Bug 222952 - security/vuxml: Document vulnerability in nss (CVE-2017-7805)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Ports Security Team
URL:
Keywords: patch, security
Depends on:
Blocks:
 
Reported: 2017-10-12 13:19 UTC by Vladimir Krstulja
Modified: 2017-10-12 13:53 UTC

See Also:
bugzilla: maintainer-feedback? (ports-secteam)


Attachments
Document vulnerability in nss (1.95 KB, patch)
2017-10-12 13:19 UTC, Vladimir Krstulja
Document vulnerability in nss, revised (2.02 KB, patch)
2017-10-12 13:31 UTC, Vladimir Krstulja
Document vulnerability in nss, revised 2 (2.02 KB, patch)
2017-10-12 13:49 UTC, Vladimir Krstulja

Description Vladimir Krstulja 2017-10-12 13:19:44 UTC
Created attachment 187103
Document vulnerability in nss

CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes, affects the nss ports prior to version 3.32.1. Attached is the vuxml entry.
Comment 1 Vladimir Krstulja 2017-10-12 13:31:14 UTC
Created attachment 187104
Document vulnerability in nss, revised

Revised patch, including the link to upstream commit of the fix to the NSS_3_32_RTM branch, subsequently included in the 3.32.1 release:

* https://hg.mozilla.org/projects/nss/shortlog/NSS_3_32_1_RTM
Comment 2 Vladimir Krstulja 2017-10-12 13:49:29 UTC
Created attachment 187105
Document vulnerability in nss, revised 2

Another patch revision: combines ranges under a single package entry and specifies different ranges for the 3.28 branch (affecting the linux nss ports) and the 3.32 branch (affecting the security/nss port). The 3.33 branch (current security/nss port version) is not affected, as it already contains the fix.
Comment 3 Vladimir Krstulja 2017-10-12 13:50:32 UTC
Notify emulation@ as the linux nss ports are still vulnerable.
Comment 4 commit-hook freebsd_committer 2017-10-12 13:53:28 UTC
A commit references this bug:

Author: swills
Date: Thu Oct 12 13:52:28 UTC 2017
New revision: 451877
URL: https://svnweb.freebsd.org/changeset/ports/451877

Log:
  Document nss issue

  PR:		222952
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>

Changes:
  head/security/vuxml/vuln.xml
Comment 5 Steve Wills freebsd_committer 2017-10-12 13:53:47 UTC
Committed, thanks!