| Message ID | 20171012211752.18036-2-peter@korsgaard.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [1/2] libnspr: bump version to 4.17 | expand |
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla > Network Security Service library, is prone to a use-after-free vulnerability > in the TLS 1.2 implementation when handshake hashes are generated. A remote > attacker can take advantage of this flaw to cause an application using the > nss library to crash, resulting in a denial of service, or potentially to > execute arbitrary code. > Also add a hash for the license file while we're at it. > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2017.02.x, thanks.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes: > Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla > Network Security Service library, is prone to a use-after-free vulnerability > in the TLS 1.2 implementation when handshake hashes are generated. A remote > attacker can take advantage of this flaw to cause an application using the > nss library to crash, resulting in a denial of service, or potentially to > execute arbitrary code. > Also add a hash for the license file while we're at it. > Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Committed to 2017.08.x, thanks.
diff --git a/package/libnss/libnss.hash b/package/libnss/libnss.hash index e4e24283cb..6c8ce83784 100644 --- a/package/libnss/libnss.hash +++ b/package/libnss/libnss.hash @@ -1,2 +1,4 @@ -# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_31_RTM/src/SHA256SUMS -sha256 e90561256a3271486162c1fbe8d614d118c333d36a4455be2af8688bd420a65d nss-3.31.tar.gz +# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_33_RTM/src/SHA256SUMS +sha256 98f0dabd36408e83dd3a11727336cc3cdfee4cbdd9aede2b2831eb2389c284e4 nss-3.33.tar.gz +# Locally calculated +sha256 a20c1a32d1f8102432360b42e932869f7c11c7cdbacf9cac554c422132af47f4 nss/COPYING diff --git a/package/libnss/libnss.mk b/package/libnss/libnss.mk index 51559295ef..27d305cc34 100644 --- a/package/libnss/libnss.mk +++ b/package/libnss/libnss.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBNSS_VERSION = 3.31 +LIBNSS_VERSION = 3.33 LIBNSS_SOURCE = nss-$(LIBNSS_VERSION).tar.gz LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(subst .,_,$(LIBNSS_VERSION))_RTM/src LIBNSS_DISTDIR = dist
Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla Network Security Service library, is prone to a use-after-free vulnerability in the TLS 1.2 implementation when handshake hashes are generated. A remote attacker can take advantage of this flaw to cause an application using the nss library to crash, resulting in a denial of service, or potentially to execute arbitrary code. Also add a hash for the license file while we're at it. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> --- package/libnss/libnss.hash | 6 ++++-- package/libnss/libnss.mk | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-)