[v2.4] CVE-2013-2566 CVE-2013-5605 CVE-2013-5606: nss and RC4 (TLS, SSL)
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has
many single-byte biases, which makes it easier for remote attackers
to conduct plaintext-recovery attacks via statistical analysis of
ciphertext in a large number of sessions that use the same plaintext
(CVE-2013-2566).

Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15
before 3.15.3 allows remote attackers to cause a denial of service or
possibly have unspecified other impact via invalid handshake packets
(CVE-2013-5605).

The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla
Network Security Services (NSS) 3.15 before 3.15.3 provides an
unexpected return value for an incompatible key-usage certificate
when the CERTVerifyLog argument is valid, which might allow remote
attackers to bypass intended access restrictions via a crafted
certificate (CVE-2013-5606).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606
(from redmine: issue id 2404, created on 2013-11-22, closed on 2014-03-03)
- Relations:
- parent #2403 (closed)