[Git][security-tracker-team/security-tracker][master] Add CVE-2020-6829 and CVE-2020-12400 for nss

Salvatore Bonaccorso carnil at debian.org
Sat Aug 1 07:54:58 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a5c3cc82 by Salvatore Bonaccorso at 2020-08-01T08:54:09+02:00
Add CVE-2020-6829 and CVE-2020-12400 for nss

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9550,8 +9550,13 @@ CVE-2020-12402 (During RSA key generation, bignum implementations used a variati
 	NOTE: Fixed upstream in 3.53.1
 CVE-2020-12401
 	RESERVED
-CVE-2020-12400
+CVE-2020-12400 [P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function]
 	RESERVED
+	- nss 2:3.55-1
+	NOTE: https://hg.mozilla.org/projects/nss/rev/e55ab3145546ae3cf1333b43956a974675d2d25c
+	NOTE: https://hg.mozilla.org/projects/nss/rev/3f022d5eca5d3cd0e366a825a5681953d76299d0
+	NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes
+	NOTE: Issue relates to CVE-2020-6829 and resolved in the same commits.
 CVE-2020-12399 (NSS has shown timing differences when performing DSA signatures, which ...)
 	{DSA-4726-1 DSA-4702-1 DSA-4695-1 DLA-2266-1 DLA-2247-1 DLA-2243-1}
 	- firefox 77.0-1
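Review bot: The new CVE-2020-12400 entry records the fixed Debian version (nss 2:3.55-1) and links the NSS 3.55 release notes, but unlike the CVE-2020-12402 context line at the top of this hunk ("NOTE: Fixed upstream in 3.53.1") it has no explicit upstream-version NOTE. Adding a matching "Fixed upstream in ..." line would keep the two neighbouring nss entries consistent and would spare anyone triaging older suites from having to infer the upstream release from the package version or the release-notes URL. The entry also keeps its RESERVED line alongside the new bracketed description, which is fine as long as the description is replaced once the official text is published.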
@@ -24698,8 +24703,13 @@ CVE-2020-6831 (A buffer overflow could occur when parsing and validating SCTP ch
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-6831
 CVE-2020-6830 (For native-to-JS bridging, the app requires a unique token to be passe ...)
 	- firefox <not-affected> (Firefox on iOS)
-CVE-2020-6829
+CVE-2020-6829 [Side channel attack on ECDSA signature generation]
 	RESERVED
+	- nss 2:3.55-1
+	NOTE: https://hg.mozilla.org/projects/nss/rev/e55ab3145546ae3cf1333b43956a974675d2d25c
+	NOTE: https://hg.mozilla.org/projects/nss/rev/3f022d5eca5d3cd0e366a825a5681953d76299d0
+	NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes
+	NOTE: Issue relates to CVE-2020-12400 and resolved in the same commits.
 CVE-2020-6828 (A malicious Android application could craft an Intent that would have  ...)
 	- firefox-esr <not-affected> (Android-specific)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-13/#CVE-2020-6828
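Review bot: The two hg.mozilla.org revision NOTEs added under CVE-2020-6829 are bare URLs, and the closing NOTE only says the issue is "resolved in the same commits" as CVE-2020-12400, so a reader cannot tell from the entry which commit addresses which part of the fix. A short label on each revision line (or a single NOTE stating that both revisions are required for both CVEs) would make backport checks against an older nss easier. The three reference NOTEs are also duplicated verbatim in the CVE-2020-12400 entry, so any later correction to one has to be mirrored in the other, and the cross-reference NOTE is the only thing tying them together.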



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5c3cc829ad39c98f1a9ee48f5275bd1b11a63ec
