Summary
Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library:
CVE-2013-1741
Runaway memset in certificate parsing on 64-bit computers leading to a crash by attempting to write 4Gb of nulls.
CVE-2013-5606
Certificate validation with the verifylog mode did not return validation errors, but instead expected applications to determine the status by looking at the log.
CVE-2014-1491
Ticket handling protection mechanisms bypass due to the lack of restriction of public values in Diffie-Hellman key exchanges.
CVE-2014-1492
Incorrect IDNA domain name matching for wildcard certificates could allow specially-crafted invalid certificates to be considered as valid.
Solution
For the stable distribution (wheezy), these problems have been fixed in version 2:3.14.5-1+deb7u1.
For the testing distribution (jessie), and the unstable distribution (sid), these problems have been fixed in version 2:3.16-1.
We recommend that you upgrade your nss packages.
Insight
nss is a set of libraries designed to support cross-platform development of security-enabled client and server applications.
Affected
nss on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2013-1741, CVE-2013-5606, CVE-2014-1491, CVE-2014-1492 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities