CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Antoine Delignat-Lavaud from Inria discovered an issue in the way NSS
(the Mozilla Network Security Services library) parsed ASN.1 data
used in signatures, making it vulnerable to a signature forgery attack.
An attacker could craft ASN.1 data to forge RSA certificates with a
valid certification chain to a trusted CA.
This update fixes this issue for the NSS libraries.
Note that iceweasel is also affected by CVE-2014-1568, but it has
reached end-of-life in Squeeze(-LTS) and thus has not been fixed.
For Debian 6 Squeeze, these issues have been fixed in nss version 3.12.8-1+squeeze9.
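
The class of bug described above comes from parsing the ASN.1 recovered from an RSA signature instead of comparing it with the one encoding the verifier expects. The following is an added example, not NSS code and not the actual fix: a PKCS#1 v1.5 verifier that rebuilds the expected block and compares it byte for byte. The toy key, the helper names and the sample message are constructed for the demonstration.

```python
import hashlib
import hmac

# DER prefix of the SHA-256 DigestInfo (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy key built from two Mersenne primes: demo only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def encode_em(digest_info: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo, exactly K bytes."""
    pad = K - 3 - len(digest_info)
    if pad < 8:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * pad + b"\x00" + digest_info


def sign_em(em: bytes) -> bytes:
    """Hypothetical demo signer: raw RSA private operation on a prepared block."""
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def verify_strict(message: bytes, sig: bytes) -> bool:
    """Accept only the canonical block; the recovered ASN.1 is never parsed."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K, "big")
    expected = encode_em(SHA256_PREFIX + hashlib.sha256(message).digest())
    return hmac.compare_digest(recovered, expected)


def demo() -> tuple:
    msg = b"constructed sample message"
    digest = hashlib.sha256(msg).digest()
    good = sign_em(encode_em(SHA256_PREFIX + digest))
    # Same DigestInfo content, but the outer SEQUENCE length is written in
    # BER long form (30 81 31): valid BER, not DER, so not the canonical block.
    ber = b"\x30\x81\x31" + SHA256_PREFIX[2:] + digest
    odd = sign_em(encode_em(ber))
    return verify_strict(msg, good), verify_strict(msg, odd), verify_strict(b"other", good)
```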