[v2.6] nss: Mis-issued ANSSI/DCSSI certificate
Impact: High
Announced: December 10, 2013
Reporter: Google
Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozilla’s root store, was loaded into a man-in-the-middle (MITM) traffic management device. This certificate was issued by Agence nationale de la sécurité des systèmes d’information (ANSSI), an agency of the French government and a certificate authority in Mozilla’s root program. A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control.
References:
http://www.mozilla.org/security/announce/2013/mfsa2013-117.html
https://hg.mozilla.org/projects/nss/rev/5a7944776645
https://rhn.redhat.com/errata/RHSA-2013-1861.html
(from redmine: issue id 2574, created on 2014-01-08, closed on 2014-03-03)
- Relations:
  - parent #2571 (closed)
- Changesets:
  - Revision 0952c7f4 by Natanael Copa on 2014-03-03T13:50:06Z:
    main/nss: security upgrade to 3.15.4 (CVE-2013-1740)
    fixes #2646
    fixes #2574