Red Hat Product Errata RHSA-2009:1190 - Security Advisory
Issued: 2009-07-31
Updated: 2009-07-31

Synopsis

Critical: nspr and nss security and bug fix update

Type/Severity

Security Advisory: Critical

Topic

Updated nspr and nss packages that fix security issues and bugs are now
available for Red Hat Enterprise Linux 4.7 Extended Update Support.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Description

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI
operating system facilities. These facilities include threads, thread
synchronization, normal file and network I/O, interval timing, calendar
time, basic memory management (malloc and free), and shared library linking.

Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Applications built with NSS can support SSLv2, SSLv3, TLS,
and other security standards.

These updated packages upgrade NSS from the previous version, 3.12.2, to a
prerelease of version 3.12.4. The version of NSPR has also been upgraded
from 4.7.3 to 4.7.4.

Moxie Marlinspike reported a heap overflow flaw in a regular expression
parser in the NSS library used by browsers such as Mozilla Firefox to match
common names in certificates. A malicious website could present a
carefully-crafted certificate in such a way as to trigger the heap
overflow, leading to a crash or, possibly, arbitrary code execution with
the permissions of the user running the browser. (CVE-2009-2404)

Note: in order to exploit this issue without further user interaction in
Firefox, the carefully-crafted certificate would need to be signed by a
Certificate Authority trusted by Firefox, otherwise Firefox presents the
victim with a warning that the certificate is untrusted. Only if the user
then accepts the certificate will the overflow take place.

Dan Kaminsky discovered flaws in the way browsers such as Firefox handle
NULL characters in a certificate. If an attacker is able to get a
carefully-crafted certificate signed by a Certificate Authority trusted by
Firefox, the attacker could use the certificate during a man-in-the-middle
attack and potentially confuse Firefox into accepting it by mistake.
(CVE-2009-2408)

Dan Kaminsky found that browsers still accept certificates with MD2 hash
signatures, even though MD2 is no longer considered a cryptographically
strong algorithm. This could make it easier for an attacker to create a
malicious certificate that would be treated as trusted by a browser. NSS
now disables the use of MD2 and MD4 algorithms inside signatures by
default. (CVE-2009-2409)
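The two certificate-handling issues above (CVE-2009-2408 and CVE-2009-2409) come down to the same defensive rule: act on what the DER encoding actually says, not on a C-string view of it or on a digest the certificate happens to name. The following is an added example, not code from the advisory, from NSS or from Mozilla. It assumes a caller has already extracted the raw DER of the certificate's signatureAlgorithm and of the subject's commonName attribute; the DER fragments it builds are constructed for the example and are not from any real certificate. It shows the weak-digest rejection by OID that the advisory says NSS now applies by default, and the length-aware commonName comparison that defeats an embedded NUL, alongside the flawed C-string comparison for contrast.

```python
"""Defensive checks for weak signature digests and NUL bytes in commonName.
Added example; DER samples are constructed, not taken from any certificate."""
from __future__ import annotations


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER element (short-form length only, enough for the samples)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def _read_tlv(buf: bytes, offset: int = 0) -> tuple[int, bytes, int]:
    """Decode one DER element at offset -> (tag, value, next_offset)."""
    tag = buf[offset]
    length = buf[offset + 1]
    pos = offset + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Turn OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    cur = 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


# CVE-2009-2409: the signature algorithms the advisory says NSS now disables.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
}

# Constructed AlgorithmIdentifier values: SEQUENCE { OID, NULL }
MD2_ALG_ID = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010102")) + b"\x05\x00")
SHA256_ALG_ID = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")


def signature_algorithm_oid(alg_id_der: bytes) -> str:
    tag, seq, _ = _read_tlv(alg_id_der)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, _ = _read_tlv(seq)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)


def check_signature_algorithm(alg_id_der: bytes) -> tuple[bool, str]:
    """(accepted, reason): weak digests are refused before any signature maths."""
    oid = signature_algorithm_oid(alg_id_der)
    if oid in WEAK_SIGNATURE_OIDS:
        return False, f"weak signature algorithm {WEAK_SIGNATURE_OIDS[oid]} ({oid})"
    return True, oid


# CVE-2009-2408: constructed AttributeTypeAndValue { OID 2.5.4.3 commonName, UTF8String }
def _cn_atv(cn: bytes) -> bytes:
    return _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn))


NUL_CN_ATV = _cn_atv(b"www.bank.example\x00.other.example")   # constructed, 31-byte CN
GOOD_CN_ATV = _cn_atv(b"www.bank.example")                     # constructed


def common_name(atv_der: bytes) -> bytes:
    """Return the CN value by its DER length, so an embedded NUL is kept."""
    _, seq, _ = _read_tlv(atv_der)
    tag, oid, nxt = _read_tlv(seq)
    if tag != 0x06 or decode_oid(oid) != "2.5.4.3":
        raise ValueError("not a commonName attribute")
    _, value, _ = _read_tlv(seq, nxt)
    return value


def cn_matches_hostname_naive(cn: bytes, hostname: str) -> bool:
    """Flawed behaviour: a C-string comparison stops at the first NUL byte."""
    c_string = cn.split(b"\x00", 1)[0]
    return c_string.decode("ascii", "replace").lower() == hostname.lower()


def cn_matches_hostname(cn: bytes, hostname: str) -> bool:
    """Hardened: compare the whole DER-length value; any NUL is a hard mismatch."""
    if b"\x00" in cn:
        return False
    try:
        name = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    return name.lower() == hostname.lower()


if __name__ == "__main__":
    print(check_signature_algorithm(MD2_ALG_ID))
    cn = common_name(NUL_CN_ATV)
    print(len(cn), cn_matches_hostname_naive(cn, "www.bank.example"),
          cn_matches_hostname(cn, "www.bank.example"))
```

The point of `common_name` is that the DER length field says the value is 31 bytes, while a `strlen`-style view sees 16; the hardened comparison treats that discrepancy as a rejection rather than trusting the shorter view. The OID denylist mirrors the advisory's statement that MD2 and MD4 are disabled inside signatures by default; a real validator would consult a configurable policy rather than a hard-coded dict.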

These version upgrades also provide fixes for the following bugs:

  • SSL client authentication failed against an Apache server when it was
    using the mod_nss module and configured for NSSOCSP. On the client side,
    the user agent received an error message that referenced "Error Code:
    -12271" and stated that establishing an encrypted connection had failed
    because the certificate had been rejected by the host.

On the server side, the nss_error_log under /var/log/httpd/ contained the
following message:

[error] Re-negotiation handshake failed: Not accepted by client!?

Also, /var/log/httpd/error_log contained this error:

SSL Library Error: -8071 The OCSP server experienced an internal error

With these updated packages, the dependency problem which caused this
failure has been resolved so that SSL client authentication with an
Apache web server using mod_nss which is configured for NSSOCSP succeeds
as expected. Note that if the presented client certificate is expired,
then access is denied, the user agent is presented with an error message
about the invalid certificate, and the OCSP queries are seen in the OCSP
responder. Also, similar OCSP status verification happens for SSL server
certificates used in Apache upon instance start or restart. (BZ#508026)

  • NSS uses a software integrity test to detect code corruption. RPM
    transactions and system link optimization daemons (such as prelink) can
    change the contents of libraries, causing the software integrity test to
    fail. In combination with the updated prelink package (RHBA-2009:1041),
    these updated packages can now prevent software integrity test failures.
    (BZ#495938)

All users of nspr and nss are advised to upgrade to these updated packages,
which resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
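A practitioner applying this advisory usually wants a quick way to confirm, from package-manager output, that a host now carries the fixed builds. The following is an added example, not a Red Hat tool. It takes lines in the shape of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' nspr nss` (the sample lines are constructed) and compares them against the fixed versions listed on this page, using a simplified version comparator: it assumes equal epochs and does not implement rpm's tilde/caret rules, which these version strings do not use.

```python
"""Check rpm -q output against the fixed nspr/nss builds of RHSA-2009:1190.
Added example; the comparator is a simplified rpmvercmp (assumption: equal
epochs, no tilde/caret segments). Sample output lines are constructed."""
from __future__ import annotations
import re

# Fixed (version, release) pairs, taken from the advisory's package list.
FIXED = {
    "nspr": ("4.7.4", "1.el4_7.1"),
    "nss": ("3.12.3.99.3", "1.el4_7.6"),
}

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version/release strings segment by segment; -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xn != yn:
            return 1 if xn else -1          # numeric sorts newer than alpha
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_rpm_line(line: str) -> tuple[str, str, str]:
    """One line of: rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\\n' -> (name, version, release)."""
    name, version, release = line.split()
    return name, version, release


def is_fixed(name: str, version: str, release: str) -> bool:
    """True when the installed build is at or beyond the advisory's fixed build."""
    fixed_version, fixed_release = FIXED[name]
    c = rpmvercmp(version, fixed_version)
    if c != 0:
        return c > 0
    return rpmvercmp(release, fixed_release) >= 0


def audit(lines: list[str]) -> dict[str, bool]:
    """Map each advisory-covered package found in the output to fixed/not fixed."""
    status = {}
    for line in lines:
        name, version, release = parse_rpm_line(line)
        if name in FIXED:
            status[name] = is_fixed(name, version, release)
    return status


# Constructed sample output: a host before and after applying the update.
SAMPLE_BEFORE = ["nspr 4.7.3 1.el4_7", "nss 3.12.2 2.el4_7"]
SAMPLE_AFTER = ["nspr 4.7.4 1.el4_7.1", "nss 3.12.3.99.3 1.el4_7.6"]

if __name__ == "__main__":
    print("before:", audit(SAMPLE_BEFORE))
    print("after: ", audit(SAMPLE_AFTER))
```

Feed it real output with `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' nspr nss` on the host; any `False` in the result means that package still predates the advisory's build. Note that the prerelease NSS version string on this page (3.12.3.99.3) sorts below 3.12.4, so a later upstream 3.12.4 build also counts as fixed by this comparator.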

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7 i386
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7 s390
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.7 ppc

Fixes

  • BZ - 495938 - seamonkey/nss FIPS mode failure, update prelink and nss
  • BZ - 508026 - rhcs80beta TPS and mod_nss with NSSOCSP has ssl errors and unable to use agent service
  • BZ - 510197 - CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)
  • BZ - 510251 - CVE-2009-2408 firefox/nss: doesn't handle NULL in Common Name properly
  • BZ - 512912 - CVE-2009-2404 nss regexp heap overflow

CVEs

  • CVE-2009-2404
  • CVE-2009-2408
  • CVE-2009-2409

References

  • http://www.redhat.com/security/updates/classification/#critical
Updated Packages

Note: More recent versions of these packages may be available.

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7

SRPM
nspr-4.7.4-1.el4_7.1.src.rpm SHA-256: 061d5e55c3d3d43dde3656b206f9a7086098201107a2a4988adb423dfb2c85ec
nss-3.12.3.99.3-1.el4_7.6.src.rpm SHA-256: 3450e31723514c3963d33a86bbffeb2bec4cec8d54c6195d05084de364829ec7
x86_64
nspr-4.7.4-1.el4_7.1.i386.rpm SHA-256: 25da81132583431290347f02b097510f778bc2ca5f1896abd485fe89d2319414
nspr-4.7.4-1.el4_7.1.x86_64.rpm SHA-256: 463840e02c4817d82a9e73bf49be499f920ca8ea7f2bfaec7470c41801874ead
nspr-devel-4.7.4-1.el4_7.1.x86_64.rpm SHA-256: 3b01f6e87a966fcf9b662ad5374ded681ce34e164e000737c301dbea0c44cfb6
nss-3.12.3.99.3-1.el4_7.6.i386.rpm SHA-256: fba8bb54a7928b033061ae95bd8facba5d1be213b279ebda1549a413e9e1936e
nss-3.12.3.99.3-1.el4_7.6.x86_64.rpm SHA-256: ed82347c2b0837c70ca1f572dcee1f367120ececeafefb79e1483073edd96e5b
nss-devel-3.12.3.99.3-1.el4_7.6.x86_64.rpm SHA-256: 10c51478083abddaab1a20283f709d2af24aee9dbf190e9011eb00df7ed2c159
ia64
nspr-4.7.4-1.el4_7.1.i386.rpm SHA-256: 25da81132583431290347f02b097510f778bc2ca5f1896abd485fe89d2319414
nspr-4.7.4-1.el4_7.1.ia64.rpm SHA-256: edc93fca6729230a8e89c540a56c667723dca2f5da87372b9206abd2f8b30055
nspr-devel-4.7.4-1.el4_7.1.ia64.rpm SHA-256: 63db2cd788fe3064a63b76d3bba957b7f230e5f29212ce1210ddb780d7583480
nss-3.12.3.99.3-1.el4_7.6.i386.rpm SHA-256: fba8bb54a7928b033061ae95bd8facba5d1be213b279ebda1549a413e9e1936e
nss-3.12.3.99.3-1.el4_7.6.ia64.rpm SHA-256: d17ff19dd39b925cc2a2bf2260b6f2e85da8a628e75f7ac63f399a273ba001ac
nss-devel-3.12.3.99.3-1.el4_7.6.ia64.rpm SHA-256: 8c115c25be76a423f60c451f6922870c2ea84f97c8f799e23f6d6cc508586a33
i386
nspr-4.7.4-1.el4_7.1.i386.rpm SHA-256: 25da81132583431290347f02b097510f778bc2ca5f1896abd485fe89d2319414
nspr-devel-4.7.4-1.el4_7.1.i386.rpm SHA-256: 9c18b52ed716f28971ace7bcb927d68e6b4ea5ad453c671b0eff08be72b4c881
nss-3.12.3.99.3-1.el4_7.6.i386.rpm SHA-256: fba8bb54a7928b033061ae95bd8facba5d1be213b279ebda1549a413e9e1936e
nss-devel-3.12.3.99.3-1.el4_7.6.i386.rpm SHA-256: 47b1cec15d2a5779bb8cf092667386429db48c259c511333ed41d68ffd55d0c9

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7

SRPM
nspr-4.7.4-1.el4_7.1.src.rpm SHA-256: 061d5e55c3d3d43dde3656b206f9a7086098201107a2a4988adb423dfb2c85ec
nss-3.12.3.99.3-1.el4_7.6.src.rpm SHA-256: 3450e31723514c3963d33a86bbffeb2bec4cec8d54c6195d05084de364829ec7
s390x
nspr-4.7.4-1.el4_7.1.s390.rpm SHA-256: f9fd5c19c17cdcfbd881ffcfdff512b3080e57c139e14fdea1339184e2419272
nspr-4.7.4-1.el4_7.1.s390x.rpm SHA-256: 89c8ccb505ff4bb91975a951da22071eba993d1af93db6e27d4990e1f6386e2a
nspr-devel-4.7.4-1.el4_7.1.s390x.rpm SHA-256: dc3ef771c758ab919b0ab473ea7a1c8c1580677add7f1478b8e0c8edbe233c97
nss-3.12.3.99.3-1.el4_7.6.s390.rpm SHA-256: 4e6d61ab8c63c664a51810c9b7640cde30bfed36944fe613ad74bf287144132a
nss-3.12.3.99.3-1.el4_7.6.s390x.rpm SHA-256: 96504237e74d1d0400d3f376a03e0587aecbd87df03c1a958ab473b1e0ccee35
nss-devel-3.12.3.99.3-1.el4_7.6.s390x.rpm SHA-256: ae83f75420a6b53b1d38a67c2cab388e3292eaacdb0b6622e0770b01ba044336
s390
nspr-4.7.4-1.el4_7.1.s390.rpm SHA-256: f9fd5c19c17cdcfbd881ffcfdff512b3080e57c139e14fdea1339184e2419272
nspr-devel-4.7.4-1.el4_7.1.s390.rpm SHA-256: 748fb48a401fb7a94807103c2552445c4115f93aea9b8b33db5542c66b8ab0c8
nss-3.12.3.99.3-1.el4_7.6.s390.rpm SHA-256: 4e6d61ab8c63c664a51810c9b7640cde30bfed36944fe613ad74bf287144132a
nss-devel-3.12.3.99.3-1.el4_7.6.s390.rpm SHA-256: 3eb6b73b448d1546c8c028cebf5d80c672e6b088d11c90dc76bb1e56522a77ca

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.7

SRPM
nspr-4.7.4-1.el4_7.1.src.rpm SHA-256: 061d5e55c3d3d43dde3656b206f9a7086098201107a2a4988adb423dfb2c85ec
nss-3.12.3.99.3-1.el4_7.6.src.rpm SHA-256: 3450e31723514c3963d33a86bbffeb2bec4cec8d54c6195d05084de364829ec7
ppc
nspr-4.7.4-1.el4_7.1.ppc.rpm SHA-256: e2ce75022f029ce6c76394651a1ae96bc66499eaf7c4b1e0bd286ee4c7231b34
nspr-4.7.4-1.el4_7.1.ppc64.rpm SHA-256: 56f6af695a0b7fbd8d3c35c84c68a0c346f7b350ebaf753d682be77ea92990f4
nspr-devel-4.7.4-1.el4_7.1.ppc.rpm SHA-256: cb8114307bb6407a6899563de62d3e71d1662c7c4b757f0d463a64176c557b22
nss-3.12.3.99.3-1.el4_7.6.ppc.rpm SHA-256: e018fdcb3559c2304f74f27f8e6889c3452bd5fda81d0da496001489c1ca4043
nss-3.12.3.99.3-1.el4_7.6.ppc64.rpm SHA-256: 72dfbbe53fe591a2bd36e32bf225eace0844c7000b5710630ec8c98b59978e10
nss-devel-3.12.3.99.3-1.el4_7.6.ppc.rpm SHA-256: bd916090415ec1e94dfa25f9f0457ed16c29a3701905766cd976fae018978230

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
