Summary: | <dev-libs/nss-{3.16.5,3.17.1} - <www-client/firefox-bin-{24.8.1,31.1.1,32.0.3} - <mail-client/thunderbird-bin-{24.8.1,31.1.2} - <www-client/seamonkey-bin-2.29.1: RSA signature forgery attack (CVE-2014-1568) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | ap, arm, boxcars, charles17, chromium, floppym, jdhore, jer, jesse, mozilla |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.mozilla.org/security/announce/2014/mfsa2014-73.html | ||
Whiteboard: | A3 [glsa glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 541316 | ||
Bug Blocks: |
Description
Hanno Böck
2014-09-24 21:10:38 UTC
I don't think this part of NSS is bundled in Chrome/Chromium on Linux, which would explain why Google only released an update for Windows and Mac. http://googlechromereleases.blogspot.com/2014/09/stable-channel-update_24.html I do see that we bundle libssl3, but not libnss3. +*nss-3.17.1 (25 Sep 2014) +*nss-3.16.5 (25 Sep 2014) + + 25 Sep 2014; Lars Wendler <polynomial-c@gentoo.org> +nss-3.16.5.ebuild, + +nss-3.17.1.ebuild, +files/nss-3.17.1-gentoo-fixups.patch: + Security bump (bug #523652). RSA signature forgery attack (CVE-2014-1568). + *** Bug 523698 has been marked as a duplicate of this bug. *** May we go ahead with the stabilization? which version(s)? We are bundled nss in firefox-bin/thunderbird-bin and seamonkey-bin. *** Bug 523774 has been marked as a duplicate of this bug. *** oh, that's a Summary fail, then. All ebuilds in the tree. Please stabilize the following: dev-libs/nss-3.16.5 www-client/firefox-bin-24.8.1 mail-client/thunderbird-bin-24.8.1 As seamonkey-bin-2.29 was ~arch we may still need to wait for other issues before 2.29.1 can be stabilized. PolyC can provide guidance on that. oops, apparently ATs were not CC'd. Trying again. Please stabilize the following: dev-libs/nss-3.16.5 Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" www-client/firefox-bin-24.8.1 Target KEYWORDS="amd64 x86" mail-client/thunderbird-bin-24.8.1 Target KEYWORDS="amd64 x86" Stable for HPPA. (In reply to Ian Stakenvicius from comment #9) > oops, apparently ATs were not CC'd. Trying again. I'm pretty sure you didn't mean "ATs". amd64 stable x86 stable dev-libs/nss doesn't even compile on alpha, see bug 525042 CVE-2014-1568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1568): Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue. ppc , ppc64 , arm , arm64 -- ping! I'd like to drop vulnerable versions from the tree sooner rather than later. I've also added nss-3.16.2.1 to the tree; IFF 3.16.5 can't be stabilized on a given arch please try and stabilize nss-3.16.2.1 as a "stop-gap" until 3.16.5 can be patched. x86 amd amd64 teams, please stabilize www-client/seamonkey-bin-2.29.1 also, as it's ready. dev-libs/nss-3.16.5 and dev-libs/nspr-4.10.6-r1 stable on Alpha. amd64 stable x86 stable ppc stable ppc64 stable ia64 stable sparc stable arm stable for nss and nspr Merging multiple bugs for www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}, www-client/seamonkey{,-bin) under the latest bug 531408 which is undergoing stabilization with each bug either needing cleanup or some stabilization. dev-libs/nss - Cleanup as part of bug 531628 Added to an existing GLSA Request. This issue was resolved and addressed in GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01 by GLSA coordinator Kristian Fiskerstrand (K_F). |