Main Vulnerability Database SB2020060234

SB2020060234 - Race condition in firefox-esr (Alpine package)

Published: June 2, 2020

Security Bulletin ID SB2020060234

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Race condition (CVE-ID: CVE-2020-12399)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to time differences in Mozilla NSS library during the process of generating a DSA signature, the nonce value 'k' is not padded, exposing the bit length. Combined with other techniques, this can result in the recovery of the DSA private key.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=aadba671901181be240a1d151a9f3a04f2ce3ca5
https://git.alpinelinux.org/aports/commit/?id=37e37d549603b29c55fafcde8f3732cfb9db1640
https://git.alpinelinux.org/aports/commit/?id=c3bc99eb0be5fedab0fdd751a54afe87028c920b
https://git.alpinelinux.org/aports/commit/?id=da1c1b9ae466f66ae95fc66418a02c3ae10be583
https://git.alpinelinux.org/aports/commit/?id=5d9ca1b5fa041ac0d09e2bd2038f505e06c7d7f5
https://git.alpinelinux.org/aports/commit/?id=b3181176e64948e2cd534829b0e3883aed67a27c
https://git.alpinelinux.org/aports/commit/?id=66010d68451b4eac4d3f7315739fd156bd840f21
https://git.alpinelinux.org/aports/commit/?id=8dc0bf1501171d97e4b280f12987e24bf3cc53f7