Security Information / 2013 / Security Information -- DSA-2599-1 nss

Debian Security Advisory

DSA-2599-1 nss -- mis-issued intermediates

Date Reported:

06 Jan 2013

Affected Packages:

nss

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2013-0743.

More information:

Google, Inc. discovered that the TurkTrust certification authority included in the Network Security Service libraries (nss) mis-issued two intermediate CAs which could be used to generate rogue end-entity certificates. This update explicitly distrusts those two intermediate CAs. The two existing TurkTrust root CAs remain active.

For the stable distribution (squeeze), this problem has been fixed in version 3.12.8-1+squeeze6.

For the testing distribution (wheezy), this problem has been fixed in version 2:3.13.6-2.

For the unstable distribution (sid), this problem has been fixed in version 2:3.14.1.with.ckbi.1.93-1.

We recommend that you upgrade your nss packages.