Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 360315 - <dev-libs/nss-3.12.9-r1: blacklisting of fraudulent certificates
Summary: <dev-libs/nss-3.12.9-r1: blacklisting of fraudulent certificates
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://groups.google.com/group/mozill...
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-03-24 17:05 UTC by Hanno Böck
Modified: 2013-01-08 01:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2011-03-24 17:05:19 UTC
nss 3.12.9 has been released to adress the recent issue with fraud certificates by commodo. 3.12.9 blacklists them by their id.
See:
http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudulent-certificates/

nss 3.12.9 is already in tree, but it seems there's no security bug yet.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-03-25 23:24:06 UTC
Hanno, do you have more information on this? I am unable to find anything about nss and the Comodo fiasco. 

(In reply to comment #0)
> nss 3.12.9 is already in tree, but it seems there's no security bug yet.

3.12.9 was committed in January, which predates this issue by a little while. I don't believe it has the fix/workaround...

Help?
Comment 2 Hanno Böck gentoo-dev 2011-03-26 10:22:02 UTC
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/de5774217cc33669#

Strange, it seems they haven't made a new release, but a new module which they bundle with the old release:
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_9_WITH_CKBI_1_82_RTM/
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-03-26 21:05:02 UTC
(In reply to comment #2)
> Strange, it seems they haven't made a new release, but a new module which they
> bundle with the old release:
> ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_9_WITH_CKBI_1_82_RTM/

Ah, perfect, thank you.

From $URL:

> This announcement is related to the same underlying issue as reported in
> http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudule...
> 
> While the above mentioned hotfix was made at the Mozilla client
> application level, we would like to provide a hotfix at the NSS level, too.
> 
> We have created an updated "builtin certificates" module (ckbi) that
> includes the fraudulent SSL certificates, and marks them as explicitly
> not trusted. (The addbuiltin tool was updated, for that purpose, too.)
> 
> When attempting to verify one of the fraudulent certificates, NSS will
> report SEC_ERROR_UNTRUSTED_CERT (this is an pre-existing error code).
> 
> We've combined this updated module with the most recently released
> stable version of NSS 3.12.9
> 
> The cvs tag is:
> NSS_3_12_9_WITH_CKBI_1_82_RTM 

@mozilla, is this something we can use in an -r1 ebuild to stabilize? Thanks!
Comment 4 Jory A. Pratt gentoo-dev 2011-05-03 00:59:09 UTC
3.12.9-r1 is in the tree feel free to call archs in to stabilize, you will need to ensure we mark nspr-4.8.7 stable at same time.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-05-03 02:30:55 UTC
(In reply to comment #4)
> 3.12.9-r1 is in the tree feel free to call archs in to stabilize, you will need
> to ensure we mark nspr-4.8.7 stable at same time.

Great, thanks.

Arches, please test and mark stable:
=dev-libs/nss-3.12.9-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=dev-libs/nspr-4.8.7
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 6 Agostino Sarubbo gentoo-dev 2011-05-03 10:45:47 UTC
both ok on amd64
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-05-03 14:09:35 UTC
amd64 done. Thanks Agostino
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2011-05-03 17:03:10 UTC
x86 stable. Thanks
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-05-06 03:09:06 UTC
Stable for HPPA.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-05-07 17:56:52 UTC
alpha/arm/ia64/sparc stable
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-14 16:19:01 UTC
ppc/ppc64 stable, last arch done
Comment 12 Tim Sammut (RETIRED) gentoo-dev 2011-05-14 16:39:29 UTC
Thanks, everyone. GLSA Vote: yes.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:29:58 UTC
Vote: YES. Added to pending GLSA request.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:48 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).