Test ID:	1.3.6.1.4.1.25623.1.0.120691
Category:	Amazon Linux Local Security Checks
Title:	Amazon Linux: Security Advisory (ALAS-2016-702)
Summary:	The remote host is missing an update for the 'nspr, nss-util, nss, nss-softokn' package(s) announced via the ALAS-2016-702 advisory.
Description:	Summary: The remote host is missing an update for the 'nspr, nss-util, nss, nss-softokn' package(s) announced via the ALAS-2016-702 advisory. Vulnerability Insight: A use-after-free flaw was found in the way NSS handled DHE (DiffieHellman key exchange) and ECDHE (Elliptic Curve Diffie-Hellman key exchange) handshake messages. A remote attacker could send a specially crafted handshake message that, when parsed by an application linked against NSS, would cause that application to crash or, under certain special conditions, execute arbitrary code using the permissions of the user running the application. (CVE-2016-1978) A use-after-free flaw was found in the way NSS processed certain DER (Distinguished Encoding Rules) encoded cryptographic keys. An attacker could use this flaw to create a specially crafted DER encoded certificate which, when parsed by an application compiled against the NSS library, could cause that application to crash, or execute arbitrary code using the permissions of the user running the application. (CVE-2016-1979) Affected Software/OS: 'nspr, nss-util, nss, nss-softokn' package(s) on Amazon Linux. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2016-1978 BugTraq ID: 84275 http://www.securityfocus.com/bid/84275 BugTraq ID: 91787 http://www.securityfocus.com/bid/91787 Debian Security Information: DSA-3688 (Google Search) http://www.debian.org/security/2016/dsa-3688 https://security.gentoo.org/glsa/201605-06 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes RedHat Security Advisories: RHSA-2016:0591 http://rhn.redhat.com/errata/RHSA-2016-0591.html RedHat Security Advisories: RHSA-2016:0684 http://rhn.redhat.com/errata/RHSA-2016-0684.html RedHat Security Advisories: RHSA-2016:0685 http://rhn.redhat.com/errata/RHSA-2016-0685.html http://www.securitytracker.com/id/1035258 SuSE Security Announcement: SUSE-SU-2016:0727 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00027.html SuSE Security Announcement: SUSE-SU-2016:0777 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00050.html SuSE Security Announcement: SUSE-SU-2016:0820 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00068.html SuSE Security Announcement: SUSE-SU-2016:0909 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00093.html http://www.ubuntu.com/usn/USN-2973-1 Common Vulnerability Exposure (CVE) ID: CVE-2016-1979 BugTraq ID: 84221 http://www.securityfocus.com/bid/84221 Debian Security Information: DSA-3576 (Google Search) http://www.debian.org/security/2016/dsa-3576 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.1_release_notes http://www.securitytracker.com/id/1035215 SuSE Security Announcement: openSUSE-SU-2016:0731 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00029.html SuSE Security Announcement: openSUSE-SU-2016:0733 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00031.html
Copyright	Copyright (C) 2016 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.