky discovered flaws in the way browsers such as Firefox handle
NULL characters in a certificate. If an attacker is able to get a
carefully-crafted certificate signed by a Certificate Authority trusted by
Firefox, the attacker could use the certificate during a man-in-the-middle
attack and potentially confuse Firefox into accepting it by mistake.
(CVE-2009-2408)

Dan Kaminsky found that browsers still accept certificates with MD2 hash
signatures, even though MD2 is no longer considered a cryptographically
strong algorithm. This could make it easier for an attacker to create a
malicious certificate that would be treated as trusted by a browser. NSS
now disables the use of MD2 and MD4 algorithms inside signatures by
default. (CVE-2009-2409)

These version upgrades also provide fixes for the following bugs:

* SSL client authentication failed against an Apache server when it was
using the mod_nss module and configured for NSSOCSP. On the client side,
the user agent received an error message that referenced "Error Code:
-12271" and stated that establishing an encrypted connection had failed
because the certificate had been rejected by the host.

On the server side, the nss_error_log under /var/log/httpd/ contained the
following message:

[error] Re-negotiation handshake failed: Not accepted by client!?

Also, /var/log/httpd/error_log contained this error:

SSL Library Error: -8071 The OCSP server experienced an internal error

With these updated packages, the dependency problem which caused this
failure has been resolved so that SSL client authentication with an
Apache web server using mod_nss which is configured for NSSOCSP succeeds
as expected. Note that if the presented client certificate is expired,
then access is denied, the user agent is presented with an error message
about the invalid certificate, and the OCSP queries are seen in the OCSP
responder. Also, similar OCSP status verification happens for SSL server
certificates used in Apache upon instance start or restart. (BZ#508026)

* NSS uses a software integrity test to detect code corruption. RPM
transactions and system link optimization daemons (such as prelink) can
change the contents of libraries, causing the software integrity test to
fail. In combination with the updated prelink package (RHBA-2009:1041),
these updated packages can now prevent software integrity test failures.
(BZ#495938)

All users of nspr and nss are advised to upgrade to these updated packages,
which resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux AS (v. 4.7.z)

SRPMS:
nspr-4.7.4-1.el4_7.1.src.rpm     MD5: ebb0fa8ccce2c772a607e91dafad48c9
nss-3.12.3.99.3-1.el4_7.6.src.rpm     MD5: 23f2414c95544b8cc22cef81927b8902
 
IA-32:
nspr-4.7.4-1.el4_7.1.i386.rpm     MD5: 2615c47f1bccdc3af82eb6b108670233
nspr-devel-4.7.4-1.el4_7.1.i386.rpm     MD5: f5dad9a5f79725cd2782b288501615e5
nss-3.12.3.99.3-1.el4_7.6.i386.rpm     MD5: cc71ae84f8f69111b6c8561aef6781b8
nss-devel-3.12.3.99.3-1.el4_7.6.i386.rpm     MD5: e4d41ea74c6f23854e616f6466ca894e
 
IA-64:
nspr-4.7.4-1.el4_7.1.i386.rpm     MD5: 2615c47f1bccdc3af82eb6b108670233
nspr-4.7.4-1.el4_7.1.ia64.rpm     MD5: 7736759b7b291cc5d60f369c43e8ba9c
nspr-devel-4.7.4-1.el4_7.1.ia64.rpm     MD5: 76af0737370495352d7a04e4df6fd96a
nss-3.12.3.99.3-1.el4_7.6.i386.rpm     MD5: cc71ae84f8f69111b6c8561aef6781b8
nss-3.12.3.99.3-1.el4_7.6.ia64.rpm     MD5: 07465affd87896fee4f8f39d68cc322e
nss-devel-3.12.3.99.3-1.el4_7.6.ia64.rpm     MD5: 2829631cdb0d0b4d56133294c5d8e0b7
 
PPC:
nspr-4.7.4-1.el4_7.1.ppc.rpm     MD5: f5342fe48aeea570a7cd9c1cdace2cb2
nspr-4.7.4-1.el4_7.1.ppc64.rpm     MD5: 4add50ee413f9dcf73451bb396be809a
nspr-devel-4.7.4-1.el4_7.1.ppc.rpm     MD5: 11a5679e1d52ea97a86b92c163bc36b3
nss-3.12.3.99.3-1.el4_7.6.ppc.rpm     MD5: d88e6f2124082425a1127313888921d2
nss-3.12.3.99.3-1.el4_7.6.ppc64.rpm     MD5: ac291986ebab8f1dbe846093b7858033
nss-devel-3.12.3.99.3-1.el4_7.6.ppc.rpm     MD5: cfd786135514cb477881631aa7e648ec
 
s390:
nspr-4.7.4-1.el4_7.1.s390.rpm     MD5: 527078688129b41ab3072d6ff287a4fd
nspr-devel-4.7.4-1.el4_7.1.s390.rpm     MD5: 0f19b55ad1ee5c281a715c8fc0bf3113
nss-3.12.3.99.3-1.el4_7.6.s390.rpm     MD5: f574c9cb110ec2ae8f8254689ead66a6
nss-devel-3.12.3.99.3-1.el4_7.6.s390.rpm     MD5: 298facfdc6be10899babab8efebc59c4
 
s390x:
nspr-4.7.4-1.el4_7.1.s390.rpm     MD5: 527078688129b41ab3072d6ff287a4fd
nspr-4.7.4-1.el4_7.1.s390x.rpm     MD5: 2a73d8d75be79c823a28a18507459983
nspr-devel-4.7.4-1.el4_7.1.s390x.rpm     MD5: c26a43bd49747f16e00ef6b47c80b4a4
nss-3.12.3.99.3-1.el4_7.6.s390.rpm     MD5: f574c9cb110ec2ae8f8254689ead66a6
nss-3.12.3.99.3-1.el4_7.6.s390x.rpm     MD5: bf7b41c195237d0973b34f47077aa961
nss-devel-3.12.3.99.3-1.el4_7.6.s390x.rpm     MD5: 01e162fb5414ccf0a0eafd053b6c1dd9
 
x86_64:
nspr-4.7.4-1.el4_7.1.i386.rpm     MD5: 2615c47f1bccdc3af82eb6b108670233
nspr-4.7.4-1.el4_7.1.x86_64.rpm     MD5: f0bc6e91abf90e264ae45279d42d5674
nspr-devel-4.7.4-1.el4_7.1.x86_64.rpm     MD5: 5eb29f92f4fe10c927f24d3c25ecc628
nss-3.12.3.99.3-1.el4_7.6.i386.rpm     MD5: cc71ae84f8f69111b6c8561aef6781b8
nss-3.12.3.99.3-1.el4_7.6.x86_64.rpm     MD5: 0dda12742817bc476737fcbd07bb1ae7
nss-devel-3.12.3.99.3-1.el4_7.6.x86_64.rpm     MD5: d5e2999eff571a0d9a027ebb96d6bb2f
 
Red Hat Enterprise Linux ES (v. 4.7.z)

SRPMS:
nspr-4.7.4-1.el4_7.1.src.rpm     MD5: ebb0fa8ccce2c772a607e91dafad48c9
nss-3.12.3.99.3-1.el4_7.6.src.rpm     MD5: 23f2414c95544b8cc22cef81927b8902
 
IA-32:
nspr-4.7.4-1.el4_7.1.i386.rpm     MD5: 2615c47f1bccdc3af82eb6b108670233
nspr-devel-4.7.4-1.el4_7.1.i386.rpm     MD5: f5dad9a5f79725cd2782b288501615e5
nss-3.12.3.99.3-1.el4_7.6.i386.rpm     MD5: cc71ae84f8f69111b6c8561aef6781b8
nss-devel-3.12.3.99.3-1.el4_7.6.i386.rpm     MD5: e4d41ea74c6f23854e616f6466ca894e
 
IA-64:
nspr-4.7.4-1.el4_7.1.i386.rpm     MD5: 2615c47f1bccdc3af82eb6b108670233
nspr-4.7.4-1.el4_7.1.ia64.rpm     MD5: 7736759b7b291cc5d60f369c43e8ba9c
nspr-devel-4.7.4-1.el4_7.1.ia64.rpm     MD5: 76af0737370495352d7a04e4df6fd96a
nss-3.12.3.99.3-1.el4_7.6.i386.rpm     MD5: cc71ae84f8f69111b6c8561aef6781b8
nss-3.12.3.99.3-1.el4_7.6.ia64.rpm     MD5: 07465affd87896fee4f8f39d68cc322e
nss-devel-3.12.3.99.3-1.el4_7.6.ia64.rpm     MD5: 2829631cdb0d0b4d56133294c5d8e0b7
 
x86_64:
nspr-4.7.4-1.el4_7.1.i386.rpm     MD5: 2615c47f1bccdc3af82eb6b108670233
nspr-4.7.4-1.el4_7.1.x86_64.rpm     MD5: f0bc6e91abf90e264ae45279d42d5674
nspr-devel-4.7.4-1.el4_7.1.x86_64.rpm     MD5: 5eb29f92f4fe10c927f24d3c25ecc628
nss-3.12.3.99.3-1.el4_7.6.i386.rpm     MD5: cc71ae84f8f69111b6c8561aef6781b8
nss-3.12.3.99.3-1.el4_7.6.x86_64.rpm     MD5: 0dda12742817bc476737fcbd07bb1ae7
nss-devel-3.12.3.99.3-1.el4_7.6.x86_64.rpm     MD5: d5e2999eff571a0d9a027ebb96d6bb2f
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

495938 - seamonkey/nss FIPS mode failure, update prelink and nss
508026 - rhcs80beta TPS and mod_nss with NSSOCSP has ssl errors and unable to use agent service
510197 - CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
510251 - CVE-2009-2408 firefox/nss: doesn't handle NULL in Common Name properly
512912 - CVE-2009-2404 nss regexp heap overflow


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/