CVE-2014-1492
Published: 25 March 2014
The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
Notes
| Author | Note |
|---|---|
| jdstrand | Thunderbird 24.5 has nss 3.15.4 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
chromium-browser Launchpad, Ubuntu, Debian |
lucid |
Not vulnerable
(uses system nss)
|
| precise |
Not vulnerable
(uses system nss)
|
|
| quantal |
Not vulnerable
(uses system nss)
|
|
| saucy |
Not vulnerable
(uses system nss)
|
|
| trusty |
Does not exist
(trusty was not-affected [uses system nss])
|
|
| upstream |
Needs triage
|
|
|
firefox Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
| precise |
Released
(29.0+build1-0ubuntu0.12.04.2)
|
|
| quantal |
Released
(29.0+build1-0ubuntu0.12.10.3)
|
|
| saucy |
Released
(29.0+build1-0ubuntu0.13.10.3)
|
|
| trusty |
Released
(29.0+build1-0ubuntu0.14.04.2)
|
|
| upstream |
Released
(29.0)
|
|
|
nss Launchpad, Ubuntu, Debian |
lucid |
Released
(3.15.4-0ubuntu0.10.04.2)
|
| precise |
Released
(3.15.4-0ubuntu0.12.04.2)
|
|
| quantal |
Released
(3.15.4-0ubuntu0.12.10.2)
|
|
| saucy |
Released
(2:3.15.4-0ubuntu0.13.10.2)
|
|
| trusty |
Released
(2:3.15.4-1ubuntu7)
|
|
| upstream |
Released
(3.16)
|
|
|
Patches: upstream: https://hg.mozilla.org/projects/nss/rev/15ea62260c21 upstream: https://hg.mozilla.org/projects/nss/rev/2ffa40a3ff55 upstream: https://hg.mozilla.org/projects/nss/rev/709d4e597979 |
||
|
oxide-qt Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| saucy |
Does not exist
|
|
| trusty |
Does not exist
(trusty was not-affected [uses system nss])
|
|
| upstream |
Needs triage
|
|
|
thunderbird Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
| precise |
Not vulnerable
|
|
| quantal |
Ignored
(end of life)
|
|
| saucy |
Ignored
(end of life)
|
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| upstream |
Needs triage
|
|
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1492
- https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
- https://ubuntu.com/security/notices/USN-2159-1
- http://www.mozilla.org/security/announce/2014/mfsa2014-45.html
- https://ubuntu.com/security/notices/USN-2185-1
- NVD
- Launchpad
- Debian