CVE-2014-1492

Published: 25 March 2014

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
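The class of check this entry concerns, as an added example (not the NSS code or its patch): a certificate name whose wildcard sits inside an internationalized label is refused before any matching, following the RFC 6125 section 6.4.3 guidance on wildcards in A-labels and U-labels. The function names are hypothetical, and treating any non-ASCII byte as marking a U-label is a simplifying assumption.

```c
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* An IDN label is an A-label ("xn--" prefix) or a U-label (non-ASCII bytes). */
static int label_is_idn(const char *s, size_t n)
{
    size_t i;
    if (n >= 4 && strncasecmp(s, "xn--", 4) == 0)
        return 1;
    for (i = 0; i < n; i++)
        if ((unsigned char)s[i] >= 0x80)
            return 1;
    return 0;
}

/* 1 if the wildcard use in cert_name is acceptable, 0 if it must be rejected. */
int wildcard_name_acceptable(const char *cert_name)
{
    const char *dot = strchr(cert_name, '.');
    const char *star = strchr(cert_name, '*');

    if (star == NULL)
        return 1;                      /* no wildcard at all */
    if (dot == NULL || star > dot)
        return 0;                      /* wildcard outside the leftmost label */
    if (strchr(star + 1, '*') != NULL)
        return 0;                      /* more than one wildcard */
    if (label_is_idn(cert_name, (size_t)(dot - cert_name)))
        return 0;                      /* wildcard embedded in an IDN label */
    return 1;
}

/* 1 if host matches cert_name under the rules above, else 0. */
int host_matches(const char *cert_name, const char *host)
{
    const char *star = strchr(cert_name, '*');
    size_t pre, suf, hlen = strlen(host);

    if (!wildcard_name_acceptable(cert_name))
        return 0;
    if (star == NULL)
        return strcasecmp(cert_name, host) == 0;
    pre = (size_t)(star - cert_name);  /* literal bytes before '*' */
    suf = strlen(star + 1);            /* literal bytes after '*' */
    if (hlen <= pre + suf)             /* '*' must cover at least one byte */
        return 0;
    return strncasecmp(cert_name, host, pre) == 0 &&
           strcasecmp(star + 1, host + hlen - suf) == 0 &&
           memchr(host + pre, '.', hlen - suf - pre) == NULL; /* stays in one label */
}
```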

Priority

Medium

Status

Package Release Status
chromium-browser
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [uses system nss])
firefox
Launchpad, Ubuntu, Debian
Upstream
Released (29.0)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [29.0+build1-0ubuntu0.14.04.2])
nss
Launchpad, Ubuntu, Debian
Upstream
Released (3.16)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2:3.15.4-1ubuntu7)
Patches:
Upstream: https://hg.mozilla.org/projects/nss/rev/15ea62260c21
Upstream: https://hg.mozilla.org/projects/nss/rev/2ffa40a3ff55
Upstream: https://hg.mozilla.org/projects/nss/rev/709d4e597979
oxide-qt
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [uses system nss])
thunderbird
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected)