------------------------------------------------------------------------- Debian LTS Advisory DLA-3327-1 debian-lts@lists.debian.org https://www.debian.org/lts/security/ Markus Koschany February 20, 2023 https://wiki.debian.org/LTS ------------------------------------------------------------------------- Package : nss Version : 2:3.42.1-1+deb10u6 CVE ID : CVE-2020-6829 CVE-2020-12400 CVE-2020-12401 CVE-2020-12403 CVE-2023-0767 Multiple security vulnerabilities have been discovered in nss, the Network Security Service libraries. CVE-2020-6829 When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. CVE-2020-12400 When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. CVE-2020-12401 During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. CVE-2020-12403 A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. CVE-2023-0767 Christian Holler discovered that incorrect handling of PKCS 12 Safe Bag attributes may result in execution of arbitrary code if a specially crafted PKCS 12 certificate bundle is processed. For Debian 10 buster, these problems have been fixed in version 2:3.42.1-1+deb10u6. We recommend that you upgrade your nss packages. For the detailed security status of nss please refer to its security tracker page at: https://security-tracker.debian.org/tracker/nss Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
Attachment:
signature.asc
Description: This is a digitally signed message part