CVSS Base Vector:
The remote host is missing an update for the 'nss'
Linux Distribution Package(s) announced via the CESA-2020:4076 advisory.
Checks if a vulnerable Linux Distribution Package version is present on the target host.
Network Security Services (NSS) is a set of libraries designed to support
the cross-platform development of security-enabled client and server
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI
operating system facilities.
The following Linux Distribution Packages have been upgraded to a later upstream version: nss
(3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0).
(BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)
* nss: Out-of-bounds read when importing curve25519 private key
* nss: Use-after-free in sftk_FreeSession due to improper refcounting
* nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
* nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)
* nss: P-384 and P-521 implementation uses a side-channel vulnerable
modular inversion function (CVE-2020-12400)
* nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)
* nss: Side channel vulnerabilities during RSA key generation
* nss: CHACHA20-POLY1305 decryption with undersized tag leads to
out-of-bounds read (CVE-2020-12403)
* nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)
* nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
* Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)
* NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and
TLS 1.1 (BZ#1712924)
* Make TLS 1.3 work in FIPS mode (BZ#1724251)
* Name Constraints validation: CN treated as DNS name even when
syntactically invalid as DNS name (BZ#1737910)
* x25519 allowed in FIPS mode (BZ#1754518)
* When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase
but never released - consider alternative algorithm for benchmarking ACCESS
call in sdb_measureAccess (BZ#1779325)
* Running ipa-backup continuously causes httpd to crash and makes it
* nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)
* KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)
'nss' Linux Distribution Package(s) on CentOS 7.
Please install the updated Linux Distribution Package(s).
NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)
Linux Distribution Package