ALAS-2015-569


Amazon Linux AMI Security Advisory: ALAS-2015-569
Advisory Release Date: 2015-07-22 10:00 Pacific
Severity: Medium

Issue Overview:

A flaw was found in the way the TLS protocol composes the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them do decrypt all traffic. (CVE-2015-4000 )

Please note that this update forces the TLS/SSL client implementation in NSS to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Future updates may raise this limit to 1024 bits.


Affected Packages:

nss,nss-util


Issue Correction:
Run yum update nss nss-util to update your system.

New Packages:
i686:
    nss-util-3.19.1-1.41.amzn1.i686
    nss-util-devel-3.19.1-1.41.amzn1.i686
    nss-util-debuginfo-3.19.1-1.41.amzn1.i686
    nss-sysinit-3.19.1-3.71.amzn1.i686
    nss-tools-3.19.1-3.71.amzn1.i686
    nss-devel-3.19.1-3.71.amzn1.i686
    nss-pkcs11-devel-3.19.1-3.71.amzn1.i686
    nss-3.19.1-3.71.amzn1.i686
    nss-debuginfo-3.19.1-3.71.amzn1.i686

src:
    nss-util-3.19.1-1.41.amzn1.src
    nss-3.19.1-3.71.amzn1.src

x86_64:
    nss-util-debuginfo-3.19.1-1.41.amzn1.x86_64
    nss-util-3.19.1-1.41.amzn1.x86_64
    nss-util-devel-3.19.1-1.41.amzn1.x86_64
    nss-pkcs11-devel-3.19.1-3.71.amzn1.x86_64
    nss-tools-3.19.1-3.71.amzn1.x86_64
    nss-devel-3.19.1-3.71.amzn1.x86_64
    nss-sysinit-3.19.1-3.71.amzn1.x86_64
    nss-3.19.1-3.71.amzn1.x86_64
    nss-debuginfo-3.19.1-3.71.amzn1.x86_64