Mozilla has updated the version of the Network Security Services (NSS) library used in Firefox to NSS 3.23. This addresses four moderate-rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis.
Name: the Mozilla project
Upstream: Tyson Smith and Jed Davis
This flaw corresponds to the following upstream commits:
These security flaws were fixed in nss-3.23
Fedora 22 and Fedora 23 already contain nss-3.24 and therefore are not affected by these flaws.
Do not use NSS to parse untrusted certificates.
(In reply to Huzaifa S. Sidhpurwala from comment #2)
> This flaw corresponds to the following upstream commits:
The patches apply cleanly on top of each other in the following order:
I recommend adding the following very minor change, which only affects test code but was made before the above changes, so including it makes sense for completeness:
I have merged all those changes into a single patch, which I'm attaching to the bug.
The patches seem isolated, without references to other code. Backporting should be safe.
Created attachment 1210200
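The comment above describes checking that the upstream patches apply cleanly on top of each other in a fixed order and then merging them into a single patch for the bug. The following is an added example, not code from this Bugzilla thread, from NSS or from Red Hat: a minimal applier for single-file unified diffs (standard library only) that performs exactly those two steps, failing on the first patch whose context does not match. The file revisions, the patch names and the path lib/parse.c are constructed for the example and are not NSS code.

```python
"""Check that an ordered series of unified diffs applies cleanly and squash it.

Added example, not code from the Bugzilla thread, from NSS or from Red Hat:
a minimal applier for single-file unified diffs (standard library only). It
verifies that each patch applies cleanly on top of the previous ones in the
stated order, and merges the whole series into one patch. The file contents,
patch names and path below are constructed for the example.
"""
import difflib
import re

# Hunk header: "@@ -old_start[,old_len] +new_start[,new_len] @@"
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_hunks(patch_text):
    """Return [(old_start, old_lines, new_lines), ...] for a single-file unified diff."""
    lines = patch_text.splitlines()
    hunks, i = [], 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        i += 1
        if not m:            # file headers ("---", "+++") and anything outside a hunk
            continue
        old_start, old_len = int(m.group(1)), int(m.group(2) or 1)
        new_len = int(m.group(4) or 1)
        old, new = [], []
        while len(old) < old_len or len(new) < new_len:
            if i >= len(lines):
                raise ValueError("truncated hunk at line %d" % old_start)
            line = lines[i]
            i += 1
            tag, body = (line[0], line[1:]) if line else (" ", "")
            if tag == " ":
                old.append(body)
                new.append(body)
            elif tag == "-":
                old.append(body)
            elif tag == "+":
                new.append(body)
            elif tag == "\\":    # "\ No newline at end of file": not a content line
                continue
            else:
                raise ValueError("malformed hunk line: %r" % line)
        hunks.append((old_start, old, new))
    return hunks


def apply_patch(content, patch_text):
    """Apply one patch to `content`; raise ValueError if any hunk does not match exactly."""
    src = content.splitlines()
    out, pos = [], 0                       # pos: next unconsumed index in src
    for old_start, old, new in parse_hunks(patch_text):
        # "-N,0" means "insert after line N"; otherwise the hunk starts at line N
        start = old_start if not old else old_start - 1
        if start < pos:
            raise ValueError("overlapping or out-of-order hunk at line %d" % old_start)
        if src[start:start + len(old)] != old:
            raise ValueError("hunk at line %d does not match the file" % old_start)
        out.extend(src[pos:start])
        out.extend(new)
        pos = start + len(old)
    out.extend(src[pos:])
    return "\n".join(out) + ("\n" if content.endswith("\n") else "")


def apply_series(content, series):
    """Apply (name, patch_text) pairs in order; the first one that fails stops the run."""
    for name, text in series:
        try:
            content = apply_patch(content, text)
        except ValueError as exc:
            raise ValueError("%s: %s" % (name, exc)) from exc
    return content


def applies_cleanly(content, series):
    """True if every patch in `series` applies, in that order, on top of `content`."""
    try:
        apply_series(content, series)
        return True
    except ValueError:
        return False


def make_patch(old, new, path="lib/parse.c"):
    """Unified diff between two file versions (used here to build the sample series)."""
    return "".join(difflib.unified_diff(old.splitlines(True), new.splitlines(True),
                                        "a/" + path, "b/" + path))


def merged_patch(content, series):
    """The single combined patch equivalent to the whole series."""
    return make_patch(content, apply_series(content, series))


# Constructed sample: three revisions of one file, i.e. two upstream-style patches.
ORIGINAL = "int parse(const char *s)\n{\n    return 0;\n}\n"
REV1 = ("int parse(const char *s)\n{\n    if (s == NULL)\n        return -1;\n"
        "    return 0;\n}\n")
REV2 = ("int parse(const char *s)\n{\n    if (s == NULL)\n        return -1;\n"
        "    if (s[0] == '\\0')\n        return -1;\n    return 0;\n}\n")

SERIES = [("patch1", make_patch(ORIGINAL, REV1)),
          ("patch2", make_patch(REV1, REV2))]

if __name__ == "__main__":
    print("series applies in order:", applies_cleanly(ORIGINAL, SERIES))
    print("series applies reversed:", applies_cleanly(ORIGINAL, SERIES[::-1]))
    print(merged_patch(ORIGINAL, SERIES))
```

Running the block shows the series applying in the stated order and failing when reversed, because the second patch's context lines are not yet present in the file; the merged patch is then the diff between the original and the fully patched file. The applier deliberately refuses fuzz (every context line must match exactly), which is the strict check a backporter wants before attaching a combined patch.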
*** Bug 1380171 has been marked as a duplicate of this bug. ***
*** Bug 1380172 has been marked as a duplicate of this bug. ***
*** Bug 1380173 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 5
Via RHSA-2016:2779 https://rhn.redhat.com/errata/RHSA-2016-2779.html