Opened 5 years ago

Closed 5 years ago

#15284 closed defect (fixed)

NSS library out of date

Reported by: ioerror
Owned by: datallah
Milestone: 2.10.7
Component: winpidgin (gtk)
Version: 2.10.6
Keywords: security
Cc:

Description

It appears that the pidgin libnss library shipped with the Windows release is vulnerable to CVE-2012-0441 and perhaps other issues.

% strings nss3.dll|grep -i  3.1  
$Header: NSS 3.12.5.0  Feb 28 2010 18:45:37 $
@(#)NSS 3.12.5.0  Feb 28 2010 18:45:37

http://www.mozilla.org/security/announce/2012/mfsa2012-39.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0441

It may also be vulnerable to MITM à la CVE-2009-3555: http://www.mozilla.org/security/announce/2010/mfsa2010-22.html

Is Pidgin shipping NSS 3.12.5.0? It appears that 3.12.6 may be the way to not be vulnerable to the above MITM issue: https://bugzilla.mozilla.org/show_bug.cgi?id=545755

Change History (2)

comment:1 Changed 5 years ago by ioerror

It appears that these libraries are also part of the seemingly ancient libnss distribution:

freebl3.dll
nssckbi.dll
nssutil3.dll
libnspr4.dll
libplc4.dll
libplds4.dll
nssutil3.dll
nss3.dll
nssckbi.dll
smime3.dll
softokn3.dll
ssl3.dll

comment:2 Changed 5 years ago by Daniel Atallah <datallah@…>

  • Milestone set to 2.10.7
  • Resolution set to fixed
  • Status changed from new to closed

(In [ace2bba864d7]):
Update NSS to 3.13.6 and NSPR to 4.9.2 in the win32 build. Fixes #15284 Refs #15286
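
An inventory check along the lines of the `strings | grep` in the description, as an added example that is not part of the ticket or of Pidgin's code: it reads the embedded NSS version banner from each DLL and flags any below a floor. The default floor of 3.13.6 is the version the fix in comment:2 moved to; the function names and the sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

# Matches the embedded version banners quoted in the ticket, e.g.
# "$Header: NSS 3.12.5.0  Feb 28 2010 18:45:37 $" and "@(#)NSS 3.12.5.0  ..."
BANNER = re.compile(rb"(?:\$Header: |@\(#\))NSS (\d+(?:\.\d+){1,3})\s")

def parse_version(text):
    """'3.12.5.0' -> (3, 12, 5, 0); padded to four fields so 3.13.6 == 3.13.6.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def nss_versions(data):
    """Return the sorted, de-duplicated NSS version tuples found in a binary image."""
    return sorted({parse_version(m.group(1).decode("ascii"))
                   for m in BANNER.finditer(data)})

def audit(data, minimum="3.13.6"):
    """Classify one binary as 'no-banner', 'outdated' or 'ok', with versions seen."""
    found = nss_versions(data)
    if not found:
        return "no-banner", found
    # Flag the file if any embedded banner is below the floor.
    status = "outdated" if min(found) < parse_version(minimum) else "ok"
    return status, found

def audit_dir(directory, minimum="3.13.6"):
    """Audit every *.dll in a directory; returns {filename: (status, versions)}."""
    return {p.name: audit(p.read_bytes(), minimum)
            for p in sorted(Path(directory).glob("*.dll"))}

# Constructed sample: filler bytes around the two banner strings quoted in the ticket.
SAMPLE_OLD = (b"MZ\x90\x00" + b"\x00" * 16 +
              b"$Header: NSS 3.12.5.0  Feb 28 2010 18:45:37 $\x00"
              b"@(#)NSS 3.12.5.0  Feb 28 2010 18:45:37\x00")
# Constructed sample: hypothetical banner for the version the fix moved to.
SAMPLE_NEW = b"\x00\x01@(#)NSS 3.13.6  Jan 01 2000 00:00:00\x00"

if __name__ == "__main__":
    for name, blob in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", b"MZ\x00")):
        print(name, audit(blob))
```

A `no-banner` result only means the file carries no NSS version string (the NSPR DLLs in the list above would fall here); it says nothing about whether that file is current.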
