[ GLSA 200610-06 ] Mozilla Network Security Service (NSS): RSA signature forgery

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ GLSA 200610-06 ] Mozilla Network Security Service (NSS): RSA signature forgery

Subject: [ GLSA 200610-06 ] Mozilla Network Security Service (NSS): RSA signature forgery
Date: Tue, 17 Oct 2006 20:29:06 +0200
From: Raphael Marichez <suppressed>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200610-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Network Security Service (NSS): RSA signature
            forgery
      Date: October 17, 2006
      Bugs: #148283
        ID: 200610-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

NSS fails to properly validate PKCS #1 v1.5 signatures.

Background
==========

The Mozilla Network Security Service is a library implementing security
features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
S/MIME and X.509 certificates.

Affected packages
=================

    -------------------------------------------------------------------
     Package       /  Vulnerable  /                         Unaffected
    -------------------------------------------------------------------
  1  dev-libs/nss      < 3.11.3                              >= 3.11.3

Description
===========

Daniel Bleichenbacher discovered that it might be possible to forge
signatures signed by RSA keys with the exponent of 3. This affects a
number of RSA signature implementations, including Mozilla's NSS.

Impact
======

Since several Certificate Authorities (CAs) are using an exponent of 3
it might be possible for an attacker to create a key with a false CA
signature. This impacts any software using the NSS library, like the
Mozilla products Firefox, Thunderbird and Seamonkey.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All NSS users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.11.3"

Note: As usual after updating a library, you should run
'revdep-rebuild' (from the app-portage/gentoolkit package) to ensure
that all applications linked to it are properly rebuilt.

References
==========

  [ 1 ] CVE-2006-4339
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
  [ 2 ] CVE-2006-4340
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4340

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200610-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
suppressed or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachment: pgpTPNk01VwSy.pgp
Description: PGP signature

Prev by Date: [ GLSA 200610-05 ] CAPI4Hylafax fax receiver: Execution of arbitrary code
Next by Date: phpAdsNew include bug!
Previous by thread: [ GLSA 200610-05 ] CAPI4Hylafax fax receiver: Execution of arbitrary code
Next by thread: phpAdsNew include bug!
Index(es):
- Date
- Thread

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.