Amazon Linux 1 Security Advisory: ALAS-2015-569
Advisory Release Date: 2015-07-22 10:00 Pacific
Advisory Updated Date: 2015-07-22 10:00 Pacific
A flaw was found in the way the TLS protocol composes the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them do decrypt all traffic. (CVE-2015-4000)
Please note that this update forces the TLS/SSL client implementation in NSS to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Future updates may raise this limit to 1024 bits.
Affected Packages:
nss, nss-util
Issue Correction:
Run yum update nss nss-util to update your system.
i686:
nss-util-3.19.1-1.41.amzn1.i686
nss-util-devel-3.19.1-1.41.amzn1.i686
nss-util-debuginfo-3.19.1-1.41.amzn1.i686
nss-sysinit-3.19.1-3.71.amzn1.i686
nss-tools-3.19.1-3.71.amzn1.i686
nss-devel-3.19.1-3.71.amzn1.i686
nss-pkcs11-devel-3.19.1-3.71.amzn1.i686
nss-3.19.1-3.71.amzn1.i686
nss-debuginfo-3.19.1-3.71.amzn1.i686
src:
nss-util-3.19.1-1.41.amzn1.src
nss-3.19.1-3.71.amzn1.src
x86_64:
nss-util-debuginfo-3.19.1-1.41.amzn1.x86_64
nss-util-3.19.1-1.41.amzn1.x86_64
nss-util-devel-3.19.1-1.41.amzn1.x86_64
nss-pkcs11-devel-3.19.1-3.71.amzn1.x86_64
nss-tools-3.19.1-3.71.amzn1.x86_64
nss-devel-3.19.1-3.71.amzn1.x86_64
nss-sysinit-3.19.1-3.71.amzn1.x86_64
nss-3.19.1-3.71.amzn1.x86_64
nss-debuginfo-3.19.1-3.71.amzn1.x86_64