Bugzilla – Bug 1015547
VUL-0: CVE-2016-8635: mozilla-nss: small-subgroups attack flaw
Last modified: 2020-06-13 00:55:59 UTC
via redhat bug rh#1391818 It was found that Diffie Hellman Client key exchange handling in NSS, was vulnerable to small subgroup confinement attack[1]. An attacker could use this flaw to recover private keys by confining the client DH key to small subgroup of the desired group. [1] https://en.wikipedia.org/wiki/Small_subgroup_confinement_attack References: https://bugzilla.redhat.com/show_bug.cgi?id=1391818
The RH package has a single patch referring to https://bugzilla.mozilla.org/show_bug.cgi?id=1314604. Looking further, it seems to be excerpt from https://hg.mozilla.org/projects/nss/revfdee095b5e2e. I'll add the RH patch into our packages.
Wolfgang, any chance you could cc me on the mozilla bug? Thanks.
Even I don't have access to that one but I requested information from within the security group. Will report back about the result.
The upstream bug is now open.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2017-05-03. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63559
SUSE-SU-2017:1175-1: An update that fixes 29 vulnerabilities is now available. Category: security (important) Bug References: 1015499,1015547,1021636,1030071,1035082,983639 CVE References: CVE-2016-1950,CVE-2016-2834,CVE-2016-8635,CVE-2016-9574,CVE-2017-5429,CVE-2017-5432,CVE-2017-5433,CVE-2017-5434,CVE-2017-5435,CVE-2017-5436,CVE-2017-5437,CVE-2017-5438,CVE-2017-5439,CVE-2017-5440,CVE-2017-5441,CVE-2017-5442,CVE-2017-5443,CVE-2017-5444,CVE-2017-5445,CVE-2017-5446,CVE-2017-5447,CVE-2017-5448,CVE-2017-5459,CVE-2017-5460,CVE-2017-5461,CVE-2017-5462,CVE-2017-5464,CVE-2017-5465,CVE-2017-5469 Sources used: SUSE OpenStack Cloud 5 (src): MozillaFirefox-45.9.0esr-71.2, mozilla-nspr-4.13.1-32.1, mozilla-nss-3.29.5-46.1 SUSE Manager Proxy 2.1 (src): MozillaFirefox-45.9.0esr-71.2, mozilla-nspr-4.13.1-32.1, mozilla-nss-3.29.5-46.1 SUSE Manager 2.1 (src): MozillaFirefox-45.9.0esr-71.2, mozilla-nspr-4.13.1-32.1, mozilla-nss-3.29.5-46.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): MozillaFirefox-45.9.0esr-71.2, mozilla-nspr-4.13.1-32.1, mozilla-nss-3.29.5-46.1 SUSE Linux Enterprise Server 11-SP4 (src): MozillaFirefox-45.9.0esr-71.2, mozilla-nspr-4.13.1-32.1, mozilla-nss-3.29.5-46.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): MozillaFirefox-45.9.0esr-71.2, mozilla-nspr-4.13.1-32.1, mozilla-nss-3.29.5-46.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): MozillaFirefox-45.9.0esr-71.2, mozilla-nspr-4.13.1-32.1, mozilla-nss-3.29.5-46.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): MozillaFirefox-45.9.0esr-71.2, mozilla-nspr-4.13.1-32.1, mozilla-nss-3.29.5-46.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): MozillaFirefox-45.9.0esr-71.2, mozilla-nspr-4.13.1-32.1, mozilla-nss-3.29.5-46.1
SUSE-SU-2017:1248-1: An update that fixes 29 vulnerabilities is now available. Category: security (important) Bug References: 1015499,1015547,1021636,1026102,1030071,1035082,983639 CVE References: CVE-2016-1950,CVE-2016-2834,CVE-2016-8635,CVE-2016-9574,CVE-2017-5429,CVE-2017-5432,CVE-2017-5433,CVE-2017-5434,CVE-2017-5435,CVE-2017-5436,CVE-2017-5437,CVE-2017-5438,CVE-2017-5439,CVE-2017-5440,CVE-2017-5441,CVE-2017-5442,CVE-2017-5443,CVE-2017-5444,CVE-2017-5445,CVE-2017-5446,CVE-2017-5447,CVE-2017-5448,CVE-2017-5459,CVE-2017-5460,CVE-2017-5461,CVE-2017-5462,CVE-2017-5464,CVE-2017-5465,CVE-2017-5469 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP2 (src): MozillaFirefox-45.9.0esr-105.1, mozilla-nspr-4.13.1-18.1, mozilla-nss-3.29.5-57.1 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): MozillaFirefox-45.9.0esr-105.1, mozilla-nspr-4.13.1-18.1, mozilla-nss-3.29.5-57.1 SUSE Linux Enterprise Server for SAP 12 (src): MozillaFirefox-45.9.0esr-105.1, mozilla-nspr-4.13.1-18.1, mozilla-nss-3.29.5-57.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): MozillaFirefox-45.9.0esr-105.1, java-1_8_0-openjdk-1.8.0.121-23.4, mozilla-nspr-4.13.1-18.1, mozilla-nss-3.29.5-57.1 SUSE Linux Enterprise Server 12-SP2 (src): MozillaFirefox-45.9.0esr-105.1, java-1_8_0-openjdk-1.8.0.121-23.4, mozilla-nspr-4.13.1-18.1, mozilla-nss-3.29.5-57.1 SUSE Linux Enterprise Server 12-SP1 (src): MozillaFirefox-45.9.0esr-105.1, java-1_8_0-openjdk-1.8.0.121-23.4, mozilla-nspr-4.13.1-18.1, mozilla-nss-3.29.5-57.1 SUSE Linux Enterprise Server 12-LTSS (src): MozillaFirefox-45.9.0esr-105.1, mozilla-nspr-4.13.1-18.1, mozilla-nss-3.29.5-57.1 SUSE Linux Enterprise Desktop 12-SP2 (src): MozillaFirefox-45.9.0esr-105.1, java-1_8_0-openjdk-1.8.0.121-23.4, mozilla-nspr-4.13.1-18.1, mozilla-nss-3.29.5-57.1 SUSE Linux Enterprise Desktop 12-SP1 (src): MozillaFirefox-45.9.0esr-105.1, java-1_8_0-openjdk-1.8.0.121-23.4, mozilla-nspr-4.13.1-18.1, mozilla-nss-3.29.5-57.1
released