purl: pkg:deb/debian/nss@2:3.42.1-1%2Bdeb10u5
Vulnerability | Summary | Fixed by |
---|---|---|
VCID-1xgw-uan4-byhg (aliases: CVE-2021-43527) | NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: this vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince, are believed to be impacted. | Affected by 5 other vulnerabilities. |
VCID-1zaj-dhug-bffr (aliases: CVE-2024-0743) | An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. | Affected by 3 other vulnerabilities. |
VCID-54s7-rrtw-a7cg (aliases: CVE-2020-12402) | During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent control flow. This allowed an attacker able to perform electromagnetic-based side-channel attacks to record traces leading to the recovery of the secret primes. We would like to thank Sohaib ul Hassan for contributing a fix for this issue as well. *Note:* an unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. | Affected by 5 other vulnerabilities. |
VCID-77de-35ta-1kat (aliases: CVE-2024-6609) | When almost out of memory, an elliptic curve key that was never allocated could have been freed again. | Affected by 3 other vulnerabilities. |
VCID-7s8d-r67g-6feh (aliases: CVE-2024-6602) | A mismatch between allocator and deallocator could have led to memory corruption. | Affected by 3 other vulnerabilities. |
VCID-ake6-cm2x-8ubs (aliases: CVE-2019-11745) | When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out-of-bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. | Affected by 5 other vulnerabilities. |
VCID-axss-jrt6-qqdk (aliases: CVE-2020-25648) | A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw affects NSS versions before 3.58. | Affected by 5 other vulnerabilities. |
VCID-bjhc-gzeg-vyhq (aliases: CVE-2019-11719) | When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. | Affected by 5 other vulnerabilities. |
VCID-c5su-4v3n-5qh4 (aliases: CVE-2020-12401) | During ECDSA signature generation, the padding applied to the nonce to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. | Affected by 5 other vulnerabilities. |
VCID-e8wz-a6j9-ybas (aliases: CVE-2020-12399) | NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. | Affected by 5 other vulnerabilities. |
VCID-hvj7-bwkf-f3em (aliases: CVE-2020-6829) | When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used, which leaked partial information about the nonce used during signature generation. Given an electromagnetic trace of a few signature generations, the private key could have been computed. | Affected by 5 other vulnerabilities. |
VCID-mahw-y94d-xbe6 (aliases: CVE-2019-11729) | Empty or malformed p256-ECDH public keys may trigger a segmentation fault due to values being improperly sanitized before being copied into memory and used. | Affected by 5 other vulnerabilities. |
VCID-pjmh-gvqz-47et (aliases: CVE-2023-4421) | The NSS code used for checking PKCS#1 v1.5 padding was leaking information useful in mounting Bleichenbacher-like attacks. Both the overall correctness of the padding and the length of the encrypted message leaked through a timing side channel. By sending a large number of attacker-selected ciphertexts, the attacker would be able to decrypt a previously intercepted PKCS#1 v1.5 ciphertext (for example, to decrypt a TLS session that used RSA key exchange), or forge a signature using the victim's key. The issue was fixed by implementing the implicit rejection algorithm, in which NSS returns a deterministic pseudo-random message when invalid padding is detected, as proposed in the Marvin Attack paper. | Affected by 5 other vulnerabilities. |
VCID-sm4b-5vw1-1qcf (aliases: CVE-2019-17023) | After a HelloRetryRequest has been sent, the client may negotiate a lower protocol version than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored. | Affected by 5 other vulnerabilities. |
VCID-sv69-65sj-vybj (aliases: CVE-2020-12400) | When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side-channel attack. | Affected by 5 other vulnerabilities. |
VCID-tkkj-f8ww-1kdn (aliases: CVE-2020-12403) | A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part ChaCha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing the tag length. The highest threat from this vulnerability is to confidentiality and system availability. | Affected by 5 other vulnerabilities. |
VCID-ubzm-vaec-93gp (aliases: CVE-2022-22747) | After accepting an untrusted certificate, handling an empty PKCS#7 sequence as part of the certificate data could have led to a crash. This crash is believed to be unexploitable. | Affected by 5 other vulnerabilities. |
VCID-vme5-mkru-k3aj (aliases: CVE-2019-17007) | In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service. | Affected by 5 other vulnerabilities. |
VCID-w27h-8fnv-guhx (aliases: CVE-2019-11727) | A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by the server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures must not be used for TLS 1.3 handshake messages. | Affected by 5 other vulnerabilities. |
VCID-x6ny-uzze-23ap (aliases: CVE-2019-17006) | | Affected by 5 other vulnerabilities. |
VCID-yqjn-5kut-6qbk (aliases: CVE-2023-0767) | An attacker could construct a PKCS#12 certificate bundle in such a way that could allow for arbitrary memory writes via PKCS#12 SafeBag attributes being mishandled. | Affected by 5 other vulnerabilities. |
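The VCID-bjhc-gzeg-vyhq row (CVE-2019-11719) is a reminder that a curve25519 private key is a fixed 32-byte string, not an integer, so leading 0x00 bytes are part of the key. The following added example (not NSS code, and not a reconstruction of the NSS bug, whose exact mechanism the page does not describe) builds the RFC 8410 PKCS#8 encoding of a constructed X25519 scalar that starts with zero bytes, then shows what goes wrong when an importer normalises the scalar like a bignum beside the fixed-length check an importer should make. The DER helpers, `encode_pkcs8_x25519` and the two import functions are this example's own.

```python
"""Added example: importing a curve25519 (X25519) private key from PKCS#8.

Illustrates the bug class behind the VCID-bjhc-gzeg-vyhq row: a 32-byte scalar
that starts with 0x00 bytes must not be treated like an integer. Not NSS code;
the DER layout follows RFC 8410 and the sample key below is constructed.
"""

X25519_OID = bytes.fromhex("2b656e")  # 1.3.101.110, id-X25519 (RFC 8410)


def der_read(buf: bytes, pos: int):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV (short- and long-form lengths)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    ln = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


def encode_pkcs8_x25519(scalar: bytes) -> bytes:
    """PrivateKeyInfo { version 0, AlgorithmIdentifier { id-X25519 },
    privateKey OCTET STRING containing CurvePrivateKey ::= OCTET STRING }.
    The scalar length is deliberately not checked here so that wrong-length
    test vectors can be built; the importer is where the check belongs."""
    version = der_tlv(0x02, b"\x00")
    alg = der_tlv(0x30, der_tlv(0x06, X25519_OID))
    priv = der_tlv(0x04, der_tlv(0x04, scalar))
    return der_tlv(0x30, version + alg + priv)


def parse_pkcs8_curve_private_key(der: bytes) -> bytes:
    """Return the CurvePrivateKey bytes exactly as encoded, with no normalisation."""
    tag, body, end = der_read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single PrivateKeyInfo SEQUENCE")
    tag, version, pos = der_read(body, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    tag, alg, pos = der_read(body, pos)
    oid_tag, oid, _ = der_read(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != X25519_OID:
        raise ValueError("not an X25519 key")
    tag, priv, _ = der_read(body, pos)
    inner_tag, scalar, _ = der_read(priv, 0)
    if tag != 0x04 or inner_tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING wrapping an OCTET STRING")
    return scalar


def import_as_integer(der: bytes) -> bytes:
    """The mistake in its simplest form: the scalar is handled like a bignum, so
    leading 0x00 bytes vanish and a key that began with zeros comes back shorter
    than 32 bytes. Code that then reads or copies a fixed 32 bytes from that
    buffer runs off its end. (Illustrative of the bug class, not NSS's code.)"""
    scalar = parse_pkcs8_curve_private_key(der)
    return scalar.lstrip(b"\x00") or b"\x00"


def import_fixed_length(der: bytes) -> bytes:
    """Curve25519 scalars are 32-byte strings (RFC 7748); every byte counts."""
    scalar = parse_pkcs8_curve_private_key(der)
    if len(scalar) != 32:
        raise ValueError(f"X25519 private key must be 32 bytes, got {len(scalar)}")
    return scalar


if __name__ == "__main__":
    key = b"\x00\x00" + bytes(range(1, 31))   # constructed: 32 bytes, two leading zeros
    der = encode_pkcs8_x25519(key)
    print(len(import_as_integer(der)), "bytes after integer-style import")   # 30
    print(len(import_fixed_length(der)), "bytes after fixed-length import")  # 32
```

The fixed-length importer also rejects a 31-byte inner OCTET STRING outright instead of padding or truncating it; a length that is wrong on the wire is a malformed key, and quietly repairing it is how a fixed-size copy ends up reading memory it does not own.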
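The VCID-w27h-8fnv-guhx row (CVE-2019-11727) describes a negotiation mistake rather than a memory bug: in TLS 1.3 the rsa_pkcs1_* values in signature_algorithms refer only to signatures inside certificates and are not defined for signed handshake messages (RFC 8446 §4.2.3), so a client whose server lists nothing else has no usable scheme and must send an empty Certificate rather than sign CertificateVerify with PKCS#1 v1.5. The added example below (not NSS code) shows the unfiltered selection the advisory describes beside the hardened one, and builds the bytes a client CertificateVerify actually signs (RFC 8446 §4.4.3). The key-type table, its preference order and the `"1.2"`/`"1.3"` version strings are this example's own assumptions.

```python
"""Added example: choosing the CertificateVerify signature scheme in TLS 1.3.

Not NSS code. Code points are from RFC 8446 §4.2.3; the key-type table and the
version strings are this example's own.
"""
import hashlib

# SignatureScheme code points (RFC 8446 §4.2.3)
RSA_PKCS1_SHA1 = 0x0201
RSA_PKCS1_SHA256 = 0x0401
RSA_PKCS1_SHA384 = 0x0501
RSA_PKCS1_SHA512 = 0x0601
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804
RSA_PSS_RSAE_SHA384 = 0x0805
RSA_PSS_RSAE_SHA512 = 0x0806
ED25519 = 0x0807
RSA_PSS_PSS_SHA256 = 0x0809

PKCS1_SCHEMES = {RSA_PKCS1_SHA1, RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512}

# Schemes each client key type can produce, in the client's preference order (assumed).
KEY_SCHEMES = {
    "rsa": [RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384, RSA_PSS_RSAE_SHA512,
            RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA512],
    "rsa-pss": [RSA_PSS_PSS_SHA256],
    "ecdsa-p256": [ECDSA_SECP256R1_SHA256],
    "ed25519": [ED25519],
}


def select_scheme_unfiltered(offered, key_type):
    """The behaviour the advisory describes: take the first offered scheme the key
    can produce, so a server that lists only rsa_pkcs1_* gets a PKCS#1 v1.5
    CertificateVerify even in TLS 1.3."""
    for scheme in KEY_SCHEMES[key_type]:
        if scheme in offered:
            return scheme
    return None


def select_scheme(offered, key_type, version):
    """Hardened selection. In TLS 1.3 rsa_pkcs1_* is skipped no matter what the
    CertificateRequest lists; None means the client has no usable scheme and must
    send an empty Certificate (RFC 8446 §4.4.2) rather than downgrade the signature.
    TLS 1.2 (RFC 5246) still permits rsa_pkcs1 for CertificateVerify."""
    for scheme in KEY_SCHEMES[key_type]:
        if scheme not in offered:
            continue
        if version == "1.3" and scheme in PKCS1_SCHEMES:
            continue
        return scheme
    return None


def certverify_content(transcript_hash: bytes, server_side: bool) -> bytes:
    """Bytes that CertificateVerify signs (RFC 8446 §4.4.3): 64 spaces, a context
    string, one zero byte, then Transcript-Hash(Handshake Context, Certificate)."""
    context = (b"TLS 1.3, server CertificateVerify" if server_side
               else b"TLS 1.3, client CertificateVerify")
    return b"\x20" * 64 + context + b"\x00" + transcript_hash


def client_certverify_plan(offered, key_type, transcript_hash):
    """What a TLS 1.3 client with the given key does with a CertificateRequest:
    (scheme, content to sign), or (None, None) meaning send an empty Certificate."""
    scheme = select_scheme(offered, key_type, "1.3")
    if scheme is None:
        return None, None
    return scheme, certverify_content(transcript_hash, server_side=False)


if __name__ == "__main__":
    # Constructed CertificateRequest that lists only PKCS#1 v1.5 schemes.
    offered = [RSA_PKCS1_SHA256, RSA_PKCS1_SHA384]
    th = hashlib.sha256(b"handshake transcript up to Certificate (constructed)").digest()
    print(hex(select_scheme_unfiltered(offered, "rsa") or 0))   # 0x401: the bug
    print(client_certverify_plan(offered, "rsa", th))             # (None, None): the fix
```

The version parameter matters: the same rsa_pkcs1_sha256 code point is a legitimate CertificateVerify choice in TLS 1.2, so the filter has to be keyed on the negotiated version, not applied globally.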
Vulnerability | Summary | Aliases |
---|---|---|
VCID-1xgw-uan4-byhg | NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: this vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince, are believed to be impacted. | CVE-2021-43527 |
VCID-54s7-rrtw-a7cg | During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent control flow. This allowed an attacker able to perform electromagnetic-based side-channel attacks to record traces leading to the recovery of the secret primes. We would like to thank Sohaib ul Hassan for contributing a fix for this issue as well. *Note:* an unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. | CVE-2020-12402 |
VCID-ake6-cm2x-8ubs | When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out-of-bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. | CVE-2019-11745 |
VCID-e8wz-a6j9-ybas | NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. | CVE-2020-12399 |
VCID-ex9u-mprs-bqfe | In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a denial of service. | CVE-2018-18508 |
VCID-nzee-g5hm-pfca | When handling an SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3. | CVE-2018-12384 |
VCID-sm4b-5vw1-1qcf | After a HelloRetryRequest has been sent, the client may negotiate a lower protocol version than TLS 1.3, resulting in an invalid state transition in the TLS state machine. If the client gets into this state, incoming Application Data records will be ignored. | CVE-2019-17023 |
VCID-ubzm-vaec-93gp | After accepting an untrusted certificate, handling an empty PKCS#7 sequence as part of the certificate data could have led to a crash. This crash is believed to be unexploitable. | CVE-2022-22747 |
VCID-vme5-mkru-k3aj | In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service. | CVE-2019-17007 |
VCID-wqhe-hmdh-p7eq | During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages, but in some cases the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash. | CVE-2017-7805 |
VCID-x6ny-uzze-23ap | | CVE-2019-17006 |
VCID-z5tc-zwsb-eydp | A cache-based side-channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (a.k.a. the Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41. | CVE-2018-12404 |
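Two rows on this page are the same attack surface seen twice: VCID-pjmh-gvqz-47et (CVE-2023-4421, the Marvin timing leak) and VCID-z5tc-zwsb-eydp (CVE-2018-12404, the cache-based Bleichenbacher variant). Both exploit a decryptor that reveals, through an error path or its timing, whether a PKCS#1 v1.5 block had valid padding, and the fix named in the CVE-2023-4421 row is implicit rejection: never fail, and hand back a deterministic pseudo-random message instead. The added example below (not NSS code) works on the encoded block EM that the raw RSA decryption returns, and places the textbook leaky check beside an implicit-rejection check that scans every byte, never raises, and selects the real or the synthetic message with a mask. `K`, the HMAC-based derivation of the synthetic message, the per-key secret and the sample inputs are this example's own choices; Python cannot make the selection genuinely constant-time, so the example shows the structure that a C implementation then backs with constant-time primitives.

```python
"""Added example: PKCS#1 v1.5 decryption padding check, leaky versus implicit rejection.

Serves the VCID-pjmh-gvqz-47et (CVE-2023-4421) and VCID-z5tc-zwsb-eydp
(CVE-2018-12404) rows. Works on the encoded block EM that RSADP returns; the RSA
operation itself is left out. Not NSS code; K, the PRF construction and the
sample inputs are this example's own.
"""
import hashlib
import hmac
import secrets

K = 128  # modulus length in bytes (1024-bit demo size; real keys are larger)


def pkcs1_v15_pad(msg: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5: 0x00 || 0x02 || PS (>= 8 non-zero bytes) || 0x00 || M."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_leaky(em: bytes) -> bytes:
    """Textbook check: early exits and an error signal. Both the error and the
    time taken to reach it tell an attacker about the plaintext (a padding oracle)."""
    if em[0] != 0 or em[1] != 2:
        raise ValueError("bad header")
    sep = em.find(b"\x00", 2)
    if sep < 10:                      # also catches find() == -1
        raise ValueError("bad padding")
    return em[sep + 1:]


def _eq(a: int, b: int) -> int:
    """1 if a == b else 0, computed arithmetically (byte-sized inputs)."""
    return ((a ^ b) - 1) >> 8 & 1


def _lt(a: int, b: int) -> int:
    """1 if a < b else 0 for small non-negative ints."""
    return (a - b) >> 16 & 1


def synthetic_message(key_secret: bytes, ciphertext: bytes, k: int = K) -> bytes:
    """Fallback plaintext for a rejected ciphertext, derived from a per-key secret
    and the ciphertext. The same ciphertext always yields the same bytes, so
    re-submitting it tells the attacker nothing new; a different ciphertext yields
    unrelated bytes of an unrelated length, just as a genuine decryption would."""
    prk = hmac.new(key_secret, ciphertext, hashlib.sha256).digest()
    length = int.from_bytes(hmac.new(prk, b"len", hashlib.sha256).digest()[:2], "big") % (k - 10)
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(prk, b"msg" + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def unpad_implicit_reject(em: bytes, ciphertext: bytes, key_secret: bytes, k: int = K) -> bytes:
    """Implicit rejection: scan the whole block, never raise, and choose between the
    real and the synthetic message with a mask. Python gives no timing guarantees;
    the point is the structure (no early exit, no error path)."""
    if len(em) != k:                          # k is public, so this branch leaks nothing
        raise ValueError("EM must be k bytes")
    max_msg = k - 11
    synth = synthetic_message(key_secret, ciphertext, k)
    good = _eq(em[0], 0) & _eq(em[1], 2)
    found, sep = 0, 0
    for i in range(2, k):                     # visit every byte, whatever it holds
        z = _eq(em[i], 0)
        first = z & (1 - found)               # first zero byte after the header
        sep = (i & -first) | (sep & ~-first)
        found |= z
    good &= found & (1 - _lt(sep, 10))        # separator present and PS >= 8 bytes
    real_len = k - sep - 1
    msg_len = (real_len & -good) | (len(synth) & ~-good)
    # Both candidates right-aligned in a max_msg-byte buffer; select byte by byte.
    real = em[k - max_msg:]
    fake = synth.rjust(max_msg, b"\x00")
    mask = -good & 0xFF
    out = bytes((r & mask) | (f & (mask ^ 0xFF)) for r, f in zip(real, fake))
    return out[max_msg - msg_len:]


if __name__ == "__main__":
    key_secret = secrets.token_bytes(32)      # in practice derived from the RSA private key
    em = pkcs1_v15_pad(b"premaster secret (constructed)")
    print(unpad_implicit_reject(em, b"ciphertext-1", key_secret))
    tampered = b"\x00\x03" + em[2:]           # attacker-chosen block with bad padding
    print("implicit rejection returns",
          unpad_implicit_reject(tampered, b"ciphertext-2", key_secret).hex()[:16], "...")
```

The caller of `unpad_implicit_reject` must also behave identically in both cases (for a TLS 1.2 RSA key exchange, continue the handshake with whatever premaster secret came back and let the Finished check fail); implicit rejection removes the oracle only if nothing downstream reintroduces it.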