Arch Linux Security Advisory 201409-1 ===================================== Severity: High Date : 2014-09-24 CVE-ID : CVE-2014-1568 Package : nss Type : Signature forgery attack Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE-2014 Summary ======= The package nss before version 3.17.1-1 is vulnerable to a signature forgery attack. Resolution ========== Upgrade to 3.17.1-1. The problem has been fixed upstream in version 3.17.1. Description =========== Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates. The Advanced Threat Research team at Intel Security also independently discovered and reported this issue. Impact ====== This vulnerability may allow an attacker to forge false RSA certificates, considered valid by applications, like Firefox or Thunderbird, that rely on NSS to valid certificates. This could for example be used to conduct Man-In-The-Middle attack. References ========== http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1568 https://www.mozilla.org/security/announce/2014/mfsa2014-73.html