
CVE-2019-17023

Published: 8 January 2020

After a HelloRetryRequest has been sent, the client may negotiate a lower protocol version than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. The flaw lies in NSS, the TLS library Firefox uses, which is why both the firefox and nss packages are tracked below.
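As an added illustration (this is not NSS or Firefox code), the following Python model of a TLS 1.3 client's version handling across a HelloRetryRequest shows the check that prevents this class of bug: RFC 8446 section 4.1.4 requires the client to abort with an illegal_parameter alert if the version selected in the ServerHello differs from the one selected in the HelloRetryRequest. The dict-based messages, the names ClientHandshake and run_handshake, and the enforce_hrr_version switch (False models a client that skips the check) are assumptions of this model; nothing here is real TLS wire encoding.

```python
"""Model of a TLS 1.3 client's version handling across a HelloRetryRequest.

Added illustration only: this is not NSS or Firefox code. Messages are
plain dicts rather than real TLS wire encoding, and the names below
(ClientHandshake, run_handshake, enforce_hrr_version) are assumptions
of this model.
"""

TLS12 = 0x0303
TLS13 = 0x0304

# RFC 8446 s4.1.3: a ServerHello whose Random field equals this constant
# is a HelloRetryRequest.
HRR_RANDOM = bytes.fromhex(
    "cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c"
)


class TlsAlert(Exception):
    """Raised where a real client would send a fatal alert and abort."""

    def __init__(self, description):
        super().__init__(description)
        self.description = description


def selected_version(server_hello):
    """RFC 8446 s4.2.1: if supported_versions is present its value is the
    negotiated version; otherwise the legacy_version field is."""
    exts = server_hello.get("extensions", {})
    return exts.get("supported_versions", server_hello["legacy_version"])


class ClientHandshake:
    """Client-side state after ClientHello, remembering any HRR version."""

    def __init__(self, enforce_hrr_version=True):
        self.enforce_hrr_version = enforce_hrr_version  # False models the bug
        self.state = "WAIT_SH"
        self.hrr_version = None   # selected version seen in an HRR, if any
        self.version = None       # version finally negotiated

    def on_server_hello(self, sh):
        if self.state != "WAIT_SH":
            raise TlsAlert("unexpected_message")
        version = selected_version(sh)

        if sh["random"] == HRR_RANDOM:
            # RFC 8446 s4.1.4: at most one HRR per handshake, and HRR is a
            # TLS 1.3 message, so its selected version must be 1.3.
            if self.hrr_version is not None:
                raise TlsAlert("unexpected_message")
            if version < TLS13:
                raise TlsAlert("illegal_parameter")
            self.hrr_version = version
            return self.state  # client re-sends ClientHello; still WAIT_SH

        # RFC 8446 s4.1.4: the version selected in the HRR must be retained
        # in the ServerHello, otherwise abort with illegal_parameter. Without
        # this check a handshake that already went through an HRR can fall
        # back into a pre-1.3 state.
        if (self.enforce_hrr_version and self.hrr_version is not None
                and version != self.hrr_version):
            raise TlsAlert("illegal_parameter")

        self.version = version
        # TLS 1.3 expects EncryptedExtensions next; TLS 1.2 expects Certificate.
        self.state = "WAIT_EE" if version == TLS13 else "WAIT_CERT"
        return self.state


def run_handshake(server_messages, enforce_hrr_version=True):
    """Feed server messages to a fresh client and return the resulting
    state name, or "alert:<description>" if the client aborted."""
    client = ClientHandshake(enforce_hrr_version)
    state = None
    try:
        for msg in server_messages:
            state = client.on_server_hello(msg)
        return state
    except TlsAlert as alert:
        return "alert:" + alert.description


# Constructed sample messages (not captured traffic).
HRR = {"legacy_version": TLS12, "random": HRR_RANDOM,
       "extensions": {"supported_versions": TLS13}}
SH_TLS13 = {"legacy_version": TLS12, "random": bytes(range(32)),
            "extensions": {"supported_versions": TLS13}}
SH_TLS12 = {"legacy_version": TLS12, "random": bytes(32),
            "extensions": {}}  # no supported_versions: a TLS 1.2 ServerHello

if __name__ == "__main__":
    print("HRR then 1.3 ServerHello:", run_handshake([HRR, SH_TLS13]))
    print("HRR then 1.2 ServerHello (strict):", run_handshake([HRR, SH_TLS12]))
    print("HRR then 1.2 ServerHello (lenient):",
          run_handshake([HRR, SH_TLS12], enforce_hrr_version=False))
```

The strict client rejects the post-HRR TLS 1.2 ServerHello with illegal_parameter; the lenient client accepts it and ends up in a TLS 1.2 state even though the server already committed to TLS 1.3 by sending an HRR, which is the inconsistency the advisory describes.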

Notes

Author: mdeslaur
Note: nss in xenial is built with NSS_DISABLE_TLS_1_3, so this issue doesn't affect it.
Priority

Low

CVSS 3 base score: 6.5

Status

Package / Release / Status

firefox (Launchpad, Ubuntu, Debian)
  bionic    Released (72.0.1+build1-0ubuntu0.18.04.1)
  disco     Released (72.0.1+build1-0ubuntu0.19.04.1)
  eoan      Released (72.0.1+build1-0ubuntu0.19.10.1)
  focal     Released (72.0.1+build1-0ubuntu1)
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (72.0)
  xenial    Released (72.0.1+build1-0ubuntu0.16.04.1)

nss (Launchpad, Ubuntu, Debian)
  bionic    Released (2:3.35-2ubuntu2.8)
  disco     Ignored (reached end-of-life)
  eoan      Released (2:3.45-1ubuntu2.3)
  focal     Not vulnerable (2:3.49.1-1ubuntu1)
  precise   Not vulnerable
  trusty    Not vulnerable
  upstream  Released (2:3.49-1)
  xenial    Not vulnerable (code not compiled)
Patches:
upstream: https://hg.mozilla.org/projects/nss/rev/d64102b76a437f24d98a20480dcc9f1655143e7c
upstream: https://hg.mozilla.org/projects/nss/rev/8a2bd40e7f89a796cf24a0ff7cfb67c6e69c5c78