Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.1433 nss security and bug fix update 28 April 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: nss Publisher: Red Hat Operating System: Red Hat UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-25648 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:1384 Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running nss check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: nss security and bug fix update Advisory ID: RHSA-2021:1384-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:1384 Issue date: 2021-04-27 CVE Names: CVE-2020-25648 ===================================================================== 1. Summary: An update for nss is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64 3. Description: Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. Security Fix(es): * nss: TLS 1.3 CCS flood remote DoS Attack (CVE-2020-25648) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * FTBFS: Paypal Cert expired (BZ#1883973) * FTBFS: IKE CLASS_1563 fails gtest (BZ#1884793) * Cannot compile code with nss headers and -Werror=strict-prototypes (BZ#1885321) * CA HSM ncipher token disabled after RHEL-7.9 update (BZ#1932193) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing this update, applications using NSS (for example, Firefox) must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1883973 - FTBFS: Paypal Cert expired [rhel-7.9.z] 1884793 - FTBFS: IKE CLASS_1563 fails gtest [rhel-7.9.z] 1885321 - Cannot compile code with nss headers and -Werror=strict-prototypes 1887319 - CVE-2020-25648 nss: TLS 1.3 CCS flood remote DoS Attack 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: nss-3.53.1-7.el7_9.src.rpm x86_64: nss-3.53.1-7.el7_9.i686.rpm nss-3.53.1-7.el7_9.x86_64.rpm nss-debuginfo-3.53.1-7.el7_9.i686.rpm nss-debuginfo-3.53.1-7.el7_9.x86_64.rpm nss-sysinit-3.53.1-7.el7_9.x86_64.rpm nss-tools-3.53.1-7.el7_9.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): x86_64: nss-debuginfo-3.53.1-7.el7_9.i686.rpm nss-debuginfo-3.53.1-7.el7_9.x86_64.rpm nss-devel-3.53.1-7.el7_9.i686.rpm nss-devel-3.53.1-7.el7_9.x86_64.rpm nss-pkcs11-devel-3.53.1-7.el7_9.i686.rpm nss-pkcs11-devel-3.53.1-7.el7_9.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: nss-3.53.1-7.el7_9.src.rpm x86_64: nss-3.53.1-7.el7_9.i686.rpm nss-3.53.1-7.el7_9.x86_64.rpm nss-debuginfo-3.53.1-7.el7_9.i686.rpm nss-debuginfo-3.53.1-7.el7_9.x86_64.rpm nss-sysinit-3.53.1-7.el7_9.x86_64.rpm nss-tools-3.53.1-7.el7_9.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): x86_64: nss-debuginfo-3.53.1-7.el7_9.i686.rpm nss-debuginfo-3.53.1-7.el7_9.x86_64.rpm nss-devel-3.53.1-7.el7_9.i686.rpm nss-devel-3.53.1-7.el7_9.x86_64.rpm nss-pkcs11-devel-3.53.1-7.el7_9.i686.rpm nss-pkcs11-devel-3.53.1-7.el7_9.x86_64.rpm Red Hat Enterprise Linux Server (v. 7): Source: nss-3.53.1-7.el7_9.src.rpm ppc64: nss-3.53.1-7.el7_9.ppc.rpm nss-3.53.1-7.el7_9.ppc64.rpm nss-debuginfo-3.53.1-7.el7_9.ppc.rpm nss-debuginfo-3.53.1-7.el7_9.ppc64.rpm nss-devel-3.53.1-7.el7_9.ppc.rpm nss-devel-3.53.1-7.el7_9.ppc64.rpm nss-sysinit-3.53.1-7.el7_9.ppc64.rpm nss-tools-3.53.1-7.el7_9.ppc64.rpm ppc64le: nss-3.53.1-7.el7_9.ppc64le.rpm nss-debuginfo-3.53.1-7.el7_9.ppc64le.rpm nss-devel-3.53.1-7.el7_9.ppc64le.rpm nss-sysinit-3.53.1-7.el7_9.ppc64le.rpm nss-tools-3.53.1-7.el7_9.ppc64le.rpm s390x: nss-3.53.1-7.el7_9.s390.rpm nss-3.53.1-7.el7_9.s390x.rpm nss-debuginfo-3.53.1-7.el7_9.s390.rpm nss-debuginfo-3.53.1-7.el7_9.s390x.rpm nss-devel-3.53.1-7.el7_9.s390.rpm nss-devel-3.53.1-7.el7_9.s390x.rpm nss-sysinit-3.53.1-7.el7_9.s390x.rpm nss-tools-3.53.1-7.el7_9.s390x.rpm x86_64: nss-3.53.1-7.el7_9.i686.rpm nss-3.53.1-7.el7_9.x86_64.rpm nss-debuginfo-3.53.1-7.el7_9.i686.rpm nss-debuginfo-3.53.1-7.el7_9.x86_64.rpm nss-devel-3.53.1-7.el7_9.i686.rpm nss-devel-3.53.1-7.el7_9.x86_64.rpm nss-sysinit-3.53.1-7.el7_9.x86_64.rpm nss-tools-3.53.1-7.el7_9.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): ppc64: nss-debuginfo-3.53.1-7.el7_9.ppc.rpm nss-debuginfo-3.53.1-7.el7_9.ppc64.rpm nss-pkcs11-devel-3.53.1-7.el7_9.ppc.rpm nss-pkcs11-devel-3.53.1-7.el7_9.ppc64.rpm ppc64le: nss-debuginfo-3.53.1-7.el7_9.ppc64le.rpm nss-pkcs11-devel-3.53.1-7.el7_9.ppc64le.rpm s390x: nss-debuginfo-3.53.1-7.el7_9.s390.rpm nss-debuginfo-3.53.1-7.el7_9.s390x.rpm nss-pkcs11-devel-3.53.1-7.el7_9.s390.rpm nss-pkcs11-devel-3.53.1-7.el7_9.s390x.rpm x86_64: nss-debuginfo-3.53.1-7.el7_9.i686.rpm nss-debuginfo-3.53.1-7.el7_9.x86_64.rpm nss-pkcs11-devel-3.53.1-7.el7_9.i686.rpm nss-pkcs11-devel-3.53.1-7.el7_9.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: nss-3.53.1-7.el7_9.src.rpm x86_64: nss-3.53.1-7.el7_9.i686.rpm nss-3.53.1-7.el7_9.x86_64.rpm nss-debuginfo-3.53.1-7.el7_9.i686.rpm nss-debuginfo-3.53.1-7.el7_9.x86_64.rpm nss-devel-3.53.1-7.el7_9.i686.rpm nss-devel-3.53.1-7.el7_9.x86_64.rpm nss-sysinit-3.53.1-7.el7_9.x86_64.rpm nss-tools-3.53.1-7.el7_9.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): x86_64: nss-debuginfo-3.53.1-7.el7_9.i686.rpm nss-debuginfo-3.53.1-7.el7_9.x86_64.rpm nss-pkcs11-devel-3.53.1-7.el7_9.i686.rpm nss-pkcs11-devel-3.53.1-7.el7_9.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-25648 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIf359zjgjWX9erEAQigOw//TKzf8ctaWjAPFaHygoCMnTJCG/XebHId iAPskx6/0IoejR+bMnQ9JA/pkcorSAEMY6C2is8t4nWSTqR1X5HVbIjMMs9s1GTQ EwZyrk7l+bdnXdBVWnv/UyhNG8D/FI8Aim7LQGCZDt5tt+HxWtmhZ/l9/yUKvmFy RPO14MFvLP8EzBZPHji/mt8TXuK/rFcvYwNMLavBW3H1rMj6BkTTz7QCnleCT1et CXm8swtiV6DccM33hH5R6M+7vuoQG4UJuIIgroW7wiLctmf8e48WSuppXPqpth7E 1hiE6WSbdixfMufXA3nvEbHNyH1Q6mv8KS2+QUVSO78ll2WPlPovE4rvLNa8867I paJ/G3fh3EgOtY2kWfCcvuI5EmAuLpxCPSc1yH13W8Q0xljfQzIkrKnSxH/IWXXl cKmG2YmBapWVdFXTAe8zuefDQT0qxKw3JfM4z3P2TIKF3FIRAk14tSd6U8+Z6zHS /HlIvW2GgEQaSV+yyfC8La6TRrvYw8e+LmXqyU5W8TGv+IW76b7Wxl18rYd+ubQt oIxyxE3rDcCBoGxexqSkcpox9AZYZrScIFCcoPPZCbGNhYNjpgpwa9+6rUnSfCGC t1u+krciwT8yoniesZsNZP+S5/yhuXQNP171nOXsOwY2WyCj2GsfMYJyMYe90DxZ wAIZFLjBDJ0= =9dqh - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYIitpONLKJtyKPYoAQhY5g//ZtI7rusMwFktXYJ0fpHVpLDdbIaDcZu1 dJao7rCZ0ge1ng2BTBauigVExnJ2/jmC1fG10kRoAnJF3RS204ttce7QRxRl5bMz h682ni2IEQgaQGenPUmlkmQd52sKzegBiABtMeHE/9jQ0GjPulVZ0+MqplDKeadh 4IV1OXgwcHS6r35TI+0JajRJC0Z/oH8c8bk6e78CPGfz6eHIDChym3kJYLCtS3ua HaMT2inxLVlnAyw2q/VkpjabOvPbe6TD9T6TcqnFZblo5+6FRVHekSWPrQpy2mjE xQ1RbdR2GxRJPvTwIPxuFPQrUZ0j6iG7UWW+iB5Oo9BbBtmKObXiXQvAao97k0u/ BFzQdBtYeZTox4qlzcGpdcCJvj/u41QVJJZZgrPjeOQlPVNInqVLmyqtHsN6cApb jDn6GkWfL9DI0rsXSXhpREezs7jhay0JhVzVYjOtz0/WH1qn9lriaASMZqkr5cYb gQnw4Zf1vlG5Qd7pPY33+MsoghwhbTvNw2a41ZaFKv8U2DusqhV9RkJ/FBAZBrWH hh7CUL+XCJfMPQHcDaUf0CvEXzTpjZ5u7tATLqcH8KYo9w++TcjjEe9dpsKN5prA Y8qigwPI4NHs3AhjBytijGdwH1xrMcXm1CLl7bKGSzu1APcMgeNm7dPpnL7JgiXG 6OKgl4mHPmE= =pBVZ -----END PGP SIGNATURE-----