UbuntuUpdates.org

Package "nss"

Name: nss

Description:

This package is just an umbrella for a group of other packages; it has no description.
Description samples from packages in group:

  • Network Security Service libraries
  • Network Security Service libraries - transitional package
  • Debugging symbols for the Network Security Service libraries
  • Development files for the Network Security Service libraries

Latest version: 2:3.28.4-0ubuntu0.14.04.5
Release: trusty (14.04)
Level: updates
Repository: main


Other versions of "nss" in Trusty

Repository  Area  Version
base        main  2:3.15.4-1ubuntu7
security    main  2:3.28.4-0ubuntu0.14.04.5


Changelog

Version: 2:3.28.4-0ubuntu0.14.04.5 2019-02-27 19:06:29 UTC

  nss (2:3.28.4-0ubuntu0.14.04.5) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
    - debian/patches/CVE-2018-18508-1.patch: add null checks in
      nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c,
      nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c,
      nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
    - debian/patches/CVE-2018-18508-2.patch: add null checks in
      nss/lib/smime/cmsmessage.c.
    - CVE-2018-18508

 -- Marc Deslauriers <email address hidden> Tue, 19 Feb 2019 14:41:32 +0100

CVE-2018-18508 NULL pointer dereference in several CMS functions resulting in a denial of service

Version: 2:3.28.4-0ubuntu0.14.04.4 2019-01-09 20:06:38 UTC

  nss (2:3.28.4-0ubuntu0.14.04.4) trusty-security; urgency=medium

  * SECURITY UPDATE: side-channel attack on ECDSA signatures
    - debian/patches/CVE-2018-0495.patch: improve ecdsa and dsa in
      nss/lib/freebl/dsa.c, nss/lib/freebl/ec.c.
    - CVE-2018-0495
  * SECURITY UPDATE: ServerHello.random is all zero in v2 ClientHello
    - debian/patches/CVE-2018-12384-1.patch: fix random logic in
      nss/lib/ssl/ssl3con.c.
    - debian/patches/CVE-2018-12384-2.patch: add tests to
      nss/gtests/ssl_gtest/ssl_loopback_unittest.cc,
      nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
    - CVE-2018-12384
  * SECURITY UPDATE: cache side-channel variant of the Bleichenbacher attack
    - debian/patches/CVE-2018-12404-1.patch: improve RSA key exchange
      handling in nss/lib/ssl/ssl3con.c.
    - debian/patches/CVE-2018-12404-3.patch: add constant time
      mp_to_fixlen_octets in nss/gtests/freebl_gtest/mpi_unittest.cc,
      nss/lib/freebl/mpi/mpi.c, nss/lib/freebl/mpi/mpi.h.
    - CVE-2018-12404

 -- Marc Deslauriers <email address hidden> Fri, 14 Dec 2018 10:33:50 -0500

CVE-2018-0495 Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of
CVE-2018-12384 ServerHello.random is all zero when handling a v2-compatible ClientHello
CVE-2018-12404 Cache side-channel variant of the Bleichenbacher attack

Version: 2:3.28.4-0ubuntu0.14.04.3 2017-10-02 16:06:56 UTC

  nss (2:3.28.4-0ubuntu0.14.04.3) trusty-security; urgency=medium

  * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes
    - debian/patches/CVE-2017-7805.patch: Simplify handling of
      CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h.
    - CVE-2017-7805

 -- Marc Deslauriers <email address hidden> Fri, 29 Sep 2017 08:54:40 -0400


Version: 2:3.28.4-0ubuntu0.14.04.2 2017-06-21 19:06:35 UTC

  nss (2:3.28.4-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via empty SSLv2 messages
    - debian/patches/CVE-2017-7502.patch: reject broken v2 records in
      nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h,
      added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc,
      nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn,
      nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
    - CVE-2017-7502

 -- Marc Deslauriers <email address hidden> Fri, 16 Jun 2017 08:14:11 -0400

CVE-2017-7502 Null pointer dereference vulnerability in NSS since 3.24.0 was found when server receives empty SSLv2 messages resulting into denial of service by re

Version: 2:3.28.4-0ubuntu0.14.04.1 2017-04-27 18:06:50 UTC

  nss (2:3.28.4-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Updated to upstream 3.28.4 to fix security issues and get a new CA
    certificate bundle.
  * SECURITY UPDATE: DES and Triple DES ciphers birthday attack
    - CVE-2016-2183
  * SECURITY UPDATE: out-of-bounds write in Base64 decoding
    - CVE-2017-5461
  * debian/patches/99_jarfile_ftbfs.patch: removed, upstream.
  * debian/patches/*.patch: refreshed for new version.
  * debian/control: bump libnspr4-dev to 4.13.1.
  * debian/libnss3.symbols: added new symbols.

 -- Marc Deslauriers <email address hidden> Wed, 26 Apr 2017 10:25:43 -0400

CVE-2016-2183 The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately


