Bug 897890 (CVE-2014-1568)

Summary:	VUL-0: CVE-2014-1568: mozilla-nss: certificate forgery possible
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Marcus Meissner <meissner>
Component:	Incidents	Assignee:	Petr Cerny <pcerny>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P5 - None	CC:	jsegitz, skliu, wolfgang
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:	maint:released:sle11-sp3:59085 maint:released:sle11-sp2:59086 maint:released:sle11-sp1:59083 maint:released:sle10-sp3:59084 maint:released:sle10-sp3:59088 maint:released:oes11-sp1:59224
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	MFSA2014-73 draft

Description Marcus Meissner 2014-09-23 07:01:34 UTC

via security and distros, 
embargoed until 24th September (Wednesday)

Betreff: Chemspill releases for NSS bug (Firefox/Thunderbird/everything)
Datum: Mon, 22 Sep 2014 11:30:08 -0700
Von: Daniel Veditz <dveditz@mozilla.com>
An: security-group <security-group@mozilla.org>

We are currently planning a chemspill release of Firefox and Thunderbird
to fix a critical NSS security problem. All downstream users of NSS will
also need to pick up the patches when they have landed.

The patches have not yet landed. I expect those to happen overnight at
the latest (tomorrow morning in Kai's CET), then build and test
tomorrow, with a release on Wednesday.

The patches are currently in bug 1064636 (based on a problem reported by
Antoine Delignat-Lavaud). Intel PSIRT reported the same issue
independently in bug 1069405. Both research teams have produced forged
certificates that work in Firefox.

The NSS team will land the patches in the nss repo and tag
  3.16.2.1           for Firefox 31-ESR and below
  3.16.5 (3.16.4.1?) for Firefox 32
  3.17.1             for 33 and higher

We will then need to build
 Firefox 32.0.3
 Firefox ESR 31.1.1
 Firefox ESR 24.8.1
 Thunderbird 31.1.1

We will need to make these patches available to our Firefox OS partners.
 1.3/1.4 should use NSS 3.16.2.1
 2.0 should use NSS 3.16.5
 2.1 should use NSS 3.17.1

Google will also be releasing Chrome on Wednesday.

Tor Browser Bundle will want these patches ASAP

Linux distros will need to push system-nss updates.

Comment 3 Marcus Meissner 2014-09-23 08:49:12 UTC

needs LTSS updates too.

Comment 7 Marcus Meissner 2014-09-24 19:35:54 UTC

https://www.mozilla.org/security/announce/2014/mfsa2014-73.html

MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates.

The Advanced Threat Research team at Intel Security also independently discovered and reported this issue.

Comment 8 Bernhard Wiedemann 2014-09-24 20:01:13 UTC

This is an autogenerated message for OBS integration:
This bug (897890) was mentioned in
https://build.opensuse.org/request/show/251989 Factory / mozilla-nss

Comment 9 Marcus Meissner 2014-09-25 14:11:27 UTC

http://www.kb.cert.org/vuls/id/772676  is the CERT VU for this

Comment 11 Swamp Workflow Management 2014-09-26 22:04:26 UTC

SUSE-SU-2014:1220-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    mozilla-nss-3.16.5-0.7.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    mozilla-nss-3.16.5-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    mozilla-nss-3.16.5-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    mozilla-nss-3.16.5-0.7.1

Comment 12 Swamp Workflow Management 2014-09-28 10:04:26 UTC

openSUSE-SU-2014:1224-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
openSUSE Evergreen 11.4 (src):    mozilla-nss-3.16.5-98.1

Comment 13 Swamp Workflow Management 2014-09-28 10:07:12 UTC

openSUSE-SU-2014:1232-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
openSUSE 13.1 (src):    mozilla-nss-3.16.5-39.1
openSUSE 12.3 (src):    mozilla-nss-3.16.5-1.55.1

Comment 14 Marcus Meissner 2014-09-29 09:51:01 UTC

https://www.imperialviolet.org/2014/09/26/pkcs1.html

Comment 15 Marcus Meissner 2014-10-01 07:27:47 UTC

released

Comment 16 Swamp Workflow Management 2014-10-01 15:05:01 UTC

SUSE-SU-2014:1220-4: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    mozilla-nss-3.16.5-0.5.1

Comment 17 Bernhard Wiedemann 2014-10-14 18:00:22 UTC

This is an autogenerated message for OBS integration:
This bug (897890) was mentioned in
https://build.opensuse.org/request/show/256315 13.1 / mozilla-nss
https://build.opensuse.org/request/show/256316 12.3 / mozilla-nss

Comment 18 Swamp Workflow Management 2014-11-02 12:05:35 UTC

openSUSE-SU-2014:1344-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 894370,896624,897890,900941,901213
CVE References: CVE-2014-1554,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1580,CVE-2014-1581,CVE-2014-1582,CVE-2014-1583,CVE-2014-1584,CVE-2014-1585,CVE-2014-1586
Sources used:
openSUSE 12.3 (src):    MozillaFirefox-33.0-1.90.1, mozilla-nspr-4.10.7-1.34.1, mozilla-nss-3.17.1-1.59.1, seamonkey-2.30-1.61.1

Comment 19 Swamp Workflow Management 2014-11-02 12:06:35 UTC

openSUSE-SU-2014:1345-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 894370,896624,897890,900941,901213
CVE References: CVE-2014-1554,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1580,CVE-2014-1581,CVE-2014-1582,CVE-2014-1583,CVE-2014-1584,CVE-2014-1585,CVE-2014-1586
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-33.0-46.2, mozilla-nspr-4.10.7-16.1, mozilla-nss-3.17.1-43.1, seamonkey-2.30-36.2

Comment 20 Swamp Workflow Management 2014-11-27 09:05:03 UTC

SUSE-SU-2014:1510-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 897890,900941
CVE References: CVE-2014-1568,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1581,CVE-2014-1583,CVE-2014-1585,CVE-2014-1586
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    MozillaFirefox-31.2.0esr-6.4, mozilla-nss-3.17.2-8.2
SUSE Linux Enterprise Server 12 (src):    MozillaFirefox-31.2.0esr-6.4, MozillaFirefox-branding-SLE-31-4.1, mozilla-nss-3.17.2-8.2
SUSE Linux Enterprise Desktop 12 (src):    MozillaFirefox-31.2.0esr-6.4, MozillaFirefox-branding-SLE-31-4.1, mozilla-nss-3.17.2-8.2