Vulnerability CVE-2019-17023: Information

Description

After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-17023

Published: Jan. 9, 2020

Modified: Jan. 27, 2023

Error type identifier: CWE-287

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
firefox	sisyphus	72.0.2-alt1	125.0.3-alt1	ALT-PU-2020-1110-1	244791	Fixed
firefox	p10	72.0.2-alt1	118.0.2-alt0.p10.1	ALT-PU-2020-1110-1	244791	Fixed
firefox	p9	72.0.2-alt0.1.p9	105.0.1-alt0.c9.1	ALT-PU-2020-1617-1	245893	Fixed
firefox	c10f1	72.0.2-alt1	112.0.2-alt0.p10.1	ALT-PU-2020-1110-1	244791	Fixed
firefox	c9f2	72.0.2-alt0.1.p9	105.0.1-alt0.c9.1	ALT-PU-2020-1617-1	245893	Fixed
firefox-esr	sisyphus	78.0.2-alt1	115.10.0-alt1	ALT-PU-2020-2408-1	255107	Fixed
firefox-esr	p10	78.0.2-alt1	115.10.0-alt1	ALT-PU-2020-2408-1	255107	Fixed
firefox-esr	p9	78.3.0-alt0.1.p9	102.11.0-alt0.c9.1	ALT-PU-2020-2933-1	254920	Fixed
firefox-esr	c10f1	78.0.2-alt1	115.9.1-alt0.c10.1	ALT-PU-2020-2408-1	255107	Fixed
firefox-esr	c9f2	78.7.1-alt0.1.c9	102.12.0-alt0.c9.1	ALT-PU-2021-1368-1	264611	Fixed
nss	sisyphus	3.49.1-alt1	3.99-alt1	ALT-PU-2020-1109-1	244791	Fixed
nss	p10	3.49.1-alt1	3.93.0-alt1	ALT-PU-2020-1109-1	244791	Fixed
nss	p9	3.51.0-alt1	3.86-alt1	ALT-PU-2020-1616-1	245893	Fixed
nss	c10f1	3.49.1-alt1	3.92.0-alt1	ALT-PU-2020-1109-1	244791	Fixed
nss	c9f2	3.51.0-alt1	3.98-alt1	ALT-PU-2020-1616-1	245893	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1590001	Issue Tracking Permissions Required
https://www.mozilla.org/security/advisories/mfsa2020-01/	Vendor Advisory
USN-4234-1	Third Party Advisory
USN-4397-1	Third Party Advisory
DSA-4726	Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  End excliding
  72.0
  
  Configuration 2
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
  
  Configuration 3
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Version: v24.5.0

Vulnerability CVE-2019-17023: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3