[Git][security-tracker-team/security-tracker][master] Revert "CVE-2024-6609: bullseye: mark as fixed in nss > 3.61"

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
218a5a79 by Salvatore Bonaccorso at 2024-09-23T22:30:15+02:00
Revert "CVE-2024-6609: bullseye: mark as fixed in nss > 3.61"

This reverts commit 551af19f2e7b6aaeb1a28f0b3b2dc608ce7d2dd3.

As pointed out in the notes the respective error handling code needs to
be added to the ec_NewKey function in the cleanup section, after
mp_clear and before `if (rv)` for older versions (older than 3.101) of
nss.

This was a note confirmed by upstream that this is the minimal requried
change to implement to fix the CVE in older versions of nss.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -18094,7 +18094,6 @@ CVE-2024-6610 (Form validation popups could capture escape key presses. Therefor
 CVE-2024-6609 (When almost out-of-memory an elliptic curve key which was never alloca ...)
 	- firefox 128.0-1
 	- nss 2:3.101-1
-    [bullseye] - nss 2:3.61-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-29/#CVE-2024-6609
 	NOTE: To address CVE in older versions of src:nss what is needed is to add the error
 	NOTE: handling code (confirmed by upstream):



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/218a5a79d22822b48e7aff377ae19f1a72ff4fb4

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/218a5a79d22822b48e7aff377ae19f1a72ff4fb4
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240923/99750e4a/attachment.htm>