EGI SVG Advisories

Advisory-SVG-CVE-2016-1950

Title:   EGI SVG Advisory **UPDATE** [TLP:White] 'CRITICAL' risk NSS heap
         buffer overflow vulnerability [EGI-SVG-CVE-2016-1950]

Date:    2016-03-11
Updated: 2016-03-14


Affected Software and Risk
==========================

CRITICAL risk vulnerability concerning NSS heap buffer overflow

Package : NSS
CVE ID  : CVE-2016-1950

All versions of NSS prior to the vendor patches that address this issue.

Actions Required/Recommended
============================

**UPDATE**

Patches should now be available for all versions of Linux, so all sites should
update if they have not done so already.

All running resources MUST be either patched or software removed by 2016-03-22
00:00 UTC

Sites failing to act and/or failing to respond to requests from the EGI CSIRT
team risk site suspension.

Sites should note that it is necessary to re-start all services that use NSS:
a running process keeps the old copy of the shared library mapped until it is
restarted, so installing the update alone does not remove the vulnerable code
from memory. It may be simplest to re-boot after installation of the updates.
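The following script is an added example and is not part of the EGI advisory or
of the NSS project; it shows one way to find the processes that still need
restarting after the nss packages have been updated. When a package update
replaces a shared library on disk, processes that had it loaded keep the old
inode mapped, and Linux marks such mappings with a trailing "(deleted)" in
/proc/<pid>/maps. The script name, the --scan option and the list of NSS
library basenames it matches are assumptions made for this example; it requires
a Linux /proc filesystem and root privileges to inspect other users' processes.

```shell
#!/bin/sh
# Added example (not from the EGI advisory or the NSS project): after the
# nss packages are updated, list processes that still have a replaced NSS
# shared library mapped, i.e. processes that have not yet been restarted and
# are still running the vulnerable code.
#
# When a package update replaces a shared library on disk, processes that had
# it loaded keep the old inode mapped; the kernel marks such mappings in
# /proc/<pid>/maps with a trailing "(deleted)". Requires Linux /proc; reading
# other users' maps files needs root.

# stale_nss_mappings MAPS_FILE
#   Print, one per line, the distinct NSS library paths in a
#   /proc/<pid>/maps-format file whose mapping is marked "(deleted)".
#   Prints nothing when the process has no stale NSS mapping.
stale_nss_mappings() {
    awk '
        # A maps line is: addr perms offset dev inode [path] [(deleted)]
        # so with the marker present the path is the second-to-last field.
        # (Paths containing spaces are not handled; NSS libraries never have them.)
        $NF == "(deleted)" {
            path = $(NF - 1)
            base = path
            sub(/.*\//, "", base)
            # NSS library basenames (assumed list, covers RHEL/Debian/Ubuntu
            # packaging): libnss3, libnssutil3, libnssckbi, libnssdbm3, libnsspem,
            # libnsssysinit, libsmime3, libssl3, libsoftokn3, libfreebl3, libfreeblpriv3.
            # glibc name-service libraries (libnss_files etc.) contain "_" and are
            # deliberately excluded, as is OpenSSL (libssl.so, not libssl3.so).
            if (base ~ /^lib(nss[a-z0-9]*|smime3|ssl3|softokn3|freebl[a-z0-9]*)\.so/)
                print path
        }
    ' "$1" 2>/dev/null | LC_ALL=C sort -u
}

# report_processes_with_stale_nss
#   Scan every readable /proc/<pid>/maps and print "pid<TAB>command<TAB>libs"
#   for each process that still maps a replaced NSS library. Each listed
#   process (or the whole host) must be restarted for the update to take effect.
report_processes_with_stale_nss() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_nss_mappings "$maps")
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "${comm:-?}" "$(printf '%s' "$libs" | tr '\n' ' ')"
    done
}

# Usage (assumed script name): sh nss-restart-check.sh --scan
case "${1:-}" in
    --scan) report_processes_with_stale_nss ;;
esac
```

Run it as root after the update; an empty result means no process still maps
a replaced NSS library. Distribution tools such as needrestart or checkrestart
(Debian) perform the same check for all shared libraries, not only NSS.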


Affected Software Details
=========================

As far as we know, all versions of NSS shipped with all Linux distributions
prior to the vendor patches that address this issue are affected.

More information
================

As stated in [R 1], an attacker could use this flaw to create a specially
crafted certificate which, when parsed by NSS, could cause it to crash or to
execute arbitrary code with the permissions of the user running an application
compiled against the NSS library.


Mitigation
==========

None known. The only remedy is to apply the vendor patches and then restart
every service that uses NSS.


Component installation information
==================================

See the vendors' web sites:

For RedHat see [R 1], [R 2]

For Debian see [R 3]

For Ubuntu see [R 4]

Patches for Scientific Linux were not available when this advisory was first
issued; see the UPDATE above.


URL
===

URL:   https://advisories.egi.eu/Advisory-SVG-CVE-2016-1950

Minor updates may be made without re-distribution to the sites

** WHITE information - Unlimited distribution - see
https://go.egi.eu/tlp for distribution restrictions **

Credit
======

SVG was alerted to this vulnerability by Vincent Brillault from CERN, who is a
member of SVG.

References
==========

[R 1] https://access.redhat.com/security/cve/CVE-2016-1950

[R 2] https://rhn.redhat.com/errata/RHSA-2016-0370.html

[R 3] https://security-tracker.debian.org/tracker/CVE-2016-1950

[R 4] http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1950.html



Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI, you may
report it by e-mail to:

report-vulnerability at egi.eu

the EGI Software Vulnerability Group will take a look.


Timeline
========


2016-03-09 SVG alerted to this issue by Vincent Brillault from CERN
2016-03-09 Investigation of the vulnerability and its relevance to EGI carried out
2016-03-10 EGI SVG Risk Assessment completed
2016-03-10 Updated packages available for RedHat, Ubuntu, Debian
2016-03-11 Advisory/Alert sent to sites
2016-03-14 Updated with link to SL.


On behalf of the EGI SVG,