From ${URL} : Notable Changes in NSS 3.17.3: The QuickDER decoder now decodes lengths robustly (CVE-2014-1569). @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Arches please test and mark stable =dev-libs/nss-3.17.3 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris
amd64 stable
Stable for HPPA.
x86 stable
ppc stable
ppc64 stable
ia64 stable
arm stable
alpha stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
Arches, Thank you for your work. Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No
CVE-2014-1569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1569): The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.
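As an added illustration of the well-formedness check the CVE description above says was missing (this is not NSS code and not part of the bug thread), a strict DER definite-length parser in C that rejects padded or non-minimal lengths. The function name `der_read_length` is hypothetical and the byte arrays are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed samples (length octets, then content); not taken from NSS. */
static const unsigned char zero_short[]  = { 0x00 };
static const unsigned char zero_padded[] = { 0x84, 0x00, 0x00, 0x00, 0x00 };
static const unsigned char five_long[]   = { 0x81, 0x05, 1, 2, 3, 4, 5 };
static const unsigned char len200[202]   = { 0x81, 0xC8 }; /* 200 zero bytes */
static const unsigned char indefinite[]  = { 0x80, 0x00, 0x00 };

/* Hypothetical helper: returns 0 and fills *len (content length) and *used
 * (length octets consumed), or -1 if malformed, non-minimal or overrunning. */
int der_read_length(const unsigned char *buf, size_t avail,
                    size_t *len, size_t *used)
{
    size_t v, n, i;
    if (avail == 0)
        return -1;
    if (buf[0] < 0x80) {             /* short form: 0..127 in one octet */
        v = buf[0];
        n = 0;
    } else {
        n = buf[0] & 0x7f;           /* long form: n length octets follow */
        /* reject 0x80 (indefinite), 0xff (reserved), oversized, truncated */
        if (n == 0 || n == 0x7f || n > sizeof(size_t) || n > avail - 1)
            return -1;
        if (buf[1] == 0x00)          /* leading zero octet: not minimal */
            return -1;
        for (v = 0, i = 1; i <= n; i++)
            v = (v << 8) | buf[i];
        if (v < 0x80)                /* short form was required */
            return -1;
    }
    if (v > avail - 1 - n)           /* content must fit in the buffer */
        return -1;
    *len = v;
    *used = 1 + n;
    return 0;
}

int main(void)
{
    size_t len, used;
    printf("zero_short:  %d\n", der_read_length(zero_short, sizeof zero_short, &len, &used));
    printf("zero_padded: %d\n", der_read_length(zero_padded, sizeof zero_padded, &len, &used));
    printf("five_long:   %d\n", der_read_length(five_long, sizeof five_long, &len, &used));
    printf("len200:      %d\n", der_read_length(len200, sizeof len200, &len, &used));
    printf("indefinite:  %d\n", der_read_length(indefinite, sizeof indefinite, &len, &used));
    return 0;
}
```

A length of zero is accepted only in its single-octet form; the same value spread over extra length octets is the kind of encoding the advisory describes as usable for data smuggling.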
GLSA Vote: No, marking noglsa
Maintainer(s), please drop the vulnerable version(s). I am using all other open NSS bugs as depend for this bug for cleanup.
Maintainer(s), it has been 30 days since request for cleanup. Please drop the vulnerable versions.
+*nss-3.17.4 (31 Jan 2015) + + 31 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> -nss-3.15.4.ebuild, + -nss-3.16.5.ebuild, -nss-3.16.6.ebuild, -nss-3.17.2.ebuild, + +nss-3.17.4.ebuild, -files/nss-3.15-gentoo-fixups.patch, + -files/nss-3.15-x32.patch: + Version bump (bug #538288). Removed old. + Vulnerable versions have been dropped. Sorry for the delay...
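Review bot: The entry text "Version bump (bug #538288). Removed old." does not record why the old ebuilds were removed. Since the accompanying comment says the dropped versions (nss-3.15.4, nss-3.16.5, nss-3.16.6, nss-3.17.2) are the vulnerable ones, consider naming the security cleanup or CVE-2014-1569 in the ChangeLog line so the tree history shows the removal was security-driven rather than routine pruning.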
Maintainer(s), Thank you for cleanup! Closing noglsa.