|Summary:||<dev-libs/nss-3.14: add TLS 1.1-support for BEAST-attack (CVE-2011-3389)|
|Product:||Gentoo Security||Reporter:||Hanno Böck <hanno>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||443450|
Description Hanno Böck 2012-10-25 07:30:17 UTC
nss 3.14 has been released by upstream. I'm opening this as a security bug, because this is the first version to support TLS 1.1 and that's the only way to properly fix the BEAST attack. There are workarounds for BEAST already in place in most client applications, but that doesn't hide the fact that the underlying IV problem is part of TLS 1.0 and thus I'd consider this a security update.
Comment 1 GLSAMaker/CVETool Bot 2012-10-25 12:17:45 UTC
Comment 2 Jory A. Pratt 2012-11-02 12:49:56 UTC
3.14 is in the tree; feel free to take it stable.
Comment 3 Sean Amoss (RETIRED) 2012-11-15 20:17:17 UTC
(In reply to comment #2)
> 3.14 is in the tree; feel free to take it stable.
Thanks, Jory.
Arches, please test and mark stable:
=dev-libs/nss-3.14
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Vicente Olivert Riera (RETIRED) 2012-11-15 21:43:26 UTC
Tested amd64: looks fine here.
Tested ppc: looks fine here.
Tested x86: looks fine here.
I have recompiled some packages against nss-3.14 and everything is fine.
=dev-libs/nss-3.14 calls AR and RANLIB directly: bug 440260.
In that bug there is a patch that fixes the problem. Maybe it would be a good idea to resolve that bug at the same time as we mark this package stable.
Comment 5 Agostino Sarubbo 2012-11-15 23:06:15 UTC
Comment 6 Jeroen Roovers (RETIRED) 2012-11-16 16:25:27 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo 2012-11-21 10:15:23 UTC
Comment 8 Markus Meier 2012-11-21 21:59:20 UTC
Comment 9 Raúl Porcel (RETIRED) 2012-11-25 19:01:05 UTC
Comment 10 Agostino Sarubbo 2012-11-29 16:59:25 UTC
Comment 11 Anthony Basile 2012-11-29 23:31:16 UTC
stable ppc64, closing
Comment 12 Sean Amoss (RETIRED) 2012-11-30 13:04:20 UTC
Thanks, everyone. GLSA vote: yes, with the Mozilla GLSA.
Comment 13 Tim Sammut (RETIRED) 2012-12-17 03:36:59 UTC
GLSA Vote: yes too. Added to mozilla GLSA draft.
Comment 14 GLSAMaker/CVETool Bot 2013-01-08 01:05:48 UTC
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).