[v2.7] nss: man-in-the-middle SSL spoofing (CVE-2013-1740)
The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
•CONFIRM: https://bugs.gentoo.org/show_bug.cgi?id=498172
•CONFIRM: https://bugzilla.mozilla.org/show_bug.cgi?id=919877
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1053725
•CONFIRM: https://developer.mozilla.org/docs/NSS/NSS_3.15.4_release_notes
•XF:mozilla-nss-cve20131740-info-disc(90394)
•URL: http://xforce.iss.net/xforce/xfdb/90394
(from redmine: issue id 2647, created on 2014-02-04, closed on 2014-02-05)
- Relations:
  - parent #2643 (closed)
- Changesets:
  - Revision a70459e3 by Natanael Copa on 2014-02-05T12:02:03Z:
    main/nss: security upgrade to 3.15.4 (CVE-2013-1740)
    fixes #2647