Mozilla Security Advisory 2017-10 sailfish nss vulnerable CVE-2017-5461 CVE-2017-5462 (critical remote)

Tracked by Jolla

asked 2017-10-04 16:35:56 +0200

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2018-11-01 00:39:36 +0200

lpr gravatar image

Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations. CVE-2017-5461
CVSS v3 Base Score: 9.8 / 10 critical remote
DRBG flaw in NSS CVE-2017-5462
A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox 53 has been updated with NSS version 3.29.5.

SFOS uses NSS 3.20.1 currently. JB#36810 and JB#36180

edit 20171024: still no update to 3.21 in SFOS 2.1.3.5
edit 20180827: still no update to 3.34 in SFOS 2.2.0.29
edit 20180904: still no update from 3.20 to 3.34 in SFOS 2.2.1
edit 20181031: still no update (still 3.20) in SFOS3.0 ... come on!

edit retag flag offensive close delete

Comments

We are working on this, however, the fix will not yet be in 2.1.3.7.

jovirkku ( 2017-10-26 09:55:58 +0200 )edit
2

yes indeed, and not in 2.2.1.18

lpr ( 2018-09-04 18:08:18 +0200 )edit
2

and not in SFOS3.0!

lpr ( 2018-11-01 00:40:30 +0200 )edit