CVE-2014-1492

NameCVE-2014-1492
DescriptionThe cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-23-1, DSA-2994-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nss (PTS)buster2:3.42.1-1+deb10u5fixed
buster (security)2:3.42.1-1+deb10u6fixed
bullseye (security), bullseye2:3.61-1+deb11u3fixed
bookworm2:3.87.1-1fixed
sid2:3.89-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
icedovesource(unstable)(not affected)
iceweaselsource(unstable)(not affected)
nsssourcesqueeze3.12.8-1+squeeze8
nsssourcewheezy2:3.14.5-1+deb7u1DSA-2994-1
nsssource(unstable)2:3.16-1

Notes

- iceweasel <not-affected> (Only affects Firefox 28)
- icedove <not-affected> (Only affects Firefox 28)
Search for package or bug name: Reporting problems