Описание
The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
A flaw was found in the way TLS False Start was implemented in NSS. An attacker could use this flaw to potentially return unencrypted information from the server.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | nss | Not affected | ||
| Red Hat Enterprise Linux 5 | nss | Fixed | RHSA-2014:1246 | 16.09.2014 |
| Red Hat Enterprise Linux 6 | nspr | Fixed | RHSA-2014:0917 | 22.07.2014 |
| Red Hat Enterprise Linux 6 | nss | Fixed | RHSA-2014:0917 | 22.07.2014 |
| Red Hat Enterprise Linux 6 | nss-util | Fixed | RHSA-2014:0917 | 22.07.2014 |
Показывать по
Дополнительная информация
Статус:
4.3 Medium
CVSS2
Связанные уязвимости
The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Net ...
The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.
ELSA-2014-1246: nss and nspr security, bug fix, and enhancement update (MODERATE)
4.3 Medium
CVSS2