260 lines
12 KiB
JSON
260 lines
12 KiB
JSON
{
|
||
"Definition": [
|
||
{
|
||
"ID": "oval:org.altlinux.errata:def:20211367",
|
||
"Version": "oval:org.altlinux.errata:def:20211367",
|
||
"Class": "patch",
|
||
"Metadata": {
|
||
"Title": "ALT-PU-2021-1367: package `nss` update to version 3.61.0-alt1",
|
||
"AffectedList": [
|
||
{
|
||
"Family": "unix",
|
||
"Platforms": [
|
||
"ALT Linux branch c9f2"
|
||
],
|
||
"Products": [
|
||
"ALT SPWorkstation",
|
||
"ALT SPServer"
|
||
]
|
||
}
|
||
],
|
||
"References": [
|
||
{
|
||
"RefID": "ALT-PU-2021-1367",
|
||
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-1367",
|
||
"Source": "ALTPU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2020-03953",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2020-03953",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2020-03960",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2020-03960",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2020-03961",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2020-03961",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-00099",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-00099",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "BDU:2021-05184",
|
||
"RefURL": "https://bdu.fstec.ru/vul/2021-05184",
|
||
"Source": "BDU"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-12399",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-12399",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-12400",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-12400",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-12401",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-12401",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-12403",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-12403",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-25648",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-25648",
|
||
"Source": "CVE"
|
||
},
|
||
{
|
||
"RefID": "CVE-2020-6829",
|
||
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2020-6829",
|
||
"Source": "CVE"
|
||
}
|
||
],
|
||
"Description": "This update upgrades nss to version 3.61.0-alt1. \nSecurity Fix(es):\n\n * BDU:2020-03953: Уязвимость компонента Knowledge Management программной интеграционной платформы SAP NetWeaver, позволяющая нарушителю осуществить межсайтовые сценарные атаки\n\n * BDU:2020-03960: Уязвимость функции модульной инверсии набора библиотек NSS (Network Security Services), позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2020-03961: Уязвимость набора библиотек NSS (Network Security Services), связанная с использованием криптографического алгоритма ECDSA (Elliptic Curve Digital Signature Algorithm), содержащего дефекты, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2021-00099: Уязвимость подписи DSA веб-браузеров программного обеспечения Firefox, Firefox-esr и Thunderbird, связанная с раскрытием информации в результате расхождений, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * BDU:2021-05184: Уязвимость пакета библиотек для сетевой защиты приложений NSS, связанная с выделением неограниченной памяти, позволяющая нарушителю вызвать отказ в обслуживании\n\n * CVE-2020-12399: NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird \u003c 68.9.0, Firefox \u003c 77, and Firefox ESR \u003c 68.9.\n\n * CVE-2020-12400: When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox \u003c 80 and Firefox for Android \u003c 80.\n\n * CVE-2020-12401: During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox \u003c 80 and Firefox for Android \u003c 80.\n\n * CVE-2020-12403: A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability.\n\n * CVE-2020-25648: A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58.\n\n * CVE-2020-6829: When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox \u003c 80 and Firefox for Android \u003c 80.\n\n * #38590: NSS and NSS_DISABLE_DBM\n\n * #38597: Сломана сборка с -Werror=strict-prototypes\n\n * #38636: В состав libnss больше не входит libpkix.",
|
||
"Advisory": {
|
||
"From": "errata.altlinux.org",
|
||
"Severity": "Critical",
|
||
"Rights": "Copyright 2024 BaseALT Ltd.",
|
||
"Issued": {
|
||
"Date": "2021-02-18"
|
||
},
|
||
"Updated": {
|
||
"Date": "2021-02-18"
|
||
},
|
||
"BDUs": [
|
||
{
|
||
"ID": "BDU:2020-03953",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
||
"CVSS3": "AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
|
||
"CWE": "CWE-80",
|
||
"Href": "https://bdu.fstec.ru/vul/2020-03953",
|
||
"Impact": "Critical",
|
||
"Public": "20200813"
|
||
},
|
||
{
|
||
"ID": "BDU:2020-03960",
|
||
"CVSS": "AV:L/AC:L/Au:N/C:N/I:C/A:N",
|
||
"CVSS3": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
|
||
"CWE": "CWE-327",
|
||
"Href": "https://bdu.fstec.ru/vul/2020-03960",
|
||
"Impact": "Low",
|
||
"Public": "20200716"
|
||
},
|
||
{
|
||
"ID": "BDU:2020-03961",
|
||
"CVSS": "AV:L/AC:H/Au:S/C:C/I:N/A:N",
|
||
"CVSS3": "AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-327",
|
||
"Href": "https://bdu.fstec.ru/vul/2020-03961",
|
||
"Impact": "Low",
|
||
"Public": "20200629"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-00099",
|
||
"CVSS": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "CWE-203",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-00099",
|
||
"Impact": "Low",
|
||
"Public": "20200602"
|
||
},
|
||
{
|
||
"ID": "BDU:2021-05184",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-770",
|
||
"Href": "https://bdu.fstec.ru/vul/2021-05184",
|
||
"Impact": "High",
|
||
"Public": "20201020"
|
||
}
|
||
],
|
||
"CVEs": [
|
||
{
|
||
"ID": "CVE-2020-12399",
|
||
"CVSS": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-203",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-12399",
|
||
"Impact": "Low",
|
||
"Public": "20200709"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-12400",
|
||
"CVSS": "AV:L/AC:H/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-203",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-12400",
|
||
"Impact": "Low",
|
||
"Public": "20201008"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-12401",
|
||
"CVSS": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
|
||
"CWE": "CWE-203",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-12401",
|
||
"Impact": "Low",
|
||
"Public": "20201008"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-12403",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
|
||
"CWE": "CWE-125",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-12403",
|
||
"Impact": "Critical",
|
||
"Public": "20210527"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-25648",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
|
||
"CWE": "CWE-770",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-25648",
|
||
"Impact": "High",
|
||
"Public": "20201020"
|
||
},
|
||
{
|
||
"ID": "CVE-2020-6829",
|
||
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
||
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
|
||
"CWE": "NVD-CWE-noinfo",
|
||
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2020-6829",
|
||
"Impact": "Low",
|
||
"Public": "20201028"
|
||
}
|
||
],
|
||
"Bugzilla": [
|
||
{
|
||
"ID": "38590",
|
||
"Href": "https://bugzilla.altlinux.org/38590",
|
||
"Data": "NSS and NSS_DISABLE_DBM"
|
||
},
|
||
{
|
||
"ID": "38597",
|
||
"Href": "https://bugzilla.altlinux.org/38597",
|
||
"Data": "Сломана сборка с -Werror=strict-prototypes"
|
||
},
|
||
{
|
||
"ID": "38636",
|
||
"Href": "https://bugzilla.altlinux.org/38636",
|
||
"Data": "В состав libnss больше не входит libpkix."
|
||
}
|
||
],
|
||
"AffectedCPEs": {
|
||
"CPEs": [
|
||
"cpe:/o:alt:spworkstation:8.4",
|
||
"cpe:/o:alt:spserver:8.4"
|
||
]
|
||
}
|
||
}
|
||
},
|
||
"Criteria": {
|
||
"Operator": "AND",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:3001",
|
||
"Comment": "ALT Linux must be installed"
|
||
}
|
||
],
|
||
"Criterias": [
|
||
{
|
||
"Operator": "OR",
|
||
"Criterions": [
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211367001",
|
||
"Comment": "libnss is earlier than 0:3.61.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211367002",
|
||
"Comment": "libnss-devel is earlier than 0:3.61.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211367003",
|
||
"Comment": "libnss-devel-static is earlier than 0:3.61.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211367004",
|
||
"Comment": "libnss-nssckbi-checkinstall is earlier than 0:3.61.0-alt1"
|
||
},
|
||
{
|
||
"TestRef": "oval:org.altlinux.errata:tst:20211367005",
|
||
"Comment": "nss-utils is earlier than 0:3.61.0-alt1"
|
||
}
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
]
|
||
} |