Summary: | <dev-libs/nss-3.12.9-r1: blacklisting of fraudulent certificates | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | hanno
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/de5774217cc33669# | |
Whiteboard: | A4 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
Hanno Böck
2011-03-24 17:05:19 UTC

---

Hanno, do you have more information on this? I am unable to find anything about nss and the Comodo fiasco.

(In reply to comment #0)
> nss 3.12.9 is already in tree, but it seems there's no security bug yet.

3.12.9 was committed in January, which predates this issue by a little while. I don't believe it has the fix/workaround... Help?

---

http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/de5774217cc33669#

Strange, it seems they haven't made a new release, but a new module which they bundle with the old release:
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_9_WITH_CKBI_1_82_RTM/

---

(In reply to comment #2)
> Strange, it seems they haven't made a new release, but a new module which they
> bundle with the old release:
> ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_9_WITH_CKBI_1_82_RTM/

Ah, perfect, thank you. From $URL:

> This announcement is related to the same underlying issue as reported in
> http://blog.mozilla.com/security/2011/03/22/firefox-blocking-fraudule...
>
> While the above-mentioned hotfix was made at the Mozilla client
> application level, we would like to provide a hotfix at the NSS level, too.
>
> We have created an updated "builtin certificates" module (ckbi) that
> includes the fraudulent SSL certificates, and marks them as explicitly
> not trusted. (The addbuiltin tool was updated, for that purpose, too.)
>
> When attempting to verify one of the fraudulent certificates, NSS will
> report SEC_ERROR_UNTRUSTED_CERT (this is a pre-existing error code).
>
> We've combined this updated module with the most recently released
> stable version of NSS 3.12.9.
>
> The cvs tag is:
> NSS_3_12_9_WITH_CKBI_1_82_RTM

@mozilla, is this something we can use in an -r1 ebuild to stabilize? Thanks!

---

3.12.9-r1 is in the tree; feel free to call archs in to stabilize. You will need to ensure we mark nspr-4.8.7 stable at the same time.
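The trust-flag mechanism the quoted NSS announcement describes, as an added illustration that is neither part of this bug thread nor NSS's own code: a simplified Python model of how an explicit "not trusted" entry in the builtin module overrides the trust a chain would otherwise inherit from its root, which is why a certificate a trusted CA genuinely issued can still be rejected with SEC_ERROR_UNTRUSTED_CERT. The certificate records, fingerprints and trust-store contents are constructed; signature and revocation checking are out of scope.

```python
from dataclasses import dataclass

# Flag names follow NSS's nssckt.h; the values are placeholders for this model.
CKT_NSS_TRUSTED_DELEGATOR = "trusted_delegator"   # may issue certificates (a root CA)
CKT_NSS_NOT_TRUSTED = "not_trusted"               # explicitly distrusted (the blacklist)
CKT_NSS_TRUST_UNKNOWN = "trust_unknown"           # no entry in the builtin module

# Result codes, named after the NSS error codes they stand in for.
SEC_SUCCESS = "SECSuccess"
SEC_ERROR_UNTRUSTED_CERT = "SEC_ERROR_UNTRUSTED_CERT"
SEC_ERROR_UNTRUSTED_ISSUER = "SEC_ERROR_UNTRUSTED_ISSUER"

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str   # constructed sample value, not a real certificate hash

def verify_chain(chain, builtin_trust):
    """chain is leaf-first and ends at the self-signed root;
    builtin_trust maps fingerprint -> trust flag, like the ckbi module."""
    # An explicit distrust entry anywhere in the chain wins over root trust:
    # this is what lets a blacklist block certificates a trusted CA really issued.
    for cert in chain:
        if builtin_trust.get(cert.fingerprint, CKT_NSS_TRUST_UNKNOWN) == CKT_NSS_NOT_TRUSTED:
            return SEC_ERROR_UNTRUSTED_CERT
    # Otherwise the chain must link correctly and end in a trusted delegator.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return SEC_ERROR_UNTRUSTED_ISSUER
    root = chain[-1]
    if root.issuer != root.subject or builtin_trust.get(root.fingerprint) != CKT_NSS_TRUSTED_DELEGATOR:
        return SEC_ERROR_UNTRUSTED_ISSUER
    return SEC_SUCCESS

# Constructed sample data: one root, one legitimately issued leaf, and one leaf
# the same CA was tricked into issuing for the same hostname.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "aa:01")
GOOD = Cert("CN=login.example.com", "CN=Example Root CA", "bb:02")
FRAUD = Cert("CN=login.example.com", "CN=Example Root CA", "cc:03")

ckbi_old = {ROOT.fingerprint: CKT_NSS_TRUSTED_DELEGATOR}
ckbi_updated = dict(ckbi_old, **{FRAUD.fingerprint: CKT_NSS_NOT_TRUSTED})

if __name__ == "__main__":
    print(verify_chain([FRAUD, ROOT], ckbi_old))      # SECSuccess (the problem)
    print(verify_chain([FRAUD, ROOT], ckbi_updated))  # SEC_ERROR_UNTRUSTED_CERT
    print(verify_chain([GOOD, ROOT], ckbi_updated))   # SECSuccess
```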
(In reply to comment #4)
> 3.12.9-r1 is in the tree; feel free to call archs in to stabilize. You will need
> to ensure we mark nspr-4.8.7 stable at the same time.

Great, thanks.

Arches, please test and mark stable:

=dev-libs/nss-3.12.9-r1
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=dev-libs/nspr-4.8.7
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

---

Both OK on amd64.

---

amd64 done. Thanks, Agostino.

---

x86 stable. Thanks.

---

Stable for HPPA.

---

alpha/arm/ia64/sparc stable.

---

ppc/ppc64 stable, last arch done.

---

Thanks, everyone. GLSA Vote: yes.

---

Vote: YES. Added to pending GLSA request.

---

This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).