[v2.7] nss: man-in-the-middle SSL spoofing (CVE-2014-1492)
The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name’s U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
• CONFIRM: https://bugzilla.mozilla.org/show_bug.cgi?id=903885
• CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1079851
• CONFIRM: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
• CONFIRM: https://hg.mozilla.org/projects/nss/rev/709d4e597979
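An added illustration (not NSS code and not part of the original issue) of the check the description says was missing: a C matcher that refuses to honour `*` when the left-most label is an internationalized name, either as an A-label (`xn--` prefix) or as raw non-ASCII U-label bytes. The function names are hypothetical, and the stricter policy that `*` must end the left-most label and be followed by at least two more labels is an assumption of this example.

```c
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* Hypothetical helper: returns 1 only if the '*' in `pattern` may be expanded. */
static int wildcard_allowed(const char *pattern)
{
    const char *star = strchr(pattern, '*');
    const char *dot = strchr(pattern, '.');
    const char *dot2, *p;

    if (!star || !dot || star > dot || strchr(star + 1, '*'))
        return 0;               /* exactly one '*', in the left-most label */
    if (star + 1 != dot)
        return 0;               /* assumed policy: '*' ends that label */
    dot2 = strchr(dot + 1, '.');
    if (!dot2 || dot2 == dot + 1 || dot2[1] == '\0')
        return 0;               /* at least two non-empty labels must follow */
    if (strncasecmp(pattern, "xn--", 4) == 0)
        return 0;               /* wildcard inside an IDN A-label */
    for (p = pattern; p < dot; p++)
        if ((unsigned char)*p >= 0x80)
            return 0;           /* wildcard inside a raw (UTF-8) U-label */
    return 1;
}

/* Hypothetical matcher: compares a certificate name pattern with a host name. */
int cert_name_matches(const char *pattern, const char *host)
{
    const char *star = strchr(pattern, '*');
    const char *hdot = strchr(host, '.');
    size_t prefix;

    if (!star)                  /* literal names, IDN or not, compare exactly */
        return strcasecmp(pattern, host) == 0;
    if (!wildcard_allowed(pattern))
        return 0;
    prefix = (size_t)(star - pattern);
    if (!hdot || (size_t)(hdot - host) <= prefix)
        return 0;               /* '*' must cover at least one character */
    /* Text before '*' must match, and everything after the first label too,
     * so the wildcard never spans a '.' */
    return strncasecmp(pattern, host, prefix) == 0 &&
           strcasecmp(star + 1, hdot) == 0;
}
```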
(from redmine: issue id 2800, created on 2014-03-27, closed on 2014-04-18)
- Relations:
- parent #2796 (closed)
- Changesets:
- Revision c2185a7a by Timo Teräs on 2014-04-17T08:34:27Z:
main/nss: security upgrade to 3.16 (CVE-2014-1492)
remove upstreamed patch. fixes #2800
(cherry picked from commit 122586e61981d0c78c2f854a815b3de3cec8f6dd)