POC wrote:
Does the following vulnerability with ASN.1, noted in some versions of OpenSSL, also affect NSS?
http://www.cert.org/advisories/CA-2003-26.html
The NISCC TLS/SSL and S/MIME test suites uncovered several vulnerabilities in NSS. All of the vulnerabilities found during our NISCC testing have been fixed in NSS 3.9. We recommend that all NSS customers upgrade to NSS 3.9 in the next release of your product.
I'd like to add a few more comments, speaking unofficially, of course.
1. OpenSSL and NSS are separately developed software, so none of the specific vulnerabilities of one directly affect the other. However, it is possible that the two products coincidentally had vulnerabilities to similar sorts of attacks.
2. The types of vulnerabilities that were found in NSS would cause denial of service, through crashes or memory leaks. I didn't find any stack buffer overflows of the sort that allow attackers to run their own code.
3. If I'm not mistaken, NSS 3.9 *should* be a "drop in" replacement for NSS 3.7 and later, so it should be possible to simply install the NSS 3.9 shared libraries over the older ones in existing products. No need to wait for a new product release to use the new NSS. (Be sure to back up your old software and NSS databases first, though. Your mileage may vary.)
For example, I've installed NSS 3.9 DLLs into a Mozilla 1.3.1 installation and it works just fine.
-- Nelson B
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
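The bug class that ASN.1 test suites such as NISCC's exercise is malformed length fields: a decoder that trusts the declared length can read past its buffer, loop on a bogus value, or leak what it allocated on the error path. As an added illustration (this is not NSS or OpenSSL code, and it does not reproduce any specific bug from the advisory or from NSS), here is a DER tag/length reader that rejects truncated, indefinite, non-minimal and oversized lengths before a caller walks the content, plus a child-counting walker built on it. All sample byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of parsing one DER tag-length header. */
typedef struct {
    uint8_t tag;      /* single-byte tags only; high-tag-number form is rejected */
    size_t hdr_len;   /* bytes consumed by the tag and length octets */
    size_t len;       /* declared content length, already bounded by the buffer */
} der_tlv;

/* Parse a DER tag-length header at buf[0..buf_len).
 * Returns 1 on success (and guarantees hdr_len + len <= buf_len),
 * 0 on any truncated or non-DER encoding. An unchecked decoder would
 * instead carry a huge or truncated length into its next memcpy or loop. */
int der_read_tlv(const uint8_t *buf, size_t buf_len, der_tlv *out)
{
    size_t pos = 0;
    size_t len;
    if (buf == NULL || out == NULL || buf_len < 2)
        return 0;                              /* need tag + one length byte */
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)
        return 0;                              /* multi-byte tag: not handled here */
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                           /* short form */
    } else if (first == 0x80) {
        return 0;                              /* indefinite length: BER only, not DER */
    } else {
        size_t nbytes = first & 0x7f;
        if (nbytes > sizeof(size_t))
            return 0;                          /* cannot even represent the length */
        if (nbytes > buf_len - pos)
            return 0;                          /* length octets themselves are truncated */
        len = 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        /* DER requires the minimal encoding: no leading zero octet,
           and the long form only for values >= 0x80. */
        if (buf[2] == 0x00 || len < 0x80)
            return 0;
    }
    if (len > buf_len - pos)
        return 0;                              /* content would run past the buffer */
    out->tag = tag;
    out->hdr_len = pos;
    out->len = len;
    return 1;
}

/* Count the immediate children inside constructed content.
 * Returns -1 if any child header is malformed; the loop is guaranteed to
 * terminate because der_read_tlv bounds every advance by content_len. */
long der_count_children(const uint8_t *content, size_t content_len)
{
    long n = 0;
    size_t pos = 0;
    while (pos < content_len) {
        der_tlv t;
        if (!der_read_tlv(content + pos, content_len - pos, &t))
            return -1;
        pos += t.hdr_len + t.len;
        n++;
    }
    return n;
}

/* Parse an outer element and count its children.
 * Returns -2 if the outer header is rejected, otherwise the child count. */
long check_sample(const uint8_t *buf, size_t buf_len)
{
    der_tlv outer;
    if (!der_read_tlv(buf, buf_len, &outer))
        return -2;
    return der_count_children(buf + outer.hdr_len, outer.len);
}

/* Constructed inputs (not captured from any real product). */
static const uint8_t sample_ok[]        = {0x30,0x06,0x02,0x01,0x05,0x02,0x01,0x07}; /* SEQUENCE { INTEGER 5, INTEGER 7 } */
static const uint8_t sample_huge_len[]  = {0x30,0x84,0xff,0xff,0xff,0xff};           /* length 0xffffffff, no content */
static const uint8_t sample_indef[]     = {0x30,0x80,0x02,0x01,0x05,0x00,0x00};      /* indefinite length */
static const uint8_t sample_nonmin[]    = {0x30,0x81,0x05,0x02,0x01,0x05,0x02,0x01,0x07}; /* long form for 5 */
static const uint8_t sample_truncated[] = {0x30,0x04,0x02,0x01,0x05,0x02};           /* second child cut off */

int main(void)
{
    printf("ok        -> %ld\n", check_sample(sample_ok, sizeof sample_ok));
    printf("huge len  -> %ld\n", check_sample(sample_huge_len, sizeof sample_huge_len));
    printf("indefinite-> %ld\n", check_sample(sample_indef, sizeof sample_indef));
    printf("non-min   -> %ld\n", check_sample(sample_nonmin, sizeof sample_nonmin));
    printf("truncated -> %ld\n", check_sample(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

Each rejection is a point where a decoder without the check would keep going with a length it cannot satisfy; whether that ends in a crash, an over-read, or a leaked allocation depends on what the caller does next, which is exactly why fuzzed test suites reach those paths with many small variations rather than one payload.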
