CVE-2013-1740

Publication date 18 January 2014

Last updated 24 July 2024

Ubuntu priority

The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS False Start feature is enabled, allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary X.509 certificate during certain handshake traffic.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nss	13.10 saucy	Fixed 2:3.15.4-0ubuntu0.13.10.1
	13.04 raring	Ignored end of life
	12.10 quantal	Fixed 3.15.4-0ubuntu0.12.10.1
	12.04 LTS precise	Fixed 3.15.4-0ubuntu0.12.04.1
	10.04 LTS lucid	Fixed 3.15.4-0ubuntu0.10.04.1

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2088-1
NSS vulnerability
23 January 2014

Other references

https://developer.mozilla.org/docs/NSS/NSS_3.15.4_release_notes
https://bugzilla.redhat.com/show_bug.cgi?id=1053725
https://bugzilla.mozilla.org/show_bug.cgi?id=919877
https://bugs.gentoo.org/show_bug.cgi?id=498172
http://xforce.iss.net/xforce/xfdb/90394
https://www.cve.org/CVERecord?id=CVE-2013-1740