Security Advisory Critical: nspr and nss security update

Advisory: RHSA-2009:1207-1
Type: Security Advisory
Severity: Critical
Issued on: 2009-08-12
Last updated on: 2009-08-12
Affected Products: Red Hat Enterprise Linux EUS (v. 5.2.z server)
CVEs ( CVE-2009-2404


Updated nspr and nss packages that fix security issues are now available
for Red Hat Enterprise Linux 5.2 Extended Update Support.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI
operating system facilities. These facilities include threads, thread
synchronization, normal file and network I/O, interval timing, calendar
time, basic memory management (malloc and free), and shared library linking.

Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Applications built with NSS can support SSLv2, SSLv3, TLS,
and other security standards.

These updated packages upgrade NSS from the previous version, 3.12.2, to a
prerelease of version 3.12.4. The version of NSPR has also been upgraded
from 4.7.3 to 4.7.4.

Moxie Marlinspike reported a heap overflow flaw in a regular expression
parser in the NSS library used by browsers such as Mozilla Firefox to match
common names in certificates. A malicious website could present a
carefully-crafted certificate in such a way as to trigger the heap
overflow, leading to a crash or, possibly, arbitrary code execution with
the permissions of the user running the browser. (CVE-2009-2404)

Note: in order to exploit this issue without further user interaction in
Firefox, the carefully-crafted certificate would need to be signed by a
Certificate Authority trusted by Firefox, otherwise Firefox presents the
victim with a warning that the certificate is untrusted. Only if the user
then accepts the certificate will the overflow take place.

Dan Kaminsky discovered flaws in the way browsers such as Firefox handle
NULL characters in a certificate. If an attacker is able to get a
carefully-crafted certificate signed by a Certificate Authority trusted by
Firefox, the attacker could use the certificate during a man-in-the-middle
attack and potentially confuse Firefox into accepting it by mistake.

Dan Kaminsky found that browsers still accept certificates with MD2 hash
signatures, even though MD2 is no longer considered a cryptographically
strong algorithm. This could make it easier for an attacker to create a
malicious certificate that would be treated as trusted by a browser. NSS
now disables the use of MD2 and MD4 algorithms inside signatures by
default. (CVE-2009-2409)

All users of nspr and nss are advised to upgrade to these updated packages,
which resolve these issues.


Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at

Updated packages

Red Hat Enterprise Linux EUS (v. 5.2.z server)

nspr-4.7.4-1.el5_2.src.rpm     MD5: fa095c8006fcb6dc3cc8ca5ddb5f917a
nss-     MD5: 3f39fe82d3964e844fde465a2d731c8a
nspr-4.7.4-1.el5_2.i386.rpm     MD5: 12514e86c8bf475d511346ea0f90db03
nspr-devel-4.7.4-1.el5_2.i386.rpm     MD5: d77dbeeaa72df84834a986ccd192d3b9
nss-     MD5: 147a600f27e81cc8684c3f5f3413864a
nss-devel-     MD5: 1f3398bc4ce5d5e750bc80ff133273b1
nss-pkcs11-devel-     MD5: ac705e7a9938a4213553cdb4c357ef6a
nss-tools-     MD5: f5b513a4de00addcb6870db176c2db17
nspr-4.7.4-1.el5_2.i386.rpm     MD5: 12514e86c8bf475d511346ea0f90db03
nspr-4.7.4-1.el5_2.ia64.rpm     MD5: c0cc58dbaf9a2def89d7b90d9614b937
nspr-devel-4.7.4-1.el5_2.ia64.rpm     MD5: 088c97b28733001bb0d0d393a23c7f14
nss-     MD5: 147a600f27e81cc8684c3f5f3413864a
nss-     MD5: 21d11d7afb25e816121fd3efa2d5769f
nss-devel-     MD5: f83bb07f610f27fa917886c491c27523
nss-pkcs11-devel-     MD5: 45be1ea1de16c70f87e154a3b9ccd0bd
nss-tools-     MD5: 1a0588c0bd7ab6dd2e04d0d56db4e612
nspr-4.7.4-1.el5_2.ppc.rpm     MD5: 3518cba6cb74d330f083aa9f04c2a29f
nspr-4.7.4-1.el5_2.ppc64.rpm     MD5: cc04bf7fb098e4ba00e73b29ff0088e1
nspr-devel-4.7.4-1.el5_2.ppc.rpm     MD5: 6d7a7f56d87e83a6e1c0eef6728d78cf
nspr-devel-4.7.4-1.el5_2.ppc64.rpm     MD5: be3a08531dae15063e697fe6b1de3852
nss-     MD5: 76633d6c5d3edd2968df919053343815
nss-     MD5: da4ae97dc6fa7dea8b9b707efca80b7c
nss-devel-     MD5: c844d19c10e53af5c9685d64e952a143
nss-devel-     MD5: 21e57b2dab2f5ad7810216a312e2a9ce
nss-pkcs11-devel-     MD5: 4dd05641246bd2afa87cbbe417e4ba5c
nss-pkcs11-devel-     MD5: 0c767c5ebf3469b33164719cea0f5214
nss-tools-     MD5: a7cccd913ac323ff2a2bcd80edc2cfcb
nspr-4.7.4-1.el5_2.s390.rpm     MD5: 52c2ed409b412678e2689c794a038c81
nspr-4.7.4-1.el5_2.s390x.rpm     MD5: 7459077a6f675d9fe9fd38341159616b
nspr-devel-4.7.4-1.el5_2.s390.rpm     MD5: 1db1be4d5ec7a2a49dad1477c5a5c5dd
nspr-devel-4.7.4-1.el5_2.s390x.rpm     MD5: a5a6a8db2ea4e19d813a1dc9bed6e2e2
nss-     MD5: 234970492aa052103646be47a5a76ae1
nss-     MD5: 89bf1f1d92ea25166b06c63f0759177f
nss-devel-     MD5: a97b662b74cc8f86a4715ba4b56136c0
nss-devel-     MD5: 60f77fdda8fefaaa78283bfee7ec4faa
nss-pkcs11-devel-     MD5: ac8029b9de2f94bed4cbd546006cd6bc
nss-pkcs11-devel-     MD5: 13dcaaad509be9996e3fa1e44624135a
nss-tools-     MD5: 320995717d82a1fb5574503481264abe
nspr-4.7.4-1.el5_2.i386.rpm     MD5: 12514e86c8bf475d511346ea0f90db03
nspr-4.7.4-1.el5_2.x86_64.rpm     MD5: 59c6a31b7b9953338b9b851ddc153b82
nspr-devel-4.7.4-1.el5_2.i386.rpm     MD5: d77dbeeaa72df84834a986ccd192d3b9
nspr-devel-4.7.4-1.el5_2.x86_64.rpm     MD5: 4766e6adcb8e53cff5936e1aa30a4b44
nss-     MD5: 147a600f27e81cc8684c3f5f3413864a
nss-     MD5: 249aad715eda6623e847602944d27b69
nss-devel-     MD5: 1f3398bc4ce5d5e750bc80ff133273b1
nss-devel-     MD5: e2736f1f8cecdd13e546622d0c2de569
nss-pkcs11-devel-     MD5: ac705e7a9938a4213553cdb4c357ef6a
nss-pkcs11-devel-     MD5: befe2faee4c5a8c6e17e391e644fd21c
nss-tools-     MD5: 3544465679cfdaf96c3e47d6939466a2
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

510197 - CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
510251 - CVE-2009-2408 firefox/nss: doesn't handle NULL in Common Name properly
512912 - CVE-2009-2404 nss regexp heap overflow


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at