RHSA-2023:1366: Red Hat Security Advisory: nss security update
An update for nss is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-0767: The Mozilla Foundation Security Advisory describes this flaw as: An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled.
Issued: 2023-03-21
Updated: 2023-03-21
RHSA-2023:1366 - Security Advisory
Synopsis
Important: nss security update
Type/Severity
Security Advisory: Important
Topic
An update for nss is now available for Red Hat Enterprise Linux 6 Extended Lifecycle Support.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.
Security Fix(es):
- nss: Arbitrary memory write via PKCS 12 (CVE-2023-0767)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing this update, applications using NSS (for example, Firefox) must be restarted for this update to take effect.
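The following script is an added example and is not part of the advisory or of Red Hat's tooling. It carries out the solution steps above on a RHEL 6 ELS host: verify a downloaded RPM against the SHA-256 values the advisory lists under Updated Packages, confirm that every installed nss package is at or above version-release 3.44.0-13.el6_10, and find processes that still map the replaced NSS shared objects and therefore need the restart the advisory calls for. Assumptions: the version comparison is a simplified one written for this example, not rpm's own rpmvercmp; the library names are the ones the nss package installs (libnss3, libssl3, libsmime3, libnssckbi); and the /proc/<pid>/maps excerpt used by the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): post-update checks for RHSA-2023:1366.
# Live mode needs rpm, sha256sum and /proc on the RHEL 6 host; the helper
# functions are plain POSIX sh and run anywhere, which is what the demo uses.

FIXED_NSS_VR="3.44.0-13.el6_10"   # version-release carrying the CVE-2023-0767 fix

# Simplified RPM version-release comparison: split on '.' and '-', compare
# segment by segment (numerically when both sides are numeric, otherwise in
# byte order). Prints -1, 0 or 1. Enough for el6_10 NVRs; it is not a full
# rpmvercmp (no epoch, tilde or caret handling).
vr_cmp() {
  a=$(printf '%s' "$1" | sed 's/-/./g')
  b=$(printf '%s' "$2" | sed 's/-/./g')
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
    case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    [ "$x" = "$y" ] && continue
    [ -z "$x" ] && { printf '%s\n' -1; return; }   # shorter string sorts first
    [ -z "$y" ] && { printf '%s\n' 1; return; }
    case "$x$y" in
      *[!0-9]*)  # a non-numeric segment such as el6_10: byte order
        first=$(printf '%s\n%s\n' "$x" "$y" | LC_ALL=C sort | head -n 1)
        [ "$first" = "$x" ] && printf '%s\n' -1 || printf '%s\n' 1; return ;;
      *)
        [ "$x" -lt "$y" ] && printf '%s\n' -1 || printf '%s\n' 1; return ;;
    esac
  done
  printf '%s\n' 0
}

# True when an installed version-release is at or above the fixed one.
nss_is_fixed() { [ "$(vr_cmp "$1" "$FIXED_NSS_VR")" -ge 0 ]; }

# Verify a downloaded RPM against the SHA-256 listed in the advisory's
# Updated Packages table: verify_sha256 <file> <expected-hex>
verify_sha256() {
  actual=$(sha256sum "$1" | cut -d ' ' -f 1)
  [ "$actual" = "$2" ]
}

# True when a /proc/<pid>/maps file still maps a since-replaced NSS library:
# the kernel marks the old, unlinked image "(deleted)". These are the shared
# objects the nss package installs (assumption for this example).
maps_has_stale_nss() {
  grep -q -E 'lib(nss3|ssl3|smime3|nssckbi)\.so.* \(deleted\)$' "$1" 2>/dev/null
}

# Live procedure: check every installed nss arch (x86_64 hosts may carry both
# i686 and x86_64), then list processes that still hold the old libraries.
live_checks() {
  rpm -q nss >/dev/null 2>&1 || { echo "nss is not installed"; return 1; }
  rpm -q --qf '%{NAME}.%{ARCH} %{VERSION}-%{RELEASE}\n' nss | while read -r pkg vr; do
    if nss_is_fixed "$vr"; then echo "OK      $pkg $vr"
    else echo "OLD     $pkg $vr (need $FIXED_NSS_VR)"; fi
  done
  for m in /proc/[0-9]*/maps; do
    pid=${m#/proc/}; pid=${pid%/maps}
    if maps_has_stale_nss "$m"; then
      echo "RESTART pid $pid ($(tr '\0' ' ' < "/proc/$pid/cmdline" | cut -c 1-60))"
    fi
  done
}

# Demo on constructed data; runs without rpm or /proc access.
demo() {
  for vr in 3.44.0-12.el6_10 3.44.0-13.el6_10; do
    if nss_is_fixed "$vr"; then echo "$vr: fixed"; else echo "$vr: vulnerable"; fi
  done
  maps=$(mktemp)
  # Constructed /proc/<pid>/maps excerpt, the shape seen after the rpm update
  # while a process started before it is still running.
  cat > "$maps" <<'EOF'
7f2a3c000000-7f2a3c15b000 r-xp 00000000 fd:01 1835 /usr/lib64/libnss3.so (deleted)
7f2a3c35b000-7f2a3c360000 rw-p 0015b000 fd:01 1835 /usr/lib64/libnss3.so (deleted)
7f2a3d000000-7f2a3d020000 r-xp 00000000 fd:01 2201 /lib64/libc-2.12.so
EOF
  if maps_has_stale_nss "$maps"; then echo "stale libnss3.so mapping: restart this process"; fi
  rm -f "$maps"
}

case "${1:-}" in
  --live) live_checks ;;
  *)      demo ;;
esac
```

Run it as root with --live on the patched host; with no argument it runs the demo on the constructed data. If yum-utils is installed, needs-restarting performs a similar stale-mapping scan across all updated packages.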
Affected Products
- Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
- Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
- Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
Fixes
- BZ - 2170377 - CVE-2023-0767 nss: Arbitrary memory write via PKCS 12
Red Hat Enterprise Linux Server - Extended Life Cycle Support 6
SRPM
nss-3.44.0-13.el6_10.src.rpm
SHA-256: 2233aded7fcf6911318215c3cc669f8c9cf26740e90ca5be765a2d897a7c0d01
x86_64
nss-3.44.0-13.el6_10.i686.rpm
SHA-256: bde230e8bbbf7a36fdc5e27a40553bba7845ba7d74623c6edfa341b97105ab1b
nss-3.44.0-13.el6_10.x86_64.rpm
SHA-256: 42cbf1f4dcf0f2dca7d6b80fdbf7ccb0613eb064fd067061aa715e0eac03d086
nss-debuginfo-3.44.0-13.el6_10.i686.rpm
SHA-256: 2bf686a88109b52a02b330f11d22424f2a8ae2c6011b103ecd38c3cc479995dd
nss-debuginfo-3.44.0-13.el6_10.x86_64.rpm
SHA-256: 93d3ecf68807d1fcd5df00b1c7cb3030e2e642cbb1e8ff1e3f408f982e6fd784
nss-devel-3.44.0-13.el6_10.i686.rpm
SHA-256: f524729e387eb3ca77fc80b6ce887e031bef031038b529f71ce3dc117c5cedc0
nss-devel-3.44.0-13.el6_10.x86_64.rpm
SHA-256: f6f1eef1f680d887e5ebabcdbffc93dd6748b2a7615c1521bbe2680bd0a48513
nss-pkcs11-devel-3.44.0-13.el6_10.i686.rpm
SHA-256: 320ceb5245add477ad08db44321f3d8c70e29c7ad19f235e8cfb0885ad6d9349
nss-pkcs11-devel-3.44.0-13.el6_10.x86_64.rpm
SHA-256: ea0e454730b84b02f5c5bdb76f776f47552bf52eb7f51ebb3457986c5fcedda7
nss-sysinit-3.44.0-13.el6_10.x86_64.rpm
SHA-256: 316184c06cd100f4a1842a501ac901f94d09058fdae05ee1189653dc3079f70b
nss-tools-3.44.0-13.el6_10.x86_64.rpm
SHA-256: 22dea0a9fd47bb41e480a733834751bbfdb0266d5d73524ed26398b379d09d90
i386
nss-3.44.0-13.el6_10.i686.rpm
SHA-256: bde230e8bbbf7a36fdc5e27a40553bba7845ba7d74623c6edfa341b97105ab1b
nss-debuginfo-3.44.0-13.el6_10.i686.rpm
SHA-256: 2bf686a88109b52a02b330f11d22424f2a8ae2c6011b103ecd38c3cc479995dd
nss-devel-3.44.0-13.el6_10.i686.rpm
SHA-256: f524729e387eb3ca77fc80b6ce887e031bef031038b529f71ce3dc117c5cedc0
nss-pkcs11-devel-3.44.0-13.el6_10.i686.rpm
SHA-256: 320ceb5245add477ad08db44321f3d8c70e29c7ad19f235e8cfb0885ad6d9349
nss-sysinit-3.44.0-13.el6_10.i686.rpm
SHA-256: c76ddfc5f230a2c5d6223442dc0434c7881006189def7f072e1fde4195a832dc
nss-tools-3.44.0-13.el6_10.i686.rpm
SHA-256: 7fbeeffb33c5a25bd798b774e581886d630f89738d62271b3209fab96ef01143
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6
SRPM
nss-3.44.0-13.el6_10.src.rpm
SHA-256: 2233aded7fcf6911318215c3cc669f8c9cf26740e90ca5be765a2d897a7c0d01
s390x
nss-3.44.0-13.el6_10.s390.rpm
SHA-256: d6dd5f8cbd5f62f67e9c2138c9cb2228ea47f452351cc2412678d4048810082d
nss-3.44.0-13.el6_10.s390x.rpm
SHA-256: 7860e5b563d05ca19a89a537d5456bafb567e5ce805edb5bface3f7a72eae15a
nss-debuginfo-3.44.0-13.el6_10.s390.rpm
SHA-256: 39570052f79bff987f0adc217acdf28053295c7d76f3c18c893cded1a308bfe2
nss-debuginfo-3.44.0-13.el6_10.s390x.rpm
SHA-256: 6742d863d4694c5c3e6335c821c7efcbcf91c8fa89be3635a9e2e04124385c03
nss-devel-3.44.0-13.el6_10.s390.rpm
SHA-256: c477658d9a13731f3e8ca3f464524ab84b089bb4f5136855f202addd3817c858
nss-devel-3.44.0-13.el6_10.s390x.rpm
SHA-256: c30adc9be0a65c43a3f904e229916e9a243638f8f17282a768d4ca2b3c7b8cbe
nss-pkcs11-devel-3.44.0-13.el6_10.s390.rpm
SHA-256: 4f3deeee5a06634758decaf9156ed3538843d408965d2b9e28ae9bd31ee817c9
nss-pkcs11-devel-3.44.0-13.el6_10.s390x.rpm
SHA-256: adff3aba752004a7cd900226b093d7a61072d7f1169c74eb9277ea3fad0f3ede
nss-sysinit-3.44.0-13.el6_10.s390x.rpm
SHA-256: 08dd36aebe022031ffcfec65825400b230c808f20c711cbc92a1b0a53d15cfba
nss-tools-3.44.0-13.el6_10.s390x.rpm
SHA-256: 57ccbffbd8a636f2afef24567afed380418aea3ce578a9f14e31a7f13a283390
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.