Debian Security Advisory

DLA-154-1 nss -- LTS security update

Date Reported:
16 Feb 2015
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 773625.
In Mitre's CVE dictionary: CVE-2011-3389, CVE-2014-1569.
More information:

nss 3.12.8-1+squeeze11 fixes two security issues:

  • CVE-2011-3389

    SSL 3.0 and TLS 1.0 connections were vulnerable to some chosen plaintext attacks which allowed man-in-the middle attackers to obtain plaintext HTTP headers on an HTTPS session. This issue is known as the BEAST attack.

  • CVE-2014-1569

    Possible information leak with too-permissive ASN.1 DER decoding of length.

For Debian 6 Squeeze, these issues have been fixed in nss version 3.12.8-1+squeeze11