Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 439586

Summary: <dev-libs/nss-3.14: add TLS 1.1-support for BEAST-attack (CVE-2011-3389)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: mozilla
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 443450    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2012-10-25 07:30:17 UTC
nss 3.14 has been released by upstream.

I'm opening this as a security bug, because this is the first version to support TLS 1.1 and that's the only way to properly fix the BEAST attack. There are workarounds for BEAST already in place in most client applications, but that doesn't hide the fact that the underlying IV problem is part of TLS 1.0 and thus I'd consider this a security update.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-10-25 12:17:45 UTC
CVE-2011-3389 (
  The SSL protocol, as used in certain configurations in Microsoft Windows and
  Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and
  other products, encrypts data by using CBC mode with chained initialization
  vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP
  headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session,
  in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API,
  (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a
  "BEAST" attack.
Comment 2 Jory A. Pratt gentoo-dev 2012-11-02 12:49:56 UTC
3.14 is in the tree feel free to take it stable.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-15 20:17:17 UTC
(In reply to comment #2)
> 3.14 is in the tree feel free to take it stable.

Thanks, Jory.

Arches, please test and mark stable:
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Vicente Olivert Riera (RETIRED) gentoo-dev 2012-11-15 21:43:26 UTC
Tested amd64: looks fine here.
Tested   ppc: looks fine here.
Tested   x86: looks fine here.

I have recompiled some packages against nss-3.14 and eveything is fine.

=dev-libs/nss-3.14 calls AR and RANLIB directly. bug 440260
In that bug there is a patch that fixes the problem. Maybe it would be a good idea to resolv that bug at the same time as we mark this package stable.
Comment 5 Agostino Sarubbo gentoo-dev 2012-11-15 23:06:15 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-11-16 16:25:27 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2012-11-21 10:15:23 UTC
x86 stable
Comment 8 Markus Meier gentoo-dev 2012-11-21 21:59:20 UTC
arm stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-11-25 19:01:05 UTC
alpha/ia64/sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2012-11-29 16:59:25 UTC
ppc stable
Comment 11 Anthony Basile gentoo-dev 2012-11-29 23:31:16 UTC
stable ppc64, closing
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-30 13:04:20 UTC
Thanks, everyone.

GLSA vote: yes, with the Mozilla GLSA.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2012-12-17 03:36:59 UTC
GLSA Vote: yes too. Added to mozilla GLSA draft.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:05:48 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at
by GLSA coordinator Sean Amoss (ackle).