USN-4060-1: NSS vulnerabilities
Severity
Medium
Vendor
Canonical Ubuntu
Description
Henry Corrigan-Gibbs discovered that NSS incorrectly handled importing certain curve25519 private keys. An attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2019-11719)
Hubert Kario discovered that NSS incorrectly handled PKCS#1 v1.5 signatures when using TLSv1.3. An attacker could possibly use this issue to trick NSS into using PKCS#1 v1.5 signatures, contrary to expectations. This issue only applied to Ubuntu 19.04. (CVE-2019-11727)
Jonas Allmann discovered that NSS incorrectly handled certain p256-ECDH public keys. An attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service. (CVE-2019-11729)
CVEs contained in this USN include: CVE-2019-11719, CVE-2019-11727, CVE-2019-11729
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Pivotal Operations Manager is vulnerable in the following releases:
  - 2.6.x versions prior to 2.6.5
  - 2.5.x versions prior to 2.5.11
  - 2.4.x versions prior to 2.4.17
  - 2.3.x versions prior to 2.3.23
- Pivotal Greenplum for Kubernetes is vulnerable in the following releases:
  - All versions prior to 1.2.0
Mitigation
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Pivotal Operations Manager: 2.6.5, 2.5.11, 2.4.17, 2.3.23
  - Pivotal Greenplum for Kubernetes: 1.2.0