Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.0834 nss-softokn security update 10 March 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: nss-softokn Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Denial of Service -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2020-12403 CVE-2019-17006 CVE-2019-11756 Reference: ESB-2021.0571 ESB-2021.0491 ESB-2020.3631 ESB-2020.3352 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:0758 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: nss-softokn security update Advisory ID: RHSA-2021:0758-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:0758 Issue date: 2021-03-09 CVE Names: CVE-2019-11756 CVE-2019-17006 CVE-2020-12403 ===================================================================== 1. Summary: An update for nss-softokn is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.4) - x86_64 Red Hat Enterprise Linux Server E4S (v. 7.4) - ppc64le, x86_64 Red Hat Enterprise Linux Server TUS (v. 7.4) - x86_64 3. Description: The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. Security Fix(es): * nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756) * nss: Check length of inputs for cryptographic primitives (CVE-2019-17006) * nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1774835 - CVE-2019-11756 nss: Use-after-free in sftk_FreeSession due to improper refcounting 1775916 - CVE-2019-17006 nss: Check length of inputs for cryptographic primitives 1868931 - CVE-2020-12403 nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read 6. Package List: Red Hat Enterprise Linux Server AUS (v. 7.4): Source: nss-softokn-3.28.3-10.el7_4.src.rpm x86_64: nss-softokn-3.28.3-10.el7_4.i686.rpm nss-softokn-3.28.3-10.el7_4.x86_64.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.i686.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.x86_64.rpm nss-softokn-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-devel-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.x86_64.rpm Red Hat Enterprise Linux Server E4S (v. 7.4): Source: nss-softokn-3.28.3-10.el7_4.src.rpm ppc64le: nss-softokn-3.28.3-10.el7_4.ppc64le.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.ppc64le.rpm nss-softokn-devel-3.28.3-10.el7_4.ppc64le.rpm nss-softokn-freebl-3.28.3-10.el7_4.ppc64le.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.ppc64le.rpm x86_64: nss-softokn-3.28.3-10.el7_4.i686.rpm nss-softokn-3.28.3-10.el7_4.x86_64.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.i686.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.x86_64.rpm nss-softokn-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-devel-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.x86_64.rpm Red Hat Enterprise Linux Server TUS (v. 7.4): Source: nss-softokn-3.28.3-10.el7_4.src.rpm x86_64: nss-softokn-3.28.3-10.el7_4.i686.rpm nss-softokn-3.28.3-10.el7_4.x86_64.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.i686.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.x86_64.rpm nss-softokn-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-devel-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-11756 https://access.redhat.com/security/cve/CVE-2019-17006 https://access.redhat.com/security/cve/CVE-2020-12403 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYEc+RNzjgjWX9erEAQg4mQ/+MCpmmYSEI6SYvndSaGpNdO8n7hGXNjAM VmFgQ8T3HABcaoKX78x2lhSeFZypFdwLDac2fL7pOoxxY9KZKUJqDCZc1Q6UggmQ CWUgRNzngnZhkwGaZw3al+/371NN/dfj7kAkEuQTt/PSH0gdiyAdwYthZ0Ke+EOV wIW+8w1x2NxJFrTWIvBSP+w3HHn0d2dCRJicemPkPd25ptHsDzwer2ySDuRI7HJI OlVt5mop/Yq0xXEWlujB7qUhD3gH4ebwHHIgtce7Ffwi1Y/JBGeV9/V2xMbhCNBk 4jhK3AWRNw9ByI0vH4EfyxAuRlolUGR3T/z2ApemyV6pfrulr2KuWeKzF5AEEe1F 9VPuhZ2L+b1xlU3dkZWBO7KH97/c8FJDH2A6j6Lz+M4OtlDziFAPUkabo83AKSSq kv7K2LRL/rm2+dJbSRu9G/3H61jtwVLuGxWUfH6+f8j+NjIeY2BsPFGmCJRGMavI 37MpSDMeYcikHrxgcd49N/xYGNtJKuSQnaO2mQRM5KK7yfeZ8qKOprmC7nE5RKp7 zlIKxq3Py1S53zIzuXzyT5PnvM2nwI3EpBGrcQiiBLlRH7EBAW6eWUCcIQaZklW9 llkYRNyJ+qct5YItP7SjRMUyEJ6Zfn1fxNiJ3vGA4s1dsrBF097H+sqr/OuTEXM8 FTKK9cP2NpU= =9QSj - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYEgHWONLKJtyKPYoAQjh8w/+M5UqST2y5tl5ezB1WSD7CLemYtXJcZMJ ZhcmSCAUkfjyaAdKAs5R8b3KxZ6L2LKHDs5wi4gvjNs3LiLx3y0GbhbOnTkF3snj tzkBCsM7b11UqKlZmS5jLwG0/tr1kr53cGvGBex0Hm3JbUSBiEXxMNjmp2Cyihv4 tmIcS3hHGUnCr4kAVa2wLCQNzOM+8lkQP0dp/rgU5vUFD1t0SUt5a5fpD4zJcdtu wPuwv+DPulMjXxm2lEI7kAUe1UxUjrZrGcIBmYjKq+pHIEeHeo9J6AXXq2+/WAbH xnbngFJT1sJ3Lt15nO+rn2dQSviFqKZaYpAzjS9/RBgZ8Ckp6gDyHcBO6CiggrHW n3ii6YLgfNFl0XFN0HRj/kieP1CcPO2H+piEscd9Wxb7/uMPpRoKDlwmyXWTjYOc +VcLiExQ8AyFBkFdZxcL/TUrP/uWyPPOxUzOZ47MWghaCRTmwyfqhSukovFcB8I8 oDghiv5MDJztkHZQF93icm0saEKwO1GoUTbtNZkA8b8U05WG8reDttD0ebbamOJ7 lYkZbVw598WRuRYB31BkjFSepcQHpZ4VKRW8zo65+FCfGLIxpynxWkJzsKB5XVWV gWHuwMR0ADhRZKI5dd7ciOpuHox1FOz+TxjaqAXICa5JIosdwHm1LnFW8qKktUd6 Si9kv9Ogw9w= =S+Wv -----END PGP SIGNATURE-----