Sicherheit: Ausführen beliebiger Kommandos in NSS

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============2182479912548030802==
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="StAjPTHP0ERl9XlJmBHMQwH43HnL1rVUr"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--StAjPTHP0ERl9XlJmBHMQwH43HnL1rVUr
Content-Type: multipart/mixed;
boundary="rs648Q0JoPunrG70o6jOpKEkAsJMO5eQ8";
protected-headers="v1"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: "ubuntu-security-announce@lists.ubuntu.com"
<ubuntu-security-announce@lists.ubuntu.com>
Message-ID: <3c1374b9-859a-7eee-833d-5fd6663e2388@canonical.com>
Subject: [USN-3431-1] NSS vulnerability

--rs648Q0JoPunrG70o6jOpKEkAsJMO5eQ8
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-3431-1
October 02, 2017

nss vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

NSS could be made to crash or run programs if it received specially crafted
network traffic.

Software Description:
- nss: Network Security Service library

Details:

Martin Thomson discovered that NSS incorrectly generated handshake hashes.
A remote attacker could use this issue to cause NSS to crash, resulting in
a denial of service, or possibly execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
libnss3 2:3.28.4-0ubuntu0.17.04.3

Ubuntu 16.04 LTS:
libnss3 2:3.28.4-0ubuntu0.16.04.3

Ubuntu 14.04 LTS:
libnss3 2:3.28.4-0ubuntu0.14.04.3

After a standard system update you need to restart any applications
that use NSS, such as Evolution and Chromium, to make all the necessary
changes.

References:
https://www.ubuntu.com/usn/usn-3431-1
CVE-2017-7805

Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.17.04.3
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.16.04.3
https://launchpad.net/ubuntu/+source/nss/2:3.28.4-0ubuntu0.14.04.3

--rs648Q0JoPunrG70o6jOpKEkAsJMO5eQ8--

--StAjPTHP0ERl9XlJmBHMQwH43HnL1rVUr
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJZ0lcRAAoJEGVp2FWnRL6TsuoP/3GHDsxVyhUfzENvceNjAIML
OmeyThE6T1khNnfnEOQQmP5Irs+I86faSn4pxcaeBd/iCU64S9mizeeU3dhqYeTp
NbyF66Tk8G78ZqMvsrdAmuYp+yUbT8huXL4+Y6u0ZPuwrRGe2lsZCGVIBMxIFwv5
M+BxuOPfRjQvCDIroSq7CXkzU/9BFrdg+I2UqwczIsRHNEFxg4/fJU6s/lHq8z0J
J0XGzu8LAg4TEUUt7c1IcQQAt2LZ/njICngI7Y5pBayNKNG/WM/uK96l3FEWUrgg
YhyhFJ4MD21RLE0Cyxa2qE5ZPjqBnwdtH+WfCqEimRC3RdI7MkrTD/qbTTV8D14F
K79hR73lN3IYSd/CzddfBWomArTFFfQ6ufBZx0uaEN+cA5pmWDYbSa6SgYB5ZyJg
8BalvTW5EGxDjfrqk76K1ihf5Mz94E/R3jjgguBKsx9he0J9URqLn8J0y1l3bdyY
HqJTmSTG7+QsmG+if8ebQXLw+07x9clrcYoZLMmm3PWC0mg3EB+F8v3dAyizcSqU
Ygf/RaELnFt1sb6o6F1fI0As0EmWs8DXmgQxbJZi2ZiwQZxAxhEy/qm2mRxG0lrX
EuonU3T5erfTU330Id4TFX898l0QaOzANu1ZsMrUlKOUD+uarGvjpUzmyyOVvJtk
yDxVjPZh0Mr2+XZu69EL
=NElS
-----END PGP SIGNATURE-----

--StAjPTHP0ERl9XlJmBHMQwH43HnL1rVUr--

--===============2182479912548030802==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============2182479912548030802==--