SECUNIA ADVISORY ID:
Network Security Services (NSS) 3.x
Two vulnerabilities have been reported in Network Security Services
(NSS), which potentially can be exploited by malicious people to
compromise a vulnerable system.
1) An integer underflow error when processing SSLv2 server messages
can be exploited to cause a heap-based buffer overflow via a
certificate with a public key too small to encrypt the "Master
2) An integer underflow error when processing SSLv2 client master
keys can be exploited to cause a stack-based buffer overflow via
specially crafted parameters during an SSLv2 handshake.
Successful exploitation of the vulnerabilities may allow execution of
The vulnerabilities are reported in versions 3.10 and 3.11.3. Other
versions may also be affected.
The vulnerabilities will be fixed in version 3.11.5.
PROVIDED AND/OR DISCOVERED BY:
Discovered by regenrecht and reported via iDefense Labs.
Updated spamassassin packages fix DoS vulnerability Feb 23 2007
A bug in the way that SpamAssassin processes HTML emails containing
URIs was discovered in versions 3.1.x. A carefully crafted mail
message could make SpamAssassin consume significant amounts of CPU
resources that could delay or prevent the delivery of mail if a
number of these messages were sent at once.
SpamAssassin has been upgraded to version 3.1.8 to correct this
problem, and other upstream bugs. In addition, an invalid path setting
in local.cf for the auto_whitelist_path has been fixed for Mandriva
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at: