CESA-2010:0165 -- centos 5 x86_64 nspr and nssID: oval:org.secpod.oval:def:201931 | Date: (C)2012-01-31 (M)2024-02-19 |
Class: PATCH | Family: unix |
Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSLv2, SSLv3, TLS, and other security standards. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing, calendar time, basic memory management , and shared library linking. A flaw was found in the way the TLS/SSL protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client"s session . This could force the server to process an attacker"s request as if authenticated using the victim"s credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. This erratum also updates the NSPR packages to the version required by NSS 3.12.6. All running applications using the NSS library must be restarted for this update to take effect.