CVE-2017-11697

NameCVE-2017-11697
DescriptionThe __hash_open function in hash.c:229 in Mozilla Network Security Services (NSS) allows context-dependent attackers to cause a denial of service (floating point exception and crash) via a crafted cert8.db file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs873258

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nss (PTS)jessie2:3.26-1+debu8u3vulnerable
jessie (security)2:3.26-1+debu8u9vulnerable
stretch (security), stretch2:3.26.2-1.1+deb9u1vulnerable
buster2:3.42.1-1+deb10u1vulnerable
buster (security)2:3.42.1-1+deb10u2vulnerable
bullseye2:3.45-1vulnerable
sid2:3.47.1-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nsssource(unstable)(unfixed)unimportant873258

Notes

Issues triggered by crafted DBM databases, which would
require local user access to a machine running NSS and
crafting the local DBM files.
http://seclists.org/fulldisclosure/2017/Aug/17
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900

Search for package or bug name: Reporting problems