cvrf2cusa/cvrf/2021/cvrf-openEuler-SA-2021-1059.xml
Jia Chao 0b34274085 git mv
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for nss is now available for openEuler-20.03-LTS</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2021-1059</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2021-03-05</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2021-03-05</InitialReleaseDate>
<CurrentReleaseDate>2021-03-05</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2021-03-05</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">nss security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for nss is now available for openEuler-20.03-LTS.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
Security Fix(es):
In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs, it could result in a crash due to a buffer overflow.(CVE-2019-17006)
In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.(CVE-2019-17007)
A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.(CVE-2019-11756)
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.(CVE-2020-12402)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for nss is now available for openEuler-20.03-LTS.
openEuler Security has rated this update as having a security impact of critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Critical</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">nss</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1059</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-17006</URL>
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-17007</URL>
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-11756</URL>
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-12402</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2019-17006</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2019-17007</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2019-11756</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2020-12402</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">openEuler-20.03-LTS</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="nss-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-3.54.0-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="nss-devel-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-devel-3.54.0-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="nss-debuginfo-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-debuginfo-3.54.0-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="nss-debugsource-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-debugsource-3.54.0-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="nss-softokn-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-softokn-3.54.0-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="nss-softokn-devel-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-softokn-devel-3.54.0-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="nss-util-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-util-3.54.0-2.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="nss-util-devel-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-util-devel-3.54.0-2.oe1.aarch64.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="nss-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-3.54.0-2.oe1.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="nss-devel-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-devel-3.54.0-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="nss-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-3.54.0-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="nss-debugsource-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-debugsource-3.54.0-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="nss-debuginfo-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-debuginfo-3.54.0-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="nss-softokn-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-softokn-3.54.0-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="nss-softokn-devel-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-softokn-devel-3.54.0-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="nss-util-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-util-3.54.0-2.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="nss-util-devel-3.54.0-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS">nss-util-devel-3.54.0-2.oe1.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs, it could result in a crash due to a buffer overflow.</Note>
</Notes>
<ReleaseDate>2021-03-05</ReleaseDate>
<CVE>CVE-2019-17006</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Critical</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>9.8</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>nss security update</Description>
<DATE>2021-03-05</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1059</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">In Network Security Services before 3.44, a malformed Netscape Certificate Sequence can cause NSS to crash, resulting in a denial of service.</Note>
</Notes>
<ReleaseDate>2021-03-05</ReleaseDate>
<CVE>CVE-2019-17007</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>nss security update</Description>
<DATE>2021-03-05</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1059</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">A use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS.</Note>
</Notes>
<ReleaseDate>2021-03-05</ReleaseDate>
<CVE>CVE-2019-11756</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.1</BaseScore>
<Vector>AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>nss security update</Description>
<DATE>2021-03-05</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1059</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="4" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="4" xml:lang="en">The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.</Note>
</Notes>
<ReleaseDate>2021-03-05</ReleaseDate>
<CVE>CVE-2019-12402</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>nss security update</Description>
<DATE>2021-03-05</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1059</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>