nss: signature forgery [LWN.net]

Package(s):

iceweasel

CVE #(s):

CVE-2014-1568

Created:

September 25, 2014

Updated:

October 13, 2014

Description:

From the Debian advisory:

Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library, embedded in Wheezy's Iceweasel package), was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack. An attacker could craft ASN.1 data to forge RSA certificates with a valid certification chain to a trusted CA.

Alerts:

Gentoo	201504-01	firefox	2015-04-07
Mandriva	MDVSA-2015:059	nss	2015-03-13
Oracle	ELSA-2014-1948	nss	2014-12-02
Red Hat	RHSA-2014:1371-01	nss	2014-10-10
SUSE	SUSE-SU-2014:1220-4	mozilla-nss	2014-10-01
SUSE	SUSE-SU-2014:1220-3	mozilla-nss	2014-09-30
CentOS	CESA-2014:1307	nss	2014-09-30
SUSE	SUSE-SU-2014:1220-2	mozilla-nss	2014-09-29
openSUSE	openSUSE-SU-2014:1224-1	NSS	2014-09-28
openSUSE	openSUSE-SU-2014:1232-1	mozilla-nss	2014-09-28
SUSE	SUSE-SU-2014:1220-1	mozilla-nss	2014-09-27
Mageia	MGASA-2014-0391	nss	2014-09-26
Oracle	ELSA-2014-1307	nss	2014-09-26
Oracle	ELSA-2014-1307	nss	2014-09-26
Oracle	ELSA-2014-1307	nss	2014-09-26
Debian	DSA-3037-1	icedove	2014-09-26
CentOS	CESA-2014:1307	nss	2014-09-26
Scientific Linux	SLSA-2014:1307-1	nss	2014-09-26
Red Hat	RHSA-2014:1307-01	nss	2014-09-26
Fedora	FEDORA-2014-11518	nss-util	2014-09-26
Fedora	FEDORA-2014-11518	nss-softokn	2014-09-26
Fedora	FEDORA-2014-11518	nss	2014-09-26
CentOS	CESA-2014:1307	nss	2014-09-26
Ubuntu	USN-2360-2	thunderbird	2014-09-24
Ubuntu	USN-2361-1	nss	2014-09-24
Ubuntu	USN-2360-1	firefox	2014-09-24
Slackware	SSA:2014-267-02	mozilla	2014-09-24
Mandriva	MDVSA-2014:189	nss	2014-09-25
Debian	DSA-3033-1	nss	2014-09-25
Debian	DSA-3034-1	iceweasel	2014-09-25
Fedora	FEDORA-2014-11565	nss-util	2014-10-11
Fedora	FEDORA-2014-11565	nss-softokn	2014-10-11
Fedora	FEDORA-2014-11565	nss	2014-10-11