The following security-relevant bugs have been resolved in NSS 3.15.2. Users are encouraged to upgrade immediately.
* Bug 894370 - (CVE-2013-1739) Avoid uninitialized data read in the event of a decryption failure.
Bring in the teams, it has been added to tree.
Arches, please test and mark stable:
=dev-libs/nss-3.15.2
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 ~s390 sparc x86"
amd64 stable
x86 stable
Stable for HPPA.
ia64 stable
alpha stable
ppc stable
arm stable
ppc64 stable
sparc stable
Cleanup, please.
CVE-2013-1739 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1739): Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure.
+ 24 Oct 2013; Lars Wendler <polynomial-c@gentoo.org> -nss-3.14.3.ebuild, + -nss-3.15.1-r1.ebuild: + Removed vulnerable versions (bug #486114). +
Do we want to add back 3.14.4? https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.4_release_notes
(In reply to Dirkjan Ochtman from comment #15)
> Do we want to add back 3.14.4?
>
> https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.4_release_notes

Please don't. nss-3.15 introduced TLS-1.2 which is the only TLS implementation out there that AFAIK has no known attack vector. And besides, nss-3.15.2 is already stable where it's necessary.
I have no problem with that, but I thought we might have stuff in the tree that depends on the 3.14 slot.
(In reply to Dirkjan Ochtman from comment #17)
> I have no problem with that, but I thought we might have stuff in the tree
> that depends on the 3.14 slot.

If we do, it's not specified in *DEPEND -- if it was then repoman would've caught it. I also grepped the tree just to be safe and didn't get any hits.
Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201406-19 at http://security.gentoo.org/glsa/glsa-201406-19.xml by GLSA coordinator Mikle Kolyada (Zlogene).