blob: fdaf5eee6f21e16dce2ab91166db08908317317f [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200610-06">
<title>Mozilla Network Security Service (NSS): RSA signature forgery</title>
NSS fails to properly validate PKCS #1 v1.5 signatures.
<product type="ebuild">nss</product>
<announced>October 17, 2006</announced>
<revised>October 17, 2006: 01</revised>
<package name="dev-libs/nss" auto="yes" arch="*">
<unaffected range="ge">3.11.3</unaffected>
<vulnerable range="lt">3.11.3</vulnerable>
The Mozilla Network Security Service is a library implementing security
features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
S/MIME and X.509 certificates.
Daniel Bleichenbacher discovered that it might be possible to forge
signatures signed by RSA keys with the exponent of 3. This affects a
number of RSA signature implementations, including Mozilla's NSS.
<impact type="normal">
Since several Certificate Authorities (CAs) are using an exponent of 3
it might be possible for an attacker to create a key with a false CA
signature. This impacts any software using the NSS library, like the
Mozilla products Firefox, Thunderbird and Seamonkey.
There is no known workaround at this time.
All NSS users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=dev-libs/nss-3.11.3&quot;</code>
Note: As usual after updating a library, you should run
'revdep-rebuild' (from the app-portage/gentoolkit package) to ensure
that all applications linked to it are properly rebuilt.
<uri link="">CVE-2006-4339</uri>
<uri link="">CVE-2006-4340</uri>
<metadata tag="requester" timestamp="Mon, 25 Sep 2006 12:57:17 +0000">
<metadata tag="bugReady" timestamp="Tue, 03 Oct 2006 18:27:05 +0000">
<metadata tag="submitter" timestamp="Sun, 08 Oct 2006 19:45:16 +0000">