[SECURITY] [DLA 2388-1] nss security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2388-1] nss security update
From: Adrian Bunk <bunk@debian.org>
Date: Tue, 29 Sep 2020 22:15:28 +0300
Message-id: <[🔎] 20200929191528.GA27738@localhost>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2388-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 29, 2020                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : nss
Version        : 2:3.26.2-1.1+deb9u2
CVE ID         : CVE-2018-12404 CVE-2018-18508 CVE-2019-11719 CVE-2019-11729 
                 CVE-2019-11745 CVE-2019-17006 CVE-2019-17007 CVE-2020-6829 
                 CVE-2020-12399 CVE-2020-12400 CVE-2020-12401 CVE-2020-12402 
                 CVE-2020-12403
Debian Bug     : 921614 961752 963152

Various vulnerabilities were fixed in nss,
the Network Security Service libraries.

CVE-2018-12404

    Cache side-channel variant of the Bleichenbacher attack.

CVE-2018-18508

    NULL pointer dereference in several CMS functions resulting in a 
    denial of service.

CVE-2019-11719

    Out-of-bounds read when importing curve25519 private key.

CVE-2019-11729

    Empty or malformed p256-ECDH public keys may trigger a segmentation 
    fault.

CVE-2019-11745

    Out-of-bounds write when encrypting with a block cipher.

CVE-2019-17006

    Some cryptographic primitives did not check the length of the input 
    text, potentially resulting in overflows.

CVE-2019-17007

    Handling of Netscape Certificate Sequences may crash with a NULL 
    dereference leading to a denial of service.

CVE-2020-12399

    Force a fixed length for DSA exponentiation.

CVE-2020-6829
CVE-2020-12400

    Side channel attack on ECDSA signature generation.

CVE-2020-12401

    ECDSA timing attack mitigation bypass.

CVE-2020-12402

    Side channel vulnerabilities during RSA key generation.

CVE-2020-12403

    CHACHA20-POLY1305 decryption with undersized tag leads to 
    out-of-bounds read.

For Debian 9 stretch, these problems have been fixed in version
2:3.26.2-1.1+deb9u2.

We recommend that you upgrade your nss packages.

For the detailed security status of nss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nss

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAl9zh9AACgkQiNJCh6LY
mLECsBAAwG1ooIYlA1tctSKDyDWOAZ/eXED+xSc2ybze888ttYQkCCPwKo9kC75o
x7gexxkQ1re4kw7J/D9LFW/fSiCEtiU2HYgvsSjk9broRBAFzwKT5+RcQf4939rb
KdQu0n5CqbSybdCq12Q6RNOj1n6SuthYYDxy58DvnU6OK+6fzFR1Av3/cVyNxCvr
QiGLW23ZvWwiui3UjP2ZgPhqSMu3V+bsDcbcu1698kQitPLp34VyqU7MJZyyMT4H
NZh/wbPANZyi2i4O6i6KxA7zu/O7hfdxY75svCa8/YKe+4oK2j85QtkQhKlL7d1g
lW7m2OU3wMeSfjvYnRgtt+Yubl4obHptD/oS1qy7sImq849eNyD7vVcS78vVRFh8
V7q6+2viEkkta/jpw5u7ELRrjIo6lprMd0rddaDzNMiKmzumR6zUqjxuIPGNnE1+
rQ7JLl0oRZvKFBKYPzE2oo1fG77K7qIBV2qATZ6QE9bGEhApnTqKen7x1UU0n6xK
UO4IfETtsYwyKvlwb1FY3nfEF/0T3tDw/wLajSjTj7eZui1bbuwthIopdKYYUbLw
vSsedvKfH5c3mL3u5lCJxwp8XUMioJ8Pw9yAZgxYI8a/cZOy0Cxix2ROgIcbIq8L
WZ5++RMIEJ+B0GMa8RONTcD7WGAF8Ns1LyxOohAPWau2oEfsXr0=
=VSGn
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2379-2] mediawiki regression update
Next by Date: [SECURITY] [DLA 2387-2] firefox-esr regression update
Previous by thread: [SECURITY] [DLA 2379-2] mediawiki regression update
Next by thread: [SECURITY] [DLA 2387-2] firefox-esr regression update
Index(es):
- Date
- Thread