[Git][security-tracker-team/security-tracker][master] 2 commits: Remove nss from dla-needed.txt
Markus Koschany
apo at debian.org
Fri Feb 7 17:57:24 GMT 2020
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0f44c8cf by Markus Koschany at 2020-02-07T18:54:42+01:00
Remove nss from dla-needed.txt
- - - - -
f392457f by Markus Koschany at 2020-02-07T18:55:29+01:00
CVE-2019-17023,nss: Mark as not-affected for Jessie
The vulnerable code was introduced later. Version 3.26 of nss only contains an
experimental TLS 1.3 implementation. Not every feature has been implemented and
the HelloRetryRequest is missing. Thus the vulnerability does not apply.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -26742,6 +26742,7 @@ CVE-2019-17024 (Mozilla developers reported memory safety bugs present in Firefo
CVE-2019-17023 (After a HelloRetryRequest has been sent, the client may negotiate a lo ...)
- firefox 72.0-1
- nss 2:3.49-1
+ [jessie] - nss <not-affected> (Vulnerable code was introduced later)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17023
NOTE: https://hg.mozilla.org/projects/nss/rev/d64102b76a437f24d98a20480dcc9f1655143e7c
NOTE: https://hg.mozilla.org/projects/nss/rev/8a2bd40e7f89a796cf24a0ff7cfb67c6e69c5c78
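Review bot: The justification on the added `[jessie] - nss <not-affected>` line is too terse to audit from the tracker entry alone. "Vulnerable code was introduced later" does not say what is missing in jessie, while the commit message gives the actual reason: nss 3.26 ships only an experimental TLS 1.3 implementation with no HelloRetryRequest. Consider carrying that into the entry, either in the parenthetical or as an extra NOTE line, for example "3.26 has only experimental TLS 1.3, HelloRetryRequest not implemented". The three existing NOTE lines link the advisory and two upstream revisions, but none identifies the change or version that introduced the affected code, so a reader cannot verify "later" without redoing the analysis.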
=====================================
data/dla-needed.txt
=====================================
@@ -59,10 +59,6 @@ netty (Sylvain Beucler)
--
netty-3.9 (Sylvain Beucler)
--
-nss (Markus Koschany)
- NOTE: 20200127: Fix for CVE-2019-17023 requires more work and testing but
- NOTE: release is planned for this week.
---
opendmarc (Thorsten Alteholz)
NOTE: 20200119: still testing package, original patch does not seem to be enough, still ongoing
--
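Review bot: The removal of the `nss (Markus Koschany)` entry lands in its own commit (0f44c8cf) one minute before the commit that records the not-affected status (f392457f), and its message gives no reason. At that intermediate state the entry disappears while the deleted NOTE still describes a pending fix for CVE-2019-17023 with a release planned. Consider squashing the two commits, or putting the dla-needed.txt removal second with a message that refers to the not-affected triage. The deleted NOTE names only CVE-2019-17023, so it is also worth confirming that no other open nss issue for jessie depended on this entry before dropping it.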
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/fab4f4066da54a910f425fcdea8fe0d732d439cc...f392457f877bc69e8c3bcf3995b43f98163de888