Bugzilla – Bug 637290
VUL-1: CVE-2010-3170: mozilla-nss: NSS allows wildcard matching for IPs in CNs
Last modified: 2016-04-15 14:07:51 UTC
Your friendly security team received the following report via oss-security. Please respond ASAP. The issue is public. NSS allows wildcard matching for IP addresses in X509 certificate Common Names. CVE-2010-3170
http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
http://bugs.gentoo.org/show_bug.cgi?id=335731
https://bugzilla.mozilla.org/show_bug.cgi?id=578697
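To illustrate the flaw the report describes, here is an added example (my own Python, not NSS code) of a certificate-name matcher that applies the corrected rule: a wildcard in a CN or dNSName may match one DNS label, but it never matches an IP address reference identifier, so a name such as "*.0.0.1" cannot be accepted for 127.0.0.1. Function names are my own; bracketed IPv6 literals are assumed to have been unbracketed by the caller.

```python
import ipaddress


def is_ip_literal(name):
    """True if `name` parses as an IPv4 or IPv6 address literal."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def cn_matches_host(cert_name, reference):
    """Match a certificate name (CN or dNSName) against the name the client connected to.

    Rules applied (matching the post-CVE-2010-3170 behaviour):
      * comparison is case-insensitive and ignores a trailing dot;
      * a name without '*' must match exactly (this is the only way an IP literal matches);
      * a wildcard is only valid as the whole left-most label ('*.example.com');
      * the wildcard matches exactly one non-empty label, never zero or several;
      * the wildcard needs at least two fixed labels behind it ('*.com' is rejected);
      * a wildcard never matches when either side is an IP address literal.
    """
    cert_name = cert_name.rstrip(".").lower()
    reference = reference.rstrip(".").lower()
    if "*" not in cert_name:
        return cert_name == reference
    # The vulnerable behaviour: treating '*.0.0.1' as a pattern over the dotted-quad of
    # an IP address. Wildcards are a DNS concept, so refuse them for IP references outright,
    # and also refuse certificate names that are really an IP with a label replaced.
    if is_ip_literal(reference) or is_ip_literal(cert_name.replace("*", "0")):
        return False
    if not cert_name.startswith("*.") or "*" in cert_name[2:]:
        return False
    cert_labels = cert_name.split(".")
    ref_labels = reference.split(".")
    if len(cert_labels) < 3 or len(cert_labels) != len(ref_labels):
        return False
    if not ref_labels[0]:
        return False
    return cert_labels[1:] == ref_labels[1:]


if __name__ == "__main__":
    # Constructed sample pairs; the first is the CVE-2010-3170 shape.
    for cert, host in [("*.0.0.1", "127.0.0.1"), ("*.example.com", "www.example.com"),
                       ("192.0.2.10", "192.0.2.10"), ("*.com", "example.com")]:
        print(f"{cert:16} vs {host:16} -> {cn_matches_host(cert, host)}")
```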
NSS 3.12.8 will contain the fix. AFAIK we are currently on 3.12.6 for all supported/maintained distributions? Patch against 3.12.6 is available upstream and could be used against the current package apparently.
Hmm, 11.1 still has 3.12.0 or is it just OBS' mbranch not doing the right thing? (and I cannot do SLE updates as always)
$ osc ls openSUSE:11.1:Update mozilla-nss|grep bz2
nss-3.12.6.tar.bz2
I'm a bit confused. The issue is public but this and mozilla's upstream bug are closed. I'm not sure if I can prepare updates in the public (=OBS) already?
Yes, you may use obs. I'll also open this bug. Mozilla seems to have the strange policy to not open bugs until firefox is released with a fix: http://marc.info/?l=oss-security&m=128355172325868&w=2
IMO we don't need to release a security update just for this issue. It's ok to include the fix in case something worse comes up.
NSS 3.12.8 final was released and is waiting for openSUSE:Factory approval. While later Firefox versions _might_ include that version upstream we are always using the system version. So if we ever need to release a fix for this we probably should go for 3.12.8 (or a newer version).
NSS 3.12.8 is now the minimal requirement for all upcoming Firefox security releases. (Firefox 3.6.11/3.5.x to be released in around two weeks). NSS 3.12.8 also has NSPR 4.8.6 as minimal requirement. So with the next round of Mozilla updates we have to update NSPR and NSS.
security-team, could you please confirm the needed update? And also I'm wondering if we can/should do NSPR and NSS updates before the next Firefox update or at the same time? (Technically I will submitreq NSPR and NSS soonish to 11.1-11.3)
Marcus? All I can say is that the wildcard cert bug here doesn't justify an update of its own.
I think we could already do an NSS, NSPR update at this time to decouple it from the next Firefox update round (especially if it is mandatory for them). This would also refresh the certificates? Any other cert* package we need to release?
(In reply to comment #11)
> this would also refresh the certificates? any other cert* package we need to
> release?
It has an updated CA list, yes. If the cert store should stay in sync with ca-certificates-mozilla this might need an update as well.
And I forgot the usual disclaimer. NSPR and NSS are supposed to be backwards API and ABI compatible. It's a design principle and everything else would be a blocker for their release. So risk should be _very_ low for version update.
submitrequests for mozilla-nspr and mozilla-nss are pending for 11.1, 11.2 and 11.3
The SWAMPID for this issue is 36165. This issue was rated as moderate. Please submit fixed packages until 2010-10-14. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Maintenance, this will be a minor version bump for mozilla-nss and -nspr, which will be required by future Mozilla Firefox. It should be binary compatible (previous updates always were). OK for updating for SLE too?
I'm OK with the version update, however I wonder if it wouldn't be better to combine it into the next FF update to reduce QA testing overhead?
according to comment #11 Marcus wanted to decouple it from FF
We can test it in parallel, but I would use separate patchinfos then.
What's the status here?
P5 -> P3 mass change
mozilla-nspr is easy to upgrade, mozilla-nss less so I am afraid, adjusting to the package split will be interesting.
Which package split is that? A package for 11.1 is already submitted based on the GA package split, which would fit SLES11. So is the issue the libfreebl3 split which wasn't there in SLES10?
Oh, I diffed against 11.3 instead of 11.1 ... 11.1 looks easier ,)
submitted sle11, and sle10sp3, wrote and submitted patchinfos to autobuild
Update released for: libfreebl3, libfreebl3-debuginfo, libsoftokn3, libsoftokn3-debuginfo, mozilla-nspr, mozilla-nspr-debuginfo, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nss, mozilla-nss-certs, mozilla-nss-certs-debuginfo, mozilla-nss-debuginfo, mozilla-nss-debugsource, mozilla-nss-devel, mozilla-nss-sysinit, mozilla-nss-sysinit-debuginfo, mozilla-nss-tools, mozilla-nss-tools-debuginfo
Products: openSUSE 11.1 (debug, i586, ppc, ppc64, x86_64), openSUSE 11.2 (debug, i586, x86_64), openSUSE 11.3 (debug, i586, x86_64)
Released openSUSE packages to allow other openSUSE releases already. SLES* still in QA.
Update released for: mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-64bit, mozilla-nspr-debuginfo, mozilla-nspr-devel, mozilla-nspr-x86, mozilla-nss, mozilla-nss-32bit, mozilla-nss-64bit, mozilla-nss-debuginfo, mozilla-nss-devel, mozilla-nss-tools, mozilla-nss-x86
Products: SLE-DESKTOP 10-SP3 (i386, x86_64), SLE-SAP-APL 10-SP3 (x86_64), SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64), SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
Update released for: libfreebl3, libfreebl3-32bit, libfreebl3-x86, mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-debuginfo-32bit, mozilla-nspr-debuginfo-x86, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nspr-x86, mozilla-nss, mozilla-nss-32bit, mozilla-nss-debuginfo, mozilla-nss-debuginfo-32bit, mozilla-nss-debuginfo-x86, mozilla-nss-debugsource, mozilla-nss-devel, mozilla-nss-tools, mozilla-nss-x86
Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11-SP1 (i386, x86_64), SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP1 (i386, x86_64)
Update released for: libfreebl3, libfreebl3-32bit, libfreebl3-x86, mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-debuginfo-32bit, mozilla-nspr-debuginfo-x86, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nspr-x86, mozilla-nss, mozilla-nss-32bit, mozilla-nss-debuginfo, mozilla-nss-debuginfo-32bit, mozilla-nss-debuginfo-x86, mozilla-nss-debugsource, mozilla-nss-devel, mozilla-nss-tools, mozilla-nss-x86
Products: SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64), SLE-DESKTOP 11 (i386, x86_64), SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64), SLE-SERVER 11 (i386, ia64, ppc64, s390x, x86_64)
Update released for: libfreebl3, mozilla-nspr, mozilla-nspr-debuginfo, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nss, mozilla-nss-debuginfo, mozilla-nss-debugsource, mozilla-nss-devel, mozilla-nss-tools
Products: SUSE-MOBLIN 2.1 (i386), SUSE-MOBLIN 2.1-DEBUG (i386)
Update released for: libfreebl3, mozilla-nspr, mozilla-nspr-debuginfo, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nss, mozilla-nss-debuginfo, mozilla-nss-debugsource, mozilla-nss-devel, mozilla-nss-tools
Products: SUSE-MOBLIN 2.0 (i386), SUSE-MOBLIN 2.0-DEBUG (i386)
This is an autogenerated message for OBS integration: This bug (637290) was mentioned in
https://build.opensuse.org/request/show/49507 11.1 / mozilla-nspr
https://build.opensuse.org/request/show/49508 11.2:Test / mozilla-nspr
https://build.opensuse.org/request/show/49509 11.3:Test / mozilla-nspr
https://build.opensuse.org/request/show/49515 11.3:Test / mozilla-nss
https://build.opensuse.org/request/show/49516 11.2:Test / mozilla-nss
https://build.opensuse.org/request/show/49517 11.1 / mozilla-nss