-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: nss-softokn security update Advisory ID: RHSA-2020:1345-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:1345 Issue date: 2020-04-07 CVE Names: CVE-2018-0495 CVE-2019-11745 ==================================================================== 1. Summary: An update for nss-softokn is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.4) - x86_64 Red Hat Enterprise Linux Server E4S (v. 7.4) - ppc64le, x86_64 Red Hat Enterprise Linux Server TUS (v. 7.4) - x86_64 3. Description: The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. Security Fix(es): * nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) * ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1591163 - CVE-2018-0495 ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries 1774831 - CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate 6. Package List: Red Hat Enterprise Linux Server AUS (v. 7.4): Source: nss-softokn-3.28.3-9.el7_4.src.rpm x86_64: nss-softokn-3.28.3-9.el7_4.i686.rpm nss-softokn-3.28.3-9.el7_4.x86_64.rpm nss-softokn-debuginfo-3.28.3-9.el7_4.i686.rpm nss-softokn-debuginfo-3.28.3-9.el7_4.x86_64.rpm nss-softokn-devel-3.28.3-9.el7_4.i686.rpm nss-softokn-devel-3.28.3-9.el7_4.x86_64.rpm nss-softokn-freebl-3.28.3-9.el7_4.i686.rpm nss-softokn-freebl-3.28.3-9.el7_4.x86_64.rpm nss-softokn-freebl-devel-3.28.3-9.el7_4.i686.rpm nss-softokn-freebl-devel-3.28.3-9.el7_4.x86_64.rpm Red Hat Enterprise Linux Server E4S (v. 7.4): Source: nss-softokn-3.28.3-9.el7_4.src.rpm ppc64le: nss-softokn-3.28.3-9.el7_4.ppc64le.rpm nss-softokn-debuginfo-3.28.3-9.el7_4.ppc64le.rpm nss-softokn-devel-3.28.3-9.el7_4.ppc64le.rpm nss-softokn-freebl-3.28.3-9.el7_4.ppc64le.rpm nss-softokn-freebl-devel-3.28.3-9.el7_4.ppc64le.rpm x86_64: nss-softokn-3.28.3-9.el7_4.i686.rpm nss-softokn-3.28.3-9.el7_4.x86_64.rpm nss-softokn-debuginfo-3.28.3-9.el7_4.i686.rpm nss-softokn-debuginfo-3.28.3-9.el7_4.x86_64.rpm nss-softokn-devel-3.28.3-9.el7_4.i686.rpm nss-softokn-devel-3.28.3-9.el7_4.x86_64.rpm nss-softokn-freebl-3.28.3-9.el7_4.i686.rpm nss-softokn-freebl-3.28.3-9.el7_4.x86_64.rpm nss-softokn-freebl-devel-3.28.3-9.el7_4.i686.rpm nss-softokn-freebl-devel-3.28.3-9.el7_4.x86_64.rpm Red Hat Enterprise Linux Server TUS (v. 7.4): Source: nss-softokn-3.28.3-9.el7_4.src.rpm x86_64: nss-softokn-3.28.3-9.el7_4.i686.rpm nss-softokn-3.28.3-9.el7_4.x86_64.rpm nss-softokn-debuginfo-3.28.3-9.el7_4.i686.rpm nss-softokn-debuginfo-3.28.3-9.el7_4.x86_64.rpm nss-softokn-devel-3.28.3-9.el7_4.i686.rpm nss-softokn-devel-3.28.3-9.el7_4.x86_64.rpm nss-softokn-freebl-3.28.3-9.el7_4.i686.rpm nss-softokn-freebl-3.28.3-9.el7_4.x86_64.rpm nss-softokn-freebl-devel-3.28.3-9.el7_4.i686.rpm nss-softokn-freebl-devel-3.28.3-9.el7_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-0495 https://access.redhat.com/security/cve/CVE-2019-11745 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXoxI5dzjgjWX9erEAQiD+hAAkAnoav5FMltQo/IdtfRZMwhxS9N0Y6W4 H/xwgg/jipCZ61vE/STaMM44zJWSzTayme8nslELtqRsijY9GdhZwH0lLrtYbVEJ sdWliYxfPwzlqokaIi9HcnbDok2xYrhbM5wfzSMcvE2Coq8yoo4++Nrlv0m7cxNE dAVJZNi594WBeiNdffFfoGBLFewr+qcfLwd20hQpjji74V/r+Q6fj4BHp7ilU5qU 0s/0lEFzCr4vOXYrIe58P4DRhcO4C8W5qAVDAtjx4cXGkUPIjbcO2JJE7ywlFajp 5EBgZeJK9f7MbWGXMjEOGJhPDt0uykj2f8AGZKZxh4Az4GyijMQMYKRkiwBy4HRd BBb0hCti/phfzx2enk5Z39e1tAX91h3nlzAbWQbcEOmvrcudxjnxkM9DTh9h5nQZ eHN9kE18KrYExvJXA5seWD/p/LBW5DXaaumKcHXiKoS6d+O+D43DwvUpzdl2JP+e 57xTskKOrZzk1h7O+1LoEstTI7bqTnYH7VCfIQEdgKBG3AQ2t5O8vfWFLKF7AjXX CoYdmT0cMtu2r00Scr7JSs45hQ/Yy0bBiUSlvDKNnVhsr45EscG5pAVVzID5DlCh cMol1vhCBoV53UfQ3wkZiqMcxsJxNC5ajN9Q7lZgejg2zA1bGySrXALlg13t3ZIH olEFz/LzYms=XO4i -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce