An attack on the RSA signature verification has been found in the nss library. Details in Mozilla's bugtracker are still private, so I can't judge how serious this is. The description says it's a variant of the Bleichenbacher attack, which probably refers to the attack presented at crypto 2006: http://www.imc.org/ietf-openpgp/mail-archive/msg06063.html nss 3.17.1 and 3.16.5 fix this. This is probably bundled in google-chrome, firefox-bin and maybe more packages.
I don't think this part of NSS is bundled in Chrome/Chromium on Linux, which would explain why Google only released an update for Windows and Mac. http://googlechromereleases.blogspot.com/2014/09/stable-channel-update_24.html I do see that we bundle libssl3, but not libnss3.
+*nss-3.17.1 (25 Sep 2014) +*nss-3.16.5 (25 Sep 2014) + + 25 Sep 2014; Lars Wendler <polynomial-c@gentoo.org> +nss-3.16.5.ebuild, + +nss-3.17.1.ebuild, +files/nss-3.17.1-gentoo-fixups.patch: + Security bump (bug #523652). RSA signature forgery attack (CVE-2014-1568). +
*** Bug 523698 has been marked as a duplicate of this bug. ***
May we go ahead with the stabilization? which version(s)?
We are bundled nss in firefox-bin/thunderbird-bin and seamonkey-bin.
*** Bug 523774 has been marked as a duplicate of this bug. ***
oh, that's a Summary fail, then.
All ebuilds in the tree. Please stabilize the following: dev-libs/nss-3.16.5 www-client/firefox-bin-24.8.1 mail-client/thunderbird-bin-24.8.1 As seamonkey-bin-2.29 was ~arch we may still need to wait for other issues before 2.29.1 can be stabilized. PolyC can provide guidance on that.
oops, apparently ATs were not CC'd. Trying again. Please stabilize the following: dev-libs/nss-3.16.5 Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" www-client/firefox-bin-24.8.1 Target KEYWORDS="amd64 x86" mail-client/thunderbird-bin-24.8.1 Target KEYWORDS="amd64 x86"
Stable for HPPA.
(In reply to Ian Stakenvicius from comment #9) > oops, apparently ATs were not CC'd. Trying again. I'm pretty sure you didn't mean "ATs".
amd64 stable
x86 stable
dev-libs/nss doesn't even compile on alpha, see bug 525042
CVE-2014-1568 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1568): Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates, which makes it easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue.
ppc , ppc64 , arm , arm64 -- ping! I'd like to drop vulnerable versions from the tree sooner rather than later. I've also added nss-3.16.2.1 to the tree; IFF 3.16.5 can't be stabilized on a given arch please try and stabilize nss-3.16.2.1 as a "stop-gap" until 3.16.5 can be patched.
x86 amd amd64 teams, please stabilize www-client/seamonkey-bin-2.29.1 also, as it's ready.
dev-libs/nss-3.16.5 and dev-libs/nspr-4.10.6-r1 stable on Alpha.
ppc stable
ppc64 stable
ia64 stable
sparc stable
arm stable for nss and nspr
Merging multiple bugs for www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}, www-client/seamonkey{,-bin) under the latest bug 531408 which is undergoing stabilization with each bug either needing cleanup or some stabilization. dev-libs/nss - Cleanup as part of bug 531628
Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01 by GLSA coordinator Kristian Fiskerstrand (K_F).