CVE-2016-5285
Published: 16 November 2016
A Null pointer dereference vulnerability exists in Mozilla Network Security Services due to a missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime, which could let a remote malicious user cause a Denial of Service.
Priority
Medium
CVSS 3 base score: 7.5
Status
| Package | Release | Status |
|---|---|---|
|
nss Launchpad, Ubuntu, Debian |
Upstream |
Released
(3.25)
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(2:3.26.2-0ubuntu0.16.04.2)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(2:3.26.2-0ubuntu0.14.04.3)
|
|
|
Patches: Upstream: https://hg.mozilla.org/projects/nss/rev/45c047d18ac4 |
||
Notes
| Author | Note |
|---|---|
| mdeslaur | per upstream bug, this was fixed in 3.25, but patch for 3.21 fixes it differently. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5285
- https://ubuntu.com/security/notices/USN-3163-1
- NVD
- Launchpad
- Debian