Bug 25792 - nss new security issue CVE-2019-11745
Summary: nss new security issue CVE-2019-11745
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 25820 25821
Reported: 2019-11-30 17:03 CET by David Walser
Modified: 2019-12-09 15:26 CET

See Also:
Source RPM: nss-3.47.0-1.mga7.src.rpm

Description David Walser 2019-11-30 17:03:06 CET
Mozilla has released NSS 3.47.1 on November 19, fixing a security issue:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes

Ubuntu has issued an advisory for this on November 27:
https://usn.ubuntu.com/4203-1/

Updated package uploaded for Mageia 7.

Advisory:
========================

Updated nss packages fix security vulnerability:

Out-of-bounds write when passing an output buffer smaller than the block size
to NSC_EncryptUpdate (CVE-2019-11745).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47.1_release_notes
https://usn.ubuntu.com/4203-1/
========================

Updated packages in core/updates_testing:
========================
rootcerts-20191126.00-1.mga7
rootcerts-java-20191126.00-1.mga7
nss-3.47.1-1.mga7
nss-doc-3.47.1-1.mga7
libnss3-3.47.1-1.mga7
libnss-devel-3.47.1-1.mga7
libnss-static-devel-3.47.1-1.mga7

from SRPMS:
rootcerts-20191126.00-1.mga7.src.rpm
nss-3.47.1-1.mga7.src.rpm

David Walser 2019-12-04 13:32:01 CET

Blocks: (none) => 25820

Comment 1 Herman Viaene 2019-12-05 16:22:21 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref to bug 24179 Comment 1 for tests:
Restarted firefox after the update: works OK
At CLI:
$ bltest -F
CK_RV: 48.
but
$ certdb_gtest 
returns nothing
$ certdb_gtest -h
This program contains tests written using Google Test. You can use the
following command line flags to control its behavior:

Test Selection:
  --gtest_list_tests
      List the names of all tests instead of running them. The name of
      TEST(Foo, Bar) is "Foo.Bar".
and a lot more, so tried
$ certdb_gtest --gtest_list_tests
but that returns nothing either, as does
$ certdb_gtest --gtest_also_run_disabled_tests
and
$ dbtest 
dbdir selected is /home/tester7/.netscape

ERROR: Directory "/home/tester7/.netscape" does not exist.
Of course not, something Netscape has never been near ???

CC: (none) => herman.viaene

David Walser 2019-12-05 16:59:17 CET

Blocks: (none) => 25821

Comment 2 James Kerr 2019-12-08 15:12:12 CET
On mga7-64

installed and tested with firefox bug#25820

OK for mga7-64

CC: (none) => jim

David Walser 2019-12-08 16:37:57 CET

Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2019-12-08 18:32:21 CET

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 3 Mageia Robot 2019-12-08 19:13:24 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0374.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 4 David Walser 2019-12-09 15:26:15 CET
Red Hat has issued an advisory for this on December 9:
https://access.redhat.com/errata/RHSA-2019:4114
