6 matches found
Vulnerability in OpenSSL - RSA silently downgrades to EXPORT_RSA [Client]
An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session. Found by Karthikeyan Bhargavan of the PROSECCO team at INRIA...
Vulnerability in OpenSSL - ECDHE silently downgrades to ECDH [Client]
An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. This effectively removes forward secrecy from the ciphersuite. Found by Karthikeyan Bhargavan of the PROSECCO team at INRIA...
chromium -- RSA signature malleability in NSS
Google Chrome Releases reports: [414124] RSA signature malleability in NSS (CVE-2014-1568). Thanks to Antoine Delignat-Lavaud of Prosecco/INRIA, Brian Smith and Advanced Threat Research team at Intel Security...
Stable Channel Update
The stable channel has been updated to 37.0.2062.124 for Windows and Mac. This build contains a security change: [414124] RSA signature malleability in NSS (CVE-2014-1568). Thanks to Antoine Delignat-Lavaud of Prosecco/INRIA, Brian Smith and Advanced Threat Research team at Intel Security. Interested ...
RSA Signature Forgery in NSS — Mozilla
Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is...
NSS ticket handling issues — Mozilla
Mozilla developer Brian Smith and security researchers Antoine Delignat-Lavaud and Karthikeyan Bhargavan of the Prosecco research team at INRIA Paris reported issues with ticket handling in the Network Security Services (NSS) libraries. These have been addressed in the NSS 3.15.4 release, shipping ...