[Git][security-tracker-team/security-tracker][master] CVE-2019-11727/CVE-2019-17023: Same applies as for jessie

Adrian Bunk bunk at debian.org
Mon Jul 27 19:31:17 BST 2020



Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c211f8ed by Adrian Bunk at 2020-07-27T21:29:33+03:00
CVE-2019-11727/CVE-2019-17023: Same applies as for jessie

nss 3.26.2 in stretch does not contain more TLS 1.3 support
than nss 3.26 in jessie.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -47719,6 +47719,7 @@ CVE-2019-17023 (After a HelloRetryRequest has been sent, the client may negotiat
 	{DSA-4726-1}
 	- firefox 72.0-1
 	- nss 2:3.49-1
+	[stretch] - nss <not-affected> (Vulnerable code was introduced later)
 	[jessie] - nss <not-affected> (Vulnerable code was introduced later)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17023
 	NOTE: https://hg.mozilla.org/projects/nss/rev/d64102b76a437f24d98a20480dcc9f1655143e7c
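Review bot: The added `[stretch] - nss <not-affected> (Vulnerable code was introduced later)` line does not say which nss version or upstream change introduced the vulnerable code, so the claim can only be checked by reading the commit message's comparison of 3.26.2 in stretch with 3.26 in jessie. Consider adding a NOTE line under this entry that names the introducing version or revision, so the not-affected status for both stretch and jessie is verifiable from the tracker data itself.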
@@ -64928,7 +64929,7 @@ CVE-2019-11727 (A vulnerability exists where it possible to force Network Securi
 	- firefox 68.0-1 (unimportant)
 	- nss 2:3.45-1
 	[buster] - nss 2:3.42.1-1+deb10u1
-	[stretch] - nss <no-dsa> (Minor issue)
+	[stretch] - nss <ignored> (Issue is specific to TLS 1.3 and support was not really complete in 3.26; code has diverged significantly since and applying the fix would be very disruptive)
 	[jessie] - nss <ignored> (Issue is specific to TLS 1.3 and support was not really complete in 3.26; code has diverged significantly since and applying the fix would be very disruptive)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727
 	NOTE: https://hg.mozilla.org/projects/nss/rev/0a4e8b72a92e144663c2f35d3836f7828cfc97f2
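Review bot: The new `[stretch]` reason text is copied verbatim from the `[jessie]` line and refers to "support was not really complete in 3.26", while the commit message states that stretch ships nss 3.26.2. Consider wording the stretch line with 3.26.2 (or 3.26.x) so the justification matches the version in that release. Separately, this moves stretch from `<no-dsa> (Minor issue)` to `<ignored>`, and the one-line justification in the commit message would be worth recording as a NOTE on the entry, since the reason for the status change is otherwise only visible in the commit log.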



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c211f8ed4a2ce718512c4d4f1c45ba64a7da04af
