Bug#699888: TLS timing attack in nss (Lucky 13)
Thijs Kinkhorst
thijs at debian.org
Wed Feb 6 10:50:50 UTC 2013
Package: nss
Severity: serious
Tags: security
Hi,
Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
differences arising during MAC processing. Details of this attack can be
found at: http://www.isg.rhul.ac.uk/tls/
Upstream NSS progress is tracked at
https://bugzilla.mozilla.org/show_bug.cgi?id=822365
The generic protocol issue has been assigned CVE name CVE-2013-0169. The
specific fix for NSS is known as CVE-2013-1620. Please mention these
identifiers in the changelog.
Can you see to it that this issue is addressed in unstable and testing? And
are you available to create an update for stable-security?
Cheers,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20130206/689e3100/attachment.pgp>
More information about the pkg-mozilla-maintainers
mailing list