Mozilla Security Advisory 2017-10 sailfish nss vulnerable CVE-2017-5461 CVE-2017-5462 (critical remote) [released]
asked 2017-10-04 16:35:56 +0300
This post is a wiki. Anyone with karma >75 is welcome to improve it.
Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through 3.28.x before 3.28.4, 3.29.x before 3.29.5, and 3.30.x before 3.30.1 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by leveraging incorrect base64 operations. CVE-2017-5461
CVSS v3 Base Score: 9.8 / 10 critical remote
DRBG flaw in NSS CVE-2017-5462
A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox 53 has been updated with NSS version 3.29.5.
SFOS uses NSS 3.20.1 currently. JB#36810 and JB#36180
edit 20171024: still no update to 3.21 in SFOS 2.1.3.5
edit 20180827: still no update to 3.34 in SFOS 2.2.0.29
edit 20180904: still no update from 3.20 to 3.34 in SFOS 2.2.1
edit 20181031: still no update (still 3.20) in SFOS3.0 ... come on!
edit 20190127: nss 3.39 now available from http://repo.merproject.org/obs/mer:/core/latest_armv7hl/armv7hl/ hopefully part of sfos3.0.2
We are working on this, however, the fix will not yet be in 2.1.3.7.
jovirkku ( 2017-10-26 09:55:58 +0300 )edityes indeed, and not in 2.2.1.18
lpr ( 2018-09-04 18:08:18 +0300 )editand not in SFOS3.0!
lpr ( 2018-11-01 00:40:30 +0300 )editimpatient people like me can install nss-3.39 and all required packages from http://repo.merproject.org/obs/mer:/core/latest_armv7hl/armv7hl/
lpr ( 2019-01-27 19:09:43 +0300 )editDo I need to download every single package?
dirksche ( 2019-01-27 22:11:13 +0300 )edit