rpm package
suse/mozilla-nspr&distro=SUSE Linux Enterprise Module for Basesystem 15 SP3
pkg:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-31741 | Hig | 8.8 | < 4.34-150000.3.23.1 | 4.34-150000.3.23.1 | Dec 22, 2022 | A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10. | |
| CVE-2020-12403 | Cri | 9.1 | < 4.32-3.20.1 | 4.32-3.20.1 | May 27, 2021 | A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly en | |
| CVE-2020-6829 | Med | 5.3 | < 4.32-3.20.1 | 4.32-3.20.1 | Oct 28, 2020 | When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been com | |
| CVE-2020-25648 | Hig | 7.5 | < 4.32-3.20.1 | 4.32-3.20.1 | Oct 20, 2020 | A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system ava | |
| CVE-2020-12401 | Med | 4.7 | < 4.32-3.20.1 | 4.32-3.20.1 | Oct 8, 2020 | During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. | |
| CVE-2020-12400 | Med | 4.7 | < 4.32-3.20.1 | 4.32-3.20.1 | Oct 8, 2020 | When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. |
- affected < 4.34-150000.3.23.1fixed 4.34-150000.3.23.1
A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption. This vulnerability affects Thunderbird < 91.10, Firefox < 101, and Firefox ESR < 91.10.
- affected < 4.32-3.20.1fixed 4.32-3.20.1
A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly en
- affected < 4.32-3.20.1fixed 4.32-3.20.1
When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been com
- affected < 4.32-3.20.1fixed 4.32-3.20.1
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system ava
- affected < 4.32-3.20.1fixed 4.32-3.20.1
During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
- affected < 4.32-3.20.1fixed 4.32-3.20.1
When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.