NSS incorrectly preferring a longer, weaker chain over a shorter, stronger chain

Bug #1423031 reported by Cambell Prince
This bug affects 5 people
Affects        Status         Importance   Assigned to        Milestone
nss (Debian)   Fix Released   Unknown
nss (Ubuntu)   Fix Released   Undecided    Marc Deslauriers
  Lucid        Fix Released   Undecided    Marc Deslauriers
  Precise      Fix Released   Undecided    Marc Deslauriers
  Trusty       Fix Released   Undecided    Marc Deslauriers
  Utopic       Fix Released   Undecided    Marc Deslauriers
  Vivid        Fix Released   Undecided    Marc Deslauriers

Bug Description

See:

https://code.google.com/p/chromium/issues/detail?id=437733

and

https://code.google.com/p/chromium/issues/detail?id=459131

This issue is fixed in upstream libnss3 version >= 3.17.4

This issue causes incorrect SHA1 sunset behaviour in Google Chrome.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in nss (Ubuntu):
status: New → Confirmed
Changed in nss (Debian):
status: Unknown → Confirmed
Marco (bulletxt) wrote :

Please get this fixed, Chrome 41 will get out soon and it's deprecating sha1 ssl. This library has to be updated! Thanks

Changed in nss (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in nss (Ubuntu Lucid):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in nss (Ubuntu Precise):
status: New → Confirmed
Changed in nss (Ubuntu Trusty):
status: New → Confirmed
Changed in nss (Ubuntu Utopic):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.17.4-0ubuntu1

---------------
nss (2:3.17.4-0ubuntu1) vivid; urgency=medium

  * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
    bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
  * Removed unneeded patches:
    - debian/patches/98_CVE-2014-1569.patch: included upstream.
 -- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:32:50 -0500

Changed in nss (Ubuntu Vivid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.17.4-0ubuntu0.10.04.1

---------------
nss (3.17.4-0ubuntu0.10.04.1) lucid-security; urgency=medium

  * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
    bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
  * Removed unneeded patches:
    - debian/patches/CVE-2014-1569.patch: included upstream.
 -- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:48:44 -0500

Changed in nss (Ubuntu Lucid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.17.4-0ubuntu0.14.04.1

---------------
nss (2:3.17.4-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
    bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
  * Removed unneeded patches:
    - debian/patches/CVE-2014-1569.patch: included upstream.
 -- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:44:05 -0500

Changed in nss (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.17.4-0ubuntu0.14.10.1

---------------
nss (2:3.17.4-0ubuntu0.14.10.1) utopic-security; urgency=medium

  * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
    bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
  * Removed unneeded patches:
    - debian/patches/CVE-2014-1569.patch: included upstream.
 -- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:41:50 -0500

Changed in nss (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.17.4-0ubuntu0.12.04.1

---------------
nss (3.17.4-0ubuntu0.12.04.1) precise-security; urgency=medium

  * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
    bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
  * Removed unneeded patches:
    - debian/patches/CVE-2014-1569.patch: included upstream.
 -- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:45:59 -0500

Changed in nss (Ubuntu Precise):
status: Confirmed → Fix Released
Cambell Prince (cambell-prince) wrote :

Tested on Trusty and confirmed fixed. Thanks.

- Google Chrome 40.0.2214.115-1
- libnss3 2:3.17.4-0ubuntu0.14.04.1

Mathew Hodson (mhodson)
information type: Public → Public Security
Marco (bulletxt) wrote :

Tested on Ubuntu 14.04, great it fixed the problem!

Thanks

Changed in nss (Debian):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.