CVE-2020-12399

NameCVE-2020-12399
DescriptionNSS has shown timing differences when performing DSA signatures, which ...
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2243-1, DLA-2247-1, DLA-2266-1, DLA-2388-1, DSA-4695-1, DSA-4702-1, DSA-4726-1, ELA-232-1, ELA-233-1
Debian Bugs961752

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firefox (PTS)sid84.0.2-1fixed
firefox-esr (PTS)jessie, jessie (lts)68.9.0esr-1~deb8u2fixed
stretch68.10.0esr-1~deb9u1fixed
stretch (security)78.6.1esr-1~deb9u1fixed
buster78.5.0esr-1~deb10u1fixed
buster (security)78.6.1esr-1~deb10u1fixed
bullseye78.6.0esr-1fixed
sid78.6.1esr-1fixed
nss (PTS)jessie, jessie (lts)2:3.26-1+debu8u13fixed
stretch2:3.26.2-1.1+deb9u1vulnerable
stretch (security)2:3.26.2-1.1+deb9u2fixed
buster, buster (security)2:3.42.1-1+deb10u3fixed
sid, bullseye2:3.60-1fixed
thunderbird (PTS)jessie, jessie (lts)1:68.9.0-1~deb8u2fixed
stretch1:68.10.0-1~deb9u1fixed
stretch (security)1:78.6.0-1~deb9u1fixed
buster1:78.5.0-1~deb10u1fixed
buster (security)1:78.6.0-1~deb10u1fixed
sid, bullseye1:78.6.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firefoxsource(unstable)77.0-1
firefox-esrsource(unstable)68.9.0esr-1
firefox-esrsourcebuster68.9.0esr-1~deb10u1DSA-4695-1
firefox-esrsourcejessie68.9.0esr-1~deb8u2DLA-2243-1
firefox-esrsourcestretch68.9.0esr-1~deb9u1DSA-4695-1
firefox-esrsourcewheezy(unfixed)end-of-life
nsssource(unstable)2:3.53-1961752
nsssourcebuster2:3.42.1-1+deb10u3DSA-4726-1
nsssourcejessie2:3.26-1+debu8u11DLA-2266-1
nsssourcestretch2:3.26.2-1.1+deb9u2DLA-2388-1
nsssourcewheezy2:3.26-1+debu7u12ELA-232-1
openjdk-7sourcewheezy7u261-2.6.22-1~deb7u2ELA-233-1
thunderbirdsource(unstable)1:68.9.0-1
thunderbirdsourcebuster1:68.9.0-1~deb10u1DSA-4702-1
thunderbirdsourcejessie1:68.9.0-1~deb8u2DLA-2247-1
thunderbirdsourcestretch1:68.9.0-1~deb9u1DSA-4702-1
thunderbirdsourcewheezy(unfixed)end-of-life

Notes

https://bugzilla.mozilla.org/show_bug.cgi?id=1631576 (non-public)
Fixed by: https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e
https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12399
https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/#CVE-2020-12399
https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12399

Search for package or bug name: Reporting problems