Mozilla’s Network Security Services (NSS): New packages fix cryptographic weaknesses

Users of Mozilla’s Network Security Services (NSS) please be advised of a New packages fix cryptographic weaknesses that has been identified.
To view this vulnerability, possible remedies, and others please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx)

DSA 2123-1: [DSA 2123-1] New NSS packages fix cryptographic weaknesses
Several vulnerabilities have been discovered in Mozilla’s Network

Security Services (NSS) library. The Common Vulnerabilities and

Exposures project identifies the following problems:
CVE-2010-3170

NSS recognizes a wildcard IP address in the subject’s Common

Name field of an X.509 certificate, which might allow

man-in-the-middle attackers to spoof arbitrary SSL servers via

a crafted certificate issued by a legitimate Certification

Authority.
CVE-2010-3173

NSS does not properly set the minimum key length for

Diffie-Hellman Ephemeral (DHE) mode, which makes it easier for

remote attackers to defeat cryptographic protection mechanisms

via a brute-force attack.

Read more at http://www.criticalwatch.com
 

Advertisements