Operating System:

[Debian]

Published:

30 September 2020



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.3355
                            nss security update
                             30 September 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           nss
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-12403 CVE-2020-12402 CVE-2020-12401
                   CVE-2020-12400 CVE-2020-12399 CVE-2020-6829
                   CVE-2019-17007 CVE-2019-17006 CVE-2019-11745
                   CVE-2019-11729 CVE-2019-11719 CVE-2018-18508
                   CVE-2018-12404  

Reference:         ESB-2020.2650
                   ESB-2020.2446

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/09/msg00029.html

--------------------------BEGIN INCLUDED TEXT--------------------


-------------------------------------------------------------------------
Debian LTS Advisory DLA-2388-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                          Adrian Bunk
September 29, 2020                            https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : nss
Version        : 2:3.26.2-1.1+deb9u2
CVE ID         : CVE-2018-12404 CVE-2018-18508 CVE-2019-11719 CVE-2019-11729 
                 CVE-2019-11745 CVE-2019-17006 CVE-2019-17007 CVE-2020-6829 
                 CVE-2020-12399 CVE-2020-12400 CVE-2020-12401 CVE-2020-12402 
                 CVE-2020-12403
Debian Bug     : 921614 961752 963152

Various vulnerabilities were fixed in nss,
the Network Security Service libraries.

CVE-2018-12404

    Cache side-channel variant of the Bleichenbacher attack.

CVE-2018-18508

    NULL pointer dereference in several CMS functions resulting in a 
    denial of service.

CVE-2019-11719

    Out-of-bounds read when importing curve25519 private key.

CVE-2019-11729

    Empty or malformed p256-ECDH public keys may trigger a segmentation 
    fault.

CVE-2019-11745

    Out-of-bounds write when encrypting with a block cipher.

CVE-2019-17006

    Some cryptographic primitives did not check the length of the input 
    text, potentially resulting in overflows.

CVE-2019-17007

    Handling of Netscape Certificate Sequences may crash with a NULL 
    dereference leading to a denial of service.

CVE-2020-12399

    Force a fixed length for DSA exponentiation.

CVE-2020-6829
CVE-2020-12400

    Side channel attack on ECDSA signature generation.

CVE-2020-12401

    ECDSA timing attack mitigation bypass.

CVE-2020-12402

    Side channel vulnerabilities during RSA key generation.

CVE-2020-12403

    CHACHA20-POLY1305 decryption with undersized tag leads to 
    out-of-bounds read.

For Debian 9 stretch, these problems have been fixed in version
2:3.26.2-1.1+deb9u2.

We recommend that you upgrade your nss packages.
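As an added check that is not part of the Debian or AusCERT text, the Python below implements dpkg's version-ordering rules (epoch, upstream, revision, with '~' sorting below everything) and uses them to decide whether an installed nss version string is at or above the fixed version 2:3.26.2-1.1+deb9u2 named in this advisory; libnss3 is the binary package built from the nss source package, and all sample version strings in the test are constructed.

```python
import re

# Fixed version named in DLA-2388-1 for Debian 9 "stretch".
FIXED_NSS_VERSION = "2:3.26.2-1.1+deb9u2"

def _order(c: str) -> int:
    # dpkg's character weight: end of string or digit 0, '~' below all, letters, then symbols
    if not c or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a: str, b: str) -> int:
    """Compare upstream or revision fragments the way dpkg's verrevcmp does."""
    while a or b:
        # alternate between a run of non-digit characters ...
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            diff = _order(a[:1]) - _order(b[:1])
            if diff:
                return diff
            a, b = a[1:], b[1:]
        # ... and a run of digits compared numerically (leading zeros ignored)
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        diff = int(na or "0") - int(nb or "0")
        if diff:
            return diff
    return 0

def _split(version: str):
    """[epoch:]upstream[-revision]; a missing epoch or revision counts as 0."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def debian_version_cmp(v1: str, v2: str) -> int:
    """Return -1, 0 or 1, ordering v1 against v2 as dpkg --compare-versions does."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def is_fixed(installed: str, fixed: str = FIXED_NSS_VERSION) -> bool:
    """True when the installed nss version is at or above the advisory's fixed version."""
    return debian_version_cmp(installed, fixed) >= 0
```

On the host itself, `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libnss3)" ge 2:3.26.2-1.1+deb9u2` gives the same answer; the Python version is for checking version strings gathered from an inventory offline.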

For the detailed security status of nss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nss

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================