Package: libnss3-1d
Version: 3.12.8-1+squeeze6
Severity: grave
Tags: security
Justification: user security hole

-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Versions of packages libnss3-1d depends on:
ii  libc6         2.11.3-4          Embedded GNU C Library: Shared lib
ii  libnspr4-0d   4.8.6-1           NetScape Portable Runtime Library
ii  libsqlite3-0  3.7.3-1           SQLite 3 shared library
ii  zlib1g        1:1.2.3.4.dfsg-3  compression library - runtime

libnss3-1d recommends no packages.
libnss3-1d suggests no packages.

http://www.debian.org/security/2013/dsa-2599 updated squeeze by updating ckbi (certdata.txt and certdata.c) to distrust the mis-issued TURKTRUST intermediate CAs. In preparing updates for Ubuntu, I saw that while 'strings /usr/lib/nss/libnssckbi.so' shows that the certificates were added to libnssckbi.so (certutil will only show root certificates, so you can't verify the inclusion of the intermediates with this tool -- if there is another tool to do this, please let me know :), nss does not actually blacklist them. If I follow the instructions from the upstream bug[1] to verify the certs are blacklisted, the cert chain is shown as good:

# Compile nss since we need access to vfychain and it isn't shipped in packages
$ sudo apt-get build-dep nss
$ sudo apt-get install libnss3-1d   # needed at runtime for vfychain (make sure
                                    # it is 3.12.8-1+squeeze6)
$ apt-get source nss=3.12.8-1+squeeze6
$ cd nss-*/
$ fakeroot debian/rules build
$ mozilla/dist/bin/vfychain -u 1 /tmp/turktrust-google-1.der \
    /tmp/turktrust-google-2.der \
    /tmp/turktrust-google-3.der
Chain is good!
$ mozilla/dist/bin/vfychain -u 3 /tmp/turktrust-intermediate-2.der \
    /tmp/turktrust-google-3.der
Chain is good!

Both of these should show 'Chain is bad!'. I can confirm that simply updating ckbi is not enough for nss 3.13.1 and earlier. I did not check wheezy. I was able to confirm that if I recompile nspr 2:4.9.4-2 and nss 2:3.14.1.with.ckbi.1.93-1 on an Ubuntu 12.10 system, vfychain would correctly blacklist them.

As a result, I am considering upgrading nss and nspr on all of Ubuntu's stable releases to the latest upstream versions (with ckbi 1.93) to address this issue rather than trying to identify and cherry-pick the commits to make blacklisting an intermediate work.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=825022#c8
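As an added example (not part of this bug report and not NSS or Debian tooling), the following Python parser reads the certdata.txt format that ckbi is built from, lists the CKO_NSS_TRUST objects whose usage flags are CKT_NSS_NOT_TRUSTED, and compares a DER certificate's SHA-1 against them; this answers the "which entries were shipped" question that certutil cannot. The sample certdata.txt entry is constructed, not the real TURKTRUST data. As the report shows, an entry being present in ckbi does not prove the installed NSS enforces it, so vfychain remains the end-to-end check.

```python
import hashlib
import re

# Constructed sample in certdata.txt syntax (NOT the genuine ckbi data):
# one CKO_NSS_TRUST object whose usage flags are all CKT_NSS_NOT_TRUSTED.
SAMPLE_CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Intermediate (constructed)"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
               "CKA_TRUST_CODE_SIGNING")

def parse_certdata(text):
    """One {attribute: value} dict per object; MULTILINE_OCTAL decoded to bytes."""
    objects, current = [], {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        attr, typ, *rest = line.split(None, 2)
        if typ == "MULTILINE_OCTAL":  # \ooo escapes on the following lines, up to END
            raw = bytearray()
            for octal in lines:
                if octal.strip() == "END":
                    break
                raw.extend(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
            value = bytes(raw)
        else:
            value = rest[0].strip('"') if rest else ""
        if attr == "CKA_CLASS":  # every object begins with its class attribute
            current = {}
            objects.append(current)
        current[attr] = value
    return objects

def distrusted_entries(objects):
    """(label, sha1 hex) of trust objects with any usage set to CKT_NSS_NOT_TRUSTED."""
    return [(o.get("CKA_LABEL", ""), o.get("CKA_CERT_SHA1_HASH", b"").hex())
            for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
            and any(o.get(a) == "CKT_NSS_NOT_TRUSTED" for a in TRUST_ATTRS)]

def is_distrusted(der_bytes, objects):
    """True when the DER certificate's SHA-1 matches a distrusted ckbi entry."""
    sha1 = hashlib.sha1(der_bytes).hexdigest()
    return any(sha1 == h for _, h in distrusted_entries(objects))
```

Run it against the certdata.txt from the nss source package to enumerate the distrust entries that were compiled into libnssckbi.so, and pass the intermediate's DER bytes to is_distrusted to confirm its hash is among them.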