Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1091
nss-softokn security update
31 March 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: nss-softokn
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-12403 CVE-2019-17006 CVE-2019-11756
Reference: ESB-2021.0933
ESB-2020.3355
ESB-2020.2963
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:1026
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: nss-softokn security update
Advisory ID: RHSA-2021:1026-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1026
Issue date: 2021-03-30
CVE Names: CVE-2019-11756 CVE-2019-17006 CVE-2020-12403
=====================================================================
1. Summary:
An update for nss-softokn is now available for Red Hat Enterprise Linux 7.7
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux ComputeNode EUS (v. 7.7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.7) - x86_64
Red Hat Enterprise Linux Server EUS (v. 7.7) - ppc64, ppc64le, s390x, x86_64
3. Description:
The nss-softokn package provides the Network Security Services Softoken
Cryptographic Module.
Security Fix(es):
* nss: Use-after-free in sftk_FreeSession due to improper refcounting
(CVE-2019-11756)
* nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
* nss: CHACHA20-POLY1305 decryption with undersized tag leads to
out-of-bounds read (CVE-2020-12403)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1774835 - CVE-2019-11756 nss: Use-after-free in sftk_FreeSession due to improper refcounting
1775916 - CVE-2019-17006 nss: Check length of inputs for cryptographic primitives
1868931 - CVE-2020-12403 nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read
6. Package List:
Red Hat Enterprise Linux ComputeNode EUS (v. 7.7):
Source:
nss-softokn-3.44.0-9.el7_7.src.rpm
x86_64:
nss-softokn-3.44.0-9.el7_7.i686.rpm
nss-softokn-3.44.0-9.el7_7.x86_64.rpm
nss-softokn-debuginfo-3.44.0-9.el7_7.i686.rpm
nss-softokn-debuginfo-3.44.0-9.el7_7.x86_64.rpm
nss-softokn-freebl-3.44.0-9.el7_7.i686.rpm
nss-softokn-freebl-3.44.0-9.el7_7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Optional EUS (v. 7.7):
x86_64:
nss-softokn-debuginfo-3.44.0-9.el7_7.i686.rpm
nss-softokn-debuginfo-3.44.0-9.el7_7.x86_64.rpm
nss-softokn-devel-3.44.0-9.el7_7.i686.rpm
nss-softokn-devel-3.44.0-9.el7_7.x86_64.rpm
nss-softokn-freebl-devel-3.44.0-9.el7_7.i686.rpm
nss-softokn-freebl-devel-3.44.0-9.el7_7.x86_64.rpm
Red Hat Enterprise Linux Server EUS (v. 7.7):
Source:
nss-softokn-3.44.0-9.el7_7.src.rpm
ppc64:
nss-softokn-3.44.0-9.el7_7.ppc.rpm
nss-softokn-3.44.0-9.el7_7.ppc64.rpm
nss-softokn-debuginfo-3.44.0-9.el7_7.ppc.rpm
nss-softokn-debuginfo-3.44.0-9.el7_7.ppc64.rpm
nss-softokn-devel-3.44.0-9.el7_7.ppc.rpm
nss-softokn-devel-3.44.0-9.el7_7.ppc64.rpm
nss-softokn-freebl-3.44.0-9.el7_7.ppc.rpm
nss-softokn-freebl-3.44.0-9.el7_7.ppc64.rpm
nss-softokn-freebl-devel-3.44.0-9.el7_7.ppc.rpm
nss-softokn-freebl-devel-3.44.0-9.el7_7.ppc64.rpm
ppc64le:
nss-softokn-3.44.0-9.el7_7.ppc64le.rpm
nss-softokn-debuginfo-3.44.0-9.el7_7.ppc64le.rpm
nss-softokn-devel-3.44.0-9.el7_7.ppc64le.rpm
nss-softokn-freebl-3.44.0-9.el7_7.ppc64le.rpm
nss-softokn-freebl-devel-3.44.0-9.el7_7.ppc64le.rpm
s390x:
nss-softokn-3.44.0-9.el7_7.s390.rpm
nss-softokn-3.44.0-9.el7_7.s390x.rpm
nss-softokn-debuginfo-3.44.0-9.el7_7.s390.rpm
nss-softokn-debuginfo-3.44.0-9.el7_7.s390x.rpm
nss-softokn-devel-3.44.0-9.el7_7.s390.rpm
nss-softokn-devel-3.44.0-9.el7_7.s390x.rpm
nss-softokn-freebl-3.44.0-9.el7_7.s390.rpm
nss-softokn-freebl-3.44.0-9.el7_7.s390x.rpm
nss-softokn-freebl-devel-3.44.0-9.el7_7.s390.rpm
nss-softokn-freebl-devel-3.44.0-9.el7_7.s390x.rpm
x86_64:
nss-softokn-3.44.0-9.el7_7.i686.rpm
nss-softokn-3.44.0-9.el7_7.x86_64.rpm
nss-softokn-debuginfo-3.44.0-9.el7_7.i686.rpm
nss-softokn-debuginfo-3.44.0-9.el7_7.x86_64.rpm
nss-softokn-devel-3.44.0-9.el7_7.i686.rpm
nss-softokn-devel-3.44.0-9.el7_7.x86_64.rpm
nss-softokn-freebl-3.44.0-9.el7_7.i686.rpm
nss-softokn-freebl-3.44.0-9.el7_7.x86_64.rpm
nss-softokn-freebl-devel-3.44.0-9.el7_7.i686.rpm
nss-softokn-freebl-devel-3.44.0-9.el7_7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-11756
https://access.redhat.com/security/cve/CVE-2019-17006
https://access.redhat.com/security/cve/CVE-2020-12403
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYGLw6tzjgjWX9erEAQil5RAAk4SQyOwg4jjHXl8KvhhYyhjeC6KIYb5g
ojisBr4cVKjGo1fMVZTfpg8DE2OTHetZfiQ0BVSkEMXPxr+nuT+p+qxQIyiq2Idb
uDzO+ttBUdPiTYEFMNodbrit0x9nhpgH6eJ4hQ90hRRBah6DxftOKde36MuozKkg
GZ4+JHf8UoJo6LX7lwz4sMTWOtIdOo3fsknxiLAVC7IUFURm5wXNhhgobSQSpiou
WFlMeTfqBT7A9ZNzh2DEAv80ltUDp/z6qEqRCvk1VkVfR/JYzUGbWZWjmbL0Srs2
kscz1yRIJSeeT5IlUsvZDTQYZ2XBJotynMPlDc4y51FraFuBZu5gg5lLqhQXhpnz
10H9xVKrDbXkHPFEzinE6WzcowTdlTlicPaWLtWpvDQO0n0dWZyX64wP3Ym7/8kK
mdTaX5HS5YdHBWSy9FF4pVzJdM8TOkNKTqaMQikSAav3/UNAeL5l3SVgLXjSPgh9
Fe4GiPJG2PU6aPmYHzSZAPvoxCA6NXm+N4eNnZL7mMFQc33Y9QcbFJpNr8/5ROMm
LZvGerUbwlLnavZFkhrr2Rvj9pdgXLWGCNP8SH/AiErfy+3dFOWQlAqy5CNnepBW
Y/swsuMBspTe4aMqsefOnbCFrHbGYKgZPsLsLnzByBuqemtn5SrAgh1TWOAqfmHx
+Pi1slDSt2U=
=Y2VV
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYGO1RONLKJtyKPYoAQjs2Q//d/9bNivFRwl2y+ot9fXpSgyZMzD1Qliz
ozjqnJ0i685MyecApOxadIeOhBz9FoCvu8AplU2DUPS+6CL3c2foN38EhCCi/BbB
HnPWF5W2bB8XQyBiFUQvMEUebO0yVheuhFzzSDK566goTgluJhoj9xRi7x32XLpX
QUUAjebuhcg1Q4dACxj7El8QTQHADFa64oSLKXr4b3JKeFZ1hwvxeAObTow0xA6p
YVPqSRV003yOgvIRXn08e4pL+XWrXg9MT3dJg2PSk6anfeeV6NpHpWPKb7qp3jxj
3XBFngkMnQk20Sc2umciHCExAdxnbKkKFLcHT+28JSZP7MMnanFHuNvtGIQtkt82
kT4jK/2wdQVGWpk24ZhSLMpLUJZE2QIHefanvgf+lNumX3sqRrfcvuE6Hcuq5XQ9
AonqLvNxccjjZuLuq5b69EJPadO2ETi9HwewHuuYKbF43WAKdz8yirObxM5YvA4n
8cMBHboLBDGN4aJBJ9RxFSyy6WT/1LkzAyQZw7peepF3yrvR8FD1H5UZ3jnqiXn9
c4MLZQbepIyv3QBT1nZkPwfxOij3zmG9coBf7aJ/sIL9zSbLjXvb42/w26YNsBH2
nKCYpLA5KolaYXqO6d26xe/sz4ymR7lbJFMtBVLZGkxQbU7c3vKK01qrfL1eND/u
j3Cmu24wp9k=
=tA+R
-----END PGP SIGNATURE-----