Gentoo Archives: gentoo-announce

From: Sam James <sam@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202008-08 ] Mozilla Network Security Service (NSS): Multiple vulnerabilities
Date: Wed, 19 Aug 2020 11:11:20
Message-Id: 0A09FFB5-3061-490D-933C-B1BCB01364B4@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 202008-08
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Mozilla Network Security Service (NSS): Multiple
9 vulnerabilities
10 Date: August 19, 2020
11 Bugs: #734986
12 ID: 202008-08
13
14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15
16 Synopsis
17 ========
18
19 NSS has multiple information disclosure vulnerabilities when handling
20 secret key material.
21
22 Background
23 ==========
24
25 The Mozilla Network Security Service (NSS) is a library implementing
26 security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11,
27 PKCS #12, S/MIME and X.509 certificates.
28
29 Affected packages
30 =================
31
32 -------------------------------------------------------------------
33 Package / Vulnerable / Unaffected
34 -------------------------------------------------------------------
35 1 dev-libs/nss < 3.55 >= 3.55
36
37 Description
38 ===========
39
40 Multiple vulnerabilities have been discovered in NSS. Please review the
41 CVE identifiers referenced below for details.
42
43 Impact
44 ======
45
46 An attacker may be able to obtain information about secret key
47 material.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All NSS users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.55"
61
62 References
63 ==========
64
65 [ 1 ] CVE-2020-12400
66 https://nvd.nist.gov/vuln/detail/CVE-2020-12400
67 [ 2 ] CVE-2020-12401
68 https://nvd.nist.gov/vuln/detail/CVE-2020-12401
69 [ 3 ] CVE-2020-12403
70 https://nvd.nist.gov/vuln/detail/CVE-2020-12403
71
72 Availability
73 ============
74
75 This GLSA and any updates to it are available for viewing at
76 the Gentoo Security Website:
77
78 https://security.gentoo.org/glsa/202008-08
79
80 Concerns?
81 =========
82
83 Security is a primary focus of Gentoo Linux and ensuring the
84 confidentiality and security of our users' machines is of utmost
85 importance to us. Any security concerns should be addressed to
86 security@g.o or alternatively, you may file a bug at
87 https://bugs.gentoo.org.
88
89 License
90 =======
91
92 Copyright 2020 Gentoo Foundation, Inc; referenced text
93 belongs to its owner(s).
94
95 The contents of this document are licensed under the
96 Creative Commons - Attribution / Share Alike license.
97
98 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature