Skip to content

GitLab

  • Menu
Projects Groups Snippets
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
  • Adélie Package Tree Adélie Package Tree
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 309
    • Issues 309
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 21
    • Merge requests 21
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Releases
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • Adélie Linux
  • Adélie Package TreeAdélie Package Tree
  • Issues
  • #310

Closed
Open
Created Jun 19, 2020 by Emily@emily🤖

system/nss: multiple vulnerabilities

Bugzilla ID 310
Alias(es) CVE-2020-12399, CVE-2020-12402
Reporter Max Rees (sroracle)
Assignee A. Wilcox (awilfox)
Reported 2020-06-19 02:57:04 -0500
Modified 2020-09-16 22:29:42 -0500
Status RESOLVED FIXED
Version 1.0-RC1
Hardware Adélie Linux / All
Importance --- / normal
Package(s) system/nss
URL https://code.foxkit.us/adelie/packages/commit/f5d4de7809

Description

CVE-2020-12399: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-12399

During DSA signature generation in the function dsa_SignDigest, the
nonce value k is not padded, exposing the bit length of k, i.e.
the most significant bits (MSBs) of the nonce. Combined with other
techniques this can result in DSA private keys recovery.

Fixed in >= 3.52.1 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52.1_release_notes

CVE-2020-12402: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-12402

It was found that NSS is vulnerable to RSA key generation cache timing
side channel attacks. An attacker with sufficient access to mount
cache timing attacks during the RSA key generation process could
recover the private key.

Fixed in >= 3.53.1 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.53.1_release_notes

Assignee
Assign to
Time tracking