oss-sec mailing list archives
Re: CVE Request 1, NSS 2, Qt: Doesn't handle wildcards in Common Name properly
From: Julien Cristau <jcristau () debian org>
Date: Fri, 3 Sep 2010 23:46:16 +0200
On Fri, Sep 3, 2010 at 14:15:13 -0700, Reed Loden wrote:

> On Fri, 03 Sep 2010 18:20:49 +0200 Jan Lieskovsky <jlieskov () redhat com> wrote:
>
> > Richard Moore and Simon Ward reported flaws in the way:
> >
> > 1, Network Security Services (NSS) handled wildcard (*) character in the Common Name field of a x509v3 digital certificate. If an attacker is able to get a carefully-crafted certificate, signed by a Certificate Authority trusted by Firefox, the attacker could use the certificate during the man-in-the-middle attack and potentially confuse Firefox into accepting it by mistake.
> >
> > Different vulnerability than CVE-2009-2408.
> >
> > References:
> > [1] http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
> > [2] http://bugs.gentoo.org/show_bug.cgi?id=335731
>
> Mozilla has assigned this CVE-2010-3170. We're tracking this as https://bugzilla.mozilla.org/show_bug.cgi?id=578697.

That bug is helpfully (or not) closed down.

Cheers,
Julien