Описание
When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| firefox | fixed | 68.0-1 | package | |
| firefox-esr | fixed | 60.8.0esr-1 | package | |
| firefox-esr | fixed | 60.8.0esr-1~deb10u1 | buster | package |
| firefox-esr | fixed | 60.8.0esr-1~deb9u1 | stretch | package |
| thunderbird | fixed | 1:60.8.0-1 | package | |
| thunderbird | fixed | 1:60.8.0-1~deb10u1 | buster | package |
| thunderbird | fixed | 1:60.8.0-1~deb9u1 | stretch | package |
| nss | fixed | 2:3.45-1 | package | |
| nss | fixed | 2:3.42.1-1+deb10u1 | buster | package |
Примечания
https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11719
https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719
https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11719
https://hg.mozilla.org/projects/nss/rev/6cfb54d262d030783137aa6478b45ecb3cbfc624
firefox-esr in older suites than buster use the embedded copy and thus issue
is just fixed by updating firefox-esr to 60.8.0. For the others an update to
src:nss is needed as firefox-esr uses the system library.
Связанные уязвимости
When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
Уязвимость библиотеки служб сетевой безопасности (NSS) почтового клиента Thunderbird и браузеров Firefox и Firefox ESR, позволяющая нарушителю получить несанкционированный доступ к информации