User: Password:
Subscribe / Log in / New account

Debian alert DSA-2994-1 (nss)

From:  Raphael Geissert <>
Subject:  [SECURITY] [DSA 2994-1] nss security update
Date:  Thu, 31 Jul 2014 13:51:32 +0200
Message-ID:  <5105666.fXRtNcABSl@eee>

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2994-1 Raphael Geissert July 31, 2014 - ------------------------------------------------------------------------- Package : nss CVE ID : CVE-2013-1741 CVE-2013-5606 CVE-2014-1491 CVE-2014-1492 Several vulnerabilities have been discovered in nss, the Mozilla Network Security Service library: CVE-2013-1741 Runaway memset in certificate parsing on 64-bit computers leading to a crash by attempting to write 4Gb of nulls. CVE-2013-5606 Certificate validation with the verifylog mode did not return validation errors, but instead expected applications to determine the status by looking at the log. CVE-2014-1491 Ticket handling protection mechanisms bypass due to the lack of restriction of public values in Diffie-Hellman key exchanges. CVE-2014-1492 Incorrect IDNA domain name matching for wildcard certificates could allow specially-crafted invalid certificates to be considered as valid. For the stable distribution (wheezy), these problems have been fixed in version 2:3.14.5-1+deb7u1. For the testing distribution (jessie), and the unstable distribution (sid), these problems have been fixed in version 2:3.16-1. We recommend that you upgrade your nss packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: Mailing list: -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlPaLcQACgkQYy49rUbZzlryAwCfcT/wdXfIg3Qan7v49hkErZtP XU4AoIuaVrosMXowQjtqvD8LJqNZ9hd+ =rne3 -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to with a subject of "unsubscribe". Trouble? Contact Archive:

(Log in to post comments)

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds