rpm package

suse/mozilla-nspr&distro=SUSE OpenStack Cloud Crowbar 8

pkg:rpm/suse/mozilla-nspr&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208

Vulnerabilities (9)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2020-12403	—	< 4.32-19.18.1	4.32-19.18.1	May 27, 2021	A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly en
CVE-2020-6829	—	< 4.32-19.18.1	4.32-19.18.1	Oct 28, 2020	When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been com
CVE-2019-17006	—	< 4.23-19.12.1	4.23-19.12.1	Oct 22, 2020	In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.
CVE-2020-25648	—	< 4.32-19.18.1	4.32-19.18.1	Oct 20, 2020	A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system ava
CVE-2020-12401	—	< 4.32-19.18.1	4.32-19.18.1	Oct 8, 2020	During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
CVE-2020-12400	—	< 4.32-19.18.1	4.32-19.18.1	Oct 8, 2020	When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
CVE-2020-12402	—	< 4.25-19.15.1	4.25-19.15.1	Jul 9, 2020	During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the rec
CVE-2020-12399	—	< 4.25-19.15.1	4.25-19.15.1	Jul 9, 2020	NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
CVE-2019-11745	—	< 4.23-19.12.1	4.23-19.12.1	Jan 8, 2020	When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3,

CVE-2020-12403May 27, 2021
affected < 4.32-19.18.1fixed 4.32-19.18.1
A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly en
CVE-2020-6829Oct 28, 2020
affected < 4.32-19.18.1fixed 4.32-19.18.1
When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been com
CVE-2019-17006Oct 22, 2020
affected < 4.23-19.12.1fixed 4.23-19.12.1
In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow.
CVE-2020-25648Oct 20, 2020
affected < 4.32-19.18.1fixed 4.32-19.18.1
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system ava
CVE-2020-12401Oct 8, 2020
affected < 4.32-19.18.1fixed 4.32-19.18.1
During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
CVE-2020-12400Oct 8, 2020
affected < 4.32-19.18.1fixed 4.32-19.18.1
When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80.
CVE-2020-12402Jul 9, 2020
affected < 4.25-19.15.1fixed 4.25-19.15.1
During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the rec
CVE-2020-12399Jul 9, 2020
affected < 4.25-19.15.1fixed 4.25-19.15.1
NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
CVE-2019-11745Jan 8, 2020
affected < 4.23-19.12.1fixed 4.23-19.12.1
When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3,