nspr-4.25.0-2.el7, nss-softokn-3.53.1-6.el7, nss-3.53.1-3.0.1.el7.AXS7, nss-util-3.53.1-1.el7
Errata ID: AXSA:2020-683:02
Network Security Services (NSS) is a set of libraries designed to support the
cross-platform development of security-enabled client and server applications.
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI
operating system facilities.
The following packages have been upgraded to a later upstream version: nss
(3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0).
Security Fix(es):
- nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)
- nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
- nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
- nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
- nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)
- nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
- nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)
- nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)
- nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
- nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)
Bug Fix(es):
- Memory leak: libcurl leaks 120 bytes on each connection
- NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1
- Make TLS 1.3 work in FIPS mode
- Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name
- x25519 allowed in FIPS mode
- When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess
- Running ipa-backup continuously causes httpd to crash and makes it irrecoverable
- nss needs to comply to the new SP800-56A rev 3 requirements
- KDF-self-tests-induced changes for nss
Update packages.
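To confirm that a host has actually picked up this update, the following added example (not part of the original advisory) compares installed package versions against the fixed builds listed on this page. The function names and the sample query output are constructed for illustration, and the comparison assumes packages without an epoch.

```python
import re

# Fixed version and release of each binary package, from this advisory's package list.
FIXED = {}
for ver, rel, names in [
    ("4.25.0", "2.el7", "nspr nspr-devel"),
    ("3.53.1", "6.el7", "nss-softokn nss-softokn-devel "
                        "nss-softokn-freebl nss-softokn-freebl-devel"),
    ("3.53.1", "3.0.1.el7.AXS7", "nss nss-devel nss-sysinit nss-tools"),
    ("3.53.1", "1.el7", "nss-util nss-util-devel"),
]:
    FIXED.update({name: (ver, rel) for name in names.split()})

def rpmvercmp(a, b):
    """Segment-wise RPM comparison; epoch, '~' and '^' are not handled."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def outdated(query_output):
    """Return (name, installed, fixed) for packages older than the advisory's."""
    findings = []
    for line in query_output.strip().splitlines():
        name, version, release = line.split()
        if name not in FIXED:
            continue  # e.g. nss-pam-ldapd is not part of this update
        fver, frel = FIXED[name]
        if (rpmvercmp(version, fver) or rpmvercmp(release, frel)) < 0:
            findings.append((name, f"{version}-{release}", f"{fver}-{frel}"))
    return findings

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
SAMPLE = """
nspr 4.21.0 1.el7
nss 3.53.1 3.0.1.el7.AXS7
nss-softokn 3.53.1 5.el7
nss-tools 3.44.0 7.el7_7
nss-util 3.53.1 1.el7_9
nss-pam-ldapd 0.8.13 25.el7
"""
for name, have, need in outdated(SAMPLE):
    print(f"{name}: installed {have}, advisory ships {need}")
```

Matching on exact package names rather than an `nss` prefix keeps unrelated packages such as nss-pam-ldapd out of the result.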
When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.
Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71.
In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
SRPMS
- nspr-4.25.0-2.el7.src.rpm
  Size: 1.05 MB
- nss-softokn-3.53.1-6.el7.src.rpm
  Size: 67.22 MB
- nss-3.53.1-3.0.1.el7.AXS7.src.rpm
  Size: 77.67 MB
- nss-util-3.53.1-1.el7.src.rpm
  Size: 19.80 MB
Asianux Server 7 for x86_64
- nspr-4.25.0-2.el7.x86_64.rpm
  Size: 125.93 kB
- nspr-devel-4.25.0-2.el7.x86_64.rpm
  Size: 113.20 kB
- nss-softokn-3.53.1-6.el7.x86_64.rpm
  Size: 353.21 kB
- nss-softokn-devel-3.53.1-6.el7.x86_64.rpm
  Size: 29.97 kB
- nss-softokn-freebl-3.53.1-6.el7.x86_64.rpm
  Size: 321.10 kB
- nss-softokn-freebl-devel-3.53.1-6.el7.x86_64.rpm
  Size: 60.89 kB
- nss-3.53.1-3.0.1.el7.AXS7.x86_64.rpm
  Size: 867.94 kB
- nss-devel-3.53.1-3.0.1.el7.AXS7.x86_64.rpm
  Size: 239.19 kB
- nss-sysinit-3.53.1-3.0.1.el7.AXS7.x86_64.rpm
  Size: 64.59 kB
- nss-tools-3.53.1-3.0.1.el7.AXS7.x86_64.rpm
  Size: 534.09 kB
- nss-util-3.53.1-1.el7.x86_64.rpm
  Size: 78.14 kB
- nss-util-devel-3.53.1-1.el7.x86_64.rpm
  Size: 80.09 kB
- nspr-4.25.0-2.el7.i686.rpm
  Size: 127.61 kB
- nspr-devel-4.25.0-2.el7.i686.rpm
  Size: 113.25 kB
- nss-softokn-3.53.1-6.el7.i686.rpm
  Size: 360.54 kB
- nss-softokn-devel-3.53.1-6.el7.i686.rpm
  Size: 30.01 kB
- nss-softokn-freebl-3.53.1-6.el7.i686.rpm
  Size: 320.59 kB
- nss-softokn-freebl-devel-3.53.1-6.el7.i686.rpm
  Size: 59.91 kB
- nss-3.53.1-3.0.1.el7.AXS7.i686.rpm
  Size: 868.45 kB
- nss-devel-3.53.1-3.0.1.el7.AXS7.i686.rpm
  Size: 240.64 kB
- nss-util-3.53.1-1.el7.i686.rpm
  Size: 76.62 kB
- nss-util-devel-3.53.1-1.el7.i686.rpm
  Size: 80.13 kB