CVE-2015-7182
Published: 4 November 2015
Heap-based buffer overflow in the ASN.1 decoder in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted OCTET STRING data.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
firefox Launchpad, Ubuntu, Debian |
precise |
Released
(42.0+build2-0ubuntu0.12.04.1)
|
| trusty |
Released
(42.0+build2-0ubuntu0.14.04.1)
|
|
| upstream |
Released
(42.0)
|
|
| vivid |
Released
(42.0+build2-0ubuntu0.15.04.1)
|
|
| wily |
Released
(42.0+build2-0ubuntu0.15.10.1)
|
|
|
nss Launchpad, Ubuntu, Debian |
precise |
Released
(3.19.2.1-0ubuntu0.12.04.1)
|
| trusty |
Released
(2:3.19.2.1-0ubuntu0.14.04.1)
|
|
| upstream |
Released
(3.19.2.1,3.19.4,3.20.1)
|
|
| vivid |
Released
(2:3.19.2.1-0ubuntu0.15.04.1)
|
|
| wily |
Released
(2:3.19.2.1-0ubuntu0.15.10.1)
|
|
|
Patches: upstream: http://hg.mozilla.org/projects/nss/rev/4dc247276e58 upstream: http://hg.mozilla.org/projects/nss/rev/534aca7a5bca upstream: http://hg.mozilla.org/projects/nss/rev/b4feb2cb0ed6 upstream: http://hg.mozilla.org/projects/nss/rev/f47d00c2732a |
||
|
thunderbird Launchpad, Ubuntu, Debian |
precise |
Released
(1:38.4.0+build3-0ubuntu0.12.04.1)
|
| trusty |
Released
(1:38.4.0+build3-0ubuntu0.14.04.1)
|
|
| upstream |
Released
(38.4.0)
|
|
| vivid |
Released
(1:38.4.0+build3-0ubuntu0.15.04.1)
|
|
| wily |
Released
(1:38.4.0+build3-0ubuntu0.15.10.1)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |