nss: CVE-2017-5461 CVE-2017-5462

Related Vulnerabilities: CVE-2017-5461, CVE-2017-5462, CVE-2017-7502

Debian Bug report logs - #862958
nss: CVE-2017-5461 CVE-2017-5462


Reported by: Raphael Hertzog <hertzog@debian.org>

Date: Fri, 19 May 2017 10:48:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version nss/2:3.26-1

Fixed in versions nss/2:3.30-1, nss/2:3.26-1+debu8u2, nss/2:3.26.2-1.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#862958; Package src:nss. (Fri, 19 May 2017 10:48:04 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Fri, 19 May 2017 10:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: submit@bugs.debian.org
Subject: nss: CVE-2017-5461 CVE-2017-5462
Date: Fri, 19 May 2017 12:44:59 +0200
Source: nss
Version: 2:3.26-1
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: important
Tags: security patch upstream
Control: fixed -1 2:3.30-1

Hi,

the following vulnerabilities were published for nss.

CVE-2017-5461[0]:
| Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through
| 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1
| allows remote attackers to cause a denial of service (out-of-bounds
| write) or possibly have unspecified other impact by leveraging
| incorrect base64 operations.

CVE-2017-5462[1]:
| A flaw in DRBG number generation within the Network Security Services
| (NSS) library where the internal state V does not correctly carry bits
| over. The NSS library has been updated to fix this issue to address this
| issue and Firefox 53 has been updated with NSS version 3.29.5.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5461
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5461
[1] https://security-tracker.debian.org/tracker/CVE-2017-5462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5462

Please adjust the affected versions in the BTS as needed.

While those issues are fixed in experimental, they still need to be fixed
in unstable and stretch.

I'm attaching the patches I prepared/backported as part of my LTS work.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
[CVE-2017-5461.patch (text/x-diff, attachment)]
[CVE-2017-5462.patch (text/x-diff, attachment)]

Marked as fixed in versions nss/2:3.30-1. Request was from Raphael Hertzog <hertzog@debian.org> to submit@bugs.debian.org. (Fri, 19 May 2017 10:48:04 GMT)


Marked as fixed in versions nss/2:3.26-1+debu8u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 02 Jun 2017 04:21:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#862958; Package src:nss. (Fri, 02 Jun 2017 16:12:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Fri, 02 Jun 2017 16:12:03 GMT)


Message #14 received at 862958@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 862958@bugs.debian.org, 863839@bugs.debian.org
Cc: Mike Hommey <glandium@debian.org>
Subject: NMU for nss fixing CVE-2017-5461, CVE-2017-5462 and CVE-2017-7502
Date: Fri, 2 Jun 2017 18:08:25 +0200
Control: tags 862958 + patch
Control: tags 863839 + patch

Hi

prepared an NMU for src:nss fixing CVE-2017-5461, CVE-2017-5462 and
CVE-2017-7502. But I still want to double check the patches with the
ones done by Moritz Muehlenhoff in the last DSA. Will afterwards
upload to a delayed queue to make it in time for stretch if that's
fine with you.

Regards,
Salvatore
[nss_3.26.2-1.1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#862958; Package src:nss. (Fri, 02 Jun 2017 19:12:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Fri, 02 Jun 2017 19:12:04 GMT)


Message #19 received at 862958@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 862958@bugs.debian.org, 863839@bugs.debian.org
Subject: nss: diff for NMU version 2:3.26.2-1.1
Date: Fri, 2 Jun 2017 21:09:40 +0200
Control: tags 862958 + pending
Control: tags 863839 + pending
# make RC severity due to otherwise regression from jessie
Control: severity 862958 serious
Control: severity 863839 serious

Dear maintainer,

I've prepared an NMU for nss (versioned as 2:3.26.2-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[nss-3.26.2-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 862958-submit@bugs.debian.org. (Fri, 02 Jun 2017 19:12:04 GMT)


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 04 Jun 2017 19:36:03 GMT)


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Sun, 04 Jun 2017 19:36:03 GMT)


Message #26 received at 862958-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 862958-close@bugs.debian.org
Subject: Bug#862958: fixed in nss 2:3.26.2-1.1
Date: Sun, 04 Jun 2017 19:33:37 +0000
Source: nss
Source-Version: 2:3.26.2-1.1

We believe that the bug you reported is fixed in the latest version of
nss, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862958@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated nss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 01 Jun 2017 06:57:51 +0200
Source: nss
Binary: libnss3 libnss3-tools libnss3-dev libnss3-dbg
Architecture: source
Version: 2:3.26.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 862958 863839
Description: 
 libnss3    - Network Security Service libraries
 libnss3-dbg - Debugging symbols for the Network Security Service libraries
 libnss3-dev - Development files for the Network Security Service libraries
 libnss3-tools - Network Security Service tools
Changes:
 nss (2:3.26.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2017-5461: Out-of-bounds write in Base64 encoding (Closes: #862958)
   * CVE-2017-5462: DRBG flaw (Closes: #862958)
   * CVE-2017-7502: Null pointer dereference when handling empty SSLv2 messages
     (Closes: #863839)
Checksums-Sha1: 
 81e8094d265877f2f07c314b50787986dcdd4d69 2400 nss_3.26.2-1.1.dsc
 bd77bcde17c68b35e19e45ae3003cbdb68d7b4d0 29880 nss_3.26.2-1.1.debian.tar.xz
Checksums-Sha256: 
 78788486311be767ca54f5b72dfd2948db13d659a836d12f157d89aa09bd3043 2400 nss_3.26.2-1.1.dsc
 64ac3a3361bde8f63659b648b32fd8c13a5d8bd2fb924588392168641cbbece9 29880 nss_3.26.2-1.1.debian.tar.xz
Files: 
 2ebf367449a171e48497ff4e00eda2d9 2400 libs optional nss_3.26.2-1.1.dsc
 63493eef5caaf06f1c537ccf2e22e927 29880 libs optional nss_3.26.2-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Jul 2017 07:26:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:23:52 2019; Machine Name: beach
