[2/2] libnss: security bump to version 3.33

Message ID 20171012211752.18036-2-peter@korsgaard.com
State Accepted
Headers show
Series
  • [1/2] libnspr: bump version to 4.17
Related show

Commit Message

Peter Korsgaard Oct. 12, 2017, 9:17 p.m.
Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla
Network Security Service library, is prone to a use-after-free vulnerability
in the TLS 1.2 implementation when handshake hashes are generated.  A remote
attacker can take advantage of this flaw to cause an application using the
nss library to crash, resulting in a denial of service, or potentially to
execute arbitrary code.

Also add a hash for the license file while we're at it.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libnss/libnss.hash | 6 ++++--
 package/libnss/libnss.mk   | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

Comments

Peter Korsgaard Oct. 15, 2017, 9:04 p.m. | #1
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla
 > Network Security Service library, is prone to a use-after-free vulnerability
 > in the TLS 1.2 implementation when handshake hashes are generated.  A remote
 > attacker can take advantage of this flaw to cause an application using the
 > nss library to crash, resulting in a denial of service, or potentially to
 > execute arbitrary code.

 > Also add a hash for the license file while we're at it.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2017.02.x, thanks.
Peter Korsgaard Oct. 17, 2017, 9:09 a.m. | #2
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla
 > Network Security Service library, is prone to a use-after-free vulnerability
 > in the TLS 1.2 implementation when handshake hashes are generated.  A remote
 > attacker can take advantage of this flaw to cause an application using the
 > nss library to crash, resulting in a denial of service, or potentially to
 > execute arbitrary code.

 > Also add a hash for the license file while we're at it.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2017.08.x, thanks.

Patch

diff --git a/package/libnss/libnss.hash b/package/libnss/libnss.hash
index e4e24283cb..6c8ce83784 100644
--- a/package/libnss/libnss.hash
+++ b/package/libnss/libnss.hash
@@ -1,2 +1,4 @@ 
-# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_31_RTM/src/SHA256SUMS
-sha256	e90561256a3271486162c1fbe8d614d118c333d36a4455be2af8688bd420a65d	nss-3.31.tar.gz
+# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_33_RTM/src/SHA256SUMS
+sha256	98f0dabd36408e83dd3a11727336cc3cdfee4cbdd9aede2b2831eb2389c284e4  nss-3.33.tar.gz
+# Locally calculated
+sha256	a20c1a32d1f8102432360b42e932869f7c11c7cdbacf9cac554c422132af47f4  nss/COPYING
diff --git a/package/libnss/libnss.mk b/package/libnss/libnss.mk
index 51559295ef..27d305cc34 100644
--- a/package/libnss/libnss.mk
+++ b/package/libnss/libnss.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBNSS_VERSION = 3.31
+LIBNSS_VERSION = 3.33
 LIBNSS_SOURCE = nss-$(LIBNSS_VERSION).tar.gz
 LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(subst .,_,$(LIBNSS_VERSION))_RTM/src
 LIBNSS_DISTDIR = dist