Debian Bug report logs -
#773625
nss: CVE-2014-1569 information leak
Reported by: Michael Gilbert <mgilbert@debian.org>
Date: Sun, 21 Dec 2014 03:51:02 UTC
Severity: serious
Tags: patch
Found in version nss/3.12.8-1
Fixed in versions nss/3.12.8-1+squeeze11, nss/2:3.17.2-1.1, nss/2:3.14.5-1+deb7u4
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#773625; Package src:nss.
(Sun, 21 Dec 2014 03:51:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Michael Gilbert <mgilbert@debian.org>:
New Bug report received and forwarded. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Sun, 21 Dec 2014 03:51:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
package: src:nss
version: 3.12.8-1
severity: serious
tag: security
An information leak issue was disclosed for nss, fixed in 3.17.3:
https://security-tracker.debian.org/tracker/CVE-2014-1569
Best wishes,
Mike
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#773625; Package src:nss.
(Mon, 22 Dec 2014 13:51:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Matt Kraai <kraai@ftbfs.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Mon, 22 Dec 2014 13:51:04 GMT) (full text, mbox, link).
Message #10 received at 773625@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 773625 + patch
Control: tags 773625 + pending
Hi,
I've prepared an NMU for nss (versioned as 2:3.17.2-1.1) and uploaded
it to DELAYED/5. Please feel free to tell me if I should cancel it or
delay it longer.
--
Matt
[nss-3.17.2-1.1-nmu.diff (text/x-diff, attachment)]
Added tag(s) patch.
Request was from Matt Kraai <kraai@ftbfs.org>
to 773625-submit@bugs.debian.org.
(Mon, 22 Dec 2014 13:51:04 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Matt Kraai <kraai@ftbfs.org>
to 773625-submit@bugs.debian.org.
(Mon, 22 Dec 2014 13:51:05 GMT) (full text, mbox, link).
Reply sent
to Matt Kraai <kraai@debian.org>:
You have taken responsibility.
(Sat, 27 Dec 2014 04:39:05 GMT) (full text, mbox, link).
Notification sent
to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer.
(Sat, 27 Dec 2014 04:39:05 GMT) (full text, mbox, link).
Message #19 received at 773625-close@bugs.debian.org (full text, mbox, reply):
Source: nss
Source-Version: 2:3.17.2-1.1
We believe that the bug you reported is fixed in the latest version of
nss, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 773625@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Matt Kraai <kraai@debian.org> (supplier of updated nss package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 21 Dec 2014 19:46:52 -0800
Source: nss
Binary: libnss3 libnss3-1d libnss3-tools libnss3-dev libnss3-dbg
Architecture: source amd64
Version: 2:3.17.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>
Changed-By: Matt Kraai <kraai@debian.org>
Description:
libnss3 - Network Security Service libraries
libnss3-1d - Network Security Service libraries - transitional package
libnss3-dbg - Debugging symbols for the Network Security Service libraries
libnss3-dev - Development files for the Network Security Service libraries
libnss3-tools - Network Security Service tools
Closes: 773625
Changes:
nss (2:3.17.2-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Fix CVE-2014-1569. Closes: #773625.
Checksums-Sha1:
730f504d036e1dc0e84c6dfdf5a7ad6e53e86592 2216 nss_3.17.2-1.1.dsc
e81f735d4338b97b2c1da9e66be3e8ede6cf84ee 27588 nss_3.17.2-1.1.debian.tar.xz
1e62930789922b5dee84876f092091a1731247d9 1130062 libnss3_3.17.2-1.1_amd64.deb
b4a59d348a86f7dc681bd54dc8e62b7042b5b28c 17798 libnss3-1d_3.17.2-1.1_amd64.deb
f2813e24e7fc2ffb95dffca8380a1a8e7b53e2bc 773462 libnss3-tools_3.17.2-1.1_amd64.deb
4bf7052c22ff1d9d34a31b2ddf5042b5d1ad928d 224388 libnss3-dev_3.17.2-1.1_amd64.deb
c07a45b12e712b7a95b3baa1ac54063bb8ddf4b7 8043638 libnss3-dbg_3.17.2-1.1_amd64.deb
Checksums-Sha256:
d2ec964f27a5c3cf99191be5dc3c66d01947cf266c8bbc8c58293e45326058a9 2216 nss_3.17.2-1.1.dsc
0704372c5cd690a46f059a082c689cf3ee6aa0b473e9661324b5fb2afd05a2d6 27588 nss_3.17.2-1.1.debian.tar.xz
b221509191c8eaa3e1f722c8b7e06525869facccc21337d5e4f885b91ae717fb 1130062 libnss3_3.17.2-1.1_amd64.deb
081bd70f1d6aaa5e715aad3e3aaaa2c50b7dfc355a500fb4a120c1dbdbfce7dd 17798 libnss3-1d_3.17.2-1.1_amd64.deb
8d6d34c62598ac6718c53f653854501d18008356124342ce86680a256b4606e4 773462 libnss3-tools_3.17.2-1.1_amd64.deb
7c8c45151407199c9319039c67e3a0cdeabc756765a81c7968193ab9e9ae716a 224388 libnss3-dev_3.17.2-1.1_amd64.deb
f95f66c4d8ad1c14700ee6482c170e144e75b7064cc8d49165a5d6ce66a2cb9e 8043638 libnss3-dbg_3.17.2-1.1_amd64.deb
Files:
c552f8ca5cb2be7e461f15e108b6a90a 2216 libs optional nss_3.17.2-1.1.dsc
d0b0f05dd91cb9a8decc98d900db1524 27588 libs optional nss_3.17.2-1.1.debian.tar.xz
4437b301d2cad5eb6d8f02b3b449789a 1130062 libs optional libnss3_3.17.2-1.1_amd64.deb
c7b99d3048ed4b08e1b2693ccfd9ea31 17798 oldlibs extra libnss3-1d_3.17.2-1.1_amd64.deb
b98544c8235993470695f52ec9a88c1c 773462 admin optional libnss3-tools_3.17.2-1.1_amd64.deb
4c192ef8c9453e7379137c36f40474ae 224388 libdevel optional libnss3-dev_3.17.2-1.1_amd64.deb
499bf104ed4c985846a31823286098cf 8043638 debug extra libnss3-dbg_3.17.2-1.1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJUl5i1AAoJEB6TENmtzmBl1hMQAI0TGNXRgdKE/PkH2e6AglLK
1zmwf84IdajKPxuYaPZynJ1QIi82+tmc6Rjxp94x+dlOsniK+2wXdYZV2d8+fYOe
oMLj21Ji7WaCEFy8kfuClp97euot/z9Ix2eK70dh/2p7IHZ19exSntNHnwjY96yy
zXin9Ih4sTV2J6+f4rww5EuyqEYjjHaz5oRIQm/q4eqXfjJtQuxGnzdx1GxvY9Dj
TIm56IIz3WxxTGMcS192OmNQ3eAbYD9IrZyyTsIlwgiCnIhxSEMCtNDxsnFMSEyb
aMgtaHP0lsV5OkLUDYlcl/uV34auw/Rwpvyehn4GoGWXn7GM3t87mhFq6jNF8o+K
W2Sg4BRtEG0yUGWwUYMGii5RitE1+QUgwE9PUh0H+K7tOmkRw8+zcZYp/b+U37kB
HfOca+b+SQ2sBPx9wciu2sYw0mRqS+dpDIfA3rNc1x0xeqW4SbwtEw5qjST8pK1L
l5XepcPSGIfvhnaBA8wrDCXRxAOXeCB0qfXb4einWf6Ps34TwvioMpYD/8M2Q7BS
nVAkVpYKtJWkcH3ozR8LfymOQogdP3oveiREa8sjyMR3UnXCnfnbQtSWy0oLjs3Y
GSyYMfeMNLst8V658U19lB///wiTWMU76bXTnQKXvQEx/U+ta9sGgpNAsnXe4REv
gUiJAX2d82bYNLoWWEUb
=ljOS
-----END PGP SIGNATURE-----
Reply sent
to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility.
(Mon, 16 Feb 2015 15:42:08 GMT) (full text, mbox, link).
Notification sent
to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer.
(Mon, 16 Feb 2015 15:42:08 GMT) (full text, mbox, link).
Message #24 received at 773625-close@bugs.debian.org (full text, mbox, reply):
Source: nss
Source-Version: 3.12.8-1+squeeze11
We believe that the bug you reported is fixed in the latest version of
nss, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 773625@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated nss package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 16 Feb 2015 14:49:54 +0100
Source: nss
Binary: libnss3-1d libnss3-tools libnss3-dev libnss3-1d-dbg
Architecture: source amd64
Version: 3.12.8-1+squeeze11
Distribution: squeeze-lts
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description:
libnss3-1d - Network Security Service libraries
libnss3-1d-dbg - Debugging symbols for the Network Security Service libraries
libnss3-dev - Development files for the Network Security Service libraries
libnss3-tools - Network Security Service tools
Closes: 773625
Changes:
nss (3.12.8-1+squeeze11) squeeze-lts; urgency=medium
.
* Non-maintainer upload by the Debian LTS team.
* Fix CVE-2011-3389 by backporting the upstream patch:
https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab
* Fix CVE-2014-1569 by backporting the upstream patch:
https://hg.mozilla.org/projects/nss/rev/a163e09dc4d5
Closes: #773625
Checksums-Sha1:
84415931f675020793b9ae8ce6a67288d501b925 1723 nss_3.12.8-1+squeeze11.dsc
f8920a00e2c24ca8c0c5e629324abcf3d17253d0 130249 nss_3.12.8-1+squeeze11.debian.tar.gz
889714beb9dc62992e358158c2bdacb28898a714 1119710 libnss3-1d_3.12.8-1+squeeze11_amd64.deb
b0aa028ff6432003a12a5febeeff5ca3797c1a69 449506 libnss3-tools_3.12.8-1+squeeze11_amd64.deb
3059fd5ce7979088c553aeebbfa01947010cbebb 271206 libnss3-dev_3.12.8-1+squeeze11_amd64.deb
a92896123a1d8f2c05c526cbf9641a9f4d7199fa 3276408 libnss3-1d-dbg_3.12.8-1+squeeze11_amd64.deb
Checksums-Sha256:
2e48201a04be617203a01e5f23ecc622c439ce226da79bc34c7ce022a69e1bc5 1723 nss_3.12.8-1+squeeze11.dsc
dc8e200c7aab08c459fb5b8fc1f174ad5018473a6a81c471d409fd502d2a1280 130249 nss_3.12.8-1+squeeze11.debian.tar.gz
29e391aab31e51a25bdd88917d77c6f57327ea711ef4a6dd29ebe639545cf697 1119710 libnss3-1d_3.12.8-1+squeeze11_amd64.deb
fdad9b9e128e4400f617055f3c09a5ee1e33ac044b33ee9358e17ecec6938e02 449506 libnss3-tools_3.12.8-1+squeeze11_amd64.deb
6cc7de56541c381b9b0b760f5b6609fd6154a5bd644e61a95ccc070f9a16396e 271206 libnss3-dev_3.12.8-1+squeeze11_amd64.deb
5601f7afc7de99ea68080eb2db806693748ecda6b0aaa2aae278ce654339f58c 3276408 libnss3-1d-dbg_3.12.8-1+squeeze11_amd64.deb
Files:
28f5ee47ce692dc54f53897e18f0125a 1723 libs optional nss_3.12.8-1+squeeze11.dsc
18b4c79097f2a8504ca686bd9b7047b6 130249 libs optional nss_3.12.8-1+squeeze11.debian.tar.gz
108edebab11738cca4d7ea7193a75acb 1119710 libs optional libnss3-1d_3.12.8-1+squeeze11_amd64.deb
2ab095a4d9eab9c02abedc54996b1c87 449506 admin optional libnss3-tools_3.12.8-1+squeeze11_amd64.deb
45445ca987ba335504769399ac7476ed 271206 libdevel optional libnss3-dev_3.12.8-1+squeeze11_amd64.deb
3eb0bbe2f4cb8a2d29c250ff29b9e900 3276408 debug extra libnss3-1d-dbg_3.12.8-1+squeeze11_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Signed by Raphael Hertzog
iQEcBAEBCAAGBQJU4gTYAAoJEAOIHavrwpq5xN0H/jwmrsXYyeb3ImT7bQlo3/l1
cEi/uovfKGAisqTTt0j6cjV/2cJ996DRCMXDXRvb2Cq5ICr0HVKibwp8xIJzuCUG
kP16n1+eLha2HUc0SxQL2rIZEzgnsb3JEsEdAegJkjG2zkZvXmWrgA/ACUwnosed
FU37Vs/TzV6kZ9s8X8ZjJH07SXijxB4WmdYW1i3OUujj8nRV9AhGOXl3TDWDq0Xe
v/aAAoKrU9YUne+6TIiMwfqtyJW0qv8C7t+6qxL19kicTTR51GK8qCgsgus3HPQE
xh6H2mjewBzvrY5LTLOE5Qft8pUp2r97QJVOsv4kh40eT34dpW4qunZpQAbttdI=
=uiv2
-----END PGP SIGNATURE-----
Marked as fixed in versions nss/2:3.14.5-1+deb7u4.
Request was from Samuel Bronson <naesten@gmail.com>
to control@bugs.debian.org.
(Fri, 13 Mar 2015 21:51:04 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Fri, 13 Mar 2015 22:06:09 GMT) (full text, mbox, link).
Notification sent
to Michael Gilbert <mgilbert@debian.org>:
Bug acknowledged by developer.
(Fri, 13 Mar 2015 22:06:09 GMT) (full text, mbox, link).
Message #31 received at 773625-close@bugs.debian.org (full text, mbox, reply):
Source: nss
Source-Version: 2:3.14.5-1+deb7u4
We believe that the bug you reported is fixed in the latest version of
nss, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 773625@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated nss package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 29 Dec 2014 16:11:33 +0100
Source: nss
Binary: libnss3 libnss3-1d libnss3-tools libnss3-dev libnss3-dbg
Architecture: source amd64
Version: 2:3.14.5-1+deb7u4
Distribution: wheezy-security
Urgency: high
Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
libnss3 - Network Security Service libraries
libnss3-1d - Network Security Service libraries - transitional package
libnss3-dbg - Debugging symbols for the Network Security Service libraries
libnss3-dev - Development files for the Network Security Service libraries
libnss3-tools - Network Security Service tools
Closes: 773625
Changes:
nss (2:3.14.5-1+deb7u4) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2014-1569.patch.
CVE-2014-1569: ASN.1 DER decoding of lengths is too permissive, allowing
undetected smuggling of arbitrary data. (Closes: #773625)
Checksums-Sha1:
058492a32be9525519b0c269a67ef561175cd4fc 2193 nss_3.14.5-1+deb7u4.dsc
d7a36ddaf8f28c0480f4ed4c59169d8718280713 50232 nss_3.14.5-1+deb7u4.debian.tar.gz
d22979be2e9833ec6f3845890dc64d4ac673365e 1062946 libnss3_3.14.5-1+deb7u4_amd64.deb
597b005d6733d146645d33526dea3452e6824532 20554 libnss3-1d_3.14.5-1+deb7u4_amd64.deb
310926c2438af5e9b7040e9d78fde5ec77bc5627 228978 libnss3-tools_3.14.5-1+deb7u4_amd64.deb
3e6062e5d301c564cb750f467741258b1235d141 220802 libnss3-dev_3.14.5-1+deb7u4_amd64.deb
02decb968e0885e841eb844cb6e1edd449b2b82b 4838814 libnss3-dbg_3.14.5-1+deb7u4_amd64.deb
Checksums-Sha256:
4b4df6fc32d41e43dfaa1b15c7f90a5942aed15c18fc3083fced1171709d5e43 2193 nss_3.14.5-1+deb7u4.dsc
c8e51b22d2ff59ef28333fa288f4c71fdb88fd420153a43e6d891dc22374278f 50232 nss_3.14.5-1+deb7u4.debian.tar.gz
e1068fe79a438fab600680d4c3a54f7ff72ee474b0fee6f9a44738e86ac52ba0 1062946 libnss3_3.14.5-1+deb7u4_amd64.deb
42c2bb237d87e41ac93e29d151f309a41668b9cd359c6faa296287b4aa30c832 20554 libnss3-1d_3.14.5-1+deb7u4_amd64.deb
be563917afb0123412f5f4696f9fec0b67b241e9f7b910f4685056d7c9d9f42f 228978 libnss3-tools_3.14.5-1+deb7u4_amd64.deb
53ce197259b0eb3d2c45286aa7a45f7560b4d824f43949315d553e5c6a445c3a 220802 libnss3-dev_3.14.5-1+deb7u4_amd64.deb
99fbe44b04a2e57577e140ee02ae4027528058f50f49f814d781ac521fff75e1 4838814 libnss3-dbg_3.14.5-1+deb7u4_amd64.deb
Files:
cb0dbf366ec3b02e86425e07d110228e 2193 libs optional nss_3.14.5-1+deb7u4.dsc
a001adf4942fcaf1c8b4ea1806b558e2 50232 libs optional nss_3.14.5-1+deb7u4.debian.tar.gz
30adefff037923b20cfdc8b6cf917e11 1062946 libs optional libnss3_3.14.5-1+deb7u4_amd64.deb
30c3e55d8f241b8d99a2ac9ae3567681 20554 oldlibs extra libnss3-1d_3.14.5-1+deb7u4_amd64.deb
f186be28d6e1d707e6916c1d3fcb9ecb 228978 admin optional libnss3-tools_3.14.5-1+deb7u4_amd64.deb
a7d169811f86bcb27541ee5bea9ee7e4 220802 libdevel optional libnss3-dev_3.14.5-1+deb7u4_amd64.deb
f6fadce94c92edb5f8468a61c1a5cd53 4838814 debug extra libnss3-dbg_3.14.5-1+deb7u4_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJVAekKAAoJEAVMuPMTQ89EXQwQAKB7DmdN39B6pnNpbTJjuRP5
uSqPCEJcxaS47nR/9cwCUzYEfIXgj/npBOXV4vn0fHotU69FrhRpSy0W9FkVoKhR
HVHu0bbvJsLSU+l2D8H6iLHCEc8o71ooLdF1aKbL9Gi1vkyg9whXU8ZxqIlEjnSr
iBFHVwumnQIhf+QPVRixUQ1t6C4Wrot0BOwqh+ZVH3s1A54lwSlznvDhG30tmfvR
IPdjo3CkCMRg+DdUGuE3ByabX6CWbwVR4CLR0X3qnDq6HMtuRzens6xrjcTppCrU
1OGRDQfpAPsE96SrpfzGahM+U6Zc6eYhvn3wjm7cBVeGYK7HA4LoycNFqhrOqobr
SFFfJr2QeFxv6TD+ULWd7mp+8N7tn9+rwDuiM69qokMyxrSHKhnJ0T9SG+dyyMvo
ez6Ce8FNIOXycf5Ho8b1Ame67BI4A+T37No027pFY33IhW/3liEve6Ig9hXYZ0E6
4Z2ZWM5sIfyN6/Ko3Jf9ylQA2Z+rnyMn+MiuGv24esZBUSYGcVwf3q6dZuy6o4Bx
8dKgHc/z7WfO0bXd70bE8BGed7T939lpgqzDJ5UZhAUWAzFHv6U7/u+9ZO6I3NLR
9IGAUCzye+VjdaaMdgz+bXXkyBcH4Ay6DnOmFxNeowvtdaDNpmsggQyOpqkcmNZU
UqiFBZRQfVoIa4HAOGTz
=ry/z
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 May 2015 07:40:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:17:18 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon