Main Vulnerability Database SB2014041722

SB2014041722 - Input validation error in nss (Alpine package)

Published: April 17, 2014

Security Bulletin ID SB2014041722

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2014-1492)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=7e5212b7f595cf6e9bee5e565bc6b5bee041efc7
https://git.alpinelinux.org/aports/commit/?id=92aa2adfa30da9a1c8a51f7f501b084dc8a49daf
https://git.alpinelinux.org/aports/commit/?id=c2185a7ac54f1058fdbd8f360b531b04cc96033c