Summary: | <dev-libs/nss-3.21-r2: Weak RSA-MD5 signature allows attack on client certificate authentication (part of SLOTH attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | mozilla, slawomir.nizio
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.mitls.org/pages/attacks/SLOTH | |
Whiteboard: | A3 [glsa cve blocked] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 604916 | |
Bug Blocks: | | |

Description
Hanno Böck
2016-01-06 16:00:20 UTC
According to what [1] reads right now, these Gentoo packages are also affected:

net-libs/mbedtls-2.1.3
net-libs/polarssl (all versions)
dev-java/oracle-jdk-bin:1.8
dev-java/oracle-jre-bin:1.8

Should those be dedicated bug reports or should this very ticket handle them all?

[1] http://www.mitls.org/pages/attacks/SLOTH#disclosure

(In reply to Sebastian Pipping from comment #1)
>
> Should those be dedicated bug reports or should this very ticket handle them
> all?

The cleanest by far is dedicated bug reports and blocking a tracker bug for the overall issue.

I got the OK from vapier that the changes he made to nss-3.21-r2 should be good to go for stabilization, let's do it:

Arches, please stabilize =dev-libs/nss-3.21-r2

Stable for HPPA.

3.21 fixes another vuln (found by me actually), I'll just add the CVE to the description here.

Stable on alpha.

Stable for PPC64.

amd64 stable

x86 stable

arm stable

*** Bug 571518 has been marked as a duplicate of this bug. ***

ppc stable

sparc stable

ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

3.20 is still in the tree...

@maintainer(s), can you please clean this?

This issue was resolved and addressed in GLSA 201701-46 at https://security.gentoo.org/glsa/201701-46 by GLSA coordinator Thomas Deutschmann (whissi).