From ${URL} : Description A security issue has been reported in Network Security Services (NSS), which can be exploited by malicious people to disclose certain information. The security issue is caused due an error within the "ssl_Do1stHandshake()" function (lib/ssl/sslsecur.c) and can be exploited to potentially return unencrypted and unauthenticated data from PR_Recv. Successful exploitation requires that false start is enabled. The security issue is reported in versions prior to 3.15.4. Solution: Update to version 3.15.4. Provided and/or discovered by: Reported by the vendor. Original Advisory: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Arches please test and mark stable =dev-libs/nss-3.15.4 with target KEYWORDS: alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris
Stable for HPPA.
amd64 stable
x86 stable
ppc64 stable
ppc stable
alpha stable
arm stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
+ 27 Jan 2014; Lars Wendler <polynomial-c@gentoo.org> -nss-3.15.2.ebuild, + -nss-3.15.3.ebuild, -nss-3.15.3.1.ebuild, + -files/nss-3.12.6-gentoo-fixup-warnings.patch, + -files/nss-3.14.1-gentoo-fixups-r1.patch, -files/nss-3.14.2-x32.patch, + -files/nss-3.14.3_sync_with_upstream_softokn_changes.patch, + -files/nss-3.15.1-fipstest-warnings.patch: + Removed old... +
CVE-2013-1740 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1740): The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
GLSA vote: no.
GLSA vote: no. Closing as [noglsa]
