Bug 20989 - nss new security issue CVE-2017-7502
Summary: nss new security issue CVE-2017-7502
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga5-64-ok advisory mga5-32-ok
Keywords: validated_update
Depends on:
Blocks:
Reported: 2017-05-30 12:12 CEST by David Walser
Modified: 2017-06-08 23:40 CEST (History)

See Also:
Source RPM: nss-3.28.4-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-05-30 12:12:35 CEST
Red Hat has issued an advisory today (May 30):
https://rhn.redhat.com/errata/RHSA-2017-1365.html

I have updated to 3.28.5 in SVN, which just fixes one bug (the rootcerts changes have already been pushed), and added the patch for the security issue.

Advisory will be as follows.

Advisory:
========================

Updated nss packages fix security vulnerability:

A null pointer dereference flaw was found in the way NSS handled empty SSLv2
messages. An attacker could use this flaw to crash a server application
compiled against the NSS library (CVE-2017-7502).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7502
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28.5_release_notes
https://rhn.redhat.com/errata/RHSA-2017-1365.html
========================

Updated packages in core/updates_testing:
========================
nss-3.28.5-1.mga5
nss-doc-3.28.5-1.mga5
libnss3-3.28.5-1.mga5
libnss-devel-3.28.5-1.mga5
libnss-static-devel-3.28.5-1.mga5

from nss-3.28.5-1.mga5.src.rpm
Comment 1 David Walser 2017-05-30 15:51:37 CEST
Updated and patched packages uploaded for Mageia 5 and Cauldron.

Advisory and package list in Comment 0.

Assignee: bugsquad => qa-bugs

Comment 2 Brian Rockwell 2017-06-03 21:56:57 CEST
Linux localhost 4.4.68-desktop-1.mga5 #1 SMP Sun May 14 17:56:12 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

The following 4 packages are going to be installed:

- lib64nspr-devel-4.14-1.mga5.x86_64
- lib64nss-devel-3.28.5-1.mga5.x86_64
- lib64nss3-3.28.5-1.mga5.x86_64
- nss-3.28.5-1.mga5.x86_64

1.4MB of additional disk space will be used.

3.8MB of packages will be retrieved.

Is it ok to continue?


I am guessing here, but Red Hat noted Firefox uses it, so I installed the above and rebooted my machine to clear any cache.

Started Firefox and, from Firefox, used SSH into cloud-server. That seems to be working as designed.

Also https to mail servers, etc. All working equivalent.

Whiteboard: (none) => mga5-64-ok
CC: (none) => brtians1

Comment 3 Dave Hodgins 2017-06-07 04:44:21 CEST
Similar testing on Mageia 5 i586 ok. Advisory committed to svn. Validating.

Whiteboard: mga5-64-ok => mga5-64-ok advisory mga5-43-ok
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2017-06-07 05:00:15 CEST

Whiteboard: mga5-64-ok advisory mga5-43-ok => mga5-64-ok advisory mga5-32-ok

Comment 4 Mageia Robot 2017-06-08 23:40:43 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0160.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
