ELA-256-1 nss security update

ECDSA timing and side channel attacks

2020-08-02
Packagenss
Version2:3.26-1+debu8u12
Related CVEs CVE-2020-6829 CVE-2020-12400 CVE-2020-12401


Multiple security vulnerabilities were fixed in nss, the Network Security Services library. The ECDSA signature generation in P-384 and P-521 was found to be vulnerable to a side channel attack in the modular inversion function implementation. The ECDSA implementation was also found to be vulnerable to a timing attack mitigation bypass.



For Debian 8 jessie, these problems have been fixed in version 2:3.26-1+debu8u12.

We recommend that you upgrade your nss packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.