
Advisory-SVG-CVE-2016-1950



Title:       EGI SVG Advisory **UPDATE** [TLP:White] 'CRITICAL' risk NSS heap buffer overflow vulnerability [EGI-SVG-CVE-2016-1950]

Date:        2016-03-11 
Updated:     2016-03-14


Affected Software and Risk
==========================

CRITICAL risk vulnerability concerning NSS heap buffer overflow 

Package : NSS
CVE ID  : CVE-2016-1950 

All versions of NSS released before the vendor patches for this issue.

Actions Required/Recommended
============================

**UPDATE** 

Patches should now be available for all versions of Linux, so all sites should update if they have not done so already.

All running resources MUST be either patched or software removed by 2016-03-22 00:00 UTC

Sites failing to act and/or failing to respond to requests from the EGI CSIRT team risk site suspension. 

Sites should note that NSS is a shared library: a process that was already running before the update keeps the old,
vulnerable copy mapped in memory until it is restarted. All services linked against NSS must therefore be restarted
after installation of the updates; it may be simplest to reboot.
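The following script is an added example, not part of the EGI advisory, showing how a site can check whether any running process still maps a pre-update NSS library. Package managers replace the library file on disk with a new inode, so a process that has not been restarted keeps the vulnerable copy mapped and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The set of NSS/NSPR library names matched is an assumption based on the usual RHEL/SL and Debian/Ubuntu packaging; the sample maps output embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the EGI advisory): report processes that still have an old,
# replaced NSS shared object mapped after the package update. Run scan_system as root
# on the updated host; demo runs the parser over the constructed sample below.

# Library names to look for (assumed pattern; extend it if your distribution names them differently).
NSS_LIB_PATTERN='lib(nss3|nssutil3|ssl3|smime3|softokn3|freebl3|nssdbm3|nspr4|plc4|plds4)[.]so'

# stale_nss_maps: read /proc/<pid>/maps lines on stdin and print, deduplicated, each NSS
# library path whose backing file has been deleted, i.e. replaced by the update.
stale_nss_maps() {
    awk -v pat="$NSS_LIB_PATTERN" '
        # maps fields: address perms offset dev inode pathname [(deleted)]
        NF >= 7 && $6 ~ pat && $7 == "(deleted)" { print $6 }
    ' | LC_ALL=C sort -u
}

# scan_system: walk every process in /proc and print "pid<TAB>cmdline<TAB>stale,libs".
# Reading other users' maps requires root. Returns 1 if any stale mapping was found, else 0.
scan_system() {
    found=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(stale_nss_maps < "$maps" 2>/dev/null) || continue
        [ -z "$stale" ] && continue
        found=1
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "${cmd:-?}" "$(printf '%s' "$stale" | tr '\n' ',')"
    done
    return $found
}

# Constructed sample of /proc/<pid>/maps output (not from a real host): the process still
# maps the pre-update libnss3.so and libnspr4.so, while libc and libnssutil3 are current.
SAMPLE_MAPS='7f0a8c000000-7f0a8c1f0000 r-xp 00000000 fd:00 1234 /usr/lib64/libnss3.so (deleted)
7f0a8c1f0000-7f0a8c3f0000 ---p 001f0000 fd:00 1234 /usr/lib64/libnss3.so (deleted)
7f0a8d000000-7f0a8d010000 r-xp 00000000 fd:00 5678 /usr/lib64/libc-2.17.so
7f0a8e000000-7f0a8e020000 r-xp 00000000 fd:00 9012 /usr/lib64/libnspr4.so (deleted)
7f0a8f000000-7f0a8f020000 r-xp 00000000 fd:00 3456 /usr/lib64/libnssutil3.so'

# demo: parse the constructed sample; prints the two stale library paths, one per line.
demo() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_nss_maps
}

demo
```

A non-empty result from scan_system means the listed processes are still executing the vulnerable code regardless of what `rpm -q` or `dpkg -l` report, which is why the advisory asks for a restart of all services or a reboot.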


Affected software details
==========================

As far as we know, every NSS build shipped with any Linux distribution before the vendor patches addressing this issue.
Upstream, the fix is contained in NSS 3.19.2.3 and 3.21.1; distributions generally backport it into their existing
package version rather than rebasing, so the installed package must be compared against the vendor advisory, not
against the upstream version number.

More information
================

As stated in [R 1], an attacker could use this flaw to create a specially crafted certificate which, when parsed by NSS,
could cause the application to crash or to execute arbitrary code with the permissions of the user running the
application compiled against the NSS library. Because the certificate has to be decoded before any signature or trust
check can take place, a malicious peer reaches the flaw simply by presenting the certificate: this exposes NSS-based
servers that accept client certificates as well as NSS-based clients that connect to untrusted servers.


Mitigation
==========

N/A: no mitigation other than applying the vendor patches is known.


Component installation information
==================================

See the vendors' web sites.

For RedHat see [R 1], [R 2]

For Debian see [R 3]

For Ubuntu see [R 4]

Patches for Scientific Linux were not available when this advisory was first issued on 2016-03-11; they have since
been released (see the 2016-03-14 update in the timeline), so SL sites should update as well.

Since the fix is backported without a change to the upstream version number, check the package changelog rather than
the version: on RPM-based systems `rpm -q --changelog nss | grep CVE-2016-1950` shows whether the installed package
references this fix.


URL
===

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2016-1950    

Minor updates may be made without re-distribution to the sites

*** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions ***

Credit
======

SVG was alerted to this vulnerability by Vincent Brillault from CERN, who is a member of SVG.

References
==========

[R 1] https://access.redhat.com/security/cve/CVE-2016-1950

[R 2] https://rhn.redhat.com/errata/RHSA-2016-0370.html

[R 3] https://security-tracker.debian.org/tracker/CVE-2016-1950

[R 4] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1950.html
 


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to:-  

report-vulnerability at egi.eu
 
the EGI Software Vulnerability Group will take a look.  


Timeline  
========

2016-03-09 SVG alerted to this issue by Vincent Brillault from CERN
2016-03-09 Investigation of the vulnerability and its relevance to EGI carried out
2016-03-10 EGI SVG Risk Assessment completed
2016-03-10 Updated packages available for RedHat, Ubuntu and Debian
2016-03-11 Advisory/Alert sent to sites
2016-03-14 Advisory updated with a link to the Scientific Linux packages


On behalf of the EGI SVG,