The following security-relevant bugs have been resolved in NSS 3.15.2.
Users are encouraged to upgrade immediately.
* Bug 894370 - (CVE-2013-1739) Avoid uninitialized data read in the event
of a decryption failure.
Bring in the teams, it has been added to tree.
Arches, please test and mark stable:
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 ~s390 sparc x86"
Stable for HPPA.
Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that
data structures are initialized before read operations, which allows remote
attackers to cause a denial of service or possibly have unspecified other
impact via vectors that trigger a decryption failure.
+ 24 Oct 2013; Lars Wendler <firstname.lastname@example.org> -nss-3.14.3.ebuild,
+ Removed vulnerable versions (bug #486114).
Do we want to add back 3.14.4?
(In reply to Dirkjan Ochtman from comment #15)
> Do we want to add back 3.14.4?
Please don't. nss-3.15 introduced TLS-1.2 which is the only TLS implementation out there that AFAIK has no known attack vector. And besides, nss-3.15.2 is already stable where it's necessary.
I have no problem with that, but I thought we might have stuff in the tree that depends on the 3.14 slot.
(In reply to Dirkjan Ochtman from comment #17)
> I have no problem with that, but I thought we might have stuff in the tree
> that depends on the 3.14 slot.
If we do, it's not specified in *DEPEND -- if it was then repoman would've caught it. I also grepped the tree just to be safe and didn't get any hits.
Arches and Maintainer(s), thank you for your work.
Added to an existing GLSA request.
This issue was resolved and addressed in
GLSA 201406-19 at http://security.gentoo.org/glsa/glsa-201406-19.xml
by GLSA coordinator Mikle Kolyada (Zlogene).