Red Hat Security Advisory 2014-1246-01 - Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. A flaw was found in the way TLS False Start was implemented in NSS. An attacker could use this flaw to potentially return unencrypted information from the server. A race condition was found in the way NSS implemented session ticket handling as specified by RFC 5077. An attacker could use this flaw to crash an application using NSS or, in rare cases, execute arbitrary code with the privileges of the user running that application.
25f1fdc017f9a95d3cee062e33da2f40130debeb3d3442262cac02c0f768b952Red Hat Security Advisory 2014-0917-01 - Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Netscape Portable Runtime provides platform independence for non-GUI operating system facilities. A race condition was found in the way NSS verified certain certificates. A remote attacker could use this flaw to crash an application using NSS or, possibly, execute arbitrary code with the privileges of the user running that application. A flaw was found in the way TLS False Start was implemented in NSS. An attacker could use this flaw to potentially return unencrypted information from the server.
1fbbded1e323cfe2bc56f39ece91381947f983d3521f4f1a05904aa80a6a7550Slackware Security Advisory - New mozilla-nss packages are available for Slackware 14.0, 14.1, and -current to fix a security issue.
985394a529eb8e2dc205f756adfa22da2611ace7eea571d769bc2a3506915047Ubuntu Security Notice 2088-1 - Brian Smith discovered that NSS incorrectly handled the TLS False Start feature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to spoof SSL servers.
a0185fb2945b52f58676814f7c2d5a0d59a2bdc2468d9bf7fdbf55f2e85626b7Mandriva Linux Security Advisory 2014-012 - The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic. The updated packages have been upgraded to the 3.15.4 version which is not vulnerable to this issue.
b89f1b4a4e243ae1667aaeb1c78d43bed14afd1547721ce92ea804fd904255b6
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed