nss 3.12.9 has been released to address the recent issue with fraudulent certificates by Comodo. 3.12.9 blacklists them by their id. See: http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/ nss 3.12.9 is already in tree, but it seems there's no security bug yet.
Hanno, do you have more information on this? I am unable to find anything about nss and the Comodo fiasco.

(In reply to comment #0)
> nss 3.12.9 is already in tree, but it seems there's no security bug yet.

3.12.9 was committed in January, which predates this issue by a little while. I don't believe it has the fix/workaround... Help?
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/de5774217cc33669#

Strange, it seems they haven't made a new release, but a new module which they bundle with the old release: ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_9_WITH_CKBI_1_82_RTM/
(In reply to comment #2)
> Strange, it seems they haven't made a new release, but a new module which they
> bundle with the old release:
> ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_9_WITH_CKBI_1_82_RTM/

Ah, perfect, thank you. From $URL:

> This announcement is related to the same underlying issue as reported in
> http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudule...
>
> While the above mentioned hotfix was made at the Mozilla client
> application level, we would like to provide a hotfix at the NSS level, too.
>
> We have created an updated "builtin certificates" module (ckbi) that
> includes the fraudulent SSL certificates, and marks them as explicitly
> not trusted. (The addbuiltin tool was updated, for that purpose, too.)
>
> When attempting to verify one of the fraudulent certificates, NSS will
> report SEC_ERROR_UNTRUSTED_CERT (this is a pre-existing error code).
>
> We've combined this updated module with the most recently released
> stable version of NSS 3.12.9
>
> The cvs tag is:
> NSS_3_12_9_WITH_CKBI_1_82_RTM

@mozilla, is this something we can use in an -r1 ebuild to stabilize? Thanks!
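The explicit-distrust mechanism quoted above, as an added illustration that is not NSS code and not part of this bug: a small Python model of a builtin trust store in which a distrust flag on any certificate in the chain overrides an otherwise trusted root and yields SEC_ERROR_UNTRUSTED_CERT. The Cert and TrustStore classes, the flag letters, the use of the real NSS code SEC_ERROR_UNKNOWN_ISSUER for an unanchored chain, and all certificates are assumptions or constructed sample data.

```python
from dataclasses import dataclass
from hashlib import sha256

# Trust flags loosely modelled on NSS certutil trust letters (assumption: simplified).
TRUSTED_CA = "C"   # trusted to issue server certificates (a trust anchor)
DISTRUSTED = "p"   # explicitly not trusted, as the updated ckbi marks the fraudulent certs
SEC_ERROR_UNTRUSTED_CERT = "SEC_ERROR_UNTRUSTED_CERT"  # NSS error code named in the announcement
SEC_ERROR_UNKNOWN_ISSUER = "SEC_ERROR_UNKNOWN_ISSUER"  # real NSS error code, not on this page
MAX_CHAIN_DEPTH = 10

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    der: bytes  # constructed stand-in for the DER encoding; only used for the fingerprint

    def fingerprint(self) -> str:
        return sha256(self.der).hexdigest()

class TrustStore:
    """Builtin-module style store: one trust flag per certificate fingerprint."""
    def __init__(self):
        self.flags = {}       # fingerprint -> trust flag
        self.by_subject = {}  # subject -> Cert, so anchors can be found by issuer name

    def add(self, cert, flag):
        self.flags[cert.fingerprint()] = flag
        self.by_subject[cert.subject] = cert

def verify(leaf, intermediates, store):
    """Walk the issuer chain; explicit distrust on any link wins over a trusted root."""
    pool = {c.subject: c for c in intermediates}
    pool.update(store.by_subject)
    cur = leaf
    for _ in range(MAX_CHAIN_DEPTH):
        flag = store.flags.get(cur.fingerprint())
        if flag == DISTRUSTED:      # checked before the anchor test on purpose
            return SEC_ERROR_UNTRUSTED_CERT
        if flag == TRUSTED_CA:
            return None             # reached an anchor with no distrust on the path
        if cur.issuer == cur.subject or cur.issuer not in pool:
            return SEC_ERROR_UNKNOWN_ISSUER
        cur = pool[cur.issuer]
    return SEC_ERROR_UNKNOWN_ISSUER  # chain too long or cyclic

if __name__ == "__main__":
    root = Cert("CN=Example Root CA", "CN=Example Root CA", 1, b"root-der")        # constructed
    good = Cert("CN=good.example", "CN=Example Root CA", 100, b"good-der")         # constructed
    bogus = Cert("CN=login.example.net", "CN=Example Root CA", 101, b"bogus-der")  # constructed mis-issued cert
    store = TrustStore()
    store.add(root, TRUSTED_CA)
    store.add(bogus, DISTRUSTED)  # ckbi-style explicit distrust entry
    print(verify(good, [], store), verify(bogus, [], store))  # None SEC_ERROR_UNTRUSTED_CERT
```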
3.12.9-r1 is in the tree; feel free to call archs in to stabilize. You will need to ensure we mark nspr-4.8.7 stable at the same time.
(In reply to comment #4)
> 3.12.9-r1 is in the tree feel free to call archs in to stabilize, you will need
> to ensure we mark nspr-4.8.7 stable at same time.

Great, thanks. Arches, please test and mark stable:

=dev-libs/nss-3.12.9-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=dev-libs/nspr-4.8.7
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Both ok on amd64.
amd64 done. Thanks, Agostino.
x86 stable. Thanks.
Stable for HPPA.
alpha/arm/ia64/sparc stable
ppc/ppc64 stable, last arch done
Thanks, everyone. GLSA Vote: yes.
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).