ID

VAR-201303-0327

CVE

CVE-2013-2566

TITLE

TLS  Protocol and  SSL  Used in the protocol  RC4  Vulnerability to execute plaintext recovery attack in algorithm

DESCRIPTION

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext. The RC4 algorithm, as used in SSL/TLS, is prone to a security weakness that may allow attackers to recover plain-text. Successfully exploiting this issue in conjunction with other latent vulnerabilities may allow attackers to gain access to sensitive information that may aid in further attacks. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05289935 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c05289935 Version: 1 HPSBHF03654 rev.1 - HPE iMC PLAT Network Products using SSL/TLS, Multiple Remote Vulnerabilities NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2016-09-26 Last Updated: 2016-09-26 Potential Security Impact: Multiple Remote Vulnerabilities Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HPE iMC PLAT network products using SSL/TLS. - The RC4 stream cipher vulnerability in SSL/TLS known as "Bar Mitzvah" could be exploited remotely to allow disclosure of information. References: - CVE-2004-2761 - SSL/TLS MD5 Algorithm is not collision resistant - CVE-2013-2566 - SSL/TLS RC4 algorithm vulnerability - CVE-2015-2808 - SSL/TLS RC4 stream vulnerability known as "Bar Mitzvah" - PSRT110210 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HPE iMC PLAT - Please refer to the RESOLUTION below for a list of impacted products. All product versions are impacted prior to the fixed version listed. BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2004-2761 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) CVE-2013-2566 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVE-2015-2808 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE has made the following software available to resolve the vulnerabilities in the iMC PLAT network products listed. + **iMC PLAT - Version: IMC PLAT 7.2, E0403P10** - JD125A HP IMC Std S/W Platform w/100-node - JD126A HP IMC Ent S/W Platform w/100-node - JD808A HP IMC Ent Platform w/100-node License - JD814A HP A-IMC Enterprise Edition Software DVD Media - JD815A HP IMC Std Platform w/100-node License - JD816A HP A-IMC Standard Edition Software DVD Media - JF288AAE HP Network Director to Intelligent Management Center Upgrade E-LTU - JF289AAE HP Enterprise Management System to Intelligent Management Center Upgrade E-LTU - JF377A HP IMC Std S/W Platform w/100-node Lic - JF377AAE HP IMC Std S/W Pltfrm w/100-node E-LTU - JF378A HP IMC Ent S/W Platform w/200-node Lic - JF378AAE HP IMC Ent S/W Pltfrm w/200-node E-LTU - JG546AAE HP IMC Basic SW Platform w/50-node E-LTU - JG548AAE HP PCM+ to IMC Bsc Upgr w/50-node E-LTU - JG549AAE HP PCM+ to IMC Std Upgr w/200-node E-LTU - JG747AAE HP IMC Std SW Plat w/ 50 Nodes E-LTU - JG748AAE HP IMC Ent SW Plat w/ 50 Nodes E-LTU - JG550AAE HPE PCM+ Mobility Manager to IMC Basic WLAN Platform Upgrade 50-node and 150-AP E-LTU - JG590AAE HPE IMC Basic WLAN Manager Software Platform 50 Access Point E-LTU - JG660AAE HP IMC Smart Connect with Wireless Manager Virtual Appliance Edition E-LTU - JG766AAE HP IMC Smart Connect Virtual Appliance Edition E-LTU - JG767AAE HP IMC Smart Connect with Wireless Manager Virtual Appliance Edition E-LTU - JG768AAE HPE PCM+ to IMC Standard Software Platform Upgrade with 200-node E-LTU **Note:** Please contact HPE Technical Support if any assistance is needed acquiring the software updates. HISTORY Version:1 (rev.1) - 26 September 2016 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJX6Y+0AAoJEGIGBBYqRO9/dA8IAKidS/RY8sNSoWI47dDiKZAb GprSFEHJ9iAPoWjomMK6244VcLcz3UQUfyrlI9fNZDJSZbnsUrXlJEhpy69kPDQL GpxzIonv3O/aji6sV5DYOLSm7YUQcL7ioNI3IzNKM88BicAvAhHKn7ukQ+cfS1bx ij2Njird7EWOWVO9BiugDr3g9+9DLhC/ohNzxKoHZP2vOpXY009K9EIG4PLSyF35 R+Rqz67MkWPx4LdNTvhrE68UMIUtRiEQulvJ5DDT6lREEmfYXoMwcbIxeY3pX6Nf NM7AqsSJgOlOHqelc49CQbGF6XpZs1TIOq4SnZsug4nLRlN/QjtheRrA8ds0C2I= =ZppV -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2013:269 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : firefox Date : November 20, 2013 Affected: Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple security issues was identified and fixed in mozilla NSPR, NSS and firefox: Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure (CVE-2013-1739). The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate (CVE-2013-5606). Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741 (CVE-2013-5607). The mozilla firefox packages has been upgraded to the latest ESR version (17.0.11), the NSPR packages has been upgraded to the 4.10.2 version and the NSS packages has been upgraded to the 3.15.3 version which is unaffected by these security flaws. Additionally the rootcerts packages has been upgraded with the latest certdata.txt file as of 2013/11/11 from mozilla. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607 https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes http://www.mozilla.org/security/announce/2013/mfsa2013-103.html https://bugs.mageia.org/show_bug.cgi?id=11669 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: 98d939ae04bc01c23565ddc46a825c15 mes5/i586/firefox-17.0.11-0.1mdvmes5.2.i586.rpm 0b459c73329c613f2c1b4dc17b33ada2 mes5/i586/firefox-af-17.0.11-0.1mdvmes5.2.i586.rpm f88215705f021ebb3229328c60983ad4 mes5/i586/firefox-ar-17.0.11-0.1mdvmes5.2.i586.rpm 95e2c448436254741b35af364d198f06 mes5/i586/firefox-be-17.0.11-0.1mdvmes5.2.i586.rpm 112215c8dc2bae1356b511da0b6b2c57 mes5/i586/firefox-bg-17.0.11-0.1mdvmes5.2.i586.rpm b910f005c7159eeb7190bb12c281ad5d mes5/i586/firefox-bn-17.0.11-0.1mdvmes5.2.i586.rpm fe96c703acc4b63da2d5918083e0a731 mes5/i586/firefox-ca-17.0.11-0.1mdvmes5.2.i586.rpm e69cf663621e2675e53744d9c389e9af mes5/i586/firefox-cs-17.0.11-0.1mdvmes5.2.i586.rpm 8f82803b5da2941eeaa7299a0d65bbda mes5/i586/firefox-cy-17.0.11-0.1mdvmes5.2.i586.rpm 268e1f8020381332ebdb78b89a43a142 mes5/i586/firefox-da-17.0.11-0.1mdvmes5.2.i586.rpm df4883fa19740eebe3b3fb2285c88a7f mes5/i586/firefox-de-17.0.11-0.1mdvmes5.2.i586.rpm 260ec5cd0c12fb7440b26142e45a7fc2 mes5/i586/firefox-devel-17.0.11-0.1mdvmes5.2.i586.rpm f6952624bbbb85a08a4170f1f37a559a mes5/i586/firefox-el-17.0.11-0.1mdvmes5.2.i586.rpm e2f8bedc55e4225eaf58a5df952312e8 mes5/i586/firefox-en_GB-17.0.11-0.1mdvmes5.2.i586.rpm b2694a2339513e3d20ea6c919cde79c9 mes5/i586/firefox-eo-17.0.11-0.1mdvmes5.2.i586.rpm 8b3ff01104426d614cd8a63150bedbc6 mes5/i586/firefox-es_AR-17.0.11-0.1mdvmes5.2.i586.rpm 5569f869f3e18e3b3c09ffc3c6ea62e0 mes5/i586/firefox-es_ES-17.0.11-0.1mdvmes5.2.i586.rpm 5f9d49910eb06e354922679ea7ff45d3 mes5/i586/firefox-et-17.0.11-0.1mdvmes5.2.i586.rpm 98571b643c27c5da36b5628a643dd48d mes5/i586/firefox-eu-17.0.11-0.1mdvmes5.2.i586.rpm 6083f48fbc04eca94ceae21315140b63 mes5/i586/firefox-fi-17.0.11-0.1mdvmes5.2.i586.rpm 20db0038222f92d3428ee4f934d1581a mes5/i586/firefox-fr-17.0.11-0.1mdvmes5.2.i586.rpm 31483ea3983ea9487bfbb537a5cf8518 mes5/i586/firefox-fy-17.0.11-0.1mdvmes5.2.i586.rpm 7ff7f7a0377fac320aa2bf0c953f0c19 mes5/i586/firefox-ga_IE-17.0.11-0.1mdvmes5.2.i586.rpm 5d7b510ca207232a924e1e9cf259568c mes5/i586/firefox-gl-17.0.11-0.1mdvmes5.2.i586.rpm dbe9e8cc768d7f056a0904c32c14a47c mes5/i586/firefox-gu_IN-17.0.11-0.1mdvmes5.2.i586.rpm c69b1f932d9f74909a9a57ca5a0642d1 mes5/i586/firefox-he-17.0.11-0.1mdvmes5.2.i586.rpm 6d00c3b0c3906f0834a5f0d6e99cff36 mes5/i586/firefox-hi-17.0.11-0.1mdvmes5.2.i586.rpm 9e2733f4c6f98cca8af6094ba7e3eb71 mes5/i586/firefox-hu-17.0.11-0.1mdvmes5.2.i586.rpm 2e495497d4fb5ef4f26b4c26f4153809 mes5/i586/firefox-id-17.0.11-0.1mdvmes5.2.i586.rpm 59ee3123f2577ce462f82512eebf8b6f mes5/i586/firefox-is-17.0.11-0.1mdvmes5.2.i586.rpm 4e7a3e76c885bb04d86899e699f18e75 mes5/i586/firefox-it-17.0.11-0.1mdvmes5.2.i586.rpm bb09a8615792cb10448ecca561ff317f mes5/i586/firefox-ja-17.0.11-0.1mdvmes5.2.i586.rpm 28673daaf69f430af5a53842e58b27f2 mes5/i586/firefox-kn-17.0.11-0.1mdvmes5.2.i586.rpm f18a8f56bf4c0cb88fdbb20fb0a9ca29 mes5/i586/firefox-ko-17.0.11-0.1mdvmes5.2.i586.rpm c2cb17187d22b7cdd12e2230a97a9145 mes5/i586/firefox-ku-17.0.11-0.1mdvmes5.2.i586.rpm 9b11d3e8f0f93f43c01a9d6a0e2a5daf mes5/i586/firefox-lt-17.0.11-0.1mdvmes5.2.i586.rpm ab381ab55299d66159700aa2c4a2046a mes5/i586/firefox-lv-17.0.11-0.1mdvmes5.2.i586.rpm 342e06d1cbea5c6ab1d30686c0389516 mes5/i586/firefox-mk-17.0.11-0.1mdvmes5.2.i586.rpm 2590ca728b93389b8cffba776a5dd9c9 mes5/i586/firefox-mr-17.0.11-0.1mdvmes5.2.i586.rpm ac0a6e389d8033f46315a42c20ef9a6e mes5/i586/firefox-nb_NO-17.0.11-0.1mdvmes5.2.i586.rpm 89614ea8fa5e5a3fca7e21121afa2a1a mes5/i586/firefox-nl-17.0.11-0.1mdvmes5.2.i586.rpm 7df827eda683e97575d2492ba715c4e7 mes5/i586/firefox-nn_NO-17.0.11-0.1mdvmes5.2.i586.rpm 0f512cb6fa939ca3614153846a881fb1 mes5/i586/firefox-pa_IN-17.0.11-0.1mdvmes5.2.i586.rpm a210e141701b09b1c27674a5b4d3dc08 mes5/i586/firefox-pl-17.0.11-0.1mdvmes5.2.i586.rpm 41943a7ca14e9a78135a6158e2097199 mes5/i586/firefox-pt_BR-17.0.11-0.1mdvmes5.2.i586.rpm 29d9a3d4ab5b73eeb311a32893e4d15c mes5/i586/firefox-pt_PT-17.0.11-0.1mdvmes5.2.i586.rpm a276af26769941da64a4e891b25a57d4 mes5/i586/firefox-ro-17.0.11-0.1mdvmes5.2.i586.rpm 9b58c9734acf55f73a812189d75e57a1 mes5/i586/firefox-ru-17.0.11-0.1mdvmes5.2.i586.rpm a849604683edc31f3849d7bef45f3b02 mes5/i586/firefox-si-17.0.11-0.1mdvmes5.2.i586.rpm a0ed9006b7ef363e04dc070ada37199d mes5/i586/firefox-sk-17.0.11-0.1mdvmes5.2.i586.rpm 4f433223249a0bd6918afdcf39717e12 mes5/i586/firefox-sl-17.0.11-0.1mdvmes5.2.i586.rpm b0e5705b572811cdcd9b600d8d190bdb mes5/i586/firefox-sq-17.0.11-0.1mdvmes5.2.i586.rpm db72ade6cfbb77b346149d87a6696b57 mes5/i586/firefox-sr-17.0.11-0.1mdvmes5.2.i586.rpm 9ea30a0050a01e3f1a53f53a2abef63b mes5/i586/firefox-sv_SE-17.0.11-0.1mdvmes5.2.i586.rpm dab599fadb356adfe680033684ea40b7 mes5/i586/firefox-te-17.0.11-0.1mdvmes5.2.i586.rpm 529b48d19a981b3f35bf812d91cd8494 mes5/i586/firefox-th-17.0.11-0.1mdvmes5.2.i586.rpm eb2765c864dbcc7ea969894312baa94d mes5/i586/firefox-tr-17.0.11-0.1mdvmes5.2.i586.rpm dd1be3bc7b800c3a72fb9e93e9ae2273 mes5/i586/firefox-uk-17.0.11-0.1mdvmes5.2.i586.rpm 503713356957be7884be3f42154025bc mes5/i586/firefox-zh_CN-17.0.11-0.1mdvmes5.2.i586.rpm c7dfe5119f736165fe2f7e867a76f625 mes5/i586/firefox-zh_TW-17.0.11-0.1mdvmes5.2.i586.rpm 2068ce659c6bc44f17d5b684789eed0d mes5/i586/icedtea-web-1.3.2-0.8mdvmes5.2.i586.rpm 2eb735576ea6b374b3e80a470a4caa7f mes5/i586/icedtea-web-javadoc-1.3.2-0.8mdvmes5.2.i586.rpm e4b662d4c2e6c665a3550b04c229deb0 mes5/i586/libnspr4-4.10.2-0.1mdvmes5.2.i586.rpm cf5906a61fb1df7d4c920b7ac2c40b85 mes5/i586/libnspr-devel-4.10.2-0.1mdvmes5.2.i586.rpm 7952dad5868f5d2b04ffb446684f01e7 mes5/i586/libnss3-3.15.3-0.1mdvmes5.2.i586.rpm 773bfcae741660032f83057c6edc8984 mes5/i586/libnss-devel-3.15.3-0.1mdvmes5.2.i586.rpm cb27f4054099c8a863a85e39ead80ad6 mes5/i586/libnss-static-devel-3.15.3-0.1mdvmes5.2.i586.rpm 5a754fb5f34083e7fa293f5af6c50eed mes5/i586/libxulrunner17.0.11-17.0.11-0.1mdvmes5.2.i586.rpm 3c0d729636fbb10368cee605d4f1092f mes5/i586/libxulrunner-devel-17.0.11-0.1mdvmes5.2.i586.rpm 05d4bd244584088673219156c53ca66a mes5/i586/nss-3.15.3-0.1mdvmes5.2.i586.rpm 0d596a8aaa04425d4f7e79a2cdb714f5 mes5/i586/nss-doc-3.15.3-0.1mdvmes5.2.i586.rpm 5e7495f597332d4e1ff9388e16319b28 mes5/i586/rootcerts-20131111.00-1mdvmes5.2.i586.rpm 70d132ca98f124246a01a062a1a44a24 mes5/i586/rootcerts-java-20131111.00-1mdvmes5.2.i586.rpm 4e908537f58859fe8e0220938ae80c53 mes5/i586/xulrunner-17.0.11-0.1mdvmes5.2.i586.rpm ac24b150455c7374fafffcd65b55f987 mes5/SRPMS/firefox-17.0.11-0.1mdvmes5.2.src.rpm c09ed5c99dd9e5d11f2643394e342d8d mes5/SRPMS/firefox-l10n-17.0.11-0.1mdvmes5.2.src.rpm c917a8f169a51fb304d7350327e65c2f mes5/SRPMS/icedtea-web-1.3.2-0.8mdvmes5.2.src.rpm 1459af367b4b46936141d1a344d55bb7 mes5/SRPMS/nspr-4.10.2-0.1mdvmes5.2.src.rpm 97c1a3158bfeaac68345532349c9b757 mes5/SRPMS/nss-3.15.3-0.1mdvmes5.2.src.rpm 2be5eb4ceda2663d9738f467d19c24cc mes5/SRPMS/rootcerts-20131111.00-1mdvmes5.2.src.rpm 56be9d91652e670c63ecc9142f967cc1 mes5/SRPMS/xulrunner-17.0.11-0.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 5f22a88aad805e999514dfd676ef6276 mes5/x86_64/firefox-17.0.11-0.1mdvmes5.2.x86_64.rpm b8a05de57682e51aeb8c6bc028857a78 mes5/x86_64/firefox-af-17.0.11-0.1mdvmes5.2.x86_64.rpm 6fcfdb0a3d29999eb5af10df7226ffef mes5/x86_64/firefox-ar-17.0.11-0.1mdvmes5.2.x86_64.rpm af483759e9e794d4e069deb541d9d3c6 mes5/x86_64/firefox-be-17.0.11-0.1mdvmes5.2.x86_64.rpm ac05e0efa9ddf7605212a60bd1eca8dc mes5/x86_64/firefox-bg-17.0.11-0.1mdvmes5.2.x86_64.rpm 2db65fb2244ff2f667a129c95672d105 mes5/x86_64/firefox-bn-17.0.11-0.1mdvmes5.2.x86_64.rpm f7c4f966929e5833353e6d5bc22f27ae mes5/x86_64/firefox-ca-17.0.11-0.1mdvmes5.2.x86_64.rpm 5c8f538712645b0454389ec7c2973004 mes5/x86_64/firefox-cs-17.0.11-0.1mdvmes5.2.x86_64.rpm 30ae3d55ae2284b7c76cb91f2d0b5b12 mes5/x86_64/firefox-cy-17.0.11-0.1mdvmes5.2.x86_64.rpm 5577119d8cd9e431d37442ebe96734a3 mes5/x86_64/firefox-da-17.0.11-0.1mdvmes5.2.x86_64.rpm c01b28611fe7aeb9077a78be447c09a9 mes5/x86_64/firefox-de-17.0.11-0.1mdvmes5.2.x86_64.rpm 805da07ff63b00bea146ce766d0ad538 mes5/x86_64/firefox-devel-17.0.11-0.1mdvmes5.2.x86_64.rpm 43eb463822438eb762808711eca25081 mes5/x86_64/firefox-el-17.0.11-0.1mdvmes5.2.x86_64.rpm 916ad801df73ad0cd563cebd1f8a3423 mes5/x86_64/firefox-en_GB-17.0.11-0.1mdvmes5.2.x86_64.rpm b45ed219d2db5bb19818a39869195de8 mes5/x86_64/firefox-eo-17.0.11-0.1mdvmes5.2.x86_64.rpm 46ac5ae4a0313e1cdf8fdf125af7836f mes5/x86_64/firefox-es_AR-17.0.11-0.1mdvmes5.2.x86_64.rpm 68c8f0b9269cabf61f6a63b255114105 mes5/x86_64/firefox-es_ES-17.0.11-0.1mdvmes5.2.x86_64.rpm 52fb742089282d0db5869cd06dd5091d mes5/x86_64/firefox-et-17.0.11-0.1mdvmes5.2.x86_64.rpm 11e1942b216f5cb9d88554fbc5713f6b mes5/x86_64/firefox-eu-17.0.11-0.1mdvmes5.2.x86_64.rpm 508b8c275e7c555da1bec1e26bdc32f3 mes5/x86_64/firefox-fi-17.0.11-0.1mdvmes5.2.x86_64.rpm 8c631487712c157de84fb9f22c560db9 mes5/x86_64/firefox-fr-17.0.11-0.1mdvmes5.2.x86_64.rpm d4910d41246a5f54dba56b68c8457ed9 mes5/x86_64/firefox-fy-17.0.11-0.1mdvmes5.2.x86_64.rpm f61a266a04d384c73e80d10fb0737f85 mes5/x86_64/firefox-ga_IE-17.0.11-0.1mdvmes5.2.x86_64.rpm de33e6dab3b62b40e315be128f4eb726 mes5/x86_64/firefox-gl-17.0.11-0.1mdvmes5.2.x86_64.rpm c71b25b9e0044df0707e00db6e3e29f9 mes5/x86_64/firefox-gu_IN-17.0.11-0.1mdvmes5.2.x86_64.rpm 6a8d9093788fd978fd88f604389b5ac7 mes5/x86_64/firefox-he-17.0.11-0.1mdvmes5.2.x86_64.rpm 07acf858841339ce6844cadab5f60970 mes5/x86_64/firefox-hi-17.0.11-0.1mdvmes5.2.x86_64.rpm e9fbeca8e5d2f112a76e7b0f577be72c mes5/x86_64/firefox-hu-17.0.11-0.1mdvmes5.2.x86_64.rpm 7cfb5b62b051312dc1c53aa4fbdb2a09 mes5/x86_64/firefox-id-17.0.11-0.1mdvmes5.2.x86_64.rpm bdd198ae51c856e9f3730dd743e94c8f mes5/x86_64/firefox-is-17.0.11-0.1mdvmes5.2.x86_64.rpm f782536d5bf3870d45914deeec2daf6e mes5/x86_64/firefox-it-17.0.11-0.1mdvmes5.2.x86_64.rpm a8d4bd20c42eca45a785133f8b831221 mes5/x86_64/firefox-ja-17.0.11-0.1mdvmes5.2.x86_64.rpm ff52f798c7f8c15ce9c0badbdccb93db mes5/x86_64/firefox-kn-17.0.11-0.1mdvmes5.2.x86_64.rpm e76470059097feeed18864a5256bcc85 mes5/x86_64/firefox-ko-17.0.11-0.1mdvmes5.2.x86_64.rpm 4f08fb67711323815d9b0b0308291593 mes5/x86_64/firefox-ku-17.0.11-0.1mdvmes5.2.x86_64.rpm 88c1d99fac5f60f8259ab1105f6d28c3 mes5/x86_64/firefox-lt-17.0.11-0.1mdvmes5.2.x86_64.rpm 8155c5f35bbfb09c73d91a3e14e1574d mes5/x86_64/firefox-lv-17.0.11-0.1mdvmes5.2.x86_64.rpm 0a4d302d34df1627a9d5ee41ab102837 mes5/x86_64/firefox-mk-17.0.11-0.1mdvmes5.2.x86_64.rpm f95023d7c98fa249a545a40782e8198f mes5/x86_64/firefox-mr-17.0.11-0.1mdvmes5.2.x86_64.rpm 23a64013a75c9035eeb42e0fa4117c55 mes5/x86_64/firefox-nb_NO-17.0.11-0.1mdvmes5.2.x86_64.rpm 90bb47a671c7d4eca7f6e197b9e30e79 mes5/x86_64/firefox-nl-17.0.11-0.1mdvmes5.2.x86_64.rpm 674662dfc36198a35a93add69c6a7358 mes5/x86_64/firefox-nn_NO-17.0.11-0.1mdvmes5.2.x86_64.rpm 7107814ee75722f717ba07a97c72fc08 mes5/x86_64/firefox-pa_IN-17.0.11-0.1mdvmes5.2.x86_64.rpm 9b9a7af181387080647b4fa9eee991d2 mes5/x86_64/firefox-pl-17.0.11-0.1mdvmes5.2.x86_64.rpm 0869b614b43ed4bf344c9898ad06dbc4 mes5/x86_64/firefox-pt_BR-17.0.11-0.1mdvmes5.2.x86_64.rpm 976d270fe9350da6ecc3f7dd7f132720 mes5/x86_64/firefox-pt_PT-17.0.11-0.1mdvmes5.2.x86_64.rpm 07bb3d07823cc8c43a1eaa0598daeba0 mes5/x86_64/firefox-ro-17.0.11-0.1mdvmes5.2.x86_64.rpm a6798ad03b3608b26eca67102a218827 mes5/x86_64/firefox-ru-17.0.11-0.1mdvmes5.2.x86_64.rpm 295bc28984a2f2b8ceaceefe2bd347bb mes5/x86_64/firefox-si-17.0.11-0.1mdvmes5.2.x86_64.rpm 15a965d5c835bb6f3465b0d5e60ffd25 mes5/x86_64/firefox-sk-17.0.11-0.1mdvmes5.2.x86_64.rpm c52ad3a3ca20343eb1345f82cb04dd60 mes5/x86_64/firefox-sl-17.0.11-0.1mdvmes5.2.x86_64.rpm 0b8091de7fcda8f50f349ba42e0fd24f mes5/x86_64/firefox-sq-17.0.11-0.1mdvmes5.2.x86_64.rpm 9ece6a534b436b57ee1cdce38ee9ba86 mes5/x86_64/firefox-sr-17.0.11-0.1mdvmes5.2.x86_64.rpm f4469d86ec2719f34b6d9487a680fb0c mes5/x86_64/firefox-sv_SE-17.0.11-0.1mdvmes5.2.x86_64.rpm 3b081e19c4e7dde83e39af324d27cf6a mes5/x86_64/firefox-te-17.0.11-0.1mdvmes5.2.x86_64.rpm 53b6c5f6417e1e4199b75d49f1a901b4 mes5/x86_64/firefox-th-17.0.11-0.1mdvmes5.2.x86_64.rpm 19d6d2e175df1e78186d9e63f1921431 mes5/x86_64/firefox-tr-17.0.11-0.1mdvmes5.2.x86_64.rpm a16592c4c5ae6d03474e18058d51c395 mes5/x86_64/firefox-uk-17.0.11-0.1mdvmes5.2.x86_64.rpm e3c6c1231c7d77618fe01b72f7d126ee mes5/x86_64/firefox-zh_CN-17.0.11-0.1mdvmes5.2.x86_64.rpm 9dbad8efb3e40c242d7ee3cba853a327 mes5/x86_64/firefox-zh_TW-17.0.11-0.1mdvmes5.2.x86_64.rpm 4cd9396a340bc18b56c4dd188b4250d3 mes5/x86_64/icedtea-web-1.3.2-0.8mdvmes5.2.x86_64.rpm f831da567ef41c69068b5dcad8bc555c mes5/x86_64/icedtea-web-javadoc-1.3.2-0.8mdvmes5.2.x86_64.rpm edcbf42c10f70ecd2b0a900c7d3487d4 mes5/x86_64/lib64nspr4-4.10.2-0.1mdvmes5.2.x86_64.rpm 919bc752d169c60f0b9bdd32d01e1b84 mes5/x86_64/lib64nspr-devel-4.10.2-0.1mdvmes5.2.x86_64.rpm 4c0bf8bb02e6c3779d313211242ca3bd mes5/x86_64/lib64nss3-3.15.3-0.1mdvmes5.2.x86_64.rpm 156d5c567ab22ba8e8593c04c20e03b4 mes5/x86_64/lib64nss-devel-3.15.3-0.1mdvmes5.2.x86_64.rpm 8737149a8db74e81339be4a3bf6baedb mes5/x86_64/lib64nss-static-devel-3.15.3-0.1mdvmes5.2.x86_64.rpm 136f10e0f452876b268f752917dbbcea mes5/x86_64/lib64xulrunner17.0.11-17.0.11-0.1mdvmes5.2.x86_64.rpm 76154845049baf7b045db3ab9adf8520 mes5/x86_64/lib64xulrunner-devel-17.0.11-0.1mdvmes5.2.x86_64.rpm cbf595fc5f9d825b5f5d1717a3714ba0 mes5/x86_64/nss-3.15.3-0.1mdvmes5.2.x86_64.rpm 2dcf89f4a40070de77e5a80c1fffc9e9 mes5/x86_64/nss-doc-3.15.3-0.1mdvmes5.2.x86_64.rpm 23fb7cd695ecb88f68c23544033aed69 mes5/x86_64/rootcerts-20131111.00-1mdvmes5.2.x86_64.rpm e52fc67db76620fb95ad045223e70697 mes5/x86_64/rootcerts-java-20131111.00-1mdvmes5.2.x86_64.rpm dd2c01cd919348fad2cf4c79a23edd4c mes5/x86_64/xulrunner-17.0.11-0.1mdvmes5.2.x86_64.rpm ac24b150455c7374fafffcd65b55f987 mes5/SRPMS/firefox-17.0.11-0.1mdvmes5.2.src.rpm c09ed5c99dd9e5d11f2643394e342d8d mes5/SRPMS/firefox-l10n-17.0.11-0.1mdvmes5.2.src.rpm c917a8f169a51fb304d7350327e65c2f mes5/SRPMS/icedtea-web-1.3.2-0.8mdvmes5.2.src.rpm 1459af367b4b46936141d1a344d55bb7 mes5/SRPMS/nspr-4.10.2-0.1mdvmes5.2.src.rpm 97c1a3158bfeaac68345532349c9b757 mes5/SRPMS/nss-3.15.3-0.1mdvmes5.2.src.rpm 2be5eb4ceda2663d9738f467d19c24cc mes5/SRPMS/rootcerts-20131111.00-1mdvmes5.2.src.rpm 56be9d91652e670c63ecc9142f967cc1 mes5/SRPMS/xulrunner-17.0.11-0.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFSjJyJmqjQ0CJFipgRAvbSAJ91LFVslg1vytBBUjnT7MM7/MaQQwCbBrZZ DRKImB9DU0Tlp7Volbxnkww= =hS5R -----END PGP SIGNATURE----- . Background ========== Mozilla Firefox is an open-source web browser and Mozilla Thunderbird an open-source email client, both from the Mozilla Project. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the =E2=80=98Mozilla Application Suite=E2=80=99. Furthermore, a remote attacker may be able to perform Man-in-the-Middle attacks, obtain sensitive information, spoof the address bar, conduct clickjacking attacks, bypass security restrictions and protection mechanisms, or have other unspecified impact. ============================================================================ Ubuntu Security Notice USN-2031-1 November 20, 2013 firefox vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.10 - Ubuntu 13.04 - Ubuntu 12.10 - Ubuntu 12.04 LTS Summary: Several security issues were fixed in Firefox. (CVE-2013-1741, CVE-2013-2566, CVE-2013-5605, CVE-2013-5607) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.10: firefox 25.0.1+build1-0ubuntu0.13.10.1 Ubuntu 13.04: firefox 25.0.1+build1-0ubuntu0.13.04.1 Ubuntu 12.10: firefox 25.0.1+build1-0ubuntu0.12.10.1 Ubuntu 12.04 LTS: firefox 25.0.1+build1-0ubuntu0.12.04.1 After a standard system update you need to restart Firefox to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2031-1 CVE-2013-1741, CVE-2013-2566, CVE-2013-5605, CVE-2013-5607, https://launchpad.net/bugs/1251576 Package Information: https://launchpad.net/ubuntu/+source/firefox/25.0.1+build1-0ubuntu0.13.10.1 https://launchpad.net/ubuntu/+source/firefox/25.0.1+build1-0ubuntu0.13.04.1 https://launchpad.net/ubuntu/+source/firefox/25.0.1+build1-0ubuntu0.12.10.1 https://launchpad.net/ubuntu/+source/firefox/25.0.1+build1-0ubuntu0.12.04.1 . Background ========== The Mozilla Network Security Service is a library implementing security features like SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME and X.509 certificates. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-libs/nss < 3.15.3 >= 3.15.3 Description =========== Multiple vulnerabilities have been discovered in the Mozilla Network Security Service. Please review the CVE identifiers referenced below for more details about the vulnerabilities. Impact ====== A remote attacker can cause a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Mozilla Network Security Service users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.15.3" Packages which depend on this library may need to be recompiled. Tools such as revdep-rebuild may assist in identifying some of these packages. References ========== [ 1 ] CVE-2013-1620 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1620 [ 2 ] CVE-2013-1739 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1739 [ 3 ] CVE-2013-1741 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1741 [ 4 ] CVE-2013-2566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2566 [ 5 ] CVE-2013-5605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5605 [ 6 ] CVE-2013-5606 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5606 [ 7 ] CVE-2013-5607 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5607 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201406-19.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

AFFECTED PRODUCTS