Summary
The remote host is missing an update to nss
announced via advisory USN-810-1.
Solution
The problem can be corrected by upgrading your system to the following package versions:
Ubuntu 8.04 LTS:
libnss3-1d 3.12.3.1-0ubuntu0.8.04.1
Ubuntu 8.10:
libnss3-1d 3.12.3.1-0ubuntu0.8.10.1
Ubuntu 9.04:
libnss3-1d 3.12.3.1-0ubuntu0.9.04.1
After a standard system upgrade you need to restart an applications that use NSS, such as Firefox, to effect the necessary changes.
https://secure1.securityspace.com/smysecure/catid.html?in=USN-810-1
Insight
Moxie Marlinspike discovered that NSS did not properly handle regular expressions in certificate names. A remote attacker could create a specially crafted certificate to cause a denial of service (via application crash) or execute arbitrary code as the user invoking the program.
(CVE-2009-2404)
Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.
(CVE-2009-2408)
Dan Kaminsky discovered NSS would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site. (CVE-2009-2409)
Severity
Classification
-
CVE CVE-2009-2404, CVE-2009-2408, CVE-2009-2409 -
CVSS Base Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Ubuntu Update for dhcp vulnerability USN-531-1
- Ubuntu Update for apturl, Epiphany, gecko-sharp, gnome-python-extras, liferea, rhythmbox, totem, ubufox, yelp update USN-930-2
- Ubuntu Update for enscript vulnerability USN-660-1
- Ubuntu Update for cupsys vulnerabilities USN-656-1
- Ubuntu Update for Firefox 3.0 and Xulrunner vulnerabilities USN-920-1