ALT-PU-2014-1209-1

Обновление пакета nss в ветке sisyphus

Версия3.15.4-alt1

Задание#113811

Опубликовано2014-02-19

Макс. серьёзностьCRITICAL

Серьёзность:

Закрытые проблемы (3)

MEDIUM5.8

The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.

Опубликовано: 2014-01-18Изменено: 2026-04-29

CVSS 2.0СРЕДНЯЯ 5.8

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N

Ссылки

CRITICAL9.3

Race condition in libssl in Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors involving a resumption handshake that triggers incorrect replacement of a session ticket.

Опубликовано: 2014-02-06Изменено: 2026-04-29

CVSS 2.0КРИТИЧЕСКАЯ 9.3

CVSS:2.0/AV:N/AC:M/Au:N/C:C/I:C/A:C

Ссылки

MEDIUM4.3

Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does not properly restrict public values in Diffie-Hellman key exchanges, which makes it easier for remote attackers to bypass cryptographic protection mechanisms in ticket handling by leveraging use of a certain value.

Опубликовано: 2014-02-06Изменено: 2026-04-29

CVSS 2.0СРЕДНЯЯ 4.3

CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N

Ссылки