| Name | CVE-2019-17023 |
| Description | After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-4726-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| firefox (PTS) | sid | 128.0.2-1 | fixed |
| nss (PTS) | jessie, jessie (lts) | 2:3.26-1+debu8u18 | fixed |
| stretch (security) | 2:3.26.2-1.1+deb9u5 | fixed |
| stretch (lts), stretch | 2:3.26.2-1.1+deb9u7 | fixed |
| buster (security), buster, buster (lts) | 2:3.42.1-1+deb10u8 | fixed |
| bullseye (security), bullseye | 2:3.61-1+deb11u3 | fixed |
| bookworm | 2:3.87.1-1 | fixed |
| sid, trixie | 2:3.102-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| firefox | source | (unstable) | 72.0-1 | | | |
| nss | source | wheezy | (not affected) | | | |
| nss | source | jessie | (not affected) | | | |
| nss | source | stretch | (not affected) | | | |
| nss | source | buster | 2:3.42.1-1+deb10u3 | | DSA-4726-1 | |
| nss | source | (unstable) | 2:3.49-1 | | | |
Notes
[stretch] - nss <not-affected> (Vulnerable code was introduced later)
[jessie] - nss <not-affected> (Vulnerable code was introduced later)
https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17023
https://hg.mozilla.org/projects/nss/rev/d64102b76a437f24d98a20480dcc9f1655143e7c
https://hg.mozilla.org/projects/nss/rev/8a2bd40e7f89a796cf24a0ff7cfb67c6e69c5c78
[wheezy] - nss <not-affected> (Vulnerable code was introduced later)