NSS incorrectly preferring a longer, weaker chain over a shorter, stronger chain

Bug #1423031 reported by Cambell Prince on 2015-02-18
This bug affects 5 people
Affects           Status         Importance   Assigned to        Milestone
nss (Debian)      Fix Released   Unknown
nss (Ubuntu)                     Undecided    Marc Deslauriers
  Lucid                          Undecided    Marc Deslauriers
  Precise                        Undecided    Marc Deslauriers
  Trusty                         Undecided    Marc Deslauriers
  Utopic                         Undecided    Marc Deslauriers
  Vivid                          Undecided    Marc Deslauriers

Bug Description

See:

https://code.google.com/p/chromium/issues/detail?id=437733

and

https://code.google.com/p/chromium/issues/detail?id=459131

This issue is fixed in upstream libnss3 version >= 3.17.4

This issue causes incorrect SHA1 sunset behaviour in Google Chrome.
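The report describes a path-selection problem, not a parsing one: the leaf can be chained to a trusted root through more than one intermediate, and the verifier's choice decides whether a SHA-1 signature ends up in the validated path. The example below is added here and is not NSS code or the reporter's; it models certificates as dicts in a constructed PKI (names such as "Intermediate G2" and "Root G1" are made up) and shows a first-match policy landing on the long SHA-1 path while a policy that ranks chains by weak signatures, then length, picks the short SHA-256 one. The first-match policy only illustrates the failure mode and makes no claim about how NSS ordered its candidates internally.

```python
"""Certificate chain selection: prefer the shortest chain free of SHA-1 signatures.

Added, constructed example; this is not NSS code. Certificates are modelled as
dicts keyed by subject/issuer name, since the point is path selection, not parsing.
"""

SHA1_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1"}

# Constructed PKI (all names are hypothetical). "Intermediate G2" exists twice:
# issued directly by the modern "Root G2" with SHA-256, and as a SHA-1
# cross-certificate issued by the legacy "Intermediate G1", which chains to the
# legacy "Root G1". The cross-certificate is listed first so a first-match
# search encounters the legacy path before the direct one.
CERTS = [
    {"subject": "www.example.test", "issuer": "Intermediate G2",
     "sig_alg": "sha256WithRSAEncryption"},
    {"subject": "Intermediate G2", "issuer": "Intermediate G1",
     "sig_alg": "sha1WithRSAEncryption"},          # legacy cross-certificate
    {"subject": "Intermediate G2", "issuer": "Root G2",
     "sig_alg": "sha256WithRSAEncryption"},
    {"subject": "Intermediate G1", "issuer": "Root G1",
     "sig_alg": "sha1WithRSAEncryption"},
    {"subject": "Root G1", "issuer": "Root G1", "sig_alg": "sha1WithRSAEncryption"},
    {"subject": "Root G2", "issuer": "Root G2", "sig_alg": "sha256WithRSAEncryption"},
]
TRUST_ANCHORS = {"Root G1", "Root G2"}


def build_chains(leaf, certs, anchors):
    """Enumerate every path from leaf to a self-signed trust anchor.

    Depth-first, visiting candidate issuers in list order; a subject name is
    never revisited within one path, so cross-certified loops terminate.
    """
    chains = []

    def walk(chain):
        top = chain[-1]
        if top["subject"] in anchors and top["issuer"] == top["subject"]:
            chains.append(chain)
            return
        seen = {c["subject"] for c in chain}
        for cand in certs:
            if cand["subject"] == top["issuer"] and cand["subject"] not in seen:
                walk(chain + [cand])

    walk([leaf])
    return chains


def weak_signatures(chain):
    """Subjects whose certificate carries a SHA-1 signature, ignoring the anchor.

    A root's signature over itself is never verified, so it carries no weight;
    only signatures a relying party actually checks count.
    """
    return [c["subject"] for c in chain[:-1] if c["sig_alg"] in SHA1_ALGS]


def select_first_match(chains):
    """Naive policy: the first complete chain the search produced.

    Illustrates the failure mode in the report (a longer SHA-1 path wins),
    not a claim about NSS internals.
    """
    return chains[0]


def select_strongest_shortest(chains):
    """Prefer chains with the fewest SHA-1 signatures, then the fewest certificates."""
    return min(chains, key=lambda ch: (len(weak_signatures(ch)), len(ch)))


def describe(chain):
    """One-line rendering of a chain for printing."""
    return " -> ".join(f"{c['subject']} [{c['sig_alg']}]" for c in chain)


if __name__ == "__main__":
    leaf = CERTS[0]
    chains = build_chains(leaf, CERTS, TRUST_ANCHORS)
    for ch in chains:
        print(len(ch), "certs,", len(weak_signatures(ch)), "SHA-1 sig(s):", describe(ch))
    print("first match:       ", describe(select_first_match(chains)))
    print("strongest/shortest:", describe(select_strongest_shortest(chains)))
```

The ranking key matters more than the search order: any verifier that stops at the first path it completes inherits whatever ordering its certificate store happens to have, which is exactly the situation where an old SHA-1 cross-certificate left in the store can drag an otherwise clean site into a browser's SHA-1 sunset warnings.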

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nss (Ubuntu):
status: New → Confirmed
Changed in nss (Debian):
status: Unknown → Confirmed
Marco (bulletxt) wrote :

Please get this fixed, Chrome 41 will get out soon and it's deprecating SHA-1 SSL. This library has to be updated! Thanks

Changed in nss (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in nss (Ubuntu Precise):
status: New → Confirmed
Changed in nss (Ubuntu Trusty):
status: New → Confirmed
Changed in nss (Ubuntu Utopic):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.17.4-0ubuntu1

---------------
nss (2:3.17.4-0ubuntu1) vivid; urgency=medium

  * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
    bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
  * Removed unneeded patches:
    - debian/patches/98_CVE-2014-1569.patch: included upstream.
 -- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:32:50 -0500

Changed in nss (Ubuntu Vivid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.17.4-0ubuntu0.10.04.1

---------------
nss (3.17.4-0ubuntu0.10.04.1) lucid-security; urgency=medium

  * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
    bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
  * Removed unneeded patches:
    - debian/patches/CVE-2014-1569.patch: included upstream.
 -- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:48:44 -0500

Changed in nss (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.17.4-0ubuntu0.14.04.1

---------------
nss (2:3.17.4-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
    bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
  * Removed unneeded patches:
    - debian/patches/CVE-2014-1569.patch: included upstream.
 -- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:44:05 -0500

Changed in nss (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.17.4-0ubuntu0.14.10.1

---------------
nss (2:3.17.4-0ubuntu0.14.10.1) utopic-security; urgency=medium

  * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
    bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
  * Removed unneeded patches:
    - debian/patches/CVE-2014-1569.patch: included upstream.
 -- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:41:50 -0500

Changed in nss (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.17.4-0ubuntu0.12.04.1

---------------
nss (3.17.4-0ubuntu0.12.04.1) precise-security; urgency=medium

  * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
    bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
  * Removed unneeded patches:
    - debian/patches/CVE-2014-1569.patch: included upstream.
 -- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:45:59 -0500

Changed in nss (Ubuntu Precise):
status: Confirmed → Fix Released
Cambell Prince (cambell-prince) wrote :

Tested on Trusty and confirmed fixed. Thanks.

- Google Chrome 40.0.2214.115-1
- libnss3 2:3.17.4-0ubuntu0.14.04.1

information type: Public → Public Security
Marco (bulletxt) wrote :

Tested on Ubuntu 14.04, great, it fixed the problem!

Thanks

Changed in nss (Debian):
status: Confirmed → Fix Released