Search for packages
| purl | pkg:deb/debian/nss@2:3.124-1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-13wx-hrvm-ubf7 | nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS |
CVE-2019-17007
|
| VCID-1y2k-f5xt-j3cs | An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. |
CVE-2023-0767
|
| VCID-2b7j-hzma-nbfb | Security researcher Kaspar Brand found a flaw in how the Network Security Services (NSS) ASN.1 decoder handles zero length items. Effects of this issue depend on the field. One known symptom is an unexploitable crash in handling OCSP responses. NSS also mishandles zero-length basic constraints, assuming default values for some types that should be rejected as malformed. These issues have been addressed in NSS 3.13.4, which is now being used by Mozilla. |
CVE-2012-0441
|
| VCID-2tdh-tupa-23en | NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. |
CVE-2023-5388
|
| VCID-2ypw-vkgz-77e5 | nss: Check length of inputs for cryptographic primitives |
CVE-2019-17006
|
| VCID-3319-jstz-juhx | nss: Null pointer dereference when handling empty SSLv2 messages |
CVE-2017-7502
|
| VCID-3c4a-9z8y-vbec | When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. |
CVE-2019-11719
|
| VCID-3hvn-sszd-dqdg | Mozilla community member Ambroz Bizjak reported an out-of-bounds array read in the CERT_DecodeCertPackage function of the Network Security Services (NSS) library when decoding a certificate. When this occurs, it will lead to memory corruption and a non-exploitable crash. |
CVE-2013-0791
|
| VCID-43xd-mvbk-jkhp | An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. |
CVE-2024-0743
|
| VCID-5dqq-xwr4-pbfv |
CVE-2026-6767
|
|
| VCID-67az-bzxs-5kes | SSL/TLS: CBC padding timing attack (lucky-13) |
CVE-2013-0169
|
| VCID-6edx-mm7m-p3hv | Mozilla community member Watson Ladd reported that the implementation of Elliptical Curve Cryptography (ECC) multiplication for Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation in Network Security Services (NSS) did not handle exceptional cases correctly. This could potentially allow for signature forgery. This issue was fixed in NSS version 3.19.1. |
CVE-2015-2730
|
| VCID-73hk-8ry1-cfdf | After accepting an untrusted certificate, handling an empty pkcs7 sequence as part of the certificate data could have lead to a crash. This crash is believed to be unexploitable. |
CVE-2022-22747
|
| VCID-7qdp-s55r-xqhh | Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used. |
CVE-2019-11729
|
| VCID-7vub-2tme-ffbs | Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. |
CVE-2024-7531
|
| VCID-7yym-bd42-aydg | When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. |
CVE-2024-6609
|
| VCID-85ny-5axt-vkgq |
CVE-2018-12384
|
|
| VCID-86dx-a3mk-9yhx | nss: small-subgroups attack flaw |
CVE-2016-8635
|
| VCID-8fqj-5gga-nfed | An out-of-bounds write during Base64 decoding operation in the Network Security Services (NSS) library due to insufficient memory being allocated to the buffer. This results in a potentially exploitable crash. The NSS library has been updated to fix this issue to address this issue and Firefox 53 has been updated with NSS version 3.29.5. |
CVE-2017-5461
|
| VCID-8xmq-xuka-rudn | A flaw in DRBG number generation within the Network Security Services (NSS) library where the internal state V does not correctly carry bits over. The NSS library has been updated to fix this issue to address this issue and Firefox 53 has been updated with NSS version 3.29.5. |
CVE-2017-5462
|
| VCID-8y3y-wqf8-23eg | Mozilla developer Brian Smith and security researchers Antoine Delignat-Lavaud and Karthikeyan Bhargavan of the Prosecco research team at INRIA Paris reported issues with ticket handling in the Network Security Services (NSS) libraries. These have been addressed in the NSS 3.15.4 release, shipping on affected platforms. |
CVE-2014-1490
|
| VCID-9wd5-tsfw-eke4 | Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where MD5 signatures in the server signature within the TLS 1.2 ServerKeyExchange message are still accepted. This is an issue since NSS has officially disallowed the accepting MD5 as a hash algorithm in signatures since 2011. This issues exposes NSS based clients such as Firefox to theoretical collision-based forgery attacks. This issue was fixed in NSS version 3.20.2. |
CVE-2015-7575
|
| VCID-a5sf-mq4g-7fgh | nss: TLS CBC padding timing attack |
CVE-2013-1620
|
| VCID-bnkf-cbew-aqcj | After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. |
CVE-2019-17023
|
| VCID-c3q5-juta-6qa5 | Mozilla has updated the version of Network Security Services (NSS) library used in Firefox to NSS 3.23. This addresses four moderate rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis. |
CVE-2016-2834
|
| VCID-cg71-bce4-n3cm | NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. |
CVE-2021-43527
|
| VCID-crjp-qc36-wfb7 | Security researchers Tyson Smith and Jesse Schwartzentruber used the Address Sanitizer tool while fuzzing to discover a use-after-free error resulting in a crash. This is a result of a pair of NSSCertificate structures being added to a trust domain and then one of them is removed while they are still in use by the trusted cache. This crash is potentially exploitable. This issue was addressed in the Network Security Services (NSS) library in version 3.16.2, shipping on affected platforms.In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts. |
CVE-2014-1544
|
| VCID-czk2-34xv-pbfr | Antoine Delignat-Lavaud, security researcher at Inria Paris in team Prosecco, reported an issue in Network Security Services (NSS) libraries affecting all versions. He discovered that NSS is vulnerable to a variant of a signature forgery attack previously published by Daniel Bleichenbacher. This is due to lenient parsing of ASN.1 values involved in a signature and could lead to the forging of RSA certificates.The Advanced Threat Research team at Intel Security also independently discovered and reported this issue.These have been addressed in the NSS releases shipping on affected Mozilla products: |
CVE-2014-1568
|
| VCID-dfch-mh2w-5fgu | nss: Information exposure when DH secret are reused across multiple TLS connections |
CVE-2020-12413
|
| VCID-e6yt-xzqm-8qds | nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read |
CVE-2020-12403
|
| VCID-ebcw-tanv-sba9 | During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. |
CVE-2020-12401
|
| VCID-fgat-rwky-9kfd | A mismatch between allocator and deallocator could have led to memory corruption. |
CVE-2024-6602
|
| VCID-gk4z-t62t-bkha |
CVE-2026-2781
|
|
| VCID-gxau-xxpj-fufj | Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. |
CVE-2023-6135
|
| VCID-h76y-kvt6-ebfr | Mozilla has updated the version of Network Security Services (NSS) library used in Mozilla projects to NSS 3.15.3 with the exception of ESR17-based releases, which have been updated to NSS 3.14.5. This addresses several moderate to critical rated networking security issues.Google developer Andrew Tinits reported a potentially exploitable buffer overflow that was fixed in both NSS 3.15.3 and NSS 3.14.5. |
CVE-2013-5606
|
| VCID-hh1a-udhx-kfh4 | NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. |
CVE-2020-12399
|
| VCID-hhrm-r6gt-zugj | A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. |
CVE-2019-11727
|
| VCID-hs89-asjt-xqdy | nss: /pkcs11.txt and /secmod.db files read on initialization |
CVE-2011-3640
|
| VCID-hvg5-cywn-yqhf | During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. |
CVE-2017-7805
|
| VCID-j5xg-j8a3-d3fk | Security researcher Christian Heimes reported that the Network Security Services (NSS) library does not handle IDNA domain prefixes according to RFC 6125 for wildcard certificates. This leads to improper wildcard matching of domains when they should not be matched in compliance with the specification. This issue was fixed in NSS version 3.16. |
CVE-2014-1492
|
| VCID-jd6h-m6sm-xqbt |
CVE-2026-6766
|
|
| VCID-k8ja-5uz5-zbhe | An existing mitigation of timing side-channel attacks is insufficient in some circumstances. This issue is addressed in Network Security Services (NSS) 3.26.1. |
CVE-2016-9074
|
| VCID-kvg8-pa7m-2bfg | Security researcher Richard Moore reported that when an SSL certificate was created with a common name containing a wildcard followed by a partial IP address a valid SSL connection could be established with a server whose IP address matched the wildcard range by browsing directly to the IP address. It is extremely unlikely that such a certificate would be issued by a Certificate Authority. |
CVE-2010-3170
|
| VCID-m8vy-5me8-jfby | nss: nss client auth crash without a user certificate in the database |
CVE-2022-3479
|
| VCID-mbu2-e885-t7et | SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN) |
CVE-2016-0800
|
| VCID-mg3r-rr93-zuen |
CVE-2026-6772
|
|
| VCID-mhmh-rxkf-3fbr | Mozilla developer Tim Taubert used the Address Sanitizer tool and software fuzzing to discover a use-after-free vulnerability while processing DER encoded keys in the Network Security Services (NSS) libraries. The vulnerability overwrites the freed memory with zeroes. This issue has been addressed in NSS 3.21.1, shipping in Firefox 45. |
CVE-2016-1979
|
| VCID-nfx7-2cb9-6yhh | nss: NULL pointer dereference in several CMS functions resulting in a denial of service |
CVE-2018-18508
|
| VCID-nhbn-aqde-vue5 | Mozilla cryptographer Nelson Bolyard reported that the SSL implementation was permitting servers to use Diffie-Hellman Ephemeral mode (DHE) with too short of a minimum key length. DHE keys of such lengths are trivially breakable on modern hardware so SSL servers operating in this mode were providing very little effective security for their clients. |
CVE-2010-3173
|
| VCID-njme-jy8b-xuan | Mozilla developer Eric Rescorla reported that a failed allocation during DHE and ECDHE handshakes would lead to a use-after-free vulnerability. |
CVE-2016-1978
|
| VCID-nmfg-j5e8-qqa5 | When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. |
CVE-2020-12400
|
| VCID-pe1u-3mjs-rucx | Security researcher Karthikeyan Bhargavan reported an issue in Network Security Services (NSS) where the client allows for a ECDHE_ECDSA exchange where the server does not send its ServerKeyExchange message instead of aborting the handshake. Instead, the NSS client will take the EC key from the ECDSA certificate. This violates the TLS protocol and also has some security implications for forward secrecy. In this situation, the browser thinks it is engaged in an ECDHE exchange, but has been silently downgraded to a non-forward secret mixed-ECDH exchange instead. As a result, if False Start is enabled, the browser will start sending data encrypted under these non-forward-secret connection keys. This issue was fixed in NSS version 3.19.1. |
CVE-2015-2721
|
| VCID-q8zq-w7zs-h3gp | Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw. |
CVE-2009-2404
|
| VCID-qjw6-mxat-g7bc | deprecate MD2 in SSL cert validation (Kaminsky) |
CVE-2009-2409
|
| VCID-qmg4-n3mr-pkbg | nss: Cache side-channel variant of the Bleichenbacher attack |
CVE-2018-12404
|
| VCID-qynd-jtrm-p7bd | Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code.In general these flaws cannot be exploited through email in the Thunderbird and Seamonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts. |
CVE-2013-1739
|
| VCID-rgxy-53sw-mqdv | nss: Remote DoS during session handshake when using SessionTicket extention and ECDHE-ECDSA |
CVE-2016-9574
|
| VCID-s26k-d91c-6kbj | When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. |
CVE-2019-11745
|
| VCID-s6kg-u7qf-v7eh | Mozilla has updated the version of Network Security Services (NSS) library used in Mozilla projects to NSS 3.15.3 with the exception of ESR17-based releases, which have been updated to NSS 3.14.5. This addresses several moderate to critical rated networking security issues.Google developer Andrew Tinits reported a potentially exploitable buffer overflow that was fixed in both NSS 3.15.3 and NSS 3.14.5. |
CVE-2013-5605
|
| VCID-sty3-c143-efb2 | Mozilla has updated the version of Network Security Services (NSS) library used in Mozilla projects to NSS 3.15.3 with the exception of ESR17-based releases, which have been updated to NSS 3.14.5. This addresses several moderate to critical rated networking security issues.Google developer Andrew Tinits reported a potentially exploitable buffer overflow that was fixed in both NSS 3.15.3 and NSS 3.14.5. |
CVE-2013-1741
|
| VCID-t8zp-v52s-abgk | nss: TLS 1.3 CCS flood remote DoS Attack |
CVE-2020-25648
|
| VCID-tk6s-jge5-tfdk | The NSS code used for checking PKCS#1 v1.5 was leaking information useful in mounting Bleichenbacher-like attacks. Both the overall correctness of the padding as well as the length of the encrypted message was leaking through timing side-channel. By sending large number of attacker-selected ciphertexts, the attacker would be able to decrypt a previously intercepted PKCS#1 v1.5 ciphertext (for example, to decrypt a TLS session that used RSA key exchange), or forge a signature using the victim's key. The issue was fixed by implementing the implicit rejection algorithm, in which the NSS returns a deterministic random message in case invalid padding is detected, as proposed in the Marvin Attack paper. |
CVE-2023-4421
|
| VCID-tkpu-fc1n-5ya3 | Security researcher Matthew Green reported a Diffie–Hellman (DHE) key processing issue in Network Security Services (NSS) where a man-in-the-middle (MITM) attacker can force a server to downgrade TLS connections to 512-bit export-grade cryptography by modifying client requests to include only export-grade cipher suites. The resulting weak key can then be leveraged to impersonate the server. This attack is detailed in the "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice" paper and is known as the "Logjam Attack."This issue was fixed in NSS version 3.19.1 by limiting the lower strength of supported DHE keys to use 1023 bit primes. |
CVE-2015-4000
|
| VCID-u52n-bfng-8kcc | Security researcher Francis Gabriel of Quarkslab reported a heap-based buffer overflow in the way the Network Security Services (NSS) libraries parsed certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause it to crash or execute arbitrary code with the permissions of the user. This issue has been addressed in the NSS releases shipping on affected Mozilla products: |
CVE-2016-1950
|
| VCID-vg1a-61x3-g7gs | nss: false start PR_Recv information disclosure security issue |
CVE-2013-1740
|
| VCID-w16b-j9pd-jyg8 | nss: QuickDER decoder length issue |
CVE-2014-1569
|
| VCID-x4hh-waed-2faz | nss: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash |
CVE-2016-5285
|
| VCID-x6pd-2arc-gqdq | HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) |
CVE-2011-3389
|
| VCID-xet9-63wg-3fgw | SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack |
CVE-2014-3566
|
| VCID-xhrv-tvzq-kyb9 | Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (NSS). These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a potentially exploitable crash. These issues were fixed in NSS version 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR, respectively, as well as NSS 3.20.1.Google security engineer Ryan Sleevi reported an integer overflow in the Netscape Portable Runtime (NSPR) due to a lack of checks during memory allocation. This leads to a potentially exploitable crash. This issue is fixed in NSPR 4.10.10. The NSPR library is a required component of NSS. |
CVE-2015-7181
|
| VCID-xjrf-7rjd-zyh8 | When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. |
CVE-2020-6829
|
| VCID-y8nr-6tvb-cbh1 | Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (NSS). These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a potentially exploitable crash. These issues were fixed in NSS version 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR, respectively, as well as NSS 3.20.1.Google security engineer Ryan Sleevi reported an integer overflow in the Netscape Portable Runtime (NSPR) due to a lack of checks during memory allocation. This leads to a potentially exploitable crash. This issue is fixed in NSPR 4.10.10. The NSPR library is a required component of NSS. |
CVE-2015-7182
|
| VCID-yb2m-gy9e-9qft | Mozilla developer Brian Smith and security researchers Antoine Delignat-Lavaud and Karthikeyan Bhargavan of the Prosecco research team at INRIA Paris reported issues with ticket handling in the Network Security Services (NSS) libraries. These have been addressed in the NSS 3.15.4 release, shipping on affected platforms. |
CVE-2014-1491
|
| VCID-ycjq-pc6z-b7d2 | IOActive security researcher Dan Kaminsky reported a mismatch in the treatment of domain names in SSL certificates between SSL clients and the Certificate Authorities (CA) which issue server certificates. In particular, if a malicious person requested a certificate for a host name with an invalid null character in it most CAs would issue the certificate if the requester owned the domain specified after the null, while most SSL clients (browsers) ignored that part of the name and used the unvalidated part in front of the null. This made it possible for attackers to obtain certificates that would function for any site they wished to target. These certificates could be used to intercept and potentially alter encrypted communication between the client and a server such as sensitive bank account transactions.This vulnerability was independently reported to us by researcher Moxie Marlinspike who also noted that since Firefox relies on SSL to protect the integrity of security updates this attack could be used to serve malicious updates. Mozilla would like to thank Dan and the Microsoft Vulnerability Research team for coordinating a multiple-vendor response to this problem. |
CVE-2009-2408
|
| VCID-zafx-6fyq-pbc3 | During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. We would like to thank Sohaib ul Hassan for contributing a fix for this issue as well.*Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. |
CVE-2020-12402
|
| VCID-zk4j-bc3y-7qfd | Security researcher Hanno Böck reported that calculations with mp_div and mp_exptmod in Network Security Services (NSS) can produce wrong results in some circumstances. These functions are used within NSS for a variety of cryptographic division functions, leading to potential cryptographic weaknesses. |
CVE-2016-1938
|
| VCID-znvx-aqbr-2yck | Mozilla developers added support in the Network Security Services module for preventing a type of man-in-the-middle attack against TLS using forced renegotiation.Note that to benefit from the fix, Firefox 3.6 and Firefox 3.5 users will need to set their security.ssl.require_safe_negotiation preference to true. Firefox 3 does not contain the fix for this issue. |
CVE-2009-3555
GHSA-f7w7-6pjc-wwm6 VU#120541 |