Security Information / 2014 / Security Information -- DSA-3033-1 nss

Debian Security Advisory

DSA-3033-1 nss -- security update

Date Reported:

25 Sep 2014

Affected Packages:

nss

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-1568.

More information:

Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS (the Mozilla Network Security Service library) was parsing ASN.1 data used in signatures, making it vulnerable to a signature forgery attack.

An attacker could craft ASN.1 data to forge RSA certificates with a valid certification chain to a trusted CA.

For the stable distribution (wheezy), this problem has been fixed in version 2:3.14.5-1+deb7u2.

For the testing distribution (jessie), this problem has been fixed in version 2:3.17.1.

For the unstable distribution (sid), this problem has been fixed in version 2:3.17.1.

We recommend that you upgrade your nss packages.