Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS-2016-702

Related Vulnerabilities: CVE-2016-1978   CVE-2016-1979  

A use-after-free flaw was found in the way NSS handled DHE (DiffieHellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application. (CVE-2016-1978) A use-after-free flaw was found in the way NSS processed certain DER (Distinguished Encoding Rules) encoded cryptographic keys. An attacker could use this flaw to create a specially crafted DER encoded certificate which, when parsed by an application compiled against the NSS library, could cause that application to crash, or execute arbitrary code using the permissions of the user running the application. (CVE-2016-1979)

Source

ALAS-2016-702

Amazon Linux AMI Security Advisory: ALAS-2016-702
Advisory Release Date: 2016-05-18 14:00 Pacific
Advisory Updated Date: 2016-05-18 14:00 Pacific
Severity: Medium
Issue Overview:

A use-after-free flaw was found in the way NSS handled DHE (DiffieHellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application. (CVE-2016-1978)

A use-after-free flaw was found in the way NSS processed certain DER (Distinguished Encoding Rules) encoded cryptographic keys. An attacker could use this flaw to create a specially crafted DER encoded certificate which, when parsed by an application compiled against the NSS library, could cause that application to crash, or execute arbitrary code using the permissions of the user running the application. (CVE-2016-1979)


Affected Packages:

nspr, nss-util, nss, nss-softokn


Issue Correction:
Run yum update nspr to update your system.
Run yum update nss-util to update your system.
Run yum update nss to update your system.
Run yum update nss-softokn to update your system.

New Packages:
i686:
    nspr-devel-4.11.0-1.37.amzn1.i686
    nspr-4.11.0-1.37.amzn1.i686
    nspr-debuginfo-4.11.0-1.37.amzn1.i686
    nss-util-devel-3.21.0-2.2.50.amzn1.i686
    nss-util-debuginfo-3.21.0-2.2.50.amzn1.i686
    nss-util-3.21.0-2.2.50.amzn1.i686
    nss-softokn-debuginfo-3.16.2.3-14.2.38.amzn1.i686
    nss-softokn-devel-3.16.2.3-14.2.38.amzn1.i686
    nss-softokn-3.16.2.3-14.2.38.amzn1.i686
    nss-softokn-freebl-devel-3.16.2.3-14.2.38.amzn1.i686
    nss-softokn-freebl-3.16.2.3-14.2.38.amzn1.i686
    nss-pkcs11-devel-3.21.0-9.76.amzn1.i686
    nss-tools-3.21.0-9.76.amzn1.i686
    nss-3.21.0-9.76.amzn1.i686
    nss-debuginfo-3.21.0-9.76.amzn1.i686
    nss-sysinit-3.21.0-9.76.amzn1.i686
    nss-devel-3.21.0-9.76.amzn1.i686

src:
    nspr-4.11.0-1.37.amzn1.src
    nss-util-3.21.0-2.2.50.amzn1.src
    nss-softokn-3.16.2.3-14.2.38.amzn1.src
    nss-3.21.0-9.76.amzn1.src

x86_64:
    nspr-debuginfo-4.11.0-1.37.amzn1.x86_64
    nspr-4.11.0-1.37.amzn1.x86_64
    nspr-devel-4.11.0-1.37.amzn1.x86_64
    nss-util-debuginfo-3.21.0-2.2.50.amzn1.x86_64
    nss-util-3.21.0-2.2.50.amzn1.x86_64
    nss-util-devel-3.21.0-2.2.50.amzn1.x86_64
    nss-softokn-freebl-3.16.2.3-14.2.38.amzn1.x86_64
    nss-softokn-3.16.2.3-14.2.38.amzn1.x86_64
    nss-softokn-debuginfo-3.16.2.3-14.2.38.amzn1.x86_64
    nss-softokn-freebl-devel-3.16.2.3-14.2.38.amzn1.x86_64
    nss-softokn-devel-3.16.2.3-14.2.38.amzn1.x86_64
    nss-3.21.0-9.76.amzn1.x86_64
    nss-pkcs11-devel-3.21.0-9.76.amzn1.x86_64
    nss-sysinit-3.21.0-9.76.amzn1.x86_64
    nss-tools-3.21.0-9.76.amzn1.x86_64
    nss-debuginfo-3.21.0-9.76.amzn1.x86_64
    nss-devel-3.21.0-9.76.amzn1.x86_64

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started