
Network Security Services

VMSA-2012-0001 VMware ESXi and ESX updates to third party library and ESX Service Console

    The ESX Service Console (COS) nspr and nss RPMs are updated to
    nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving
    a security issue.

    A Certificate Authority (CA) issued fraudulent SSL certificates and
    Netscape Portable Runtime (NSPR) and Network Security Services (NSS)
    contain the built-in tokens of this fraudulent Certificate
    Authority. This update renders all SSL certificates signed by the
    fraudulent CA as untrusted for all uses.

    Column 4 of the following table lists the action required to

VMSA-2010-0001 ESX Service Console updates for nss and nspr

3. Problem Description

 a. Update for Service Console packages nss and nspr

    Service console packages for Network Security Services (NSS) and
    Netscape Portable Runtime (NSPR) are updated to versions
    nss-3.12.3.99.3-1.2157 and nspr-4.7.6-1.2213 respectively. This
    patch fixes several security issues in the service console
    packages for NSS and NSPR.


VMSA-2011-0013 VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX

  * hosted products are VMware Workstation, Player, ACE, Fusion.

 c. ESX third party update for Service Console nss and nspr RPMs

    The Service Console Network Security Services (NSS) and Netscape
    Portable Runtime (NSPR) libraries are updated to nspr-4.8.6-1
    and nss-3.12.8-4 resolving multiple security issues.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the names CVE-2010-3170 and CVE-2010-3173 to these

[SECURITY] [DSA 2123-1] New NSS packages fix cryptographic weaknesses

Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-3170 CVE-2010-3173

Several vulnerabilities have been discovered in Mozilla's Network
Security Services (NSS) library.  The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2010-3170
        NSS recognizes a wildcard IP address in the subject's Common
        Name field of an X.509 certificate, which might allow

[ MDVSA-2010:089 ] gnutls

 Multiple vulnerabilities have been found and corrected in gnutls:
 
 The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
 used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
 in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
 GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
 3.12.4 and earlier, and other products, does not properly associate
 renegotiation handshakes with an existing connection, which allows
 man-in-the-middle attackers to insert data into HTTPS sessions,
 and possibly other types of sessions protected by TLS or SSL, by
 sending an unauthenticated request that is processed retroactively

[ MDVSA-2009:337 ] proftpd

 A vulnerability has been identified and corrected in proftpd:
 
 The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
 used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
 in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
 GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
 3.12.4 and earlier, and other products, does not properly associate
 renegotiation handshakes with an existing connection, which allows
 man-in-the-middle attackers to insert data into HTTPS sessions,
 and possibly other types of sessions protected by TLS or SSL, by
 sending an unauthenticated request that is processed retroactively

[ MDVSA-2010:069 ] nss

 A vulnerability has been found and corrected in nss:
 
 The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
 used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
 in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l,
 GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS)
 3.12.4 and earlier, and other products, does not properly associate
 renegotiation handshakes with an existing connection, which allows
 man-in-the-middle attackers to insert data into HTTPS sessions,
 and possibly other types of sessions protected by TLS or SSL, by
 sending an unauthenticated request that is processed retroactively



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
