ALT-PU-2020-2932-1
Closed vulnerabilities
BDU:2020-03953
Уязвимость компонента Knowledge Management программной интеграционной платформы SAP NetWeaver, позволяющая нарушителю осуществить межсайтовые сценарные атаки
BDU:2020-03960
Уязвимость функции модульной инверсии набора библиотек NSS (Network Security Services), позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2020-03961
Уязвимость набора библиотек NSS (Network Security Services), связанная с использованием криптографического алгоритма ECDSA (Elliptic Curve Digital Signature Algorithm), содержащего дефекты, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
BDU:2021-00099
Уязвимость подписи DSA веб-браузеров программного обеспечения Firefox, Firefox-esr и Thunderbird, связанная с раскрытием информации в результате расхождений, позволяющая нарушителю получить доступ к конфиденциальным данным
Modified: 2024-11-21
CVE-2020-12399
NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
- [debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update
- GLSA-202007-49
- USN-4421-1
- DSA-4726
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631576
- https://www.mozilla.org/security/advisories/mfsa2020-22/
- https://www.mozilla.org/security/advisories/mfsa2020-21/
- https://www.mozilla.org/security/advisories/mfsa2020-20/
- DSA-4726
- USN-4421-1
- GLSA-202007-49
- [debian-lts-announce] 20200929 [SECURITY] [DLA 2388-1] nss security update
Modified: 2024-11-21
CVE-2020-12400
When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1623116
- [debian-lts-announce] 20230220 [SECURITY] [DLA 3327-1] nss security update
- https://www.mozilla.org/security/advisories/mfsa2020-36/
- https://www.mozilla.org/security/advisories/mfsa2020-39/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1623116
- https://www.mozilla.org/security/advisories/mfsa2020-39/
- https://www.mozilla.org/security/advisories/mfsa2020-36/
- [debian-lts-announce] 20230220 [SECURITY] [DLA 3327-1] nss security update
Modified: 2024-11-21
CVE-2020-12401
During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631573
- [debian-lts-announce] 20230220 [SECURITY] [DLA 3327-1] nss security update
- https://www.mozilla.org/security/advisories/mfsa2020-36/
- https://www.mozilla.org/security/advisories/mfsa2020-39/
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631573
- https://www.mozilla.org/security/advisories/mfsa2020-39/
- https://www.mozilla.org/security/advisories/mfsa2020-36/
- [debian-lts-announce] 20230220 [SECURITY] [DLA 3327-1] nss security update
Modified: 2024-11-21
CVE-2020-12403
A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.
- https://bugzilla.redhat.com/show_bug.cgi?id=1868931
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes
- [debian-lts-announce] 20230220 [SECURITY] [DLA 3327-1] nss security update
- https://security.netapp.com/advisory/ntap-20230324-0006/
- https://bugzilla.redhat.com/show_bug.cgi?id=1868931
- https://security.netapp.com/advisory/ntap-20230324-0006/
- [debian-lts-announce] 20230220 [SECURITY] [DLA 3327-1] nss security update
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes
Modified: 2024-11-21
CVE-2020-6829
When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631583
- https://bugzilla.mozilla.org/show_bug.cgi?id=1631583
- [debian-lts-announce] 20230220 [SECURITY] [DLA 3327-1] nss security update
- [debian-lts-announce] 20230220 [SECURITY] [DLA 3327-1] nss security update
- https://www.mozilla.org/security/advisories/mfsa2020-36/
- https://www.mozilla.org/security/advisories/mfsa2020-36/
- https://www.mozilla.org/security/advisories/mfsa2020-39/
- https://www.mozilla.org/security/advisories/mfsa2020-39/
Closed bugs
NSS and NSS_DISABLE_DBM
Сломана сборка с -Werror=strict-prototypes
В состав libnss больше не входит libpkix.