CVE-2020-12399

NameCVE-2020-12399
DescriptionForce a fixed length for DSA exponentiation
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4695-1
Debian Bugs961752

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
firefox (PTS)sid77.0-1fixed
firefox-esr (PTS)jessie52.8.1esr-1~deb8u1vulnerable
jessie (security)68.8.0esr-1~deb8u1vulnerable
stretch68.4.1esr-1~deb9u1vulnerable
stretch (security)68.9.0esr-1~deb9u1fixed
buster68.7.0esr-1~deb10u1vulnerable
buster (security)68.9.0esr-1~deb10u1fixed
bullseye68.8.0esr-1vulnerable
sid68.9.0esr-1fixed
nss (PTS)jessie2:3.26-1+debu8u3vulnerable
jessie (security)2:3.26-1+debu8u10vulnerable
stretch (security), stretch2:3.26.2-1.1+deb9u1vulnerable
buster, buster (security)2:3.42.1-1+deb10u2vulnerable
bullseye2:3.49.1-1vulnerable
sid2:3.53-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
firefoxsource(unstable)77.0-1
firefox-esrsource(unstable)68.9.0esr-1
firefox-esrsourcebuster68.9.0esr-1~deb10u1DSA-4695-1
firefox-esrsourcestretch68.9.0esr-1~deb9u1DSA-4695-1
nsssource(unstable)2:3.53-1961752

Notes

https://bugzilla.mozilla.org/show_bug.cgi?id=1631576 (non-public)
Fixed by: https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e
https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/#CVE-2020-12399
https://www.mozilla.org/en-US/security/advisories/mfsa2020-21/#CVE-2020-12399

Search for package or bug name: Reporting problems