Difference between revisions of "SVG:Advisory-SVG-CVE-2016-1950"
Revision as of 16:38, 11 March 2016
Advisory-SVG-CVE-2016-1950
Title: EGI SVG Advisory/'Heads up' [TLP:White] 'CRITICAL' risk NSS heap buffer overflow vulnerability [EGI-SVG-CVE-2016-1950]

Date: 2016-03-11
Updated:

Affected Software and Risk
==========================

CRITICAL risk vulnerability concerning NSS heap buffer overflow

Package : NSS
CVE ID  : CVE-2016-1950

All versions of NSS prior to the vendor patches.

Actions Required/Recommended
============================

Sites should patch as soon as possible after the patches are available for the versions of Linux being run.
This may be considered to be a 'Heads up' for versions of Linux where no patch is available yet.

All running resources MUST be either patched or the software removed by 2016-03-22 00:00 UTC.

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension.

Sites should note that it is necessary to re-start all services that have the library loaded: a running process keeps using the old, vulnerable copy of NSS until it is restarted, so it may be simplest to re-boot after installation of the updates.

Affected software Details
=========================

As far as we know, all versions of NSS released with all Linux versions prior to the vendor patches that address the issue.

More information
================

As stated in [R 1], an attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS, could cause it to crash, or execute arbitrary code, using the permissions of the user running an application compiled against the NSS library. Any process that parses certificates from an untrusted party through NSS, on either side of a TLS connection, is therefore exposed.

Mitigation
==========

N/A

Component installation information
==================================

See vendors' web sites.

For RedHat see [R 1], [R 2]
For Debian see [R 3]
For Ubuntu see [R 4]

Patches for Scientific Linux are not available yet.

URL
===

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-1950

Minor updates may be made without re-distribution to the sites.

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ***

Credit
======

SVG was alerted to this vulnerability by Vincent Brillault from CERN, who is a member of SVG.
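The two checks a site administrator would want after applying the vendor update, as an added example that is not part of the EGI advisory or of any vendor's tooling: whether the installed nss package is at or above the fixed version-release (the fixed string itself is not stated in this advisory, so the script reads it from an assumed environment variable NSS_FIXED_VERSION that you fill in from [R 2]-[R 4]), and which processes still have the pre-update library mapped. The second check rests on a property of Linux: when a package update replaces a shared object, the old file is unlinked but remains mapped in every process that loaded it, and /proc/PID/maps marks such mappings "(deleted)". Those processes keep executing the vulnerable code until they are restarted, which is the reason the advisory says all services must be re-started.

```shell
#!/bin/sh
# Added example, not part of the EGI advisory: post-patch checks for one host.
#  1. version_ge: is the installed nss package at or above the vendor's fixed
#     version-release?  (You supply that string; the advisory does not give it.)
#  2. nss_stale_pids: which processes still map a pre-update NSS/NSPR shared
#     object?  After the update the old file is unlinked but stays mapped in
#     running processes, and /proc/PID/maps shows it with a "(deleted)" suffix.

# version_ge A B: succeed if version string A sorts at or above B.
# Uses GNU sort -V, which understands "3.19.1-19.el7_2"-style strings.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# nss_stale_pids DIR: scan DIR/<pid>/maps (DIR is normally /proc) and print,
# one per line, the PIDs that map a deleted NSS or NSPR shared object.
# The library list is the usual set shipped by the nss and nspr packages.
nss_stale_pids() {
    dir="${1:-/proc}"
    for m in "$dir"/[0-9]*/maps; do
        [ -r "$m" ] || continue
        if grep -Eq 'lib(nss3|nssutil3|smime3|ssl3|softokn3|freebl3|nspr4|plc4|plds4)\.so[^ ]* \(deleted\)' "$m"; then
            pid=${m%/maps}
            printf '%s\n' "${pid##*/}"
        fi
    done
}

# Host report.  NSS_FIXED_VERSION is an assumed variable: set it to the fixed
# nss version-release for your distribution, taken from the vendor errata.
if [ -z "${NSS_FIXED_VERSION:-}" ]; then
    echo "NSS_FIXED_VERSION not set; skipping package version check"
elif rpm -q nss >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' nss | head -n 1)
    if version_ge "$installed" "$NSS_FIXED_VERSION"; then
        echo "nss $installed is at or above $NSS_FIXED_VERSION"
    else
        echo "nss $installed: update to $NSS_FIXED_VERSION required"
    fi
else
    echo "rpm not available or nss not installed; check with your package manager"
fi

stale=$(nss_stale_pids /proc)
if [ -n "$stale" ]; then
    echo "processes still mapping a pre-update NSS library (restart them, or reboot):"
    echo "$stale"
else
    echo "no process maps a deleted NSS/NSPR library"
fi
```

Run it as root after the update (reading another user's /proc/PID/maps needs privilege; unreadable entries are skipped silently, so an unprivileged run under-reports). On Debian and Ubuntu the package is libnss3 and the version should be read with dpkg-query and compared with dpkg --compare-versions rather than sort -V, which does not understand Debian epochs and tilde versions. A process that shows up in the stale list is one the advisory's "re-start all services" applies to; a reboot clears them all at once.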
References
==========

[R 1] https://access.redhat.com/security/cve/CVE-2016-1950
[R 2] https://rhn.redhat.com/errata/RHSA-2016-0370.html
[R 3] https://security-tracker.debian.org/tracker/CVE-2016-1950
[R 4] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1950.html

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to:-

report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look.

Timeline
========

Yyyy-mm-dd [EGI-SVG-CVE-2016-1950]

2016-03-09 SVG alerted to this issue by Vincent Brillault from CERN
2016-03-09 Investigation of vulnerability and relevance to EGI carried out by (as appropriate)
2016-03-10 EGI SVG Risk Assessment completed
2016-03-10 Updated packages available for RedHat, Ubuntu, Debian
2016-03-11 Advisory/Alert sent to sites

On behalf of the EGI SVG,