| Description: | Summary:
The remote host is missing an update for the 'nss'
package(s) announced via the referenced advisory.
Vulnerability Insight:
Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server
applications.
A flaw was found in the way the TLS protocol composes the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them do decrypt all traffic. (CVE-2015-4000)
Note: This update forces the TLS/SSL client implementation in NSS to
reject DH key sizes below 768 bits, which prevents sessions to be
downgraded to export-grade keys. Future updates may raise this limit to
1024 bits.
The nss and nss-util packages have been upgraded to upstream versions
3.19.1. The upgraded versions provide a number of bug fixes and
enhancements over the previous versions.
Users of nss and nss-util are advised to upgrade to these updated packages,
which fix these security flaws, bugs, and add these enhancements.
Affected Software/OS:
nss on Red Hat Enterprise Linux Desktop (v. 6),
Red Hat Enterprise Linux Server (v. 6),
Red Hat Enterprise Linux Server (v. 7),
Red Hat Enterprise Linux Workstation (v. 6)
Solution:
Please Install the Updated Packages.
CVSS Score:
4.3
CVSS Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
