You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2013-103

Mozilla Foundation Security Advisory 2013-103

Title: Miscellaneous Network Security Services (NSS) vulnerabilities
Impact: Critical
Announced: November 15, 2013
Products: Firefox, Thunderbird, Seamonkey

Fixed in: Firefox 25.0.1
  Firefox ESR 24.1.1
  Firefox ESR 17.0.11
  Thunderbird 24.1.1
  Thunderbird ESR 17.0.11
  Seamonkey 2.22.1

Description

Mozilla has updated the version of Network Security Services (NSS) library used in Mozilla projects to NSS 3.15.3 with the exception of ESR17-based releases, which have been updated to NSS 3.14.5. This addresses several moderate to critical rated networking security issues.

Google developer Andrew Tinits reported a potentially exploitable buffer overflow that was fixed in both NSS 3.15.3 and NSS 3.14.5.

Mozilla developer Camilo Viecco discovered that if the verifylog feature was used when validating certificates then certificates with incompatible key usage constraints were not rejected. This did not directly affect Firefox but might affect other software using the NSS library

Google security researcher Tavis Ormandy reported a runaway memset in certificate parsing on 64-bit computers leading to a crash by attempting to write 4Gb of nulls.

Pascal Cuoq, RedHat developer Kamil Dudka, and Google developer Wan-Teh Chang found equivalent Netscape Portable Runtime (NSPR) library code suffered the same integer truncation.

NSS lowered the priority of RC4 in cipher suite advertisement so that more secure ciphers instead of RC4 are likely to be chosen by the server. This can help address the problem described by Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt in their paper "On the Security of RC4 in TLS."