AXSA:2020-690:01

Release date: Tuesday, October 13, 2020 - 09:11
Subject: nspr-4.25.0-2.el8, nss-3.53.1-11.0.1.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.

Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.

The following packages have been upgraded to a later upstream version: nss (3.53.1), nspr (4.25.0).

Security Fix(es):

* nss: UAF in sftk_FreeSession due to improper refcounting (CVE-2019-11756)

* nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)

* nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)

* nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Install of update of nss.x86_64 adds i686 into transaction

* NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1

* TLS Keying Material Exporter is unsupported by command line tools

* TLS_AES_256_GCM_SHA384 is not marked as FIPS compatible

* Make TLS 1.3 work in FIPS mode

* NSS rejects records with large padding with SHA384 HMAC

* NSS missing IKEv1 Quick Mode KDF

* Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name

* FIPS needs nss to restrict valid dh primes to those primes that are approved.

* nss needs to comply to the new SP800-56A rev 3 requirements

Enhancement(s):

* [RFE] nss should use AES for storage of keys

CVE-2019-11756
Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71.
CVE-2019-17006
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-17023
After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.
CVE-2020-12402
During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. nspr-4.25.0-2.el8.src.rpm
    Size: 1.05 MB
  2. nss-3.53.1-11.0.1.el8.src.rpm
    Size: 136.45 MB

Asianux Server 8 for x86_64
  1. nspr-4.25.0-2.el8.x86_64.rpm
    Size: 141.00 kB
  2. nspr-devel-4.25.0-2.el8.x86_64.rpm
    Size: 119.20 kB
  3. nss-3.53.1-11.0.1.el8.x86_64.rpm
    Size: 720.75 kB
  4. nss-devel-3.53.1-11.0.1.el8.x86_64.rpm
    Size: 268.04 kB
  5. nss-softokn-3.53.1-11.0.1.el8.x86_64.rpm
    Size: 482.47 kB
  6. nss-softokn-devel-3.53.1-11.0.1.el8.x86_64.rpm
    Size: 65.54 kB
  7. nss-softokn-freebl-3.53.1-11.0.1.el8.x86_64.rpm
    Size: 288.57 kB
  8. nss-softokn-freebl-devel-3.53.1-11.0.1.el8.x86_64.rpm
    Size: 117.47 kB
  9. nss-sysinit-3.53.1-11.0.1.el8.x86_64.rpm
    Size: 70.40 kB
  10. nss-tools-3.53.1-11.0.1.el8.x86_64.rpm
    Size: 558.61 kB
  11. nss-util-3.53.1-11.0.1.el8.x86_64.rpm
    Size: 133.92 kB
  12. nss-util-devel-3.53.1-11.0.1.el8.x86_64.rpm
    Size: 128.82 kB
  13. nspr-4.25.0-2.el8.i686.rpm
    Size: 151.08 kB
  14. nspr-devel-4.25.0-2.el8.i686.rpm
    Size: 119.24 kB
  15. nss-3.53.1-11.0.1.el8.i686.rpm
    Size: 794.32 kB
  16. nss-devel-3.53.1-11.0.1.el8.i686.rpm
    Size: 271.58 kB
  17. nss-softokn-3.53.1-11.0.1.el8.i686.rpm
    Size: 517.03 kB
  18. nss-softokn-devel-3.53.1-11.0.1.el8.i686.rpm
    Size: 65.58 kB
  19. nss-softokn-freebl-3.53.1-11.0.1.el8.i686.rpm
    Size: 276.71 kB
  20. nss-softokn-freebl-devel-3.53.1-11.0.1.el8.i686.rpm
    Size: 116.86 kB
  21. nss-util-3.53.1-11.0.1.el8.i686.rpm
    Size: 136.91 kB
  22. nss-util-devel-3.53.1-11.0.1.el8.i686.rpm
    Size: 128.86 kB