Mozilla has updated the version of the Network Security Services (NSS) library used in Firefox to NSS 3.23. This addresses four moderate rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis.

External Reference:
https://www.mozilla.org/security/announce/2016/mfsa2016-61.html

Acknowledgements:
Name: the Mozilla project
Upstream: Tyson Smith and Jed Davis
This flaw corresponds to the following upstream commits:

https://hg.mozilla.org/projects/nss/rev/8d78a5ae260a
https://hg.mozilla.org/projects/nss/rev/1ba7cd83c672
https://hg.mozilla.org/projects/nss/rev/5fde729fdbff
https://hg.mozilla.org/projects/nss/rev/329932eb1700
These security flaws were fixed in nss-3.23. Fedora 22 and Fedora 23 already contain nss-3.24 and are therefore not affected by these flaws.
Mitigation: Do not use NSS to parse untrusted certificates.
(In reply to Huzaifa S. Sidhpurwala from comment #2)
> This flaw corresponds to the following upstream commits:
>
> https://hg.mozilla.org/projects/nss/rev/8d78a5ae260a
> https://hg.mozilla.org/projects/nss/rev/1ba7cd83c672
> https://hg.mozilla.org/projects/nss/rev/5fde729fdbff
> https://hg.mozilla.org/projects/nss/rev/329932eb1700

The patches apply cleanly on top of each other in the following order:

https://hg.mozilla.org/projects/nss/rev/8d78a5ae260a
https://hg.mozilla.org/projects/nss/rev/5fde729fdbff
https://hg.mozilla.org/projects/nss/rev/1ba7cd83c672
https://hg.mozilla.org/projects/nss/rev/329932eb1700

I recommend adding the following very minor change, which only affects test code, but was made before the above changes, so including it makes sense for completeness:

https://hg.mozilla.org/projects/nss/rev/b6bcbd62e833

I have merged all those changes into a single patch, which I'm attaching to the bug.

The patches seem isolated, without references to other code. Backporting should be safe.
Created attachment 1210200 [details] backported patch
*** Bug 1380171 has been marked as a duplicate of this bug. ***
*** Bug 1380172 has been marked as a duplicate of this bug. ***
*** Bug 1380173 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 5

Via RHSA-2016:2779 https://rhn.redhat.com/errata/RHSA-2016-2779.html