This security advisory from Sun (released yesterday) is rated highly critical.
From Sun:
Security vulnerabilities in the Network Security Services (NSS) implementation of SSL2 may affect both SSL clients (such as browsers) and SSL servers which make use of this library. As a result, the client or server may exit unexpectedly, which is a type of Denial of Service (DoS). For servers running on Microsoft Windows, they may present a remote code execution vulnerability. These vulnerabilities are in NSS’s implementation of SSL2, not in the SSL2 protocol itself.
Note: NSS is a set of libraries that implement SSL2, SSL 3.0 and TLS (SSL 3.1). NSS is widely used. It is used in the Mozilla family of browsers offered by Sun to Solaris users. It is also used in the “Java Enterprise Server” (JES) family of server products, including Web server, Directory Server, Messaging Server, Application Server, Portal Server, and others. It is used for the built-in LDAPS client in Solaris 9 and 10 which may be used as part of the Solaris login program.This issue is also described in the following documents:
- CVE-2007-0008 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
- CVE-2007-0009 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
- CERT VU#377812 at: http://www.kb.cert.org/vuls/id/377812
- CERT VU#592796 at: http://www.kb.cert.org/vuls/id/592796
[tags]Sun, Solaris, Network Security Services, SSL Security[/tags]