[v2.5] nss: man-in-the-middle SSL spoofing (CVE-2014-1492)
The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name’s U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
•CONFIRM: https://bugzilla.mozilla.org/show_bug.cgi?id=903885
•CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1079851
•CONFIRM: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes
•CONFIRM: https://hg.mozilla.org/projects/nss/rev/709d4e597979
(from redmine: issue id 2798, created on 2014-03-27, closed on 2014-04-18)
- Relations:
- parent #2796 (closed)
- Changesets:
- Revision 5b835f22 by Timo Teräs on 2014-04-17T08:59:08Z:
main/nss: security fix for CVE-2014-1492
fixes #2798
(cherry picked from commit 7e5212b7f595cf6e9bee5e565bc6b5bee041efc7)