Bug 1443326 (CVE-2017-5437) - REJECTED CVE-2017-5437 Mozilla: Vulnerabilities in libevent library (MFSA 2017-11, MFSA 2017-12)
Summary: REJECTED CVE-2017-5437 Mozilla: Vulnerabilities in libevent library (MFSA 201...
Status: CLOSED NOTABUG
Alias: CVE-2017-5437
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170419,repo...
Keywords: Security
Depends On:
Blocks: 1437814
TreeView+ depends on / blocked
 
Reported: 2017-04-19 06:19 UTC by Huzaifa S. Sidhpurwala
Modified: 2017-08-17 05:41 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-05-03 03:50:13 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1104 normal SHIPPED_LIVE Critical: firefox security update 2017-04-20 12:21:32 UTC
Red Hat Product Errata RHSA-2017:1106 normal SHIPPED_LIVE Critical: firefox security update 2017-04-21 04:49:25 UTC

Description Huzaifa S. Sidhpurwala 2017-04-19 06:19:36 UTC
Three vulnerabilities in the <code>libevent</code> library allowing for out-of-bounds reads and denial of service (DoS) attacks.

Comment 1 errata-xmlrpc 2017-04-20 08:23:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1104 https://access.redhat.com/errata/RHSA-2017:1104

Comment 2 errata-xmlrpc 2017-04-21 00:52:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1106 https://access.redhat.com/errata/RHSA-2017:1106

Comment 3 Andrej Nemec 2017-04-26 06:40:12 UTC
This CVE was rejected by Mitre.

Name: CVE-2017-5437
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5437
Assigned: 20170113

** REJECT **
DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2016-10195,
CVE-2016-10196, CVE-2016-10197.  Reason: This candidate is a duplicate
of CVE-2016-10195, CVE-2016-10196, and CVE-2016-10197.  Notes: All CVE
users should reference CVE-2016-10195, CVE-2016-10196, and/or
CVE-2016-10197 instead of this candidate.  All references and
descriptions in this candidate have been removed to prevent accidental
usage.

Comment 4 Huzaifa S. Sidhpurwala 2017-05-02 03:49:24 UTC
Mozilla replaced this CVE with the following:

Three vulnerabilities were reported in the Libevent library that allow for out-of-bounds reads and denial of service (DoS) attacks. These were fixed in the Libevent library and these changes were ported to Mozilla code.

These issues use CVE ids: CVE-2016-10195, CVE-2016-10196 and CVE-2016-10197

Acknowledgements:

Name: the Mozilla project
Upstream: Huzaifa Sidhpurwala

External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/#CVE-2016-10196


Note You need to log in before you can comment on or make changes to this bug.