
Re: Analysis of nss CVE-2016-2834



Hi Ola,
On Sat, Jun 18, 2016 at 12:15:15AM +0200, Ola Lundqvist wrote:
[..snip..]
> So I have now gone through the ~7 MB diff between nss and found changes
> regarding the following:
> - ASN1 parsing issue. See also CVE-2016-1950
> - A lot of changes from getenv to some secure variant.
> - A change in sslinfo.c that could potentially be the change.
> - Downgrade fixes. Good but not this CVE.
> 
> Does anyone know more about this CVE?
> 
> There are a few references to mozilla bugzilla bugs but I do not have
> access to them. Anyone who has?

Usually Mozilla's Bugzilla has all the details of the CVEs. If the bug
is non-public you can ask for it to be opened up.

Cheers,
 -- Guido

