I'm downgrading this to sec-moderate. Because of a separate (functional) issue in checking the max output length, the overflow is limited to four bytes of random data. Patch incoming, just adding some additional tests for HKDF.
Bug 1577953 Comment 4 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
I'm downgrading this to sec-moderate. Because of a separate (functional) issue in checking the max output length, the overflow is limited to four bytes of pseudorandom data. Patch incoming, just adding some additional tests for HKDF.