| |||||||||||||||||||
Pardus alert 2010-20 (nss)
------------------------------------------------------------------------ Pardus Linux Security Advisory 2010-20 security@pardus.org.tr ------------------------------------------------------------------------ Date: 2010-02-04 Severity: 4 Type: Remote ------------------------------------------------------------------------ Summary ======= A serious vulnerability was found in TLS/SSLv3 protocol as implemented in nss, which can be used by man-in-the-middle attackers to send arbitrary requests to the server as if legitimate user. [UPDATE] The issue is fixed in Pardus 2008 Description =========== The TLS/SSLv3 protocol as implemented in nss prior to this update was not able to associate already sent data to a renegotiated connection. This allowed man-in-the-middle attackers to inject HTTP requests in a HTTPS session without being noticed. For example Apache's mod_ssl was vulnerable to this kind of attack because it uses openssl. NOTE: This is the same as PLSA-2009-191.With this update,renegotiation is completely disabled. Affected packages: Pardus 2009: nss, all before 3.12.5.0-29-8 Resolution ========== There are update(s) for nss. You can update them via Package Manager or with a single command from console: pisi up nss References ========== * http://bugs.pardus.org.tr/show_bug.cgi?id=12147 * http://bugs.pardus.org.tr/show_bug.cgi?id=11515 * https://developer.mozilla.org/NSS_3.12.5_release_notes * https://bugzilla.mozilla.org/show_bug.cgi?id=526689 ------------------------------------------------------------------------ _______________________________________________ Pardus-security mailing list Pardus-security@pardus.org.tr http://liste.pardus.org.tr/mailman/listinfo/pardus-security (Log in to post comments)
|
|||||||||||||||||||