Upstream has updated certdata.txt as of 2013-11-11:
https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt

I've updated it in SVN, but not requested a freeze push yet.

I went looking for this because I noticed that omdv had updated their rootcerts package:
https://abf.rosalinux.ru/openmandriva/rootcerts/commits/master

Their version tag is actually incorrect, as the certdata.txt that they uploaded is the 2013-04-11 version that we already have.

Besides updating that, they've also added three other certs local to their package, cacert_class3.der (which appears to be related to the cacert.org.der that we already have), rootca_der.crt, and publicxca_der.crt. I don't know if we should add these, especially since we already have one request in bugzilla to remove the existing cacert.org one that we have.

Assigning to Oden for advice on how to proceed.
As you might expect, new nspr and nss releases were also released on November 11. I've checked them into SVN for Mageia 2, Mageia 3, and Cauldron. I'll request a push once we decide what to do with rootcerts.
Someone should bump rootcerts, NSPR (4.10.2) and NSS (3.15.3) for cauldron, in that order.

https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes

Bug 925100 - (CVE-2013-1741) Ensure a size is <= half of the maximum PRUint32 value
Bug 934016 - (CVE-2013-5605) Handle invalid handshake packets
Bug 910438 - (CVE-2013-5606) Return the correct result in CERT_VerifyCert on failure, if a verifyLog isn't used
rootcerts, nspr, and nss have all been uploaded for Cauldron.

Updated packages have also been uploaded for Mageia 2 and Mageia 3.

RedHat's bugzilla doesn't have any additional information on the nss CVEs, other than categorizing CVE-2013-5605 as critical severity.

We should also provide an update to Firefox bugfix release 24.1.1.

Are there any release notes out there for Firefox 24.1.1 BTW?

Assigning these packages (rootcerts, nspr, and nss) to QA for now.

Feel free to provide a better advisory than I have if you want :o)

Advisory:
========================

Updated nss packages fix security vulnerabilities:

This updates to the latest root certificate data from Mozilla, updates the nspr library to the latest version, and updates the nss library to the latest version which fixes multiple security issues (CVE-2013-1741, CVE-2013-5605, CVE-2013-5606).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes
========================

Updated packages in core/updates_testing:
========================
rootcerts-20131111.00-1.mga2
rootcerts-java-20131111.00-1.mga2
libnspr4-4.10.2-1.mga2
libnspr-devel-4.10.2-1.mga2
nss-3.15.3-1.mga2
nss-doc-3.15.3-1.mga2
libnss3-3.15.3-1.mga2
libnss-devel-3.15.3-1.mga2
libnss-static-devel-3.15.3-1.mga2
rootcerts-20131111.00-1.mga3
rootcerts-java-20131111.00-1.mga3
libnspr4-4.10.2-1.mga3
libnspr-devel-4.10.2-1.mga3
nss-3.15.3-1.mga3
nss-doc-3.15.3-1.mga3
libnss3-3.15.3-1.mga3
libnss-devel-3.15.3-1.mga3
libnss-static-devel-3.15.3-1.mga3

from SRPMS:
rootcerts-20131111.00-1.mga2.src.rpm
nspr-4.10.2-1.mga2.src.rpm
nss-3.15.3-1.mga2.src.rpm
rootcerts-20131111.00-1.mga3.src.rpm
nspr-4.10.2-1.mga3.src.rpm
nss-3.15.3-1.mga3.src.rpm
CC: (none) => oe
Version: Cauldron => 3
Assignee: oe => qa-bugs
Summary: rootcerts new certificate data available => rootcerts new certificate data available, nss new security issues fixed in 3.15.3
Whiteboard: (none) => MGA2TOO
Severity: normal => critical
Component: RPM Packages => Security
(In reply to David Walser from comment #3)
> We should also provide an update to Firefox bugfix release 24.1.1.
>
> Are there any release notes out there for Firefox 24.1.1 BTW?

So I found them:
https://www.mozilla.org/en-US/firefox/24.1.1/releasenotes/

So, it only fixes three things, two of which are updating nspr and nss (and rootcerts which is a part of nss technically). The other is a minor firefox-l10n issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=932310

I don't know if we *need* to provide an update for 24.1.1, but we can. Thoughts?

firefox and firefox-l10n are building in updates_testing if they're wanted.
People would likely question why they don't have the latest firefox. We should probably release an update.
Thanks for the feedback Claire. Since Firefox is the mechanism for testing these other packages anyway, we might as well.

Addendum to the advisory:
------------------------

The latest Firefox ESR version, which fixes an issue with translated strings not being used in some cases, is also being provided.

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=932310
https://www.mozilla.org/en-US/firefox/24.1.1/releasenotes/

from SRPMS:
firefox-24.1.1-1.mga2.src.rpm
firefox-l10n-24.1.1-1.mga2.src.rpm
firefox-24.1.1-1.mga3.src.rpm
firefox-l10n-24.1.1-1.mga3.src.rpm
There is an MFSA for this now, and the nspr 4.10.2 update actually fixes a security issue as well (CVE-2013-5607):
http://www.mozilla.org/security/announce/2013/mfsa2013-103.html

There was also another CVE for nss fixed (CVE-2013-2566).

Advisory:
========================

Updated nspr and nss packages fix security vulnerabilities:

Potentially exploitable buffer overflow in NSS before 3.15.3 that allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets (CVE-2013-5605).

The CERT_VerifyCert function in lib/certhigh/certvfy.c in NSS before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate (CVE-2013-5606).

Runaway memset due to an integer truncation in certificate parsing on 64-bit computers in NSS before 3.15.3 leading to a crash by attempting to write 4Gb of nulls (CVE-2013-1741).

Integer overflow in NSPR before 4.10.2 due to unsigned integer wrapping in PL_ArenaAllocate (CVE-2013-5607).

NSS lowered the priority of RC4 in cipher suite advertisement so that more secure ciphers instead of RC4 are likely to be chosen by the server, because of plaintext recovery attacks possible with RC4 (CVE-2013-2566).

This also updates to the latest root certificate data from Mozilla.

Additionally, the latest Firefox ESR version, which fixes an issue with translated strings not being used in some cases, is also being provided.

References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607 https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/_8AcygMEjSA https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes http://www.mozilla.org/security/announce/2013/mfsa2013-103.html https://bugzilla.mozilla.org/show_bug.cgi?id=932310 https://www.mozilla.org/en-US/firefox/24.1.1/releasenotes/ ======================== Updated packages in core/updates_testing: ======================== rootcerts-20131111.00-1.mga2 rootcerts-java-20131111.00-1.mga2 libnspr4-4.10.2-1.mga2 libnspr-devel-4.10.2-1.mga2 nss-3.15.3-1.mga2 nss-doc-3.15.3-1.mga2 libnss3-3.15.3-1.mga2 libnss-devel-3.15.3-1.mga2 libnss-static-devel-3.15.3-1.mga2 firefox-24.1.1-1.mga2 firefox-devel-24.1.1-1.mga2 firefox-af-24.1.1-1.mga2 firefox-ar-24.1.1-1.mga2 firefox-as-24.1.1-1.mga2 firefox-ast-24.1.1-1.mga2 firefox-be-24.1.1-1.mga2 firefox-bg-24.1.1-1.mga2 firefox-bn_IN-24.1.1-1.mga2 firefox-bn_BD-24.1.1-1.mga2 firefox-br-24.1.1-1.mga2 firefox-bs-24.1.1-1.mga2 firefox-ca-24.1.1-1.mga2 firefox-cs-24.1.1-1.mga2 firefox-csb-24.1.1-1.mga2 firefox-cy-24.1.1-1.mga2 firefox-da-24.1.1-1.mga2 firefox-de-24.1.1-1.mga2 firefox-el-24.1.1-1.mga2 firefox-en_GB-24.1.1-1.mga2 firefox-en_ZA-24.1.1-1.mga2 firefox-eo-24.1.1-1.mga2 firefox-es_AR-24.1.1-1.mga2 firefox-es_CL-24.1.1-1.mga2 firefox-es_ES-24.1.1-1.mga2 firefox-es_MX-24.1.1-1.mga2 firefox-et-24.1.1-1.mga2 firefox-eu-24.1.1-1.mga2 firefox-fa-24.1.1-1.mga2 firefox-ff-24.1.1-1.mga2 firefox-fi-24.1.1-1.mga2 firefox-fr-24.1.1-1.mga2 firefox-fy-24.1.1-1.mga2 firefox-ga_IE-24.1.1-1.mga2 firefox-gd-24.1.1-1.mga2 firefox-gl-24.1.1-1.mga2 firefox-gu_IN-24.1.1-1.mga2 firefox-he-24.1.1-1.mga2 firefox-hi-24.1.1-1.mga2 firefox-hr-24.1.1-1.mga2 
firefox-hu-24.1.1-1.mga2 firefox-hy-24.1.1-1.mga2 firefox-id-24.1.1-1.mga2 firefox-is-24.1.1-1.mga2 firefox-it-24.1.1-1.mga2 firefox-ja-24.1.1-1.mga2 firefox-kk-24.1.1-1.mga2 firefox-ko-24.1.1-1.mga2 firefox-km-24.1.1-1.mga2 firefox-kn-24.1.1-1.mga2 firefox-ku-24.1.1-1.mga2 firefox-lg-24.1.1-1.mga2 firefox-lij-24.1.1-1.mga2 firefox-lt-24.1.1-1.mga2 firefox-lv-24.1.1-1.mga2 firefox-mai-24.1.1-1.mga2 firefox-mk-24.1.1-1.mga2 firefox-ml-24.1.1-1.mga2 firefox-mr-24.1.1-1.mga2 firefox-nb_NO-24.1.1-1.mga2 firefox-nl-24.1.1-1.mga2 firefox-nn_NO-24.1.1-1.mga2 firefox-nso-24.1.1-1.mga2 firefox-or-24.1.1-1.mga2 firefox-pa_IN-24.1.1-1.mga2 firefox-pl-24.1.1-1.mga2 firefox-pt_BR-24.1.1-1.mga2 firefox-pt_PT-24.1.1-1.mga2 firefox-ro-24.1.1-1.mga2 firefox-ru-24.1.1-1.mga2 firefox-si-24.1.1-1.mga2 firefox-sk-24.1.1-1.mga2 firefox-sl-24.1.1-1.mga2 firefox-sq-24.1.1-1.mga2 firefox-sr-24.1.1-1.mga2 firefox-sv_SE-24.1.1-1.mga2 firefox-ta-24.1.1-1.mga2 firefox-ta_LK-24.1.1-1.mga2 firefox-te-24.1.1-1.mga2 firefox-th-24.1.1-1.mga2 firefox-tr-24.1.1-1.mga2 firefox-uk-24.1.1-1.mga2 firefox-vi-24.1.1-1.mga2 firefox-zh_CN-24.1.1-1.mga2 firefox-zh_TW-24.1.1-1.mga2 firefox-zu-24.1.1-1.mga2 rootcerts-20131111.00-1.mga3 rootcerts-java-20131111.00-1.mga3 libnspr4-4.10.2-1.mga3 libnspr-devel-4.10.2-1.mga3 nss-3.15.3-1.mga3 nss-doc-3.15.3-1.mga3 libnss3-3.15.3-1.mga3 libnss-devel-3.15.3-1.mga3 libnss-static-devel-3.15.3-1.mga3 firefox-24.1.1-1.mga3 firefox-devel-24.1.1-1.mga3 firefox-af-24.1.1-1.mga3 firefox-ar-24.1.1-1.mga3 firefox-as-24.1.1-1.mga3 firefox-ast-24.1.1-1.mga3 firefox-be-24.1.1-1.mga3 firefox-bg-24.1.1-1.mga3 firefox-bn_IN-24.1.1-1.mga3 firefox-bn_BD-24.1.1-1.mga3 firefox-br-24.1.1-1.mga3 firefox-bs-24.1.1-1.mga3 firefox-ca-24.1.1-1.mga3 firefox-cs-24.1.1-1.mga3 firefox-csb-24.1.1-1.mga3 firefox-cy-24.1.1-1.mga3 firefox-da-24.1.1-1.mga3 firefox-de-24.1.1-1.mga3 firefox-el-24.1.1-1.mga3 firefox-en_GB-24.1.1-1.mga3 firefox-en_ZA-24.1.1-1.mga3 firefox-eo-24.1.1-1.mga3 
firefox-es_AR-24.1.1-1.mga3 firefox-es_CL-24.1.1-1.mga3 firefox-es_ES-24.1.1-1.mga3 firefox-es_MX-24.1.1-1.mga3 firefox-et-24.1.1-1.mga3 firefox-eu-24.1.1-1.mga3 firefox-fa-24.1.1-1.mga3 firefox-ff-24.1.1-1.mga3 firefox-fi-24.1.1-1.mga3 firefox-fr-24.1.1-1.mga3 firefox-fy-24.1.1-1.mga3 firefox-ga_IE-24.1.1-1.mga3 firefox-gd-24.1.1-1.mga3 firefox-gl-24.1.1-1.mga3 firefox-gu_IN-24.1.1-1.mga3 firefox-he-24.1.1-1.mga3 firefox-hi-24.1.1-1.mga3 firefox-hr-24.1.1-1.mga3 firefox-hu-24.1.1-1.mga3 firefox-hy-24.1.1-1.mga3 firefox-id-24.1.1-1.mga3 firefox-is-24.1.1-1.mga3 firefox-it-24.1.1-1.mga3 firefox-ja-24.1.1-1.mga3 firefox-kk-24.1.1-1.mga3 firefox-ko-24.1.1-1.mga3 firefox-km-24.1.1-1.mga3 firefox-kn-24.1.1-1.mga3 firefox-ku-24.1.1-1.mga3 firefox-lg-24.1.1-1.mga3 firefox-lij-24.1.1-1.mga3 firefox-lt-24.1.1-1.mga3 firefox-lv-24.1.1-1.mga3 firefox-mai-24.1.1-1.mga3 firefox-mk-24.1.1-1.mga3 firefox-ml-24.1.1-1.mga3 firefox-mr-24.1.1-1.mga3 firefox-nb_NO-24.1.1-1.mga3 firefox-nl-24.1.1-1.mga3 firefox-nn_NO-24.1.1-1.mga3 firefox-nso-24.1.1-1.mga3 firefox-or-24.1.1-1.mga3 firefox-pa_IN-24.1.1-1.mga3 firefox-pl-24.1.1-1.mga3 firefox-pt_BR-24.1.1-1.mga3 firefox-pt_PT-24.1.1-1.mga3 firefox-ro-24.1.1-1.mga3 firefox-ru-24.1.1-1.mga3 firefox-si-24.1.1-1.mga3 firefox-sk-24.1.1-1.mga3 firefox-sl-24.1.1-1.mga3 firefox-sq-24.1.1-1.mga3 firefox-sr-24.1.1-1.mga3 firefox-sv_SE-24.1.1-1.mga3 firefox-ta-24.1.1-1.mga3 firefox-ta_LK-24.1.1-1.mga3 firefox-te-24.1.1-1.mga3 firefox-th-24.1.1-1.mga3 firefox-tr-24.1.1-1.mga3 firefox-uk-24.1.1-1.mga3 firefox-vi-24.1.1-1.mga3 firefox-zh_CN-24.1.1-1.mga3 firefox-zh_TW-24.1.1-1.mga3 firefox-zu-24.1.1-1.mga3 from SRPMS: rootcerts-20131111.00-1.mga2.src.rpm nspr-4.10.2-1.mga2.src.rpm nss-3.15.3-1.mga2.src.rpm firefox-24.1.1-1.mga2.src.rpm firefox-l10n-24.1.1-1.mga2.src.rpm rootcerts-20131111.00-1.mga3.src.rpm nspr-4.10.2-1.mga3.src.rpm nss-3.15.3-1.mga3.src.rpm firefox-24.1.1-1.mga3.src.rpm firefox-l10n-24.1.1-1.mga3.src.rpm
Mga2, 64 bits

Installed:
firefox 24.1.1 1.mga2 x86_64
firefox-es_CL 24.1.1 1.mga2 noarch
firefox-fr 24.1.1 1.mga2 noarch
firefox-nl 24.1.1 1.mga2 noarch
firefox-pt_BR 24.1.1 1.mga2 noarch
lib64nspr4 4.10.2 1.mga2 x86_64
lib64nss3 3.15.3 1.mga2 x86_64
firefox-en_GB 24.1.1 1.mga2 noarch
firefox-es_AR 24.1.1 1.mga2 noarch
firefox-it 24.1.1 1.mga2 noarch
firefox-el 24.1.1 1.mga2 noarch
firefox-en_ZA 24.1.1 1.mga2 noarch
firefox-es_MX 24.1.1 1.mga2 noarch
firefox-pt_PT 24.1.1 1.mga2 noarch
firefox-cs 24.1.1 1.mga2 noarch
firefox-de 24.1.1 1.mga2 noarch
firefox-es_ES 24.1.1 1.mga2 noarch
firefox-sl 24.1.1 1.mga2 noarch
firefox-tr 24.1.1 1.mga2 noarch
rootcerts 20131111.00 1.mga2 x86_64
nss 3.15.3 1.mga2 x86_64
rootcerts-java 20131111.00 1.mga2 x86_64

Browsing, including to secure pages, works fine. Youtube works ok, but Calenco's Javascript is a disaster for FF (as it already was in Mga 2 and 3, since Calenco's last upgrade, so that shouldn't stop this update)

Can't think of anything else to check
CC: (none) => marja11
Summary: rootcerts new certificate data available, nss new security issues fixed in 3.15.3 => firefox update & rootcerts new certificate data available, nss new security issues fixed in 3.15.3
Whiteboard: MGA2TOO => MGA2TOO has_procedure
For new users with FR locale, firefox opens https://www.mozilla.org/fr/firefox/24.1.1/firstrun/ which doesn't exist. Problem was present in previous firefox update too.
CC: (none) => stormi
Advisory uploaded. Please remove the 'advisory' whiteboard tag if anything changes.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory
Ubuntu has issued an advisory for this on November 18: http://www.ubuntu.com/usn/usn-2030-1/
URL: (none) => http://lwn.net/Vulnerabilities/574311/
http://www.mozilla.org/security/announce/2013/mfsa2013-103.html
FYI. For NSS this is the only change in firefox-17.0.11esr: --- firefox-17.0.10esr/security/nss/lib/ssl/ssl3con.c 2013-10-23 01:53:06.000000000 +0000 +++ firefox-17.0.11esr/security/nss/lib/ssl/ssl3con.c 2013-11-13 23:36:00.000000000 +0000 @@ -5,7 +5,7 @@ * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -/* $Id: ssl3con.c,v 1.201.2.1 2013/10/22 20:34:00 kaie%kuix.de Exp $ */ +/* $Id: ssl3con.c,v 1.201.2.1.2.1 2013/11/10 20:38:30 kaie%kuix.de Exp $ */ /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */ @@ -740,6 +740,11 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen, const unsigned char *input, int inputLen) { + if (inputLen > maxOutputLen) { + *outputLen = 0; /* Match PK11_CipherOp in setting outputLen */ + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + return SECFailure; + } *outputLen = inputLen; if (input != output) PORT_Memcpy(output, input, inputLen); Quite peculiar...
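Review bot: in the Null_Cipher hunk, the new guard `if (inputLen > maxOutputLen)` compares two signed `int` parameters, so a negative `inputLen` still passes it and reaches `PORT_Memcpy(output, input, inputLen)`, where the length would be converted to a very large unsigned size. Suggest rejecting `inputLen < 0` in the same condition so both the upper and lower bound are enforced before the copy. The error path itself looks right: `*outputLen` is zeroed and `SEC_ERROR_OUTPUT_LEN` is set before `SECFailure` is returned, and the check sits ahead of the `*outputLen = inputLen` assignment. A one-line comment on why the null cipher needs this bound would also help readers of the function.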
(In reply to Oden Eriksson from comment #13)
> FYI. For NSS this is the only change in firefox-17.0.11esr:

Yeah, IIRC 17.0.11esr was updated to 3.14.5 while all other products were updated to 3.15.3, and some of these security issues (if not all but one of them) only affected 3.15.
Adding mga2 64 ok from Marja's tests in comment 8
Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO has_procedure advisory mga2-64-ok
Testing complete mga2 32
Whiteboard: MGA2TOO has_procedure advisory mga2-64-ok => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok
Testing complete mga3 32 & 64

Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok => MGA2TOO has_procedure advisory mga2-32-ok mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0337.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED