Bug 193906 - security/nss: update to 3.17.1 to fix CVE-2014-1568
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-gecko (Nobody)
Keywords: patch
Reported: 2014-09-24 20:24 UTC by Jan Beich
Modified: 2014-09-26 13:13 UTC
Description Jan Beich freebsd_committer freebsd_triage 2014-09-24 20:24:03 UTC
While native firefox/thunderbird/seamonkey ports use --with-system-nss, it may still be worth updating in order to fix bugs missed in other point releases, as the gecko@ team may not have any committers left. And there're still 3 weeks before firefox 33.0.

$ svn export https://trillian.chruetertee.ch/svn/freebsd-gecko/branches/firefox32
$ cp -R firefox32/ /usr/ports/

  <vuln vid="48108fb0-751c-4cbb-8f33-09239ead4b55">
    <topic>NSS -- RSA Signature Forgery</topic>
    <affects>
      <package>
	<name>linux-firefox</name>
	<range><lt>32.0.3,1</lt></range>
      </package>
      <package>
	<name>linux-thunderbird</name>
	<range><lt>31.1.2</lt></range>
      </package>
      <package>
	<name>linux-seamonkey</name>
	<range><lt>2.29.1</lt></range>
      </package>
      <package>
	<name>nss</name>
	<range><lt>3.17.1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>The Mozilla Project reports:</p>
	<blockquote cite="http://www.mozilla.org/security/known-vulnerabilities/">
	  <p>MFSA 2014-73 RSA Signature Forgery in NSS</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2014-1568</cvename>
      <url>https://www.mozilla.org/security/announce/2014/mfsa2014-73.html</url>
    </references>
    <dates>
      <discovery>2014-09-23</discovery>
      <entry>2014-09-24</entry>
    </dates>
  </vuln>
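
Added example, not part of the original report and not FreeBSD's own tooling: a check of installed package versions against the `<lt>` bounds in the entry above. The names `version_key` and `is_affected` are hypothetical, and the version comparison is a simplified stand-in for pkg's, assuming dotted numeric versions with optional `_revision` and `,epoch`.

```python
import operator
import xml.etree.ElementTree as ET

# Constructed copy of the <affects> section of the entry above.
VULN = """<vuln vid="48108fb0-751c-4cbb-8f33-09239ead4b55">
  <affects>
    <package><name>linux-firefox</name><range><lt>32.0.3,1</lt></range></package>
    <package><name>linux-thunderbird</name><range><lt>31.1.2</lt></range></package>
    <package><name>linux-seamonkey</name><range><lt>2.29.1</lt></range></package>
    <package><name>nss</name><range><lt>3.17.1</lt></range></package>
  </affects>
</vuln>"""

OPS = {"lt": operator.lt, "le": operator.le, "eq": operator.eq,
       "ge": operator.ge, "gt": operator.gt}


def version_key(version):
    """Sort key for 'version[_portrevision][,portepoch]'.

    Assumption: dotted numeric versions only; pkg's real comparison also
    handles letters and suffixes such as 'rc'.
    """
    version, _, epoch = version.partition(",")
    version, _, revision = version.partition("_")
    parts = [int(p) for p in version.split(".")]
    while parts and parts[-1] == 0:      # 3.17.0 compares equal to 3.17
        parts.pop()
    # Epoch outranks the version, which outranks the port revision.
    return (int(epoch or 0), tuple(parts), int(revision or 0))


def is_affected(vuln_xml, name, installed):
    """True if `installed` falls inside any <range> listed for `name`."""
    key = version_key(installed)
    for pkg in ET.fromstring(vuln_xml).iter("package"):
        if name not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            # Bounds inside one <range> are ANDed; separate ranges are ORed.
            if all(OPS[b.tag](key, version_key(b.text)) for b in rng):
                return True
    return False


if __name__ == "__main__":
    for name, ver in [("nss", "3.17"), ("nss", "3.17.1"),
                      ("linux-firefox", "32.0.2,1"), ("linux-firefox", "32.0.3,1")]:
        print(name, ver, "AFFECTED" if is_affected(VULN, name, ver) else "ok")
```

Because the `linux-firefox` bound carries epoch 1, a version string without `,1` sorts below it regardless of its dotted number.
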
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2014-09-24 20:24:03 UTC
Auto-assigned to maintainer gecko@FreeBSD.org
Comment 2 Jan Beich freebsd_committer freebsd_triage 2014-09-24 21:18:16 UTC
Baptiste, do you have time to land the update?
Comment 3 commit-hook freebsd_committer freebsd_triage 2014-09-25 07:41:09 UTC
A commit references this bug:

Author: des
Date: Thu Sep 25 07:40:34 UTC 2014
New revision: 369218
URL: http://svnweb.freebsd.org/changeset/ports/369218

Log:
  Upgrade to 3.17.1

  PR:		193906
  MFH:		2014Q3
  Security:	CVE-2014-1568

Changes:
  head/security/nss/Makefile
  head/security/nss/distinfo
Comment 4 commit-hook freebsd_committer freebsd_triage 2014-09-25 07:44:11 UTC
A commit references this bug:

Author: des
Date: Thu Sep 25 07:43:18 UTC 2014
New revision: 369219
URL: http://svnweb.freebsd.org/changeset/ports/369219

Log:
  Add entry for the NSS signature forgery bug.

  PR:		193906
  MFH:		2014Q3
  Security:	CVE-2014-1568

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Jan Beich freebsd_committer freebsd_triage 2014-09-26 13:13:24 UTC
Beat updated vulnerable linux-* ports.

http://svnweb.freebsd.org/changeset/ports/369237