-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: nss-softokn security update Advisory ID: RHSA-2021:0758-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:0758 Issue date: 2021-03-09 CVE Names: CVE-2019-11756 CVE-2019-17006 CVE-2020-12403 ===================================================================== 1. Summary: An update for nss-softokn is now available for Red Hat Enterprise Linux 7.4 Advanced Update Support, Red Hat Enterprise Linux 7.4 Telco Extended Update Support, and Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Server AUS (v. 7.4) - x86_64 Red Hat Enterprise Linux Server E4S (v. 7.4) - ppc64le, x86_64 Red Hat Enterprise Linux Server TUS (v. 7.4) - x86_64 3. Description: The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. Security Fix(es): * nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756) * nss: Check length of inputs for cryptographic primitives (CVE-2019-17006) * nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1774835 - CVE-2019-11756 nss: Use-after-free in sftk_FreeSession due to improper refcounting 1775916 - CVE-2019-17006 nss: Check length of inputs for cryptographic primitives 1868931 - CVE-2020-12403 nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read 6. Package List: Red Hat Enterprise Linux Server AUS (v. 7.4): Source: nss-softokn-3.28.3-10.el7_4.src.rpm x86_64: nss-softokn-3.28.3-10.el7_4.i686.rpm nss-softokn-3.28.3-10.el7_4.x86_64.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.i686.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.x86_64.rpm nss-softokn-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-devel-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.x86_64.rpm Red Hat Enterprise Linux Server E4S (v. 7.4): Source: nss-softokn-3.28.3-10.el7_4.src.rpm ppc64le: nss-softokn-3.28.3-10.el7_4.ppc64le.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.ppc64le.rpm nss-softokn-devel-3.28.3-10.el7_4.ppc64le.rpm nss-softokn-freebl-3.28.3-10.el7_4.ppc64le.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.ppc64le.rpm x86_64: nss-softokn-3.28.3-10.el7_4.i686.rpm nss-softokn-3.28.3-10.el7_4.x86_64.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.i686.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.x86_64.rpm nss-softokn-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-devel-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.x86_64.rpm Red Hat Enterprise Linux Server TUS (v. 7.4): Source: nss-softokn-3.28.3-10.el7_4.src.rpm x86_64: nss-softokn-3.28.3-10.el7_4.i686.rpm nss-softokn-3.28.3-10.el7_4.x86_64.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.i686.rpm nss-softokn-debuginfo-3.28.3-10.el7_4.x86_64.rpm nss-softokn-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-devel-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-3.28.3-10.el7_4.x86_64.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.i686.rpm nss-softokn-freebl-devel-3.28.3-10.el7_4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-11756 https://access.redhat.com/security/cve/CVE-2019-17006 https://access.redhat.com/security/cve/CVE-2020-12403 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYEc+RNzjgjWX9erEAQg4mQ/+MCpmmYSEI6SYvndSaGpNdO8n7hGXNjAM VmFgQ8T3HABcaoKX78x2lhSeFZypFdwLDac2fL7pOoxxY9KZKUJqDCZc1Q6UggmQ CWUgRNzngnZhkwGaZw3al+/371NN/dfj7kAkEuQTt/PSH0gdiyAdwYthZ0Ke+EOV wIW+8w1x2NxJFrTWIvBSP+w3HHn0d2dCRJicemPkPd25ptHsDzwer2ySDuRI7HJI OlVt5mop/Yq0xXEWlujB7qUhD3gH4ebwHHIgtce7Ffwi1Y/JBGeV9/V2xMbhCNBk 4jhK3AWRNw9ByI0vH4EfyxAuRlolUGR3T/z2ApemyV6pfrulr2KuWeKzF5AEEe1F 9VPuhZ2L+b1xlU3dkZWBO7KH97/c8FJDH2A6j6Lz+M4OtlDziFAPUkabo83AKSSq kv7K2LRL/rm2+dJbSRu9G/3H61jtwVLuGxWUfH6+f8j+NjIeY2BsPFGmCJRGMavI 37MpSDMeYcikHrxgcd49N/xYGNtJKuSQnaO2mQRM5KK7yfeZ8qKOprmC7nE5RKp7 zlIKxq3Py1S53zIzuXzyT5PnvM2nwI3EpBGrcQiiBLlRH7EBAW6eWUCcIQaZklW9 llkYRNyJ+qct5YItP7SjRMUyEJ6Zfn1fxNiJ3vGA4s1dsrBF097H+sqr/OuTEXM8 FTKK9cP2NpU= =9QSj -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce