Moderate nss / nss-util / nspr security updates

April 6, 2016

There have been updates to the nss, nss-util and nspr packages to address moderate security flaws (CVE-2016-1978, CVE-2016-1979). The new packages are currently syncing through the various mirrors.

This affects Red Hat / CentOS 6.

Two CVEs were published in reference to these issues:

CVE-2016-1978

A use-after-free flaw was found in the way NSS handled DHE (Diffie-Hellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application. (CVE-2016-1978) (via RHN)

CVE-2016-1979

A use-after-free flaw was found in the way NSS processed certain DER (Distinguished Encoding Rules) encoded cryptographic keys. An attacker could use this flaw to create a specially crafted DER encoded certificate which, when parsed by an application compiled against the NSS library, could cause that application to crash, or execute arbitrary code using the permissions of the user running the application. (CVE-2016-1979) (via RHN)

Updating your system

To update your system, you need to update all three packages (nss, nss-util and nspr) once they are available in the mirrors.

Running the update
Type the following to update the system:

If the updates are available, this will update all three packages. If they are not available yet, keep trying until you see the updates happen. We are seeing them in the mirrors…

Checking for the patches after the update
Once you’ve installed the updates, you want to check whether you have the patched version or just a newer version than you had previously. You can type the following to check for the patched version:

You can do this for any of the packages below…
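As an added example, not part of the original post, here is a POSIX shell check that looks for the two CVE ids in a package's RPM changelog, which is the most direct way to tell a patched build from a merely newer one. It assumes the rebuilt nss and nss-util packages reference the CVE ids in their %changelog (as Red Hat security errata normally do); the sample changelog text below is constructed, and nspr is left out because its update need not mention the CVE ids.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an installed
# package actually carries the fix for the two CVEs in this advisory by
# reading its RPM changelog, instead of trusting "it is a newer version".
# Assumption: the rebuilt nss and nss-util packages list the CVE ids in
# their %changelog, as Red Hat security errata normally do.

# changelog_has_cves TEXT CVE...: returns 0 when every CVE id appears in
# TEXT, 1 otherwise; the missing ids are printed on stdout.
changelog_has_cves() {
    text=$1
    shift
    missing=
    for cve in "$@"; do
        case $text in
            *"$cve"*) ;;
            *) missing="$missing $cve" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf 'missing:%s\n' "$missing"
    return 1
}

# installed_pkg_has_cves PKG CVE...: queries the live RPM database
# (needs rpm, i.e. a CentOS/RHEL box); returns 2 if PKG is not installed.
installed_pkg_has_cves() {
    pkg=$1
    shift
    log=$(rpm -q --changelog "$pkg" 2>/dev/null) || { echo "$pkg: not installed"; return 2; }
    changelog_has_cves "$log" "$@"
}

# Constructed sample changelog excerpts in the shape of Red Hat entries;
# the dates, names, bug numbers and versions are made up for this example.
FIXED_LOG='* Mon Mar 21 2016 Example Maintainer <example@example.invalid> - 3.21.0-0.3
- Resolves: Bug 1000001 - CVE-2016-1978 use-after-free in DHE/ECDHE handshake parsing
- Resolves: Bug 1000002 - CVE-2016-1979 use-after-free in DER key decoding'
OLD_LOG='* Tue Jan 05 2016 Example Maintainer <example@example.invalid> - 3.19.1-5
- Rebase to NSS 3.19.1'

changelog_has_cves "$FIXED_LOG" CVE-2016-1978 CVE-2016-1979 && echo "sample fixed changelog: patched"
changelog_has_cves "$OLD_LOG" CVE-2016-1978 CVE-2016-1979 || echo "sample old changelog: NOT patched"

# On a real CentOS/RHEL 6 system, check the two packages that carry the fixes.
if command -v rpm >/dev/null 2>&1; then
    installed_pkg_has_cves nss CVE-2016-1978 && echo "nss: patched"
    installed_pkg_has_cves nss-util CVE-2016-1979 && echo "nss-util: patched"
fi
```

A package that is newer but whose changelog never mentions the CVE ids should be treated as unpatched until you confirm it against the erratum linked below.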


Updated package information / versions

nss

nss-util

nspr


More Information

For more information about this, you can visit the following links:
https://rhn.redhat.com/errata/RHSA-2016-0591.html
https://lists.centos.org/pipermail/centos-announce/2016-April/021809.html
https://lists.centos.org/pipermail/centos-announce/2016-April/021808.html
https://lists.centos.org/pipermail/centos-announce/2016-April/021807.html
