Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1446631 - (CVE-2017-7502) CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages
CVE-2017-7502 nss: Null pointer dereference when handling empty SSLv2 messages
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20170530,repo...
: Security
: 1449161 1450763 (view as bug list)
Depends On: 1435017 1450750 1450751 1450752 1450753
Blocks: 1446634
  Show dependency treegraph
 
Reported: 2017-04-28 09:10 EDT by Adam Mariš
Modified: 2017-06-21 11:11 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A null pointer dereference flaw was found in the way NSS handled empty SSLv2 messages. An attacker could use this flaw to crash a server application compiled against the NSS library.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-31 08:46:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1364 normal SHIPPED_LIVE Important: nss security and bug fix update 2017-05-30 11:08:08 EDT
Red Hat Product Errata RHSA-2017:1365 normal SHIPPED_LIVE Important: nss security and bug fix update 2017-05-30 08:04:45 EDT
Red Hat Product Errata RHSA-2017:1567 normal SHIPPED_LIVE Important: Red Hat Container Development Kit 3.0.0 security update 2017-06-21 15:11:05 EDT

  None (edit)
Description Adam Mariš 2017-04-28 09:10:54 EDT 
Null pointer dereference vulnerability in NSS was found when server receives empty SSLv2 messages. This issue was introduced with the recent removal of SSLv2 protocol from upstream code in 3.24.0 and introduction of dedicated parser able to handle just sslv2-style hello messages.

Upstream patch:

https://hg.mozilla.org/projects/nss/rev/55ea60effd0d
Comment 3 Hubert Kario 2017-05-15 10:29:23 EDT 
*** Bug 1450763 has been marked as a duplicate of this bug. ***
Comment 4 Hubert Kario 2017-05-26 07:41:19 EDT 
*** Bug 1449161 has been marked as a duplicate of this bug. ***
Comment 5 errata-xmlrpc 2017-05-30 04:05:03 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1365 https://access.redhat.com/errata/RHSA-2017:1365
Comment 6 errata-xmlrpc 2017-05-30 07:08:27 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1364 https://access.redhat.com/errata/RHSA-2017:1364
Comment 8 errata-xmlrpc 2017-06-21 11:11:41 EDT 
This issue has been addressed in the following products:

  CDK 3.0

Via RHSA-2017:1567 https://access.redhat.com/errata/RHSA-2017:1567
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.