Security update for mozilla-nss SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0955-1 Final 1 1 2020-07-13T16:28:37Z current 2020-07-13T16:28:37Z 2020-07-13T16:28:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for mozilla-nss This update for mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53.1 - CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032) - Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-955 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/62SBXYYHCYQ7PZ2H2VC26CEXR66YDCCA/ E-Mail link for openSUSE-SU-2020:0955-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1168669 SUSE Bug 1168669 https://bugzilla.suse.com/1173032 SUSE Bug 1173032 https://www.suse.com/security/cve/CVE-2020-12402/ SUSE CVE CVE-2020-12402 page openSUSE Leap 15.2 libfreebl3-3.53.1-lp152.2.4.1 libfreebl3-32bit-3.53.1-lp152.2.4.1 libfreebl3-hmac-3.53.1-lp152.2.4.1 libfreebl3-hmac-32bit-3.53.1-lp152.2.4.1 libsoftokn3-3.53.1-lp152.2.4.1 libsoftokn3-32bit-3.53.1-lp152.2.4.1 libsoftokn3-hmac-3.53.1-lp152.2.4.1 libsoftokn3-hmac-32bit-3.53.1-lp152.2.4.1 mozilla-nss-3.53.1-lp152.2.4.1 mozilla-nss-32bit-3.53.1-lp152.2.4.1 mozilla-nss-certs-3.53.1-lp152.2.4.1 mozilla-nss-certs-32bit-3.53.1-lp152.2.4.1 mozilla-nss-devel-3.53.1-lp152.2.4.1 mozilla-nss-sysinit-3.53.1-lp152.2.4.1 mozilla-nss-sysinit-32bit-3.53.1-lp152.2.4.1 mozilla-nss-tools-3.53.1-lp152.2.4.1 libfreebl3-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 libfreebl3-32bit-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 libfreebl3-hmac-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 libfreebl3-hmac-32bit-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 libsoftokn3-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 libsoftokn3-32bit-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 libsoftokn3-hmac-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 libsoftokn3-hmac-32bit-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 mozilla-nss-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 mozilla-nss-32bit-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 mozilla-nss-certs-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 mozilla-nss-certs-32bit-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 mozilla-nss-devel-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 mozilla-nss-sysinit-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 mozilla-nss-sysinit-32bit-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 mozilla-nss-tools-3.53.1-lp152.2.4.1 as a component of openSUSE Leap 15.2 During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes. *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. CVE-2020-12402 openSUSE Leap 15.2:libfreebl3-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:libfreebl3-32bit-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:libfreebl3-hmac-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:libfreebl3-hmac-32bit-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:libsoftokn3-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:libsoftokn3-32bit-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:libsoftokn3-hmac-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:libsoftokn3-hmac-32bit-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:mozilla-nss-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:mozilla-nss-32bit-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:mozilla-nss-certs-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:mozilla-nss-certs-32bit-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:mozilla-nss-devel-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:mozilla-nss-sysinit-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:mozilla-nss-sysinit-32bit-3.53.1-lp152.2.4.1 openSUSE Leap 15.2:mozilla-nss-tools-3.53.1-lp152.2.4.1 moderate 1.2 AV:L/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/62SBXYYHCYQ7PZ2H2VC26CEXR66YDCCA/ https://www.suse.com/security/cve/CVE-2020-12402.html CVE-2020-12402 https://bugzilla.suse.com/1173032 SUSE Bug 1173032 https://bugzilla.suse.com/1173576 SUSE Bug 1173576 https://bugzilla.suse.com/1174230 SUSE Bug 1174230