Category:   Application (Generic)  >   Netscape Portable Runtime API
Vendors:   Mozilla.org
(CentOS Issues Fix for Netscape Portable Runtime API) Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1035687
SecurityTracker URL:  http://securitytracker.com/id/1035687
CVE Reference:   CVE-2016-1978
Date:  Apr 26 2016
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in Network Security Services (NSS). A remote user may be able to execute arbitrary code on the target system. Netscape Portable Runtime API is affected.

A remote user can send specially crafted DHE and ECDHE handshake data to trigger a use-after-free memory error when the target system's available memory is low, and potentially execute arbitrary code on the target system.

Eric Rescorla reported this vulnerability.

Impact:   A remote user may be able to execute arbitrary code on the target system.
Solution:   CentOS has issued a fix for Netscape Portable Runtime API.

i386:
2542e599e93d78a8b51ee1e9ad58b24edf8d70029defc49f8b032e4b5782c6bf nspr-4.11.0-1.el5_11.i386.rpm
5dedec41a954bc0562095cd6d5c43165056c256a66cf1389df0d8414e7c96105 nspr-devel-4.11.0-1.el5_11.i386.rpm

x86_64:
2542e599e93d78a8b51ee1e9ad58b24edf8d70029defc49f8b032e4b5782c6bf nspr-4.11.0-1.el5_11.i386.rpm
f54f893419cc8223d491056a96e33c327a1a6b3e6585c9d91edcaf227a546dc3 nspr-4.11.0-1.el5_11.x86_64.rpm
5dedec41a954bc0562095cd6d5c43165056c256a66cf1389df0d8414e7c96105 nspr-devel-4.11.0-1.el5_11.i386.rpm
d0bc78381c24c31a38ea4297e6ec8f6b2dceb676fa83be84d07d8213f9b1c441 nspr-devel-4.11.0-1.el5_11.x86_64.rpm

Source:
27c20b9b8a0d828b87cf67ca091669580d1506904edac211c643a8ab5f2fcaa6 nspr-4.11.0-1.el5_11.src.rpm

x86_64:
daf7526f2f1ccc56ec97e57940cde39049a4a111951b01197b2c18b4bc7ec1cb nspr-4.11.0-1.el7_2.i686.rpm
d784f223e384f756a5c594925512c5fd6d46aaad66f85936b51453a0dc2dbd8a nspr-4.11.0-1.el7_2.x86_64.rpm
56037499e8d01dd812e5ff3a2752c9aa108dd45fd816269abae28fd6eaa751b1 nspr-devel-4.11.0-1.el7_2.i686.rpm
5b3fbd8326f1249e287423a753d2b249e4d7281c669943c367a62d6f839dfde5 nspr-devel-4.11.0-1.el7_2.x86_64.rpm

Source:
6520f99cd5afa95d605bcc653f47c828e2fb491a548e057d0c99e91a57a1dac3 nspr-4.11.0-1.el7_2.src.rpm

Cause:   Access control error
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  5, 7

Message History:   This archive entry is a follow-up to the message listed below.
Mar 14 2016 Network Security Services (NSS) SSL DHE/ECDHE Use-After-Free Memory Error May Let Remote Users Execute Arbitrary Code on the Target System



 Source Message Contents

Subject:  [CentOS-announce] CESA-2016:0684 Moderate CentOS 5 nspr Security Update


CentOS Errata and Security Advisory 2016:0684 Moderate

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-0684.html

The following updated files have been uploaded and are currently 
syncing to the mirrors: ( sha256sum Filename ) 


-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: JohnnyCentOS
