CVE-2014-1492

Description

The cert_TestHostName function in lib/certdb/certdb.c in the certificate-checking implementation in Mozilla Network Security Services (NSS) before 3.16 accepts a wildcard character that is embedded in an internationalized domain name's U-label, which might allow man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

How to fix CVE-2014-1492

To remediate CVE-2014-1492, upgrade the affected package to a fixed version below.

• Debian/nss—upgrade to 2:3.16-1 or later

Is CVE-2014-1492 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2:3.16-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-1492