Bug 604916 (CVE-2016-5285, CVE-2016-8635)

Comment 1 Thomas Deutschmann (RETIRED) 2017-01-07 12:20:57 UTC

CVE-2016-5285:

Upstream fixed this issue via https://hg.mozilla.org/projects/nss/rev/45c047d18ac4 (see upstream's bug from commit message).

This changeset is present in 3.21.3 release:

$ hg log -r "45c047d18ac4:: and tag()"
changeset:   12729:ee067d70a228
branch:      NSS_3_21_BRANCH
tag:         NSS_3_21_3_RTM
parent:      12726:a9cb2d41c54f
user:        Kai Engert <kaie@kuix.de>
date:        Mon Oct 17 20:24:18 2016 +0200
summary:     set version numbers to 3.21.3 release

which never materialized according to https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases

While one would assume the changes are present in following versions like 3.22, 3.23 ... branch as well I was unable to locate the fixed code in our currently stable =dev-libs/nss-3.22.2 and =dev-libs/nss-3.23 version.

In 3.27 upstream worked on TLS 1.3 support and has rewritten affected function. However, the change (=to make sure that "rv" is set to "SECFailure") is present in in =dev-libs/nss-3.27.2.



CVE-2016-8635:

Upstream fix: https://hg.mozilla.org/projects/nss/rev/95bb47ef808b

Present in currently p.masked =dev-libs/nss-3.28 only.


CVE-2016-9074:

Upstream fix: https://hg.mozilla.org/projects/nss/rev/d38536fcc726

Present in currently p.masked =dev-libs/nss-3.28 only.

Comment 2 Jory A. Pratt 2017-01-08 21:45:09 UTC

Please bring in archs we are going with 3.28.1 thank you.

Comment 3 Thomas Deutschmann (RETIRED) 2017-01-08 21:47:28 UTC

@ Maintainer(s): Thank you for the bumps!


@ Arches,

please test and mark stable: =dev-libs/nss-3.28.1

Comment 4 Jory A. Pratt 2017-01-09 02:12:55 UTC

(In reply to Thomas Deutschmann from comment #3)
> @ Maintainer(s): Thank you for the bumps!
> 
> 
> @ Arches,
> 
> please test and mark stable: =dev-libs/nss-3.28.1

Please also mark stable: =dev-libs/nspr-4.13.1

Comment 5 Agostino Sarubbo 2017-01-10 14:57:00 UTC

amd64 stable

Comment 6 Agostino Sarubbo 2017-01-10 15:26:26 UTC

x86 stable

Comment 7 Agostino Sarubbo 2017-01-11 10:54:16 UTC

sparc stable

Comment 8 Markus Meier 2017-01-13 17:02:18 UTC

arm stable

Comment 9 Agostino Sarubbo 2017-01-15 16:07:05 UTC

ppc stable

Comment 10 Jeroen Roovers (RETIRED) 2017-01-15 20:18:15 UTC

Stable for HPPA.

Comment 11 Tobias Klausmann (RETIRED) 2017-01-15 22:20:57 UTC

Stable on alpha.

Comment 12 James Le Cuirot 2017-01-16 23:02:38 UTC

I need this stabilised on ppc64 in order to fix bug #605430. icedtea-bin seems to encounter some breakage when built against 3.27 but run against 3.28.

Comment 13 Agostino Sarubbo 2017-01-17 14:41:55 UTC

ia64 stable

Comment 14 Agostino Sarubbo 2017-01-18 10:06:20 UTC

ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 15 Aaron Bauman (RETIRED) 2017-01-19 08:23:34 UTC

GLSA request filed.

Comment 16 GLSAMaker/CVETool Bot 2017-01-19 19:22:11 UTC

This issue was resolved and addressed in
 GLSA 201701-46 at https://security.gentoo.org/glsa/201701-46
by GLSA coordinator Thomas Deutschmann (whissi).