A security issue has been reported in NSS, which can be exploited by a malicious user to disclose certain information.

The issue arises due to an error within the "ssl_Do1stHandshake()" function in lib/ssl/sslsecur.c, which can be exploited to potentially return unencrypted and unauthenticated data from PR_Recv. Successful exploitation requires false start to be enabled.

The issue is said to be fixed in NSS 3.15.4.

References:
https://bugs.gentoo.org/show_bug.cgi?id=498172
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes

Upstream bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=919877

Patch:
https://bugzilla.mozilla.org/attachment.cgi?id=825813
By default, NSS ships with false start disabled, for which the above patch works and was implemented in NSS 3.15.3.
The upstream bug noted actually has fixes from another upstream bug [1] which notes the actual upstream commit [2], however the next noted commit [3] may also be required.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=713933
[2] https://hg.mozilla.org/projects/nss/rev/1b9c43d28713
[3] https://hg.mozilla.org/projects/nss/rev/f28426e944ae
According to this document, False Start has been implemented in NSS since 3.12.9:

https://technotes.googlecode.com/git/falsestart.html

I'm unable to find any corresponding note or changelog for nss to back it up, however.
Created nss tracking bugs for this issue:

Affects: fedora-all [bug 1054456]
(In reply to Vincent Danen from comment #5)
> According to this document, False Start has been implemented in NSS since
> 3.12.9:
>
> https://technotes.googlecode.com/git/falsestart.html
>
> I'm unable to find any corresponding note or changelog for nss to back it
> up, however.

Vincent,

Looking at old cvs history (nss switched from cvs to mercurial last year) I see this commit

----------------------------
revision 1.39
date: 2010/07/30 03:00:16; author: wtc%google.com; state: Exp; lines: +12 -1
Bug 525092: Support TLS false start. The patch is contributed by Adam Langley of Google <agl>. r=wtc.
Modified Files:
  cmd/strsclnt/strsclnt.c
  cmd/tstclnt/tstclnt.c
  lib/ssl/ssl.h
  lib/ssl/ssl3con.c
  lib/ssl/ssl3gthr.c
  lib/ssl/sslimpl.h
  lib/ssl/sslsecur.c
  lib/ssl/sslsock.c
  tests/ssl/sslstress.txt
----------------

See https://bugzilla.mozilla.org/show_bug.cgi?id=525092
This may be what you are looking for.

-Elio
(In reply to Elio Maldonado Batiz from comment #8)
...
> See https://bugzilla.mozilla.org/show_bug.cgi?id=525092
> This may be what you are looking for.

Thanks, Elio. That's exactly it. Last comment in that bug is:

"Patch checked in on the NSS trunk (NSS 3.13) and NSS_3_12_BRANCH (NSS 3.12.8)."

which is pretty close to the 3.12.9 version I had indicated. Thanks for that confirmation.
nss-3.15.4-1.fc20, nss-softokn-3.15.4-1.fc20, nss-util-3.15.4-1.fc20 have been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
nss-3.15.4-1.fc19, nss-softokn-3.15.4-1.fc19, nss-util-3.15.4-1.fc19 have been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Statement: (none)
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0917 https://rhn.redhat.com/errata/RHSA-2014-0917.html
IssueDescription: A flaw was found in the way TLS False Start was implemented in NSS. An attacker could use this flaw to potentially return unencrypted information from the server.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1246 https://rhn.redhat.com/errata/RHSA-2014-1246.html