Joined: 12 May 2004
|Posted: Tue Oct 17, 2006 10:26 pm Post subject: [ GLSA 200610-06 ] Mozilla Network Security Service (NSS): R
|Gentoo Linux Security Advisory
Title: Mozilla Network Security Service (NSS): RSA signature forgery (GLSA 200610-06)
Date: October 17, 2006
NSS fails to properly validate PKCS #1 v1.5 signatures.
The Mozilla Network Security Service is a library implementing security
features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
S/MIME and X.509 certificates.
Vulnerable: < 3.11.3
Unaffected: >= 3.11.3
Architectures: All supported architectures
Daniel Bleichenbacher discovered that it might be possible to forge
signatures signed by RSA keys with the exponent of 3. This affects a
number of RSA signature implementations, including Mozilla's NSS.
Since several Certificate Authorities (CAs) are using an exponent of 3
it might be possible for an attacker to create a key with a false CA
signature. This impacts any software using the NSS library, like the
Mozilla products Firefox, Thunderbird and Seamonkey.
There is no known workaround at this time.
All NSS users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/nss-3.11.3"
Note: As usual after updating a library, you should run
'revdep-rebuild' (from the app-portage/gentoolkit package) to ensure
that all applications linked to it are properly rebuilt.
Last edited by GLSA on Sun Sep 13, 2009 4:17 am; edited 2 times in total