Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
218a5a79 by Salvatore Bonaccorso at 2024-09-23T22:30:15+02:00
Revert "CVE-2024-6609: bullseye: mark as fixed in nss > 3.61"
This reverts commit 551af19f2e7b6aaeb1a28f0b3b2dc608ce7d2dd3.
As pointed out in the notes the respective error handling code needs to
be added to the ec_NewKey function in the cleanup section, after
mp_clear and before `if (rv)` for older versions (older than 3.101) of
nss.
This was a note confirmed by upstream that this is the minimal requried
change to implement to fix the CVE in older versions of nss.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -18094,7 +18094,6 @@ CVE-2024-6610 (Form validation popups could capture
escape key presses. Therefor
CVE-2024-6609 (When almost out-of-memory an elliptic curve key which was never
alloca ...)
- firefox 128.0-1
- nss 2:3.101-1
- [bullseye] - nss 2:3.61-1
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-29/#CVE-2024-6609
NOTE: To address CVE in older versions of src:nss what is needed is to
add the error
NOTE: handling code (confirmed by upstream):
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/218a5a79d22822b48e7aff377ae19f1a72ff4fb4
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/218a5a79d22822b48e7aff377ae19f1a72ff4fb4
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
