Upstream has released nss 3.15.4 on January 9, fixing a security issue: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Committed in SVN for Mageia 3 and Cauldron and freeze push requested for Cauldron.
Updated packages uploaded for Mageia 3 and Cauldron. Advisory: ======================== Updated nss packages fix security vulnerability: When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1740 https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes ======================== Updated packages in core/updates_testing: ======================== nss-3.15.4-1.mga3 nss-doc-3.15.4-1.mga3 libnss3-3.15.4-1.mga3 libnss-devel-3.15.4-1.mga3 libnss-static-devel-3.15.4-1.mga3 from nss-3.15.4-1.mga3.src.rpm
Version: Cauldron => 3Assignee: bugsquad => qa-bugsWhiteboard: MGA3TOO => (none)
mga3-64 installs normally. No specific PoC, so apparently OK.
CC: (none) => wrw105Whiteboard: (none) => mga3-64-OK
Same for mga3-32. Advisory needs to be uploaded to SVN prior to validation.
Whiteboard: mga3-64-OK => mga3-64-OK mga3-32-ok
Advisory uploaded. Validating. Could sysadmin please push from 3 core/updates_testing to updates Thanks
Keywords: (none) => validated_updateWhiteboard: mga3-64-OK mga3-32-ok => advisory mga3-64-OK mga3-32-okCC: (none) => sysadmin-bugs
If I may be permitted to update the advisory, Oden's advisory text for the Mandriva advisory is more descriptive than what I got from upstream. Advisory: ======================== Updated nss packages fix security vulnerability: The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic (CVE-2013-1740). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1740 https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2014:012/
Advisory updated.
Update pushed: http://advisories.mageia.org/MGASA-2014-0024.html
Status: NEW => RESOLVEDCC: (none) => tmbCVE: (none) => CVE-2013-1740Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/581549/
Mozilla has issued an advisory with 2 more CVEs it says were fixed in 3.15.4: http://www.mozilla.org/security/announce/2014/mfsa2014-12.html They are CVE-2014-1490 and CVE-2014-1491.
LWN reference for the CVEs in MFSA2014-12: http://lwn.net/Vulnerabilities/584753/