please upgrade to 3.12.6
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| nss (Ubuntu) |
Fix Released
|
Medium
|
Chris Coulson | ||
| Hardy |
Fix Released
|
Medium
|
Unassigned | ||
| Intrepid |
Invalid
|
Medium
|
Unassigned | ||
| Jaunty |
Fix Released
|
Medium
|
Unassigned | ||
| Karmic |
Fix Released
|
Medium
|
Chris Coulson | ||
| Lucid |
Fix Released
|
Medium
|
Chris Coulson | ||
Bug Description
3.12.6 fixes CVE-2009-3555.
NSS 3.12.6 has support for the new renegotiation extension for TLS to implement rfc5746. NSS clients advertise their support for this extension and if the server also supports it, will be protected from this vulnerability. To maintain compatibility, NSS in Ubuntu will for the foreseeable future use the so-called 'transitional' mode which will fall back to the unprotected renegotiation method if the server doesn't support the new extension.
NSS was fixed in Ubuntu 9.10 because the new Firefox required it. Because Firefox needs changes to take advantage of the new NSS, once Ubuntu 8.04 LTS - 9.04 are updated to use an embedded NSS (and therefore won't use the system NSS), we can update the system NSS for these releases.
When upgrading the system NSS on Ubuntu 8.04 LTS - 9.04, be careful about https:/
| visibility: | private → public |
| Changed in nss (Ubuntu Lucid): | |
| status: | New → Fix Released |
| importance: | Undecided → Medium |
| assignee: | nobody → Chris Coulson (chrisccoulson) |
| Changed in nss (Ubuntu Karmic): | |
| status: | New → Fix Released |
| importance: | Undecided → Medium |
| assignee: | nobody → Chris Coulson (chrisccoulson) |
| Changed in nss (Ubuntu Hardy): | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| Changed in nss (Ubuntu Intrepid): | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| Changed in nss (Ubuntu Jaunty): | |
| status: | New → Triaged |
| importance: | Undecided → Medium |
| Alex Valavanis (valavanisalex) wrote | #1 |
| Changed in nss (Ubuntu Intrepid): | |
| status: | Triaged → Invalid |
| Changed in nss (Ubuntu Hardy): | |
| status: | Triaged → Fix Released |
| Changed in nss (Ubuntu Jaunty): | |
| status: | Triaged → Fix Released |
Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the
report. The bug has been fixed in newer releases of Ubuntu.