Описание
Security update for mozilla-nspr, mozilla-nss
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to version 3.53.1
- CVE-2019-11745: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate
- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032).
- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11727: A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages.
- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).
- Fixed an issue where Firefox tab was crashing (bsc#1170908).
Release notes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53_release_notes
mozilla-nspr was updated to version 4.25.
Список пакетов
SUSE Linux Enterprise Server 11 SP4-LTSS
Ссылки
- Link for SUSE-SU-2020:14418-1
- E-Mail link for SUSE-SU-2020:14418-1
- SUSE Security Ratings
- SUSE Bug 1141322
- SUSE Bug 1158527
- SUSE Bug 1159819
- SUSE Bug 1168669
- SUSE Bug 1169746
- SUSE Bug 1170908
- SUSE Bug 1171978
- SUSE Bug 1173032
- SUSE CVE CVE-2019-11727 page
- SUSE CVE CVE-2019-11745 page
- SUSE CVE CVE-2019-17006 page
- SUSE CVE CVE-2020-12399 page
- SUSE CVE CVE-2020-12402 page
Описание
A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
Затронутые продукты
Ссылки
- CVE-2019-11727
- SUSE Bug 1140868
- SUSE Bug 1141322
Описание
When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.
Затронутые продукты
Ссылки
- CVE-2019-11745
- SUSE Bug 1158328
- SUSE Bug 1158527
Описание
In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.
Затронутые продукты
Ссылки
- CVE-2019-17006
- SUSE Bug 1159819
Описание
NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
Затронутые продукты
Ссылки
- CVE-2020-12399
- SUSE Bug 1171978
- SUSE Bug 1172402
Описание
During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78.
Затронутые продукты
Ссылки
- CVE-2020-12402
- SUSE Bug 1173032
- SUSE Bug 1173576
- SUSE Bug 1174230