When performing EC scalar point multiplication, the wNAF point
multiplication algorithm was used, and its double/add pattern leaked partial
information about the nonce used during signature generation. Given an
electromagnetic trace of a few signature generations, the private key could
have been computed.
CVE-2020-12400
When converting coordinates from projective to affine, the modular
inversion was not performed in constant time, resulting in a possible
timing-based side channel attack.
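To make the point concrete, an added example (Python written for this page, not NSS code): converting a projective point to affine coordinates costs one modular inversion of Z, and two inversion routines differ in whether their work depends on the value being inverted. The field prime (secp256k1's) and the function names are assumptions chosen for illustration.

```python
# Added example (not NSS code): converting a projective point (X : Y : Z) to
# affine (X/Z, Y/Z) needs one modular inversion, and the time that inversion
# takes must not depend on Z, which is derived from the secret scalar.
# Field: the secp256k1 prime, chosen only as a familiar 256-bit example.
P = 2**256 - 2**32 - 977


def inv_euclid(a, p):
    """Extended Euclid. Returns (a^-1 mod p, number of division steps).
    The step count is a function of a, so the running time leaks a."""
    old_r, r = a % p, p
    old_s, s = 1, 0
    steps = 0
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        steps += 1
    return old_s % p, steps


def inv_fermat(a, p):
    """a^(p-2) mod p by square-and-multiply. The exponent p-2 is public, so
    the sequence of squarings and multiplications (and the step count) is
    the same for every a: constant time as far as control flow goes."""
    result, base, steps = 1, a % p, 0
    for bit in bin(p - 2)[2:]:
        result = result * result % p
        if bit == "1":          # branch depends on p only, never on a
            result = result * base % p
        steps += 1
    return result, steps


def to_affine(X, Y, Z, inverse):
    """Projective -> affine with a pluggable inversion routine.
    Returns ((x, y), steps taken by the inversion)."""
    z_inv, steps = inverse(Z, P)
    return (X * z_inv % P, Y * z_inv % P), steps


def step_counts(inverse, zs):
    """Distinct inversion step counts seen over a set of Z values: a
    timing side channel exists if this set has more than one element."""
    return {to_affine(1, 1, z, inverse)[1] for z in zs}


if __name__ == "__main__":
    zs = [1, 2, 3, 0xDEADBEEF, P - 1]      # constructed sample Z values
    print("euclid:", step_counts(inv_euclid, zs))
    print("fermat:", step_counts(inv_fermat, zs))
```

Operation count is a stand-in for time here; a fixed-sequence exponentiation is the usual way to get a constant-time inversion in a prime field, and the multiply calls themselves must also be constant time for the property to hold.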
CVE-2020-12401
During ECDSA signature generation, padding applied to the nonce, designed to
ensure constant-time scalar multiplication, had been removed, resulting in
variable-time execution dependent on secret data.
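What the nonce padding does, as an added example (Python written for this page, not NSS code). A textbook toy curve, y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) of order 19, is assumed so that results can be checked by hand; the padding rule (add the group order once or twice so the scalar always has one bit more than the order) is the generic technique, and the function names are ours.

```python
# Added example, not NSS code. A toy curve, y^2 = x^3 + 2x + 2 over F_17 with
# generator G = (5, 1) of prime order n = 19, stands in for a real one; the
# arithmetic and the padding rule are the same for a standard curve.
P, A = 17, 2
G, N = (5, 1), 19
INF = None  # point at infinity


def add(p1, p2):
    """Affine point addition/doubling (field inversion via pow(x, P-2, P))."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Left-to-right double-and-add. Returns (k*pt, loop iterations).
    One iteration per bit of k, so the running time reveals k.bit_length()
    (a real constant-time ladder would also remove the per-bit branch)."""
    acc, iters = INF, 0
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
        iters += 1
    return acc, iters


def pad_nonce(k, n=N):
    """Add the group order once or twice so that the scalar always has
    n.bit_length() + 1 bits. n*G is the identity, so k'*G == k*G."""
    kp = k + n
    if kp.bit_length() <= n.bit_length():
        kp += n
    return kp


def sign(d, z, k):
    """ECDSA on the toy curve: r = (k*G).x mod n, s = k^-1 (z + r*d) mod n.
    Only the scalar multiplication sees the padded nonce (k' = k mod n)."""
    (r, _), _ = scalar_mult(pad_nonce(k), G)
    r %= N
    s = pow(k, N - 2, N) * (z + r * d) % N
    return r, s


def verify(Q, z, sig):
    """Standard ECDSA verification against public key Q = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, N - 2, N)
    pt = add(scalar_mult(z * w % N, G)[0], scalar_mult(r * w % N, Q)[0])
    return pt is not INF and pt[0] % N == r


if __name__ == "__main__":
    for k in range(1, N):
        print(k, scalar_mult(k, G)[1], pad_nonce(k), scalar_mult(pad_nonce(k), G)[1])
```

Without padding the loop runs between 1 and 5 times depending on k; with it, every nonce from 1 to 18 is multiplied in exactly 6 iterations and yields the same point, which is why removing the padding reintroduces a secret-dependent timing difference.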
CVE-2020-12403
A flaw was found in the way ChaCha20-Poly1305 was implemented in NSS:
using ChaCha20 in multi-part mode could cause out-of-bounds reads.
This issue was fixed by explicitly disabling multi-part ChaCha20