CVE-2016-1950
icedove - security update
CVSS 3.1: 8.8 (HIGH)
EPSS: 1.9%
Description
Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.
How to fix CVE-2016-1950
To remediate CVE-2016-1950, upgrade the affected package to a fixed version below.
- upgrade to 45.0esr-1 or later
- upgrade to 38.7.0-1~deb7u1 or later
- upgrade to 38.7.0esr-1~deb7u1 or later
- upgrade to 2:3.23-1 or later
Is CVE-2016-1950 being exploited?
Low — EPSS is 1.9%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 45.0esr-1
- from 0, < 38.7.0-1~deb7u1
- from 0, < 38.7.0esr-1~deb7u1
- from 0, < 2:3.23-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |