system/nss: CVE-2020-25648: TLS 1.3 ChangeCipherSpec DoS
Bugzilla ID | 363 |
Alias(es) | CVE-2020-25648 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2020-10-26 13:19:04 -0500 |
Modified | 2020-10-26 13:19:04 -0500 |
Status | CONFIRMED |
Version | 1.0-RC1 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
Package(s) | system/nss |
URL | https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes |
Description
CVE-2020-25648: https://nvd.nist.gov/vuln/detail/CVE-2020-25648
A flaw was found in the way NSS handled CCS (ChangeCipherSpec)
messages in TLS 1.3. This flaw allows a remote attacker to send
multiple CCS messages, causing a denial of service for servers
compiled with the NSS library. The highest threat from this
vulnerability is to system availability. This flaw affects NSS
versions before 3.58.
Fixed in >= 3.58 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes