Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2014-1492

Published: 25 March 2014

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Notes

AuthorNote
jdstrand
Thunderbird 24.5 has nss 3.15.4

Priority

Medium

Status

Package Release Status
chromium-browser
Launchpad, Ubuntu, Debian
lucid Not vulnerable
(uses system nss)
precise Not vulnerable
(uses system nss)
quantal Not vulnerable
(uses system nss)
saucy Not vulnerable
(uses system nss)
trusty Does not exist
(trusty was not-affected [uses system nss])
upstream Needs triage

firefox
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise
Released (29.0+build1-0ubuntu0.12.04.2)
quantal
Released (29.0+build1-0ubuntu0.12.10.3)
saucy
Released (29.0+build1-0ubuntu0.13.10.3)
trusty Does not exist
(trusty was released [29.0+build1-0ubuntu0.14.04.2])
upstream
Released (29.0)
nss
Launchpad, Ubuntu, Debian
lucid
Released (3.15.4-0ubuntu0.10.04.2)
precise
Released (3.15.4-0ubuntu0.12.04.2)
quantal
Released (3.15.4-0ubuntu0.12.10.2)
saucy
Released (2:3.15.4-0ubuntu0.13.10.2)
trusty
Released (2:3.15.4-1ubuntu7)
upstream
Released (3.16)
Patches:
upstream: https://hg.mozilla.org/projects/nss/rev/15ea62260c21
upstream: https://hg.mozilla.org/projects/nss/rev/2ffa40a3ff55
upstream: https://hg.mozilla.org/projects/nss/rev/709d4e597979
oxide-qt
Launchpad, Ubuntu, Debian
lucid Does not exist

precise Does not exist

quantal Does not exist

saucy Does not exist

trusty Does not exist
(trusty was not-affected [uses system nss])
upstream Needs triage

thunderbird
Launchpad, Ubuntu, Debian
lucid Ignored
(reached end-of-life)
precise Not vulnerable

quantal Ignored
(reached end-of-life)
saucy Ignored
(reached end-of-life)
trusty Does not exist
(trusty was not-affected)
upstream Needs triage