[ubuntu/disco-updates] nss 2:3.42-1ubuntu2.1 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Tue Jul 16 12:28:13 UTC 2019


nss (2:3.42-1ubuntu2.1) disco-security; urgency=medium

  * SECURITY UPDATE: OOB read when importing a curve25519 private key
    - debian/patches/CVE-2019-11719.patch: don't unnecessarily strip
      leading 0's from key material during PKCS11 import in
      nss/lib/freebl/ecl/ecp_25519.c, nss/lib/pk11wrap/pk11akey.c,
      nss/lib/pk11wrap/pk11cert.c, nss/lib/pk11wrap/pk11pk12.c,
      nss/lib/softoken/legacydb/lgattr.c, nss/lib/softoken/pkcs11c.c.
    - CVE-2019-11719
  * SECURITY UPDATE: incorrect use of PKCS#1 v1.5 signatures with TLSv1.3
    - debian/patches/CVE-2019-11727.patch: prohibit use of
      RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 in
      nss/gtests/ssl_gtest/ssl_auth_unittest.cc,
      nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
      nss/gtests/ssl_gtest/ssl_extension_unittest.cc,
      nss/lib/ssl/ssl3con.c.
    - CVE-2019-11727
  * SECURITY UPDATE: segfault via empty or malformed p256-ECDH public keys
    - debian/patches/CVE-2019-11729-1.patch: more thorough input checking
      in nss/lib/cryptohi/seckey.c, nss/lib/freebl/dh.c,
      nss/lib/freebl/ec.c, nss/lib/util/quickder.c.
    - debian/patches/CVE-2019-11729-2.patch: ignore spki decode failures on
      negative tests in nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc.
    - CVE-2019-11729

Date: 2019-07-12 12:54:14.456184+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/nss/2:3.42-1ubuntu2.1
-------------- next part --------------
Sorry, changesfile not available.


More information about the Disco-changes mailing list