Bug 12342

Summary: nss new security issue CVE-2013-1740
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb, wrw105
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/581549/
Whiteboard: advisory mga3-64-OK mga3-32-ok
Source RPM: nss-3.15.3.1-1.mga4.src.rpm CVE: CVE-2013-1740
Status comment:

Description David Walser 2014-01-17 18:56:28 CET 
Upstream has released nss 3.15.4 on January 9, fixing a security issue:
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-17 18:57:14 CET

Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-01-17 19:08:27 CET 
Committed in SVN for Mageia 3 and Cauldron and freeze push requested for Cauldron.
Comment 2 David Walser 2014-01-18 22:11:09 CET 
Updated packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated nss packages fix security vulnerability:

When false start is enabled, libssl will sometimes return unencrypted,
unauthenticated data from PR_Recv (CVE-2013-1740).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1740
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes
========================

Updated packages in core/updates_testing:
========================
nss-3.15.4-1.mga3
nss-doc-3.15.4-1.mga3
libnss3-3.15.4-1.mga3
libnss-devel-3.15.4-1.mga3
libnss-static-devel-3.15.4-1.mga3

from nss-3.15.4-1.mga3.src.rpm

Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 3 Bill Wilkinson 2014-01-19 03:58:03 CET 
mga3-64 installs normally.  No specific PoC, so apparently OK.

CC: (none) => wrw105
Whiteboard: (none) => mga3-64-OK

Comment 4 Bill Wilkinson 2014-01-19 04:32:53 CET 
Same for mga3-32.

Advisory needs to be uploaded to SVN prior to validation.

Whiteboard: mga3-64-OK => mga3-64-OK mga3-32-ok

Comment 5 claire robinson 2014-01-20 09:17:01 CET 
Advisory uploaded. Validating.

Could sysadmin please push from 3 core/updates_testing to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: mga3-64-OK mga3-32-ok => advisory mga3-64-OK mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 6 David Walser 2014-01-21 13:51:37 CET 
If I may be permitted to update the advisory, Oden's advisory text for the Mandriva advisory is more descriptive than what I got from upstream.

Advisory:
========================

Updated nss packages fix security vulnerability:

The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla
Network Security Services (NSS) before 3.15.4, when the TLS False
Start feature is enabled, allows man-in-the-middle attackers to spoof
SSL servers by using an arbitrary X.509 certificate during certain
handshake traffic (CVE-2013-1740).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1740
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:012/
Comment 7 claire robinson 2014-01-21 15:01:50 CET 
Advisory updated.
Comment 8 Thomas Backlund 2014-01-21 17:47:48 CET 

Update pushed:
http://advisories.mageia.org/MGASA-2014-0024.html

Status: NEW => RESOLVED
CC: (none) => tmb
CVE: (none) => CVE-2013-1740
Resolution: (none) => FIXED

David Walser 2014-01-21 20:47:05 CET

URL: (none) => http://lwn.net/Vulnerabilities/581549/

Comment 9 David Walser 2014-02-04 23:27:49 CET 
Mozilla has issued an advisory with 2 more CVEs it says were fixed in 3.15.4:
http://www.mozilla.org/security/announce/2014/mfsa2014-12.html

They are CVE-2014-1490 and CVE-2014-1491.
Comment 10 David Walser 2014-02-07 17:12:49 CET 
LWN reference for the CVEs in MFSA2014-12:
http://lwn.net/Vulnerabilities/584753/