CVE-2020-12399

NameCVE-2020-12399
DescriptionNSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2243-1, DLA-2247-1, DLA-2266-1, DLA-2388-1, DSA-4695-1, DSA-4702-1, DSA-4726-1, ELA-232-1, ELA-233-1
Debian Bugs961752

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firefox (PTS)sid123.0-1fixed
firefox-esr (PTS)jessie, jessie (lts)68.9.0esr-1~deb8u2fixed
stretch (security), stretch (lts), stretch91.11.0esr-1~deb9u1fixed
buster91.12.0esr-1~deb10u1fixed
buster (security)115.8.0esr-1~deb10u1fixed
bullseye115.7.0esr-1~deb11u1fixed
bullseye (security)115.8.0esr-1~deb11u1fixed
bookworm115.7.0esr-1~deb12u1fixed
bookworm (security)115.8.0esr-1~deb12u1fixed
sid, trixie115.8.0esr-1fixed
nss (PTS)jessie, jessie (lts)2:3.26-1+debu8u17fixed
stretch (security)2:3.26.2-1.1+deb9u5fixed
stretch (lts), stretch2:3.26.2-1.1+deb9u6fixed
buster2:3.42.1-1+deb10u5fixed
buster (security)2:3.42.1-1+deb10u7fixed
bullseye (security), bullseye2:3.61-1+deb11u3fixed
bookworm2:3.87.1-1fixed
sid, trixie2:3.98-1fixed
thunderbird (PTS)jessie, jessie (lts)1:68.9.0-1~deb8u2fixed
stretch (security), stretch (lts), stretch1:91.10.0-1~deb9u1fixed
buster1:91.12.0-1~deb10u1fixed
buster (security)1:115.8.0-1~deb10u1fixed
bullseye1:115.7.0-1~deb11u1fixed
bullseye (security)1:115.8.0-1~deb11u1fixed
bookworm1:115.7.0-1~deb12u1fixed
bookworm (security)1:115.8.0-1~deb12u1fixed
trixie1:115.7.0-1fixed
sid1:115.8.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firefoxsource(unstable)77.0-1
firefox-esrsourcewheezy(unfixed)end-of-life
firefox-esrsourcejessie68.9.0esr-1~deb8u2DLA-2243-1
firefox-esrsourcestretch68.9.0esr-1~deb9u1DSA-4695-1
firefox-esrsourcebuster68.9.0esr-1~deb10u1DSA-4695-1
firefox-esrsource(unstable)68.9.0esr-1
nsssourcewheezy2:3.26-1+debu7u12ELA-232-1
nsssourcejessie2:3.26-1+debu8u11DLA-2266-1
nsssourcestretch2:3.26.2-1.1+deb9u2DLA-2388-1
nsssourcebuster2:3.42.1-1+deb10u3DSA-4726-1
nsssource(unstable)2:3.53-1961752
openjdk-7sourcewheezy7u261-2.6.22-1~deb7u2ELA-233-1
thunderbirdsourcewheezy(unfixed)end-of-life
thunderbirdsourcejessie1:68.9.0-1~deb8u2DLA-2247-1
thunderbirdsourcestretch1:68.9.0-1~deb9u1DSA-4702-1
thunderbirdsourcebuster1:68.9.0-1~deb10u1DSA-4702-1
thunderbirdsource(unstable)1:68.9.0-1

Notes

https://bugzilla.mozilla.org/show_bug.cgi?id=1631576 (non-public)
Fixed by: https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e
https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12399
https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/#CVE-2020-12399
https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/#CVE-2020-12399

Search for package or bug name: Reporting problems