Bug#862958: nss: CVE-2017-5461 CVE-2017-5462

Raphael Hertzog hertzog at debian.org
Fri May 19 10:44:59 UTC 2017


Source: nss
Version: 2:3.26-1
X-Debbugs-CC: team at security.debian.org secure-testing-team at lists.alioth.debian.org
Severity: important
Tags: security patch upstream
Control: fixed -1 2:3.30-1

Hi,

the following vulnerabilities were published for nss.

CVE-2017-5461[0]:
| Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through
| 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1
| allows remote attackers to cause a denial of service (out-of-bounds
| write) or possibly have unspecified other impact by leveraging
| incorrect base64 operations.

CVE-2017-5462[1]:
| A flaw in DRBG number generation within the Network Security Services
| (NSS) library where the internal state V does not correctly carry bits
| over. The NSS library has been updated to fix this issue to address this
| issue and Firefox 53 has been updated with NSS version 3.29.5.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5461
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5461
[1] https://security-tracker.debian.org/tracker/CVE-2017-5462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5462

Please adjust the affected versions in the BTS as needed.

While those issues are fixed in experimental, they still need to be fixed
in unstable and stretch.

I'm attaching the patches I prepared/backported as part of my LTS work.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2017-5461.patch
Type: text/x-diff
Size: 5212 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20170519/74862cb6/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2017-5462.patch
Type: text/x-diff
Size: 3708 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20170519/74862cb6/attachment-0001.patch>
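As an added illustration that is not part of this report or of NSS's own code: in Hash_DRBG (SP 800-90A) the state V is a seedlen-bit big-endian integer and every update is an addition mod 2^seedlen, so a carry out of one byte has to ripple into the next. The constructed `add_be` propagates the carry through all bytes, `add_be_dropped_carry` is a hypothetical defect of the kind the CVE-2017-5462 description refers to (not the actual NSS bug), and `carry_check` shows the two states diverging.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hash_DRBG (SP 800-90A) keeps V as a seedlen-bit big-endian integer:
 * 440 bits (55 bytes) for SHA-256.  Every update is an addition mod
 * 2^seedlen, so a carry must ripple through all 55 bytes. */
#define SEEDLEN_BYTES 55

/* v += a (mod 2^(8*vlen)); both big-endian, alen <= vlen.
 * The carry is carried over into every higher byte of v. */
static void add_be(uint8_t *v, size_t vlen, const uint8_t *a, size_t alen)
{
    unsigned carry = 0;
    for (size_t i = 0; i < vlen; i++) {
        unsigned ab = (i < alen) ? a[alen - 1 - i] : 0;  /* 0 beyond the addend */
        unsigned s = v[vlen - 1 - i] + ab + carry;
        v[vlen - 1 - i] = (uint8_t)s;
        carry = s >> 8;
    }
}

/* Hypothetical defect (constructed for illustration, not NSS's code): the
 * loop stops with the addend, so a carry out of its top byte never reaches
 * the remaining, more significant bytes of v. */
static void add_be_dropped_carry(uint8_t *v, size_t vlen, const uint8_t *a, size_t alen)
{
    unsigned carry = 0;
    for (size_t i = 0; i < alen; i++) {  /* should run to vlen, not alen */
        unsigned s = v[vlen - 1 - i] + a[alen - 1 - i] + carry;
        v[vlen - 1 - i] = (uint8_t)s;
        carry = s >> 8;
    }
}

/* Returns 1 when the carry-propagating add takes V = 0x00..00FF to
 * 0x00..0100 while the dropped-carry add leaves 0x00..0000 (states diverge). */
static int carry_check(void)
{
    uint8_t ok[SEEDLEN_BYTES], bad[SEEDLEN_BYTES], one[1] = { 0x01 };
    memset(ok, 0, sizeof ok);
    ok[SEEDLEN_BYTES - 1] = 0xFF;            /* low byte sits at the carry boundary */
    memcpy(bad, ok, sizeof bad);
    add_be(ok, SEEDLEN_BYTES, one, 1);       /* -> ...01 00 */
    add_be_dropped_carry(bad, SEEDLEN_BYTES, one, 1);  /* -> ...00 00, carry lost */
    return ok[SEEDLEN_BYTES - 2] == 0x01 && ok[SEEDLEN_BYTES - 1] == 0x00
        && bad[SEEDLEN_BYTES - 2] == 0x00 && bad[SEEDLEN_BYTES - 1] == 0x00;
}
```

The same `add_be` routine serves both the `V + 1` step inside Hashgen and the larger `V + H + C + reseed_counter` update, since the addend may be any length up to seedlen.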