
[DLA 23-1] nss security update



Package        : nss
Version        : 3.12.8-1+squeeze8
CVE ID         : CVE-2013-1741 CVE-2013-5606 CVE-2014-1491 CVE-2014-1492

CVE-2013-1741

    Runaway memset in certificate parsing on 64-bit computers leading to
    a crash by attempting to write 4Gb of nulls.

CVE-2013-5606

    Certificate validation with the verifylog mode did not return
    validation errors, but instead expected applications to determine
    the status by looking at the log.

CVE-2014-1491

    Bypass of ticket handling protection mechanisms due to the lack of
    restriction of public values in Diffie-Hellman key exchanges.

CVE-2014-1492

    Incorrect IDNA domain name matching for wildcard certificates could
    allow specially-crafted invalid certificates to be considered as
    valid.
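
For CVE-2014-1491, the sketch below is an added example, not code from NSS or from this advisory. It shows the kind of restriction on a peer's Diffie-Hellman public value that prevents a predictable shared secret. The toy group (P, Q, G), the function names and the choice to reject 0, 1 and p-1 (plus an optional subgroup test, which goes beyond what the advisory states) are assumptions.

```python
# Added example. Toy parameters constructed for illustration only;
# real groups use a modulus of 2048 bits or more.
P = 23          # safe prime: P = 2*Q + 1
Q = 11          # prime order of the subgroup generated by G
G = 2           # 2**11 % 23 == 1, so G has order Q


def check_dh_public(y, p, q=None):
    """Raise ValueError unless y is an acceptable peer public value mod p."""
    # 0, 1 and p-1 (and anything outside 0..p-1) are degenerate: the
    # result of y**x mod p no longer depends on the private exponent x.
    if not 1 < y < p - 1:
        raise ValueError("DH public value outside 2..p-2")
    # Optional stricter test when the subgroup order q is known.
    if q is not None and pow(y, q, p) != 1:
        raise ValueError("DH public value not in the order-q subgroup")


def unchecked_shared(peer_public, private, p=P):
    """'Before' behaviour: the peer's value is used without restriction."""
    return pow(peer_public, private, p)


def derive_shared(peer_public, private, p=P, q=Q):
    """'After' behaviour: validate first, then compute the shared secret."""
    check_dh_public(peer_public, p, q)
    return pow(peer_public, private, p)


def degenerate_outcomes(p=P):
    """Shared secrets an unchecked exchange can produce for y in {0, 1, p-1},
    taken over every private exponent in 2..p-2."""
    return {
        y: sorted({unchecked_shared(y, x, p) for x in range(2, p - 1)})
        for y in (0, 1, p - 1)
    }


if __name__ == "__main__":
    # Without the check the "secret" is one of at most two known values.
    print(degenerate_outcomes())
    # An honest exchange still works with the check in place.
    a, b = 6, 9
    A, B = pow(G, a, P), pow(G, b, P)
    print(derive_shared(B, a) == derive_shared(A, b))
```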
