Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 292034

Summary: <dev-libs/nss-3.12.5 TLS Session Renegotiation MITM vulnerability (CVE-2009-3555)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: kjackie
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://extendedsubset.com/?p=8
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 300606    
Bug Blocks: 292023    

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-06 00:25:30 UTC 
+++ This bug was initially created as a clone of Bug #292023 +++

From $URL:
Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities. [...]

This is tracked upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=524596 which is restricted still -> anarchy, rbu
Comment 1 Tomas Hoger 2009-11-12 15:26:26 UTC 
(In reply to comment #0)
> This is tracked upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=524596
> which is restricted still -> anarchy, rbu

https://bugzilla.mozilla.org/show_bug.cgi?id=526689 should be the right one and is public now.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-01-17 20:09:49 UTC 
Stabilization via 300606
Comment 3 Hanno Böck gentoo-dev 2010-03-27 18:18:05 UTC 
300606 is about stabilizing 3.12.5, which only disables tls renegotiation (and breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 is needed.
mozilla-team: Is stabilizing 3.6.2 an option at the moment?
Comment 4 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-03-27 21:27:47 UTC 
(In reply to comment #3)
> 300606 is about stabilizing 3.12.5, which only disables tls renegotiation (and
> breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 is needed.
> mozilla-team: Is stabilizing 3.6.2 an option at the moment?
> 

Don't really know; there hasn't been a 3.12.6 tarball released yet, we're using an artificial nss-3.12.6-gentoo extracted from the ff 3.2.6 sources for that. I want Anarchy's opinion before putting that up for stabilization.

There's also a few packages that are broken with xulrunner-1.9.2*; I've yet to look at those from a stable perspective (there's no tracker bug for instance...)
Comment 5 Jory A. Pratt gentoo-dev 2010-03-28 04:24:40 UTC 
(In reply to comment #4)
> (In reply to comment #3)
> > 300606 is about stabilizing 3.12.5, which only disables tls renegotiation (and
> > breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 is needed.
> > mozilla-team: Is stabilizing 3.6.2 an option at the moment?
> > 
> 
> Don't really know; there hasn't been a 3.12.6 tarball released yet, we're using
> an artificial nss-3.12.6-gentoo extracted from the ff 3.2.6 sources for that. I
> want Anarchy's opinion before putting that up for stabilization.
> 
> There's also a few packages that are broken with xulrunner-1.9.2*; I've yet to
> look at those from a stable perspective (there's no tracker bug for
> instance...)
> 

Actually it has been officially released on the 25th. We will work to finish cleaning up for breakage and work to move to 3.6.x in 2 weeks.
Comment 6 Jory A. Pratt gentoo-dev 2010-03-28 14:53:53 UTC 
(In reply to comment #3)
> 300606 is about stabilizing 3.12.5, which only disables tls renegotiation (and
> breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 is needed.
> mozilla-team: Is stabilizing 3.6.2 an option at the moment?
> 

I have added official support for 3.12.6 to tree which replaces the  incomplete snapshot. I do not see why you feel we must stabilize firefox-3.6.2 at this time, if you wanted we could fast track 3.12.6-r1 to stable and still allow for proper renegotiation.
Comment 7 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:28 UTC 
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:37:58 UTC 
GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:36 UTC 
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).