NSS updated on Rawhide to NSS_3_13_RC0 (CVE-2011-3389)

Elio Maldonado emaldona at redhat.com
Mon Oct 10 16:42:34 UTC 2011 

Updated NSS in Rawhide to the upstream's NSS_3_13_RC0 and with it NSPR to NSPR_4.9_BETA3. 

The bug fixes in NSPR 4.9 BETA3 and NSS 3.18 RC0 can be found by these Bugzilla queries: 

For nspr: 
https://bugzilla.mozilla.org/buglist.cgi?order=Importance&resolution=FIXED&classification=Components&query_format=advanced&product=NSPR&target_milestone=4.9&list_id=1467991 

and for nss: 
https://bugzilla.mozilla.org/buglist.cgi?order=Importance&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.13&list_id=1468013 

Of particular importance is the fix for (CVE-2011-3389) 
Rizzo/Duong chosen plaintext attack (BEAST) on SSL/TLS 1.0 (facilitated by websockets -76) 
https://bugzilla.mozilla.org/show_bug.cgi?id=665814 

To quote from the ssl patch itself: 
------ 
For SSL 3.0 and TLS 1.0, by default we prevent chosen plaintext attacks 
on SSL CBC mode cipher suites (see RFC 4346 Section F.3) by splitting 
non-empty application_data records into two records; the first record has 
only the first byte of plaintext, and the second has the rest. 

This only prevents the attack in the sending direction; the connection may 
still be vulnerable to such attacks if the peer does not implement a similar 
countermeasure. 

This protection mechanism is on by default; the default can be overridden by 
setting NSS_SSL_CBC_RANDOM_IV=0 in the environment prior to execution, 
and/or by the application setting the option SSL_CBC_RANDOM_IV to PR_FALSE. 

The per-record IV in TLS 1.1 and later adds one block of overhead per 
record, whereas this hack will add at least two blocks of overhead per 
record, so TLS 1.1+ will always be more efficient. 

Other implementations (e.g. some versions of OpenSSL, in some 
configurations) prevent the same attack by prepending an empty 
application_data record to every application_data record they send; we do 
not do that because some implementations cannot handle empty 
application_data records. Also, we only split application_data records and 
not other types of records, because some implementations will not accept 
fragmented records of some other types (e.g. some versions of NSS do not 
accept fragmented alerts). 
------ 

The NSS team would greatly appreciate any feedback, specially regarding 
compatiblity issues with various sites. 

Thank you, 

Elio Maldonado 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/devel/attachments/20111010/39edba74/attachment.html

More information about the devel mailing list