USN-3372-1: NSS vulnerability

31 July 2017

Several security issues were fixed in NSS.

Releases

Packages

  • nss - Network Security Service library

Details

It was discovered that NSS incorrectly handled certain empty SSLv2
messages. A remote attacker could possibly use this issue to cause NSS to
crash, resulting in a denial of service. (CVE-2017-7502)

Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES
ciphers were vulnerable to birthday attacks. A remote attacker could
possibly use this flaw to obtain clear text data from long encrypted
sessions. This update causes NSS to limit use of the same symmetric key.
(CVE-2016-2183)

It was discovered that NSS incorrectly handled Base64 decoding. A remote
attacker could use this flaw to cause NSS to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2017-5461)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

Related notices

  • USN-3260-1: firefox
  • USN-3198-1: icedtea-6-jre-cacao, icedtea-6-jre-jamvm, openjdk-6, openjdk-6-jre-zero, openjdk-6-jdk, openjdk-6-jre, openjdk-6-jre-headless, openjdk-6-jre-lib
  • USN-3179-1: openjdk-8-jre, openjdk-8-jdk, openjdk-8-jre-headless, openjdk-8, openjdk-8-jdk-headless, openjdk-8-jre-jamvm, openjdk-8-jre-zero
  • USN-3194-1: openjdk-7-jre, openjdk-7-jre-zero, openjdk-7-jre-headless, openjdk-7, icedtea-7-jre-jamvm, openjdk-7-jdk
  • USN-3336-1: libnss3, nss
  • USN-3270-1: libnss3, nss
  • USN-3087-1: openssl, libssl1.0.0
  • USN-3278-1: thunderbird