222952 – security/vuxml: Document vulnerability in nss (CVE-2017-7805)

Bug 222952 - security/vuxml: Document vulnerability in nss (CVE-2017-7805)

Summary: security/vuxml: Document vulnerability in nss (CVE-2017-7805)

Status:	Closed FIXED

Alias:	None

Product:	Ports & Packages
Classification:	Unclassified
Component:	Individual Port(s) (show other bugs)
Version:	Latest
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Ports Security Team

URL:
Keywords:	patch, security

Depends on:
Blocks:

Reported:	2017-10-12 13:19 UTC by VK
Modified:	2017-10-12 13:53 UTC (History)
CC List:	1 user (show)

See Also:

Flags:	bugzilla: maintainer-feedback? (ports-secteam)

Attachments
Document vulnerability in nss (1.95 KB, patch) 2017-10-12 13:19 UTC, VK	no flags	Details \| Diff
Document vulnerability in nss, revised (2.02 KB, patch) 2017-10-12 13:31 UTC, VK	no flags	Details \| Diff
Document vulnerability in nss, revised 2 (2.02 KB, patch) 2017-10-12 13:49 UTC, VK	no flags	Details \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description VK freebsd_triage

2017-10-12 13:19:44 UTC

Created attachment 187103 [details]
Document vulnerability in nss

CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes, affects the nss ports prior to version 3.32.1. Attached is the vuxml entry.

Comment 1 VK freebsd_triage

2017-10-12 13:31:14 UTC

Created attachment 187104 [details]
Document vulnerability in nss, revised

Revised patch, including the link to upstream commit of the fix to the NSS_3_32_RTM branch, subsequently included in the 3.32.1 release:

* https://hg.mozilla.org/projects/nss/shortlog/NSS_3_32_1_RTM

Comment 2 VK freebsd_triage

2017-10-12 13:49:29 UTC

Created attachment 187105 [details]
Document vulnerability in nss, revised 2

Another patch revision, combine ranges under single package entry, and specify different ranges for 3.28 branch (affecting linux nss ports) and 3.32 branch (affecting security/nss port). 3.33 branch (current security/nss port version) is not affected as it already contains the fix.

Comment 3 VK freebsd_triage

2017-10-12 13:50:32 UTC

Notify emulation@ as the linux nss ports are still vulnerable.

Comment 4 commit-hook freebsd_committer

2017-10-12 13:53:28 UTC

A commit references this bug:

Author: swills
Date: Thu Oct 12 13:52:28 UTC 2017
New revision: 451877
URL: https://svnweb.freebsd.org/changeset/ports/451877

Log:
  Document nss issue

  PR:		222952
  Submitted by:	Vladimir Krstulja <vlad-fbsd@acheronmedia.com>

Changes:
  head/security/vuxml/vuln.xml

Comment 5 Steve Wills freebsd_committer

2017-10-12 13:53:47 UTC

Committed, thanks!