[v2.4] nss: man-in-the-middle SSL spoofing (CVE-2014-1492)
The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name’s U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
• CONFIRM: https://bugzilla.mozilla.org/show_bug.cgi?id=903885
• CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1079851
• CONFIRM: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
• CONFIRM: https://hg.mozilla.org/projects/nss/rev/709d4e597979
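The class of check described above, as an added example that is not NSS code and not part of the original issue: a certificate-name matcher that follows the RFC 6125 section 6.4.3 rule of never matching a wildcard embedded in an A-label or U-label. The function names `is_idn_label` and `name_matches`, the three-label minimum and the sample hostnames are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* An IDN label is an A-label ("xn--" ACE prefix) or a U-label
 * (raw non-ASCII bytes such as UTF-8). Hypothetical helper. */
static int is_idn_label(const char *s, size_t len) {
    if (len >= 4 && strncasecmp(s, "xn--", 4) == 0) return 1;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)s[i] >= 0x80) return 1;
    return 0;
}

/* Returns 1 if host matches the certificate name pattern, else 0. */
int name_matches(const char *pattern, const char *host) {
    const char *star = strchr(pattern, '*');
    if (!star) return strcasecmp(pattern, host) == 0;
    const char *pdot = strchr(pattern, '.');
    const char *hdot = strchr(host, '.');
    if (!pdot || !hdot || hdot == host) return 0;
    /* exactly one wildcard, and only in the leftmost label */
    if (star > pdot || strchr(star + 1, '*')) return 0;
    /* assumption: at least two fixed labels must follow, so "*.com" is refused */
    if (!strchr(pdot + 1, '.')) return 0;
    /* everything after the leftmost label must be identical */
    if (strcasecmp(pdot, hdot) != 0) return 0;
    size_t plen = (size_t)(pdot - pattern), hlen = (size_t)(hdot - host);
    if (plen == 1) return 1;   /* whole-label "*" may cover an IDN label */
    /* partial-label wildcard: refuse if either side is an IDN label */
    if (is_idn_label(pattern, plen) || is_idn_label(host, hlen)) return 0;
    size_t pre = (size_t)(star - pattern), suf = plen - pre - 1;
    if (hlen < pre + suf) return 0;
    return strncasecmp(pattern, host, pre) == 0 &&
           strncasecmp(star + 1, hdot - suf, suf) == 0;
}

int main(void) {
    /* constructed sample names, not taken from the advisory */
    const char *host = "xn--bcher-kva.example.com";
    const char *pats[] = { "*.example.com", "xn--*.example.com", "x*.example.com" };
    for (int i = 0; i < 3; i++)
        printf("%-20s vs %s -> %d\n", pats[i], host, name_matches(pats[i], host));
    return 0;
}
```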
(from redmine: issue id 2797, created on 2014-03-27, closed on 2014-04-18)
- Relations:
- parent #2796 (closed)
- Changesets:
- Revision 92aa2adf by Timo Teräs on 2014-04-17T09:19:25Z:
main/nss: security fix for CVE-2014-1492
fixes #2797