Amazon Linux 1 Security Advisory: ALAS-2013-216
Advisory Release Date: 2013-08-07 21:23 Pacific
Advisory Updated Date: 2014-09-15 23:19 Pacific
It was discovered that NSS leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. (CVE-2013-1620)
An out-of-bounds memory read flaw was found in the way NSS decoded certain certificates. If an application using NSS decoded a malformed certificate, it could cause the application to crash. (CVE-2013-0791)
Affected Packages:
nspr
Issue Correction:
Run yum update nspr to update your system.
New Packages:
i686:
nspr-4.9.5-2.17.amzn1.i686
nspr-devel-4.9.5-2.17.amzn1.i686
nspr-debuginfo-4.9.5-2.17.amzn1.i686
src:
nspr-4.9.5-2.17.amzn1.src
x86_64:
nspr-devel-4.9.5-2.17.amzn1.x86_64
nspr-debuginfo-4.9.5-2.17.amzn1.x86_64
nspr-4.9.5-2.17.amzn1.x86_64
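To confirm the update took effect, the installed nspr packages can be compared against the fixed build 4.9.5-2.17.amzn1 listed above. The following is an added example, not part of the advisory: it reimplements RPM's segment-wise version comparison and assumes its input is the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n' nspr nspr-devel nspr-debuginfo`; the sample lines and the function names are constructed for illustration.

```python
import re

FIXED = ("4.9.5", "2.17.amzn1")  # version, release listed in this advisory
PACKAGES = {"nspr", "nspr-devel", "nspr-debuginfo"}

def rpmvercmp(a, b):
    """Segment-wise RPM string compare: -1, 0 or 1 (no epoch or '^' support)."""
    while a or b:
        a = re.sub(r"^[^A-Za-z0-9~]+", "", a)  # separators carry no weight
        b = re.sub(r"^[^A-Za-z0-9~]+", "", b)
        if a.startswith("~") or b.startswith("~"):  # '~' sorts before anything
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        sa, mb = re.match(pat, a).group(), re.match(pat, b)
        if mb is None:  # segment types differ: a numeric segment is newer
            return 1 if numeric else -1
        sb = mb.group()
        a, b = a[len(sa):], b[len(sb):]
        if numeric:  # compare as integers, so 9 < 17 and 05 == 5
            sa, sb = int(sa), int(sb)
        if sa != sb:
            return 1 if sa > sb else -1
    return (len(a) > 0) - (len(b) > 0)  # leftover segments mean newer

def outdated(rpm_lines):
    """Return queried packages whose version-release is older than FIXED."""
    stale = []
    for line in rpm_lines.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] not in PACKAGES:
            continue  # skips e.g. "package nspr-devel is not installed"
        name, ver, rel, arch = fields
        if (rpmvercmp(ver, FIXED[0]) or rpmvercmp(rel, FIXED[1])) < 0:
            stale.append(f"{name}-{ver}-{rel}.{arch}")
    return stale

# Constructed sample of the rpm query output (not taken from a real host).
SAMPLE = """\
nspr 4.9.5 2.9.amzn1 x86_64
nspr-devel 4.9.5 2.17.amzn1 x86_64
package nspr-debuginfo is not installed
"""
```

`outdated(SAMPLE)` reports only the `2.9.amzn1` build, which a plain string comparison would wrongly rank above `2.17.amzn1`.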