Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2014-1492

Published: 25 March 2014

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Notes

AuthorNote
jdstrand 
Thunderbird 24.5 has nss 3.15.4

Priority

Medium

Status

Package Release Status
chromium-browser
Launchpad, Ubuntu, Debian 		lucid Not vulnerable
(uses system nss)
precise Not vulnerable
(uses system nss)
quantal Not vulnerable
(uses system nss)
saucy Not vulnerable
(uses system nss)
trusty Does not exist
(trusty was not-affected [uses system nss])
upstream Needs triage

firefox
Launchpad, Ubuntu, Debian 		lucid Ignored
(reached end-of-life)
precise
Released (29.0+build1-0ubuntu0.12.04.2)
quantal
Released (29.0+build1-0ubuntu0.12.10.3)
saucy
Released (29.0+build1-0ubuntu0.13.10.3)
trusty Does not exist
(trusty was released [29.0+build1-0ubuntu0.14.04.2])
upstream
Released (29.0)
nss
Launchpad, Ubuntu, Debian 		lucid
Released (3.15.4-0ubuntu0.10.04.2)
precise
Released (3.15.4-0ubuntu0.12.04.2)
quantal
Released (3.15.4-0ubuntu0.12.10.2)
saucy
Released (2:3.15.4-0ubuntu0.13.10.2)
trusty
Released (2:3.15.4-1ubuntu7)
upstream
Released (3.16)
Patches:
upstream: https://hg.mozilla.org/projects/nss/rev/15ea62260c21
upstream: https://hg.mozilla.org/projects/nss/rev/2ffa40a3ff55
upstream: https://hg.mozilla.org/projects/nss/rev/709d4e597979
oxide-qt
Launchpad, Ubuntu, Debian 		lucid Does not exist

precise Does not exist

quantal Does not exist

saucy Does not exist

trusty Does not exist
(trusty was not-affected [uses system nss])
upstream Needs triage

thunderbird
Launchpad, Ubuntu, Debian 		lucid Ignored
(reached end-of-life)
precise Not vulnerable

quantal Ignored
(reached end-of-life)
saucy Ignored
(reached end-of-life)
trusty Does not exist
(trusty was not-affected)
upstream Needs triage

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading