Mandriva Linux Security Advisory 2011-162 - KDE KSSL in kdelibs does not properly handle a NUL character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. An input sanitization flaw was found in the KSSL API. An attacker could supply a specially-crafted SSL certificate to an application using KSSL, such as the Konqueror web browser, causing misleading information to be presented to the user, possibly tricking them into accepting the certificate as valid. The updated packages have been patched to correct these issues.
0b381d0e6a6306be9feffb69a83c5e196277a065e827c68c9a869e6303be4f3d
Debian Linux Security Advisory 2025-1 - Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client.
5ccd1a2ad93d249d46e731464cdcc802a972eeda3800afed3825af7057dffa07
VMware Security Advisory - Service console packages for Network Security Services (NSS) and Netscape Portable Runtime (NSPR) are updated to versions nss-3.12.3.99.3-1.2157 and nspr-4.7.6-1.2213 respectively. This patch fixes several security issues in the service console packages for NSS and NSPR.
750bfc5b2e28a67af487861fbcc96e099b1881a6cbe999078d4626cf32cfde37
Mandriva Linux Security Advisory 2009-197 - Security issues in NSS prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate and MD2 algorithm flaws, and also cause a denial of service and possible code execution via a long domain name in an X.509 certificate. This update provides the latest versions of the NSS and NSPR libraries, which are not vulnerable to those attacks. Packages for 2008.0 are being provided due to extended support for Corporate products.
ecd423cda5abf43a8f153f67b66965b14d04a924ca31a32378cc5c2e7e74b029
Mandriva Linux Security Advisory 2009-217 - A number of security vulnerabilities have been discovered in Mozilla Thunderbird. Security issues in Thunderbird could lead to a man-in-the-middle attack via a spoofed X.509 certificate. A vulnerability was found in xmltok_impl.c (expat) that could be exploited with specially crafted XML and lead to a denial of service attack. Related to CVE-2009-2625. This update provides the latest version of Thunderbird, which is not vulnerable to these issues. Packages for 2008.0 are being provided due to extended support for Corporate products.
042df619289149414468593fc222a4e12bebd8929de0148ed365c11a1e535552
Mandriva Linux Security Advisory 2009-288 - The mod_tls module in proftpd < 1.3.2b is vulnerable to a security issue similar to CVE-2009-2408. This update fixes this vulnerability.
0e8d72525416ecf43373f296880c86846c238d5af213c156135bba25e17696f4
Mandriva Linux Security Advisory 2009-217-2 - A number of security vulnerabilities have been discovered in Mozilla Thunderbird. The previous mozilla-thunderbird-moztraybiff packages had the wrong release, which prevented them from being upgraded. The new packages address this problem.
5d153e895d2c4dc83174535c48a54a3e25b1eb3bc4bd5b2021de6a9d2f438c6e
Mandriva Linux Security Advisory 2009-217 - A number of security vulnerabilities have been discovered in Mozilla Thunderbird.
23af80c1b7971740b54732c05fcee9a0e68f26cda0ac036694fe85e3e7b41042
Mandriva Linux Security Advisory 2009-197-2 - Security issues in NSS prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate and MD2 algorithm flaws, and also cause a denial of service and possible code execution via a long domain name in an X.509 certificate. This update provides the latest versions of the NSS and NSPR libraries, which are not vulnerable to those attacks. This update also provides fixed packages for Mandriva Linux 2008.1 and fixes mozilla-thunderbird error messages.
394905da2291d3fb11814cfdd3fb15394407e4aae6c16a48e8e81df3b42b194f
Debian Security Advisory 1874-1 - Several vulnerabilities have been discovered in the Network Security Service libraries.
c3c145e663c0e41608a4517f6698e23ceea9427cb81c0b2b53641a715105c451
Mandriva Linux Security Advisory 2009-217 - A number of security vulnerabilities have been discovered in Mozilla Thunderbird. Security issues in Thunderbird could lead to a man-in-the-middle attack via a spoofed X.509 certificate. A vulnerability was found in xmltok_impl.c (expat) that could be exploited with specially crafted XML and lead to a denial of service attack.
9d01bf4018ef272796f802e7b69bf36d94eabb3f0d7d7fb3c6e573ebfc24366a
Mandriva Linux Security Advisory 2009-216 - A number of security vulnerabilities have been discovered in the NSS and NSPR libraries and in Mozilla Thunderbird.
e8e619c27abfa1ea866f6d756a974aa55669f6f2b6b85c33173163bb95017751
Mandriva Linux Security Advisory 2009-198 - Security researcher Juan Pablo Lopez Yacubian reported that an attacker could call window.open() on an invalid URL which looks similar to a legitimate URL and then use document.write() to place content within the new document, appearing to have come from the spoofed location. Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server, such as sensitive bank account transactions. This update provides the latest Mozilla Firefox 3.0.x to correct these issues. Additionally, some packages that require it have been rebuilt and are being provided as updates.
75f839274f8e82729d0a4c1aca579dbfb860f6c2f1f69f8353c4f57860a78bd7
Mandriva Linux Security Advisory 2009-197 - Security issues in NSS prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate and MD2 algorithm flaws, and also cause a denial of service and possible code execution via a long domain name in an X.509 certificate. This update provides the latest versions of the NSS and NSPR libraries, which are not vulnerable to those attacks.
bd0fc6956d963e958bc33f7098949780b68da008df3fe89a2bb4d9f2af528903
Ubuntu Security Notice USN-810-1 - Moxie Marlinspike discovered that NSS did not properly handle regular expressions in certificate names. A remote attacker could create a specially crafted certificate to cause a denial of service (via application crash) or execute arbitrary code as the user invoking the program. Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications. Dan Kaminsky discovered that NSS would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site.
551f75cb720ebd7eaa1e942d3bd0085543b035e372926a826f94e7e0b94f1eb5