CVE-2017-7502

Related Vulnerabilities: CVE-2017-7502   CVE-2017-5461   CVE-2017-5462  

Debian Bug report logs - #863839
CVE-2017-7502

Reported by: Ola Lundqvist <ola@inguza.com>

Date: Wed, 31 May 2017 20:03:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in versions 2:3.14.3-1, 2:3.14.5-1+deb7u5

Fixed in versions 2:3.26-1+debu8u2, 2:3.29-1, 2:3.26-1+debu7u4, nss/2:3.26.2-1.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#863839; Package nss. (Wed, 31 May 2017 20:03:04 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
New Bug report received and forwarded. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Wed, 31 May 2017 20:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-7502
Date: Wed, 31 May 2017 22:01:43 +0200
Package: nss
Severity: important

Hi

An important vulnerability has been found in nss.

For more information see
https://security-tracker.debian.org/tracker/CVE-2017-7502
and
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7502

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------



Marked as found in versions 2:3.14.5-1+deb7u5. Request was from Ola Lundqvist <ola@inguza.com> to control@bugs.debian.org. (Wed, 31 May 2017 20:12:03 GMT)


Marked as fixed in versions 2:3.26-1+debu7u4. Request was from Ola Lundqvist <ola@inguza.com> to control@bugs.debian.org. (Wed, 31 May 2017 20:12:04 GMT)


Marked as found in versions 2:3.14.3-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 31 May 2017 20:24:03 GMT)


Added tag(s) fixed-upstream, security, and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 31 May 2017 20:24:03 GMT)


Marked as fixed in versions 2:3.29-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 31 May 2017 20:24:04 GMT)


Marked as fixed in versions 2:3.26-1+debu8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Jun 2017 04:21:04 GMT)


Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 862958-submit@bugs.debian.org. (Fri, 02 Jun 2017 16:12:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#863839; Package nss. (Fri, 02 Jun 2017 16:12:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Fri, 02 Jun 2017 16:12:05 GMT)


Message #24 received at 863839@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 862958@bugs.debian.org, 863839@bugs.debian.org
Cc: Mike Hommey <glandium@debian.org>
Subject: NMU for nss fixing CVE-2017-5461, CVE-2017-5462 and CVE-2017-7502
Date: Fri, 2 Jun 2017 18:08:25 +0200
Control: tags 862958 + patch
Control: tags 863839 + patch

Hi

Prepared an NMU for src:nss fixing CVE-2017-5461, CVE-2017-5462 and
CVE-2017-7502. But I still want to double check the patches with the
ones done by Moritz Muehlenhoff in the last DSA. Will afterwards
upload to a delayed queue to make it in time for stretch if that's
fine with you.

Regards,
Salvatore
[nss_3.26.2-1.1.debdiff (text/plain, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 862958-submit@bugs.debian.org. (Fri, 02 Jun 2017 19:12:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#863839; Package nss. (Fri, 02 Jun 2017 19:12:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Fri, 02 Jun 2017 19:12:07 GMT)


Message #31 received at 863839@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 862958@bugs.debian.org, 863839@bugs.debian.org
Subject: nss: diff for NMU version 2:3.26.2-1.1
Date: Fri, 2 Jun 2017 21:09:40 +0200
Control: tags 862958 + pending
Control: tags 863839 + pending
# make RC severity due to otherwise regression from jessie
Control: severity 862958 serious
Control: severity 863839 serious

Dear maintainer,

I've prepared an NMU for nss (versioned as 2:3.26.2-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[nss-3.26.2-1.1-nmu.diff (text/x-diff, attachment)]

Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 04 Jun 2017 19:36:05 GMT)


Notification sent to Ola Lundqvist <ola@inguza.com>:
Bug acknowledged by developer. (Sun, 04 Jun 2017 19:36:05 GMT)


Message #36 received at 863839-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 863839-close@bugs.debian.org
Subject: Bug#863839: fixed in nss 2:3.26.2-1.1
Date: Sun, 04 Jun 2017 19:33:37 +0000
Source: nss
Source-Version: 2:3.26.2-1.1

We believe that the bug you reported is fixed in the latest version of
nss, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863839@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated nss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 01 Jun 2017 06:57:51 +0200
Source: nss
Binary: libnss3 libnss3-tools libnss3-dev libnss3-dbg
Architecture: source
Version: 2:3.26.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 862958 863839
Description: 
 libnss3    - Network Security Service libraries
 libnss3-dbg - Debugging symbols for the Network Security Service libraries
 libnss3-dev - Development files for the Network Security Service libraries
 libnss3-tools - Network Security Service tools
Changes:
 nss (2:3.26.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2017-5461: Out-of-bounds write in Base64 encoding (Closes: #862958)
   * CVE-2017-5462: DRBG flaw (Closes: #862958)
   * CVE-2017-7502: Null pointer dereference when handling empty SSLv2 messages
     (Closes: #863839)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Jul 2017 07:25:39 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:03:09 2019; Machine Name: beach
