
QSN-4060-1: nss vulnerabilities

July 16, 2019

Summary

Several security issues were fixed in NSS.

Details

Henry Corrigan-Gibbs discovered that NSS incorrectly handled importing certain curve25519 private keys. An attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2019-11719)

Hubert Kario discovered that NSS incorrectly handled PKCS#1 v1.5 signatures when using TLSv1.3. An attacker could possibly use this issue to trick NSS into using PKCS#1 v1.5 signatures, contrary to expectations. This issue only applied to Ubuntu 19.04. (CVE-2019-11727)

Jonas Allmann discovered that NSS incorrectly handled certain p256-ECDH public keys. An attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service. (CVE-2019-11729)

References

https://usn.ubuntu.com/4060-1

http://people.canonical.com/~ubuntu-security/cve/CVE-2019-11719

http://people.canonical.com/~ubuntu-security/cve/CVE-2019-11727

http://people.canonical.com/~ubuntu-security/cve/CVE-2019-11729

Update

A general update will usually fix all issues, but to make sure, you can check your current version with:

$ dpkg -l libnss3

If your installed version is earlier than 2:3.28.4-0ubuntu0.16.04.6, run the following:

$ sudo apt-get update
$ sudo apt-get install libnss3

Copyright © 2010-2015, OSNEXUS Corporation. All rights reserved.