Mozilla NSS SSLv2 Remote Code Execution Vulnerability (CVE-2007-0008/0009) Advisory

Vulnerability Key Information Vulnerability Name: Mozilla Network Security Service: Remote execution of arbitrary code GLSA ID: 200703-22 Release Date: March 20, 2007 Last Revised: March 20, 2007 Affected Package: dev-libs/nss - Affected Versions: = 3.11.5 Severity: normal Exploitability: remote Background Mozilla Network Security Service is a library that implements security features such as SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, and X.509 certificates. Description IDefense reported two potential buffer overflow vulnerabilities discovered by researcher "regenrecht" in the code implementing the SSLv2 protocol. Impact A remote attacker can send a specially crafted SSL master key to an SSLv2 server using NSS, or entice users of NSS-based client applications (such as Mozilla products) to connect to a malicious server. This can trigger the vulnerability and result in the execution of arbitrary code with the privileges of the vulnerable application. Solution All NSS users should upgrade to the latest version: References CVE-2007-0008 CVE-2007-0009 Bugzilla Entry 165555

Goal Reached Thanks to every supporter — we hit 100%!

Mozilla NSS SSLv2 Remote Code Execution Vulnerability (CVE-2007-0008/0009) Advisory