Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArch LinuxASA-201412-18
HistoryDec 16, 2014 - 12:00 a.m.

nss: signature forgery

2014-12-1600:00:00
Arch Linux
lists.archlinux.org
16

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

JSON

The definite_length_decoder function in lib/util/quickder.c in Mozilla
Network Security Services (NSS) does not ensure that the DER encoding of
an ASN.1 length is properly formed, which allows remote attackers to
conduct data-smuggling attacks by using a long byte sequence for an
encoding, as demonstrated by the SEC_QuickDERDecodeItem function’s
improper handling of an arbitrary-length encoding of 0x00.

This update also adds support for the TLS Fallback Signaling Cipher
Suite Value (TLS_FALLBACK_SCSV) in NSS, which can be used to prevent
protocol downgrade attacks against applications which re-connect using a
lower SSL/TLS protocol version when the initial connection indicating
the highest supported protocol version fails. This can prevent a
forceful downgrade of the communication to SSL 3.0, mitigating
CVE-2014-3566, also known as POODLE. SSL 3.0 support has also been
disabled by default in this Firefox and Thunderbird update, further
mitigating POODLE.

OSVersionArchitecturePackageVersionFilename
anyanyanynss< 3.17.3-1UNKNOWN

Related

nessus 45
securityvulns 2
fedora 19
exploitpack 1
zdt 1
veracode 2
cve 2
exploitdb 1
openvas 18
ubuntu 1
debian 4
debiancve 1
prion 1
osv 2
ubuntucve 1
ibm 84
suse 1
redhat 2
cisco 1
centos 1
seebug 1
hackerone 1
citrix 1
f5 1
amazon 1
cert 1
checkpoint_advisories 1
arista 1
virtuozzo 1
nessus
nessus
Mandriva Linux Security Advisory : nss (MDVSA-2014:252)
2014-12-16 00:00:00
Oracle iPlanet Web Server 6.1.x < 6.1.21 / 7.0.x < 7.0.22 NSS Signature Handling Remote Code Injection
2015-07-23 00:00:00
Ubuntu 14.04 LTS : NSS vulnerability (USN-2452-1)
2015-01-08 00:00:00
securityvulns
securityvulns
Mozilla nss information leakage
2014-12-22 00:00:00
[ MDVSA-2014:252 ] nss
2014-12-22 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: nss-3.17.3-2.fc21
2014-12-25 05:35:12
[SECURITY] Fedora 22 Update: fossil-1.33-1.fc22
2015-10-15 03:51:23
[SECURITY] Fedora 21 Update: subscription-manager-1.13.6-1.fc21
2014-11-10 06:34:40
exploitpack
exploitpack
MatrixSSL 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates
2019-02-20 00:00:00
zdt
zdt
MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates Vulnerability
2019-02-20 00:00:00
veracode
veracode
HTTP Request Smuggling
2019-01-15 09:03:35
Information Disclosure
2017-02-07 00:05:45
cve
cve
CVE-2014-1569
2014-12-15 18:59:00
CVE-2014-3566
2014-10-15 00:55:00
exploitdb
exploitdb
MatrixSSL &lt; 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates
2019-02-20 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-3186-1)
2015-03-12 00:00:00
Debian Security Advisory DSA 3186-1 (nss - security update)
2015-03-13 00:00:00
Ubuntu: Security Advisory (USN-2452-1)
2015-01-23 00:00:00
ubuntu
ubuntu
NSS vulnerability
2015-01-07 00:00:00
debian
debian
[SECURITY] [DSA 3186-1] nss security update
2015-03-13 08:15:52
[SECURITY] [DSA 3186-1] nss security update
2015-03-13 08:15:52
[SECURITY] [DSA 3489-1] lighttpd security update
2016-02-23 18:26:27
debiancve
debiancve
CVE-2014-1569
2014-12-15 18:59:00
prion
prion
Design/Logic Flaw
2014-12-15 18:59:00
osv
osv
nss - security update
2015-03-13 00:00:00
lighttpd - security update
2015-07-25 00:00:00
ubuntucve
ubuntucve
CVE-2014-1569
2014-12-15 00:00:00
ibm
ibm
Security Bulletin: Vulnerability in SSLv3 affects IBM Integration Designer and WebSphere Integration Developer (CVE-2014-3566)
2018-06-15 07:02:06
Security Bulletin: Vulnerability in SSLv3 affects IBM Rational ClearQuest (CVE-2014-3566)
2018-09-29 18:04:03
Security Bulletin: Vulnerability in SSLv3 affects Host Access Transformation Services (CVE-2014-3566)
2018-08-03 04:23:43
suse
suse
Security update for suseRegister (important)
2015-01-05 21:04:43
redhat
redhat
(RHSA-2014:1653) Moderate: openssl security update
2014-10-16 00:00:00
(RHSA-2015:1546) Important: node.js security update
2015-08-04 00:00:00
cisco
cisco
SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
2014-10-15 18:30:00
centos
centos
openssl security update
2014-10-16 15:21:39
seebug
seebug
SSL 3.0 POODLE(CVE-2014-3566)
2017-02-17 00:00:00
hackerone
hackerone
New Relic: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
2017-03-26 19:08:23
citrix
citrix
CVE-2014-3566 - Citrix Security Advisory for SSLv3 Protocol Flaw
2014-10-14 04:00:00
f5
f5
K15702 : SSLv3 vulnerability CVE-2014-3566
2015-09-18 00:00:00
amazon
amazon
Important: openssl
2014-10-14 22:32:00
cert
cert
POODLE vulnerability in SSL 3.0
2014-10-17 00:00:00
checkpoint_advisories
checkpoint_advisories
Secure Socket Layer (SSL) Version 3.0 (CVE-2014-3566)
2014-10-15 00:00:00
arista
arista
Security Advisory 0007
2014-10-20 00:00:00
virtuozzo
virtuozzo
Important product update: Virtuozzo PowerPanel RTM Hotfix 3 (7.0.1-415)
2017-09-20 00:00:00

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

JSON
Related for ASA-201412-18
nessus45securityvulns2fedora19exploitpack1zdt1veracode2cve2exploitdb1openvas18ubuntu1debian4debiancve1prion1osv2ubuntucve1ibm84suse1redhat2cisco1centos1seebug1hackerone1citrix1f51amazon1cert1checkpoint_advisories1arista1virtuozzo1