Bug 1159819 - (CVE-2019-17006) VUL-0: CVE-2019-17006: mozilla-nss: nss: Check length of inputs for cryptographic primitives
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium : Normal
Assigned To: Charles Robertson
Security Team bot
https://smash.suse.de/issue/249778/
CVSSv3:SUSE:CVE-2019-17006:6.8:(AV:N/...
Reported: 2019-12-27 07:52 UTC by Alexandros Toptsoglou
Modified: 2021-01-17 08:10 UTC (History)
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-12-27 07:52:22 UTC
CVE-2019-17006

As per Mozilla upstream a CVE flaw was fixed via:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes

Bug 1539788 - Add length checks for cryptographic primitives (CVE-2019-17006)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1775916
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17006
Comment 1 Alexandros Toptsoglou 2019-12-27 08:04:21 UTC
Version 3.46 fixes this issue.

SLE-11 SP1 is already fixed since it ships version 3.47.1.
SLE12 and SLE15 are currently affected but there is an ongoing update to version 3.47.1 which is going to be released soon.
Comment 3 Swamp Workflow Management 2019-12-30 17:11:44 UTC
SUSE-SU-2019:3395-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1141322,1158527,1159819
CVE References: CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    mozilla-nss-3.47.1-3.22.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    mozilla-nss-3.47.1-3.22.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    mozilla-nspr-4.23-3.9.1, mozilla-nss-3.47.1-3.22.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    mozilla-nspr-4.23-3.9.1, mozilla-nss-3.47.1-3.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-01-11 23:11:13 UTC
openSUSE-SU-2020:0008-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1141322,1158527,1159819
CVE References: CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
Sources used:
openSUSE Leap 15.1 (src):    mozilla-nspr-4.23-lp151.2.6.1, mozilla-nss-3.47.1-lp151.2.9.1
Comment 7 Swamp Workflow Management 2020-01-13 23:33:21 UTC
SUSE-SU-2020:0088-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1141322,1158527,1159819
CVE References: CVE-2019-11745,CVE-2019-17006
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE OpenStack Cloud 8 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE OpenStack Cloud 7 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP5 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP4 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Enterprise Storage 5 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE CaaS Platform 3.0 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
HPE Helion Openstack 8 (src):    mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-06-18 22:17:13 UTC
SUSE-SU-2020:1677-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1159819,1169746,1171978
CVE References: CVE-2019-17006,CVE-2020-12399
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    mozilla-nspr-4.25-3.12.1, mozilla-nss-3.53-3.40.1
SUSE Linux Enterprise Server 15-LTSS (src):    mozilla-nspr-4.25-3.12.1, mozilla-nss-3.53-3.40.1
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    mozilla-nss-3.53-3.40.1
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    mozilla-nss-3.53-3.40.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    mozilla-nspr-4.25-3.12.1, mozilla-nss-3.53-3.40.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    mozilla-nspr-4.25-3.12.1, mozilla-nss-3.53-3.40.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    mozilla-nspr-4.25-3.12.1, mozilla-nss-3.53-3.40.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    mozilla-nspr-4.25-3.12.1, mozilla-nss-3.53-3.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-06-24 10:13:24 UTC
openSUSE-SU-2020:0854-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1159819,1169746,1171978
CVE References: CVE-2019-17006,CVE-2020-12399
Sources used:
openSUSE Leap 15.1 (src):    mozilla-nspr-4.25-lp151.2.9.1, mozilla-nss-3.53-lp151.2.23.1
Comment 13 Swamp Workflow Management 2020-07-03 16:13:04 UTC
SUSE-SU-2020:1839-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1159819,1168669,1169746,1170908,1171978,1173022
CVE References: CVE-2019-17006,CVE-2020-12399,CVE-2020-12402
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE OpenStack Cloud Crowbar 8 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE OpenStack Cloud 9 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE OpenStack Cloud 8 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE OpenStack Cloud 7 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Linux Enterprise Server 12-SP5 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
SUSE Enterprise Storage 5 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1
HPE Helion Openstack 8 (src):    mozilla-nspr-4.25-19.15.1, mozilla-nss-3.53.1-58.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-07-06 19:17:01 UTC
SUSE-SU-2020:14418-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1141322,1158527,1159819,1168669,1169746,1170908,1171978,1173032
CVE References: CVE-2019-11727,CVE-2019-11745,CVE-2019-17006,CVE-2020-12399,CVE-2020-12402
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    mozilla-nspr-4.25-29.12.2, mozilla-nss-3.53.1-38.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Marcus Meissner 2021-01-17 08:10:42 UTC
released