Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
centosCentOS ProjectCESA-2014:1948
HistoryDec 03, 2014 - 10:45 p.m.

nss security update

2014-12-0322:45:56
CentOS Project
lists.centos.org
83

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

3.4 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

0.975 High

EPSS

Percentile

100.0%

JSON

CentOS Errata and Security Advisory CESA-2014:1948

Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
applications. Netscape Portable Runtime (NSPR) provides platform
independence for non-GUI operating system facilities.

This update adds support for the TLS Fallback Signaling Cipher Suite Value
(TLS_FALLBACK_SCSV), which can be used to prevent protocol downgrade
attacks against applications which re-connect using a lower SSL/TLS
protocol version when the initial connection indicating the highest
supported protocol version fails.

This can prevent a forceful downgrade of the communication to SSL 3.0.
The SSL 3.0 protocol was found to be vulnerable to the padding oracle
attack when using block cipher suites in cipher block chaining (CBC) mode.
This issue is identified as CVE-2014-3566, and also known under the alias
POODLE. This SSL 3.0 protocol flaw will not be addressed in a future
update; it is recommended that users configure their applications to
require at least TLS protocol version 1.0 for secure communication.

For additional information about this flaw, see the Knowledgebase article
at https://access.redhat.com/articles/1232123

The nss, nss-util, and nss-softokn packages have been upgraded to upstream
version 3.16.2.3, which provides a number of bug fixes and enhancements
over the previous version, and adds the support for Mozilla Firefox 31.3.
(BZ#1158159, BZ#1165003, BZ#1165525)

Users of nss, nss-util, and nss-softokn are advised to upgrade to these
updated packages, which contain a backported patch to mitigate the
CVE-2014-3566 issue, fix these bugs, and add these enhancements. After
installing this update, applications using NSS or NSPR must be restarted
for this update to take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2014-December/082957.html
https://lists.centos.org/pipermail/centos-announce/2014-December/082962.html
https://lists.centos.org/pipermail/centos-announce/2014-December/082964.html

Affected packages:
nss
nss-devel
nss-pkcs11-devel
nss-softokn
nss-softokn-devel
nss-softokn-freebl
nss-softokn-freebl-devel
nss-sysinit
nss-tools
nss-util
nss-util-devel

Upstream details at:
https://access.redhat.com/errata/RHSA-2014:1948

OSVersionArchitecturePackageVersionFilename
CentOS5i386nss< 3.16.2.3-1.el5_11nss-3.16.2.3-1.el5_11.i386.rpm
CentOS5i386nss-devel< 3.16.2.3-1.el5_11nss-devel-3.16.2.3-1.el5_11.i386.rpm
CentOS5i386nss-pkcs11-devel< 3.16.2.3-1.el5_11nss-pkcs11-devel-3.16.2.3-1.el5_11.i386.rpm
CentOS5i386nss-tools< 3.16.2.3-1.el5_11nss-tools-3.16.2.3-1.el5_11.i386.rpm
CentOS5i386nss< 3.16.2.3-1.el5_11nss-3.16.2.3-1.el5_11.i386.rpm
CentOS5x86_64nss< 3.16.2.3-1.el5_11nss-3.16.2.3-1.el5_11.x86_64.rpm
CentOS5i386nss-devel< 3.16.2.3-1.el5_11nss-devel-3.16.2.3-1.el5_11.i386.rpm
CentOS5x86_64nss-devel< 3.16.2.3-1.el5_11nss-devel-3.16.2.3-1.el5_11.x86_64.rpm
CentOS5i386nss-pkcs11-devel< 3.16.2.3-1.el5_11nss-pkcs11-devel-3.16.2.3-1.el5_11.i386.rpm
CentOS5x86_64nss-pkcs11-devel< 3.16.2.3-1.el5_11nss-pkcs11-devel-3.16.2.3-1.el5_11.x86_64.rpm
Rows per page:
1-10 of 501

Related

nessus 41
openvas 21
fedora 16
ibm 94
veracode 2
seebug 1
citrix 1
osv 1
redhat 3
amazon 1
f5 1
hackerone 3
cvelist 1
cert 1
suse 1
cisco 1
centos 1
freebsd 1
nvd 1
paloalto 1
securityvulns 2
threatpost 1
hp 1
debiancve 1
ubuntucve 1
nessus
nessus
Cisco Wireless LAN Controllers 5500 Series (POODLE)
2014-12-03 00:00:00
SuSE 11.3 Security Update : suseRegister (SAT Patch Number 10008)
2015-01-06 00:00:00
Fedora 20 : libuv-0.10.29-1.fc20 / nodejs-0.10.33-1.fc20 (2014-15379) (POODLE)
2014-12-15 00:00:00
openvas
openvas
Fedora Update for nodejs FEDORA-2014-15379
2014-12-15 00:00:00
Fedora Update for python-rhsm FEDORA-2014-13781
2014-11-07 00:00:00
SUSE: Security Advisory for suseRegister (SUSE-SU-2015:0010-1)
2015-10-13 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: python-rhsm-1.13.6-1.fc21
2014-11-10 06:34:40
[SECURITY] Fedora 21 Update: libetpan-1.6-1.fc21
2014-11-10 06:34:14
[SECURITY] Fedora 20 Update: claws-mail-plugins-3.11.1-1.fc20
2014-11-10 06:30:28
ibm
ibm
Security Bulletin: Vulnerability in SSLv3 affects TS3310 (CVE-2014-3566)
2018-06-18 00:08:53
Security Bulletin: Vulnerability in SSLv3 affects IBM i (CVE-2014-3566)
2019-12-18 14:26:38
Security Bulletin: Vulnerability in SSLv3 affects Rational DOORS Web Access (CVE-2014-3566)
2020-05-01 08:19:24
veracode
veracode
Information Disclosure
2017-02-07 00:05:45
POODLE Attack
2017-05-03 05:12:56
seebug
seebug
SSL 3.0 POODLE(CVE-2014-3566)
2017-02-17 00:00:00
citrix
citrix
CVE-2014-3566 - Citrix Security Advisory for SSLv3 Protocol Flaw
2014-10-14 04:00:00
osv
osv
lighttpd - security update
2015-07-25 00:00:00
redhat
redhat
(RHSA-2015:1546) Important: node.js security update
2015-08-04 00:00:00
(RHSA-2014:1653) Moderate: openssl security update
2014-10-16 00:00:00
(RHSA-2014:1948) Important: nss, nss-util, and nss-softokn security, bug fix, and enhancement update
2014-12-02 00:00:00
amazon
amazon
Important: openssl
2014-10-14 22:32:00
f5
f5
K15702 : SSLv3 vulnerability CVE-2014-3566
2015-09-18 00:00:00
hackerone
hackerone
New Relic: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
2017-03-26 19:08:23
X (Formerly Twitter): POODLE SSLv3 bug on multiple twitter smtp servers (mx3.twitter.com,199.59.148.204,199.16.156.108 and 199.59.148.204)
2017-11-09 21:44:16
Semrush: SSLv3 Poodle Attack on Ip Of semrush
2018-02-22 16:43:36
cvelist
cvelist
CVE-2014-3566
2014-10-15 00:00:00
cert
cert
POODLE vulnerability in SSL 3.0
2014-10-17 00:00:00
suse
suse
Security update for suseRegister (important)
2015-01-05 21:04:43
cisco
cisco
SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
2014-10-15 18:30:00
centos
centos
openssl security update
2014-10-16 15:21:39
freebsd
freebsd
davmail -- fix potential CVE-2014-3566 vulnerability (POODLE)
2014-10-27 00:00:00
nvd
nvd
CVE-2014-3566
2014-10-15 00:55:02
paloalto
paloalto
SSL 3.0 MITM Attack
2014-10-20 07:00:00
securityvulns
securityvulns
APPLE-SA-2014-10-16-2 Security Update 2014-005
2014-10-18 00:00:00
APPLE-SA-2014-10-16-5 OS X Server v2.2.5
2014-10-18 00:00:00
threatpost
threatpost
OpenSSL Releases Patch for POODLE Attack
2014-10-16 10:29:53
hp
hp
HPSBPI03360 rev.5 - HP LaserJet Printers and MFPs, HP OfficeJet Printers and MFPs, and HP JetDirect Networking cards using OpenSSL, Remote Disclosure of Information
2015-06-19 00:00:00
debiancve
debiancve
CVE-2014-3566
2014-10-15 00:55:02
ubuntucve
ubuntucve
CVE-2014-3566
2014-10-14 00:00:00

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

3.4 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

0.975 High

EPSS

Percentile

100.0%

JSON
Related for CESA-2014:1948
nessus41openvas21fedora16ibm94veracode2seebug1citrix1osv1redhat3amazon1f51hackerone3cvelist1cert1suse1cisco1centos1freebsd1nvd1paloalto1securityvulns2threatpost1hp1debiancve1ubuntucve1