CVE-2013-1741 – nss: Integer truncation in certificate parsing (MFSA 2013-103)
https://notcve.org/view.php?id=CVE-2013-1741
Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. Desbordamiento de enteros en Mozilla Network Security Services (NSS) 3.15.3 anterior 3.15 que permite a atacantes remotos provocar una denegación de servicio o posiblemente tener otro impacto no especificado a través de un valor de gran tamaño. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 http://lists.apple.com/archives/security-announce/2015/Jun/msg00001.html http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00000.html http://lists.opensuse.org/opensuse-updates/2013-11/msg00080.html http://rhn.redhat.com/errata/RHSA-2013-1791.html http://rhn.redhat.com/errata/RHSA-2013-1829.html http://seclists.org/fulldisclosure/2014/Dec • CWE-189: Numeric Errors •
CVE-2013-5606 – nss: CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates (MFSA 2013-103)
https://notcve.org/view.php?id=CVE-2013-5606
The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate. La función CERT_VerifyCert en lib / certhigh / certvfy.c de Servicios de Seguridad de Mozilla red (NSS) 3.15 antes de 3 3.15 proporciona un valor inesperado de retorno para un certificado de clave-uso incompatible cuando el argumento CERTVerifyLog es válido, lo que podría permitir a atacantes remotos evitar restricciones de acceso destinados a través de un certificado manipulado • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 http://lists.opensuse.org/opensuse-security-announce/2013-12/msg00000.html http://lists.opensuse.org/opensuse-updates/2013-11/msg00080.html http://rhn.redhat.com/errata/RHSA-2013-1791.html http://rhn.redhat.com/errata/RHSA-2013-1829.html http://rhn.redhat.com/errata/RHSA-2014-0041.html http://seclists.org/fulldisclosure/2014/Dec/23 http://security.gentoo.org/glsa/glsa-201406-19.xml http://www.debian.org/securi • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-1739 – nss: Avoid uninitialized data read in the event of a decryption failure
https://notcve.org/view.php?id=CVE-2013-1739
Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. Mozilla Network Security Services (NSS) en versiones anteriores a 3.15.2 no asegura que las estructuras de datos estén inicializadas antes de las operaciones de lectura, lo que permite a atacantes remotos provocar una denegación de servicio o posiblemente tener otro impacto no especificado a través de vectores que desencadenan un fallo de descifrado. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00014.html http://lists.opensuse.org/opensuse-updates/2013-10/msg00013.html http://lists.opensuse.org/opensuse-updates/2013-10/msg00016.html http://rhn.redhat.com/errata/RHSA-2013-1791.html http://rhn.redhat.com/errata/RHSA-2013-1829.html http://seclists.org/fulldisclosure/2014/Dec/23 http://security.gentoo.org/glsa/glsa-201406-19.xml http://www.debia •
CVE-2013-0791 – Mozilla: Out-of-bounds array read in CERT_DecodeCertPackage (MFSA 2013-40)
https://notcve.org/view.php?id=CVE-2013-0791
The CERT_DecodeCertPackage function in Mozilla Network Security Services (NSS), as used in Mozilla Firefox before 20.0, Firefox ESR 17.x before 17.0.5, Thunderbird before 17.0.5, Thunderbird ESR 17.x before 17.0.5, SeaMonkey before 2.17, and other products, allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) via a crafted certificate. La función CERT_DecodeCertPackage en Mozilla Network Security Services (NSS), tal como se utiliza en Mozilla Firefox antes de v20.0, Firefox ESR v17.x antes v17.0.5, Thunderbird antes de v17.0.5, Thunderbird ESR v17.x antes de v17.0.5, SeaMonkey antes de v2.17, y otros productos, permite a atacantes remotos provocar una denegación de servicio (fuera del terreno de juego y lectura de corrupción de memoria) a través de un certificado manipulado. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00010.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00019.html http://rhn.redhat.com/errata/RHSA-2013-1135.html http://rhn.redhat.com/errata/RHSA-2013-1144.html http://www.mozilla.org/security • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2013-1620 – nss: TLS CBC padding timing attack
https://notcve.org/view.php?id=CVE-2013-1620
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. La implementación en Mozilla Network Security Services (NSS) de TLS no tiene debidamente en cuenta tiempos de canal lateral ataques a una operación de comprobación de incumplimiento MAC durante el procesamiento de malformaciones relleno CBC, que permite a atacantes remotos para realizar ataques distintivos y los ataques de recuperación de texto plano-a través de análisis estadístico de datos de tiempo de los paquetes hechos a mano, una cuestión relacionada con CVE-2013-0169. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761 http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00010.html http://openwall.com/lists/oss-security/2013/02/05/24 http://rhn.redhat.com/errata/RHSA-2013-1135.html http://rhn.redhat.com/errata/RHSA-2013-1144.html http://seclists.org/fulldisclosure/2014/Dec/23 http://security.gentoo.org/glsa/glsa-201406-19.xml http://www. • CWE-203: Observable Discrepancy •