Mozilla Security Advisory 2017-10 sailfish nss vulnerable CVE-2017-5461 CVE-2017-5462 (critical remote) [released]

Tracked by Jolla (In release)

asked 2017-10-04 16:35:56 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2019-01-27 19:07:51 +0300

lpr gravatar image

Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations. CVE-2017-5461
CVSS v3 Base Score: 9.8 / 10 critical remote
DRBG flaw in NSS CVE-2017-5462
A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox 53 has been updated with NSS version 3.29.5.

SFOS uses NSS 3.20.1 currently. JB#36810 and JB#36180

edit 20171024: still no update to 3.21 in SFOS
edit 20180827: still no update to 3.34 in SFOS
edit 20180904: still no update from 3.20 to 3.34 in SFOS 2.2.1
edit 20181031: still no update (still 3.20) in SFOS3.0 ... come on!
edit 20190127: nss 3.39 now available from hopefully part of sfos3.0.2

edit retag flag offensive reopen delete

The question has been closed for the following reason "released in a software update" by lpr
close date 2019-03-18 22:19:05.535918


We are working on this, however, the fix will not yet be in

jovirkku ( 2017-10-26 09:55:58 +0300 )edit

yes indeed, and not in

lpr ( 2018-09-04 18:08:18 +0300 )edit

and not in SFOS3.0!

lpr ( 2018-11-01 00:40:30 +0300 )edit

impatient people like me can install nss-3.39 and all required packages from

lpr ( 2019-01-27 19:09:43 +0300 )edit

Do I need to download every single package?

dirksche ( 2019-01-27 22:11:13 +0300 )edit