Bug 48851 - nss: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.2-5-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Depends on:
Blocks:
Reported: 2019-03-05 08:43 CET by Quality Assurance
Modified: 2019-03-06 14:24 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


Description Quality Assurance univentionstaff 2019-03-05 08:43:39 CET
New Debian nss 2:3.26-1+debu8u4 fixes:
This update addresses the following issues:
* Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404)
* NULL pointer dereference in several CMS functions resulting in a denial of service (CVE-2018-18508)
Comment 1 Quality Assurance univentionstaff 2019-03-05 09:00:23 CET
--- mirror/ftp/4.2/unmaintained/4.2-4/source/nss_3.26-1+debu8u3.dsc
+++ apt/ucs_4.2-0-errata4.2-5/source/nss_3.26-1+debu8u4.dsc
@@ -1,3 +1,15 @@
+2:3.26-1+debu8u4 [Mon, 04 Mar 2019 09:46:23 -0500] Roberto C. Sanchez <roberto@debian.org>:
+
+  * Non-maintainer upload by the LTS Security Team.
+  * Update nss/tests/libpkix/certs/PayPalEE.cert to work-around the fact that
+    the former certificate has expired.  The new certificate expiry is
+    2020-08-18.  Also update the expected OID through (adds
+    debian/patches/replace_expired_paypal_cert.patch).
+  * Add patches to fix two security issues:
+    - CVE-2018-12404: Cache side-channel variant of the Bleichenbacher attack
+    - CVE-2018-18508: NULL pointer dereference in several CMS functions
+      resulting in a denial of service (Closes: #921614)
+
 2:3.26-1+debu8u3 [Sat, 07 Oct 2017 21:33:20 +0200] Salvatore Bonaccorso <carnil@debian.org>:
 
   * Non-maintainer upload by the Security Team.
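Review bot: the "Add patches to fix two security issues" item lists CVE-2018-12404 and CVE-2018-18508 but not the patch files that fix them, whereas the PayPalEE.cert item names debian/patches/replace_expired_paypal_cert.patch; naming the two CVE patches the same way would let the entry be checked against the source package. In the same entry, "Also update the expected OID through (adds" reads as if a word is missing after "through" and should be reworded. The certificate replacement is confined to nss/tests/libpkix/certs/, so it is a test-data change bundled with the security fixes and could be called out as such in the errata text.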

<http://10.200.17.11/4.2-5/#2009491523397746279>
Comment 2 Philipp Hahn univentionstaff 2019-03-05 13:48:31 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] 2c7312e410 Bug #48851: nss 2:3.26-1+debu8u4
 doc/errata/staging/nss.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
Comment 3 Arvid Requate univentionstaff 2019-03-06 14:24:24 CET
<http://errata.software-univention.de/ucs/4.2/611.html>