Security update for mozilla-nspr, mozilla-nss
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.47.1:
Security issues fixed:
- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).
- CVE-2019-11745: EncryptUpdate should use maxout, not block size (bsc#1158527).
- CVE-2019-11727: Fixed vulnerability sign CertificateVerify with PKCS#1 v1.5 signatures issue (bsc#1141322).
mozilla-nspr was updated to version 4.23:
- Whitespace in C files was cleaned up and no longer uses tab characters for indenting.
This update was imported from the SUSE:SLE-15:Update update project.
-
Submitted by
Charles Robertson (cgrobertson)
Fixed bugs
bnc#1159819
VUL-0: CVE-2019-17006: mozilla-nss: nss: Check length of inputs for cryptographic primitives
bnc#1158527
VUL-0: CVE-2019-11745: mozilla-nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate
bnc#1141322
VUL-1: CVE-2019-11727: mozilla-nss: A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequ
