Bug 897890 - (CVE-2014-1568) VUL-0: CVE-2014-1568: mozilla-nss: certificate forgery possible
(CVE-2014-1568)
VUL-0: CVE-2014-1568: mozilla-nss: certificate forgery possible
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P5 - None : Major
: ---
Assigned To: Petr Cerny
Security Team bot
maint:released:sle11-sp3:59085 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-09-23 07:01 UTC by Marcus Meissner
Modified: 2015-02-19 06:48 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
MFSA2014-73 draft (3.25 KB, text/html)
2014-09-24 06:23 UTC, Wolfgang Rosenauer
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2014-09-23 07:01:34 UTC
via security and distros, 
embargoed until 24th September (Wednesday)

Betreff: Chemspill releases for NSS bug (Firefox/Thunderbird/everything)
Datum: Mon, 22 Sep 2014 11:30:08 -0700
Von: Daniel Veditz <dveditz@mozilla.com>
An: security-group <security-group@mozilla.org>

We are currently planning a chemspill release of Firefox and Thunderbird
to fix a critical NSS security problem. All downstream users of NSS will
also need to pick up the patches when they have landed.

The patches have not yet landed. I expect those to happen overnight at
the latest (tomorrow morning in Kai's CET), then build and test
tomorrow, with a release on Wednesday.

The patches are currently in bug 1064636 (based on a problem reported by
Antoine Delignat-Lavaud). Intel PSIRT reported the same issue
independently in bug 1069405. Both research teams have produced forged
certificates that work in Firefox.

The NSS team will land the patches in the nss repo and tag
  3.16.2.1           for Firefox 31-ESR and below
  3.16.5 (3.16.4.1?) for Firefox 32
  3.17.1             for 33 and higher

We will then need to build
 Firefox 32.0.3
 Firefox ESR 31.1.1
 Firefox ESR 24.8.1
 Thunderbird 31.1.1

We will need to make these patches available to our Firefox OS partners.
 1.3/1.4 should use NSS 3.16.2.1
 2.0 should use NSS 3.16.5
 2.1 should use NSS 3.17.1

Google will also be releasing Chrome on Wednesday.

Tor Browser Bundle will want these patches ASAP

Linux distros will need to push system-nss updates.
Comment 3 Marcus Meissner 2014-09-23 08:49:12 UTC
needs LTSS updates too.
Comment 7 Marcus Meissner 2014-09-24 19:35:54 UTC
https://www.mozilla.org/security/announce/2014/mfsa2014-73.html

MFSA 2014-73 / CVE-2014-1568: Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates.

The Advanced Threat Research team at Intel Security also independently discovered and reported this issue.
Comment 8 Bernhard Wiedemann 2014-09-24 20:01:13 UTC
This is an autogenerated message for OBS integration:
This bug (897890) was mentioned in
https://build.opensuse.org/request/show/251989 Factory / mozilla-nss
Comment 9 Marcus Meissner 2014-09-25 14:11:27 UTC
http://www.kb.cert.org/vuls/id/772676  is the CERT VU for this
Comment 11 Swamp Workflow Management 2014-09-26 22:04:26 UTC
SUSE-SU-2014:1220-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    mozilla-nss-3.16.5-0.7.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    mozilla-nss-3.16.5-0.7.1
SUSE Linux Enterprise Server 11 SP3 (src):    mozilla-nss-3.16.5-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    mozilla-nss-3.16.5-0.7.1
Comment 12 Swamp Workflow Management 2014-09-28 10:04:26 UTC
openSUSE-SU-2014:1224-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
openSUSE Evergreen 11.4 (src):    mozilla-nss-3.16.5-98.1
Comment 13 Swamp Workflow Management 2014-09-28 10:07:12 UTC
openSUSE-SU-2014:1232-1: An update that fixes one vulnerability is now available.

Category: security (critical)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
openSUSE 13.1 (src):    mozilla-nss-3.16.5-39.1
openSUSE 12.3 (src):    mozilla-nss-3.16.5-1.55.1
Comment 14 Marcus Meissner 2014-09-29 09:51:01 UTC
https://www.imperialviolet.org/2014/09/26/pkcs1.html
Comment 15 Marcus Meissner 2014-10-01 07:27:47 UTC
released
Comment 16 Swamp Workflow Management 2014-10-01 15:05:01 UTC
SUSE-SU-2014:1220-4: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 897890
CVE References: CVE-2014-1568
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    mozilla-nss-3.16.5-0.5.1
Comment 17 Bernhard Wiedemann 2014-10-14 18:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (897890) was mentioned in
https://build.opensuse.org/request/show/256315 13.1 / mozilla-nss
https://build.opensuse.org/request/show/256316 12.3 / mozilla-nss
Comment 18 Swamp Workflow Management 2014-11-02 12:05:35 UTC
openSUSE-SU-2014:1344-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 894370,896624,897890,900941,901213
CVE References: CVE-2014-1554,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1580,CVE-2014-1581,CVE-2014-1582,CVE-2014-1583,CVE-2014-1584,CVE-2014-1585,CVE-2014-1586
Sources used:
openSUSE 12.3 (src):    MozillaFirefox-33.0-1.90.1, mozilla-nspr-4.10.7-1.34.1, mozilla-nss-3.17.1-1.59.1, seamonkey-2.30-1.61.1
Comment 19 Swamp Workflow Management 2014-11-02 12:06:35 UTC
openSUSE-SU-2014:1345-1: An update that fixes 13 vulnerabilities is now available.

Category: security (moderate)
Bug References: 894370,896624,897890,900941,901213
CVE References: CVE-2014-1554,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1580,CVE-2014-1581,CVE-2014-1582,CVE-2014-1583,CVE-2014-1584,CVE-2014-1585,CVE-2014-1586
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-33.0-46.2, mozilla-nspr-4.10.7-16.1, mozilla-nss-3.17.1-43.1, seamonkey-2.30-36.2
Comment 20 Swamp Workflow Management 2014-11-27 09:05:03 UTC
SUSE-SU-2014:1510-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 897890,900941
CVE References: CVE-2014-1568,CVE-2014-1574,CVE-2014-1575,CVE-2014-1576,CVE-2014-1577,CVE-2014-1578,CVE-2014-1581,CVE-2014-1583,CVE-2014-1585,CVE-2014-1586
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    MozillaFirefox-31.2.0esr-6.4, mozilla-nss-3.17.2-8.2
SUSE Linux Enterprise Server 12 (src):    MozillaFirefox-31.2.0esr-6.4, MozillaFirefox-branding-SLE-31-4.1, mozilla-nss-3.17.2-8.2
SUSE Linux Enterprise Desktop 12 (src):    MozillaFirefox-31.2.0esr-6.4, MozillaFirefox-branding-SLE-31-4.1, mozilla-nss-3.17.2-8.2