CVE-2014-1492

NameCVE-2014-1492
DescriptionThe cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-23-1, DSA-2994-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
icedove (PTS)jessie1:52.3.0-4~deb8u2fixed
nss (PTS)jessie2:3.26-1+debu8u3fixed
jessie (security)2:3.26-1+debu8u9fixed
stretch (security), stretch2:3.26.2-1.1+deb9u1fixed
buster2:3.42.1-1+deb10u1fixed
buster (security)2:3.42.1-1+deb10u2fixed
bullseye2:3.45-1fixed
sid2:3.47.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
icedovesource(unstable)(not affected)
iceweaselsource(unstable)(not affected)
nsssource(unstable)2:3.16-1
nsssourcesqueeze3.12.8-1+squeeze8
nsssourcewheezy2:3.14.5-1+deb7u1DSA-2994-1

Notes

- iceweasel <not-affected> (Only affects Firefox 28)
- icedove <not-affected> (Only affects Firefox 28)

Search for package or bug name: Reporting problems