Bugzilla – Bug 897890
VUL-0: CVE-2014-1568: mozilla-nss: certificate forgery possible
Last modified: 2015-02-19 06:48:47 UTC
via security and distros, embargoed until 24th September (Wednesday)

Subject: Chemspill releases for NSS bug (Firefox/Thunderbird/everything)
Date: Mon, 22 Sep 2014 11:30:08 -0700
From: Daniel Veditz <dveditz@mozilla.com>
To: security-group <security-group@mozilla.org>

We are currently planning a chemspill release of Firefox and Thunderbird to fix a critical NSS security problem. All downstream users of NSS will also need to pick up the patches when they have landed.

The patches have not yet landed. I expect those to happen overnight at the latest (tomorrow morning in Kai's CET), then build and test tomorrow, with a release on Wednesday.

The patches are currently in bug 1064636 (based on a problem reported by Antoine Delignat-Lavaud). Intel PSIRT reported the same issue independently in bug 1069405. Both research teams have produced forged certificates that work in Firefox.

The NSS team will land the patches in the nss repo and tag
3.16.2.1 for Firefox 31-ESR and below
3.16.5 (3.16.4.1?) for Firefox 32
3.17.1 for 33 and higher

We will then need to build
Firefox 32.0.3
Firefox ESR 31.1.1
Firefox ESR 24.8.1
Thunderbird 31.1.1

We will need to make these patches available to our Firefox OS partners.
1.3/1.4 should use NSS 3.16.2.1
2.0 should use NSS 3.16.5
2.1 should use NSS 3.17.1

Google will also be releasing Chrome on Wednesday.
Tor Browser Bundle will want these patches ASAP
Linux distros will need to push system-nss updates.
needs LTSS updates too.
https://www.mozilla.org/security/announce/2014/mfsa2014-73.html MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The Advanced Threat Research team at Intel Security also independently discovered and reported this issue.
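The advisory's point, that a verifier which parses the DigestInfo leniently can accept an encoded message a strict verifier rejects, as an added example that is not part of this bug report or of NSS: a parse-then-check verifier that ignores bytes after the DigestInfo, beside the RFC 3447 construct-and-compare form, run on a constructed EMSA-PKCS1-v1_5 encoding for SHA-256. The function names and sample message are assumptions; no RSA operation is involved, only the encoded-message check.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 3447, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, with T = DigestInfo(SHA-256(message))."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def lenient_verify(em: bytes, message: bytes) -> bool:
    """Illustrative (hypothetical) verifier of the kind the advisory warns about:
    it finds the DigestInfo after the padding and checks the digest inside it,
    but never checks that the DigestInfo accounts for every remaining byte."""
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 0:
        return False
    expected_t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    return em[sep + 1:sep + 1 + len(expected_t)] == expected_t  # trailing bytes ignored

def strict_verify(em: bytes, message: bytes) -> bool:
    """Hardened form (RFC 3447, section 8.2.2, step 4): rebuild the single valid
    EM and compare the whole thing, so no padding or ASN.1 slack is tolerated."""
    try:
        expected = emsa_pkcs1_v15_encode(message, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)

def demo() -> dict:
    msg = b"constructed sample message"          # constructed sample input
    good = emsa_pkcs1_v15_encode(msg, 256)       # 2048-bit modulus size
    # Constructed malformed EM: minimal padding, DigestInfo placed early,
    # zero-filled slack after it. A correct verifier must reject this.
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    bad = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    bad += b"\x00" * (256 - len(bad))
    return {
        "lenient_good": lenient_verify(good, msg),
        "lenient_bad": lenient_verify(bad, msg),   # accepted: the defect
        "strict_good": strict_verify(good, msg),
        "strict_bad": strict_verify(bad, msg),     # rejected
    }
```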
This is an autogenerated message for OBS integration: This bug (897890) was mentioned in https://build.opensuse.org/request/show/251989 Factory / mozilla-nss
http://www.kb.cert.org/vuls/id/772676 is the CERT VU for this
SUSE-SU-2014:1220-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): mozilla-nss-3.16.5-0.7.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): mozilla-nss-3.16.5-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src): mozilla-nss-3.16.5-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src): mozilla-nss-3.16.5-0.7.1
openSUSE-SU-2014:1224-1: An update that fixes one vulnerability is now available.
Category: security (critical)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
openSUSE Evergreen 11.4 (src): mozilla-nss-3.16.5-98.1
openSUSE-SU-2014:1232-1: An update that fixes one vulnerability is now available.
Category: security (critical)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
openSUSE 13.1 (src): mozilla-nss-3.16.5-39.1
openSUSE 12.3 (src): mozilla-nss-3.16.5-1.55.1
https://www.imperialviolet.org/2014/09/26/pkcs1.html
released
SUSE-SU-2014:1220-4: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src): mozilla-nss-3.16.5-0.5.1
This is an autogenerated message for OBS integration: This bug (897890) was mentioned in
https://build.opensuse.org/request/show/256315 13.1 / mozilla-nss
https://build.opensuse.org/request/show/256316 12.3 / mozilla-nss
openSUSE-SU-2014:1344-1: An update that fixes 13 vulnerabilities is now available.
Category: security (moderate)
Bug References: 894370,896624,897890,900941,901213
CVE References: CVE-2014-1554,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1580,CVE-2014-1581,CVE-2014-1582,CVE-2014-1583,CVE-2014-1584,CVE-2014-1585,CVE-2014-1586
Sources used:
openSUSE 12.3 (src): MozillaFirefox-33.0-1.90.1, mozilla-nspr-4.10.7-1.34.1, mozilla-nss-3.17.1-1.59.1, seamonkey-2.30-1.61.1
openSUSE-SU-2014:1345-1: An update that fixes 13 vulnerabilities is now available.
Category: security (moderate)
Bug References: 894370,896624,897890,900941,901213
CVE References: CVE-2014-1554,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1580,CVE-2014-1581,CVE-2014-1582,CVE-2014-1583,CVE-2014-1584,CVE-2014-1585,CVE-2014-1586
Sources used:
openSUSE 13.1 (src): MozillaFirefox-33.0-46.2, mozilla-nspr-4.10.7-16.1, mozilla-nss-3.17.1-43.1, seamonkey-2.30-36.2
SUSE-SU-2014:1510-1: An update that fixes 10 vulnerabilities is now available.
Category: security (moderate)
Bug References: 897890,900941
CVE References: CVE-2014-1568,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1581,CVE-2014-1583,CVE-2014-1585,CVE-2014-1586
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): MozillaFirefox-31.2.0esr-6.4, mozilla-nss-3.17.2-8.2
SUSE Linux Enterprise Server 12 (src): MozillaFirefox-31.2.0esr-6.4, MozillaFirefox-branding-SLE-31-4.1, mozilla-nss-3.17.2-8.2
SUSE Linux Enterprise Desktop 12 (src): MozillaFirefox-31.2.0esr-6.4, MozillaFirefox-branding-SLE-31-4.1, mozilla-nss-3.17.2-8.2