[Secure-testing-commits] r47113 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Thu Dec 15 18:55:32 UTC 2016


Author: carnil
Date: 2016-12-15 18:55:32 +0000 (Thu, 15 Dec 2016)
New Revision: 47113

Modified:
   data/CVE/list
Log:
Triaged CVE-2016-9574/nss

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-12-15 18:26:10 UTC (rev 47112)
+++ data/CVE/list	2016-12-15 18:55:32 UTC (rev 47113)
@@ -7973,17 +7973,13 @@
 	RESERVED
 	- freeipa <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1395311
-CVE-2016-9574 [Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable]
+CVE-2016-9574 [Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA]
 	RESERVED
-	- nss <unfixed>
+	- nss 2:3.25-1
 	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1320695
-	NOTE: The issue persists (although without segfault) up to 3.27. Using SessionTicket extension along
-	NOTE: with any ECDHE-ECDSA ciphersuite renders unusable any subsequent connection to selfserv.
-	NOTE: Proposed patch (not yet) finalized in upstream bug 1320695.
-	NOTE: Scope of the CVE is not yet clear. It is not clear if the CVE is for the whole mentioned
-	NOTE: issue or just for the segfault part. If it is for the segfault part we still need
-	NOTE: to pingpoint the version fixing the issue, which should be somewhere before 3.26
-	NOTE: upstream version.
+	NOTE: The CVE is specific to the segfault resulting from the reproducing steps
+	NOTE: as per buzilla entry, and https://bugzilla.redhat.com/show_bug.cgi?id=1397482
+	NOTE: https://hg.mozilla.org/projects/nss/rev/7385cd821735
 CVE-2016-9573
 	RESERVED
 	- openjpeg2 <unfixed>
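Review bot: the two added lines carry spelling mistakes that will be reproduced verbatim in the tracker: the new title line says "extention" where "extension" is meant, and the first new NOTE line says "as per buzilla entry" where "bugzilla" is meant; since this text is what the public tracker renders for CVE-2016-9574, it is worth fixing in a follow-up commit. The replacement notes also drop the reasoning that the removed lines recorded ("we still need to pingpoint the version fixing the issue, which should be somewhere before 3.26"), and nothing in the remaining NOTE lines says why `nss 2:3.25-1` is the fixed version other than the bare hg revision link; a short NOTE stating which upstream NSS release contains https://hg.mozilla.org/projects/nss/rev/7385cd821735 would make the fixed-version claim checkable without re-reading the Bugzilla entries. Finally, the old notes distinguished the segfault from the broader "subsequent connections unusable" behaviour that persists up to 3.27; now that the CVE is scoped to the segfault only, a NOTE saying the remaining non-crash behaviour is tracked separately (or intentionally not tracked) would prevent the narrower scope from being read as the whole issue being fixed in 3.25.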
