– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Gentoo Linux Security Advisory GLSA 202012-21
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
https://security.gentoo.org/
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Severity: Low
Title: Mozilla Network Security Service (NSS): Denial of service
Date: December 23, 2020
Bugs: #750254
ID: 202012-21

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Synopsis
========

A vulnerability in NSS might allow remote attackers to cause a Denial
of Service condition.

Background
==========

The Mozilla Network Security Service (NSS) is a library implementing
security features like SSL v.2/v.3, TLS, PKCS #5, PKCS #7, PKCS #11,
PKCS #12, S/MIME and X.509 certificates.

Affected packages
=================

——————————————————————-
Package / Vulnerable / Unaffected
——————————————————————-
1 dev-libs/nss < 3.58 >= 3.58

Description
===========

A flaw was found in the way Mozilla Network Security Service (NSS)
handled CCS (ChangeCipherSpec) messages in TLS 1.3.

Impact
======

A remote attacker could send multiple crafted CSS messages in row after
ClientHello message to a server application linked against NSS library,
possibly resulting in a Denial of Service condition.

Workaround
==========

Disable TLS 1.3 protocol.

Resolution
==========

All NSS users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=dev-libs/nss-3.58”

References
==========

[ 1 ] CVE-2020-25648
https://nvd.nist.gov/vuln/detail/CVE-2020-25648

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202012-21

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons – Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

—–BEGIN PGP SIGNATURE—–

wsB5BAABCAAjFiEEExKRzo+LDXJgXHuURObr3Jv2BVkFAl/jpi0FAwAAAAAACgkQRObr3Jv2BVmn
PAf/bfbkXfxc9fZ0z0/KFjE2ZnX97upaKxIDwmjoXfVDX3w6XgiTITN6SmwIF4rUPCo5puxKYz9G
pYFG05hFUQ1j6FF2eRiM+FwrXfiAAZR9ljndm6CIFVXCOy186gGZPwaT617mabqSwEo7V5rpbRjx
PCYeA8nbCrK/MaEWvaE677OaS72e1ArqfTqwKO1AEs4g9wTlTJ/fBqpngu72XkV+dRZzSwviWScp
NEoKOTJZlAYfaVooGBfSIR+TuP0FAHzMdkY/dNiV8/LzyVOYbZ5JJbQhWwEEeUL+3AAR4Dk9AnD4
NpgJd92BgdRqJec5eK+7HM759ouOKAfVgxzgp3v40Q==
=xIeG
—–END PGP SIGNATURE—–