CVE-2019-17023

Priority
Description
After a HelloRetryRequest has been sent, the client may negotiate a lower
protocol version than TLS 1.3, resulting in an invalid state transition in the
TLS state machine. If the client gets into this state, incoming Application
Data records will be ignored. This vulnerability affects Firefox < 72.
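The check described above, as an added model in Python (not NSS or Firefox source, and not the code in the patches linked below): a minimal client handshake state machine that is fed the message sequence the description names, once with the post-HelloRetryRequest downgrade check and once without. The state names, the dict-based message format, the `patched` switch and the INVALID state standing in for the advisory's "invalid state transition" are assumptions of this model; the rule it enforces is RFC 8446 section 4.1.4, which requires a client to abort with an illegal_parameter alert when the version selected in the HelloRetryRequest is not retained in the ServerHello.

```python
"""Model of the client-side check the advisory describes as missing
(added example; not NSS or Firefox code)."""
from enum import Enum, auto

TLS_1_2 = 0x0303
TLS_1_3 = 0x0304
# RFC 8446 section 4.1.3: a ServerHello whose Random equals this value is a HelloRetryRequest.
HRR_RANDOM = bytes.fromhex(
    "CF21AD74E59A6111BE1D8C021E65B891C2A211167ABB8C5E079E09E2C8A8339C")


class State(Enum):
    WAIT_SH = auto()          # ClientHello sent; expecting ServerHello or HRR
    TLS13_WAIT_EE = auto()    # TLS 1.3 path continues (EncryptedExtensions next)
    TLS12_WAIT_CERT = auto()  # TLS 1.2 path continues (Certificate next)
    CONNECTED = auto()        # handshake complete, application data allowed
    INVALID = auto()          # assumed stand-in for the advisory's broken state


class HandshakeAlert(Exception):
    """The client aborts the handshake with the named fatal alert."""


class ModelClient:
    def __init__(self, patched=True):
        self.patched = patched        # False reproduces the pre-fix behaviour
        self.state = State.WAIT_SH
        self.hello_retry = False      # set once an HRR has been processed
        self.version = None
        self.received = []            # application data delivered to the caller

    @staticmethod
    def negotiated_version(sh):
        # RFC 8446 4.2.1: a TLS 1.3 ServerHello carries supported_versions; a TLS 1.2
        # server omits it and legacy_version is authoritative.
        return sh.get("supported_versions", sh["legacy_version"])

    def handle_server_hello(self, sh):
        if self.state is not State.WAIT_SH:
            raise HandshakeAlert("unexpected_message")
        version = self.negotiated_version(sh)
        if sh["random"] == HRR_RANDOM:
            if self.hello_retry:               # RFC 8446 4.1.4: at most one HRR per handshake
                raise HandshakeAlert("unexpected_message")
            if version != TLS_1_3:             # HRR exists only in TLS 1.3
                raise HandshakeAlert("illegal_parameter")
            self.hello_retry = True
            return "ClientHello"               # stay in WAIT_SH and send the second ClientHello
        if version == TLS_1_3:
            self.version, self.state = TLS_1_3, State.TLS13_WAIT_EE
        elif self.hello_retry and self.patched:
            # RFC 8446 4.1.4: selected_version from the HRR must be retained in the
            # ServerHello; the client MUST abort with illegal_parameter if it changes.
            raise HandshakeAlert("illegal_parameter")
        elif self.hello_retry:
            # Unpatched: the post-HRR downgrade is accepted and the handshake machine
            # has no valid transition for it (modelled here as INVALID).
            self.version, self.state = version, State.INVALID
        else:
            self.version, self.state = version, State.TLS12_WAIT_CERT
        return None

    def finish_handshake(self):
        """Stand-in for the remaining flights, which this model omits."""
        if self.state in (State.TLS13_WAIT_EE, State.TLS12_WAIT_CERT):
            self.state = State.CONNECTED
        elif self.state is not State.INVALID:   # INVALID has no transition out
            raise HandshakeAlert("unexpected_message")

    def handle_application_data(self, payload):
        """Return True if the record was delivered, False if it was silently dropped."""
        if self.state is State.CONNECTED:
            self.received.append(payload)
            return True
        if self.state is State.INVALID:
            return False                       # the symptom named in the advisory
        raise HandshakeAlert("unexpected_message")


# Constructed messages (not captured traffic): an HRR, a TLS 1.2 ServerHello, a TLS 1.3 ServerHello.
HRR = {"legacy_version": TLS_1_2, "random": HRR_RANDOM, "supported_versions": TLS_1_3}
TLS12_SERVER_HELLO = {"legacy_version": TLS_1_2, "random": bytes(32)}
TLS13_SERVER_HELLO = {"legacy_version": TLS_1_2, "random": bytes(32), "supported_versions": TLS_1_3}


def run(patched, flights):
    """Feed the server's flights to a client and report how application data fares afterwards."""
    client = ModelClient(patched=patched)
    try:
        for sh in flights:
            client.handle_server_hello(sh)
        client.finish_handshake()
    except HandshakeAlert as alert:
        return f"aborted:{alert}"
    return "delivered" if client.handle_application_data(b"GET / HTTP/1.1\r\n") else "dropped"


if __name__ == "__main__":
    print("patched,   HRR then 1.2:", run(True, [HRR, TLS12_SERVER_HELLO]))   # aborted:illegal_parameter
    print("unpatched, HRR then 1.2:", run(False, [HRR, TLS12_SERVER_HELLO]))  # dropped
    print("patched,   HRR then 1.3:", run(True, [HRR, TLS13_SERVER_HELLO]))   # delivered
```

The point the model makes visible is that the unpatched client neither completes the downgraded handshake nor rejects it: application data arriving afterwards is silently dropped instead of answered with an alert, which matches the description's "incoming Application Data records will be ignored".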
Assigned-to
chrisccoulson
Notes
mdeslaur> nss in xenial is built with NSS_DISABLE_TLS_1_3, so this issue
doesn't affect it.
Package
Source: firefox
Upstream:released (72.0)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (72.0.1+build1-0ubuntu0.16.04.1)
Ubuntu 18.04 LTS (Bionic Beaver):released (72.0.1+build1-0ubuntu0.18.04.1)
Ubuntu 19.10 (Eoan Ermine):released (72.0.1+build1-0ubuntu0.19.10.1)
Ubuntu 20.04 LTS (Focal Fossa):released (72.0.1+build1-0ubuntu1)
Ubuntu 20.10 (Groovy Gorilla):released (72.0.1+build1-0ubuntu1)
Package
Source: nss
Upstream:released (2:3.49-1)
Ubuntu 12.04 ESM (Precise Pangolin):not-affected
Ubuntu 14.04 ESM (Trusty Tahr):not-affected
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (code not compiled)
Ubuntu 18.04 LTS (Bionic Beaver):released (2:3.35-2ubuntu2.8)
Ubuntu 19.10 (Eoan Ermine):released (2:3.45-1ubuntu2.3)
Ubuntu 20.04 LTS (Focal Fossa):not-affected (2:3.49.1-1ubuntu1)
Ubuntu 20.10 (Groovy Gorilla):not-affected (2:3.49.1-1ubuntu1)
Patches:
Upstream:https://hg.mozilla.org/projects/nss/rev/d64102b76a437f24d98a20480dcc9f1655143e7c
Upstream:https://hg.mozilla.org/projects/nss/rev/8a2bd40e7f89a796cf24a0ff7cfb67c6e69c5c78
More Information

Updated: 2020-06-16 18:15:28 UTC (commit 605ea6c9112020b11c3d8ba49a15a46821193a81)