GLSA
Advocate
Joined: 12 May 2004
Posts: 2663
|
 Posted: Tue Oct 17, 2006 10:26 pm Post subject: [ GLSA 200610-06 ] Mozilla Network Security Service (NSS): R |
 |
|
Gentoo Linux Security Advisory
Title: Mozilla Network Security Service (NSS): RSA signature forgery (GLSA 200610-06)
Severity: normal
Exploitable: remote
Date: October 17, 2006
Bug(s): #148283
ID: 200610-06
Synopsis
NSS fails to properly validate PKCS #1 v1.5 signatures.
Background
The Mozilla Network Security Service is a library implementing security
features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
S/MIME and X.509 certificates.
Affected Packages
Package: dev-libs/nss
Vulnerable: < 3.11.3
Unaffected: >= 3.11.3
Architectures: All supported architectures
Description
Daniel Bleichenbacher discovered that it might be possible to forge
signatures signed by RSA keys with the exponent of 3. This affects a
number of RSA signature implementations, including Mozilla's NSS.
Impact
Since several Certificate Authorities (CAs) are using an exponent of 3
it might be possible for an attacker to create a key with a false CA
signature. This impacts any software using the NSS library, like the
Mozilla products Firefox, Thunderbird and Seamonkey.
Workaround
There is no known workaround at this time.
Resolution
All NSS users should upgrade to the latest version:
| Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nss-3.11.3" |
Note: As usual after updating a library, you should run
'revdep-rebuild' (from the app-portage/gentoolkit package) to ensure
that all applications linked to it are properly rebuilt.
References
CVE-2006-4339
CVE-2006-4340
Last edited by GLSA on Sun Sep 13, 2009 4:17 am; edited 2 times in total |
|
News & Announcements
