VulnerableCode Package Details - pkg:deb/debian/nss@2:3.87.1-1%2Bdeb12u1

Search for packages

Vulnerability	Summary	Fixed by
VCID-s7qh-rv74-mqfx Aliases: CVE-2023-5388	NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data.	2:3.110-1 Affected by 0 other vulnerabilities.
VCID-s7vh-16cg-vbb8 Aliases: CVE-2023-6135	Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key.	2:3.110-1 Affected by 0 other vulnerabilities.
VCID-zbyj-zuwa-e7hn Aliases: CVE-2024-7531	Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change.	2:3.110-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-s7qh-rv74-mqfx
Aliases:
CVE-2023-5388

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data.

2:3.110-1
Affected by 0 other vulnerabilities.

VCID-s7vh-16cg-vbb8
Aliases:
CVE-2023-6135

Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key.

2:3.110-1
Affected by 0 other vulnerabilities.

VCID-zbyj-zuwa-e7hn
Aliases:
CVE-2024-7531

Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change.

2:3.110-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1zaj-dhug-bffr	An unchecked return value in TLS handshake code could have caused a potentially exploitable crash.	CVE-2024-0743
VCID-77de-35ta-1kat	When almost out-of-memory an elliptic curve key which was never allocated could have been freed again.	CVE-2024-6609
VCID-7s8d-r67g-6feh	A mismatch between allocator and deallocator could have led to memory corruption.	CVE-2024-6602

Vulnerability

Summary

Aliases

VCID-1zaj-dhug-bffr

An unchecked return value in TLS handshake code could have caused a potentially exploitable crash.

CVE-2024-0743

VCID-77de-35ta-1kat

When almost out-of-memory an elliptic curve key which was never allocated could have been freed again.

CVE-2024-6609

VCID-7s8d-r67g-6feh

A mismatch between allocator and deallocator could have led to memory corruption.

CVE-2024-6602

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T19:47:09.913018+00:00	Debian Oval Importer	Fixing	VCID-7s8d-r67g-6feh	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T15:53:11.907105+00:00	Debian Oval Importer	Fixing	VCID-1zaj-dhug-bffr	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T15:10:19.129319+00:00	Debian Oval Importer	Fixing	VCID-77de-35ta-1kat	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	37.0.0
2025-08-01T13:11:51.710287+00:00	Debian Importer	Affected by	VCID-s7vh-16cg-vbb8	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-08-01T12:38:47.529505+00:00	Debian Importer	Affected by	VCID-zbyj-zuwa-e7hn	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-08-01T12:14:51.181560+00:00	Debian Importer	Affected by	VCID-s7qh-rv74-mqfx	https://security-tracker.debian.org/tracker/data/json	37.0.0