Null pointer dereference vulnerability in NSS was found when server receives empty SSLv2 messages. This issue was introduced with the recent removal of SSLv2 protocol from upstream code in 3.24.0 and introduction of dedicated parser able to handle just sslv2-style hello messages. Upstream patch: https://hg.mozilla.org/projects/nss/rev/55ea60effd0d
*** Bug 1450763 has been marked as a duplicate of this bug. ***
*** Bug 1449161 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:1365 https://access.redhat.com/errata/RHSA-2017:1365
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:1364 https://access.redhat.com/errata/RHSA-2017:1364
This issue has been addressed in the following products: CDK 3.0 Via RHSA-2017:1567 https://access.redhat.com/errata/RHSA-2017:1567