Bug 1174492 (CVE-2014-1569)
| Summary: | CVE-2014-1569 nss: QuickDER decoder length issue | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | carnil, dsirrine, emaldona, huzaifas, kdudka, kengert, security-response-team, simon.atwater |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | nss 3.17.3 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-07-25 12:51:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1174493 | | |
| Bug Blocks: | 1174495 | | |

Description
Murray McAllister
2014-12-15 23:34:27 UTC
Created nss tracking bugs for this issue:

Affects: fedora-all [bug 1174493]

As RHEL seems to have rebased to nss 3.18.0, are they still vulnerable to this CVE? Given the text of the advisory from Mozilla, it appears as though it only affects 3.17.x before 3.17.3. Thanks in advance.

Changing needinfo from s-r-t@ to Huzaifa. He should be able to answer that.

I am also interested in the answer to David Sirrine's question. Has Huzaifa weighed in?

This issue was fixed in upstream nss-3.17.3 as described in the release notes at:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes

Consequently nss packages shipped with Red Hat Enterprise Linux 5, 6 and 7 were rebased to 3.18.0 via the following advisories.

Red Hat Enterprise Linux 5: https://rhn.redhat.com/errata/RHBA-2015-0925.html
Red Hat Enterprise Linux 6: https://rhn.redhat.com/errata/RHBA-2015-0926.html
Red Hat Enterprise Linux 7: https://rhn.redhat.com/errata/RHBA-2015-0965.html

This particular rebase fixed this security flaw.

Statement: (none)