Bug 292034 - <dev-libs/nss-3.12.5 TLS Session Renegotiation MITM vulnerability (CVE-2009-3555)
Summary: <dev-libs/nss-3.12.5 TLS Session Renegotiation MITM vulnerability (CVE-2009-3...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://extendedsubset.com/?p=8
Whiteboard: A3 [glsa]
Keywords:
Depends on: 300606
Blocks: CVE-2009-3555
Reported: 2009-11-06 00:25 UTC by Alex Legler (RETIRED)
Modified: 2013-01-08 01:03 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-06 00:25:30 UTC
+++ This bug was initially created as a clone of Bug #292023 +++

From $URL:
Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. [...]

This is tracked upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=524596 which is restricted still -> anarchy, rbu
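A toy model of the renegotiation splice described above, added here as an illustration; it is not code from this bug, from NSS or from Mozilla. It contrasts three server policies: accept legacy renegotiation, refuse renegotiation outright (the "disables tls renegotiation and breaks things" option), and require the RFC 5746 renegotiation_info binding (the standard fix behind "proper renegotiation"). The Session/Server classes, the policy names and the use of a random 12-byte verify_data are this example's own assumptions; the page itself only names NSS versions.

```python
import os
from dataclasses import dataclass

# Policy names are this example's own, not NSS configuration values.
LEGACY, DISABLED, SECURE = "legacy", "disabled", "secure"

@dataclass
class Session:
    verify_data: bytes       # binding left by the last completed handshake
    app_stream: bytes = b""  # application data as the server application sees it

class Server:
    """Toy server; models only the renegotiation decision, not real TLS."""
    def __init__(self, policy):
        self.policy = policy

    def handshake(self, session, renegotiation_info):
        """Return the resulting Session, or None if refused. renegotiation_info
        is b"" on a handshake the client believes is initial, else the previous
        verify_data (the RFC 5746 binding)."""
        if session is None:                       # fresh connection
            return Session(verify_data=os.urandom(12))
        if self.policy == DISABLED:               # refuse every renegotiation
            return None
        if self.policy == SECURE and renegotiation_info != session.verify_data:
            return None                           # binding mismatch: abort
        # Renegotiation accepted: bytes received earlier stay in the same stream.
        return Session(os.urandom(12), session.app_stream)

    def receive(self, session, data):
        session.app_stream += data

def mitm_splice(server):
    """MITM opens its own session, sends a chosen prefix, then relays the
    victim's initial handshake as a renegotiation on that session."""
    attacker = server.handshake(None, b"")
    server.receive(attacker, b"MITM-CHOSEN-PREFIX ")
    spliced = server.handshake(attacker, b"")  # victim sends an empty binding
    if spliced is None:
        return None
    server.receive(spliced, b"victim request")
    return spliced.app_stream

def honest_renegotiation(server):
    """Client that did the first handshake renegotiates with the binding."""
    first = server.handshake(None, b"")
    server.receive(first, b"part1 ")
    second = server.handshake(first, first.verify_data)
    if second is None:
        return None
    server.receive(second, b"part2")
    return second.app_stream
```

Only the SECURE policy refuses the spliced stream while still allowing the honest client to renegotiate; DISABLED blocks both, LEGACY allows both.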
Comment 1 Tomas Hoger 2009-11-12 15:26:26 UTC
(In reply to comment #0)
> This is tracked upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=524596
> which is restricted still -> anarchy, rbu

https://bugzilla.mozilla.org/show_bug.cgi?id=526689 should be the right one and is public now.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-17 20:09:49 UTC
Stabilization via 300606
Comment 3 Hanno Böck gentoo-dev 2010-03-27 18:18:05 UTC
300606 is about stabilizing 3.12.5, which only disables TLS renegotiation (and breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 are needed.
mozilla-team: Is stabilizing 3.6.2 an option at the moment?
Comment 4 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-03-27 21:27:47 UTC
(In reply to comment #3)
> 300606 is about stabilizing 3.12.5, which only disables tls renegotiation (and
> breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 is needed.
> mozilla-team: Is stabilizing 3.6.2 an option at the moment?
> 

Don't really know; there hasn't been a 3.12.6 tarball released yet, we're using an artificial nss-3.12.6-gentoo extracted from the ff 3.2.6 sources for that. I want Anarchy's opinion before putting that up for stabilization.

There are also a few packages that are broken with xulrunner-1.9.2*; I've yet to look at those from a stable perspective (there's no tracker bug, for instance...)
Comment 5 Jory A. Pratt gentoo-dev 2010-03-28 04:24:40 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > 300606 is about stabilizing 3.12.5, which only disables tls renegotiation (and
> > breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 is needed.
> > mozilla-team: Is stabilizing 3.6.2 an option at the moment?
> > 
> 
> Don't really know; there hasn't been a 3.12.6 tarball released yet, we're using
> an artificial nss-3.12.6-gentoo extracted from the ff 3.2.6 sources for that. I
> want Anarchy's opinion before putting that up for stabilization.
> 
> There's also a few packages that are broken with xulrunner-1.9.2*; I've yet to
> look at those from a stable perspective (there's no tracker bug for
> instance...)
> 

Actually, it was officially released on the 25th. We will work to finish cleaning up the breakage and work to move to 3.6.x in 2 weeks.
Comment 6 Jory A. Pratt gentoo-dev 2010-03-28 14:53:53 UTC
(In reply to comment #3)
> 300606 is about stabilizing 3.12.5, which only disables tls renegotiation (and
> breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 is needed.
> mozilla-team: Is stabilizing 3.6.2 an option at the moment?
> 

I have added official support for 3.12.6 to the tree, which replaces the incomplete snapshot. I do not see why you feel we must stabilize firefox-3.6.2 at this time; if you wanted, we could fast-track 3.12.6-r1 to stable and still allow for proper renegotiation.
Comment 7 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:28 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:37:58 UTC
GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:36 UTC
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).