USN-4060-1: NSS vulnerabilities


Severity

Medium

Vendor

Canonical Ubuntu

Description

Henry Corrigan-Gibbs discovered that NSS incorrectly handled importing certain curve25519 private keys. An attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly obtain sensitive information. (CVE-2019-11719)

Hubert Kario discovered that NSS incorrectly handled PKCS#1 v1.5 signatures when using TLSv1.3. An attacker could possibly use this issue to trick NSS into using PKCS#1 v1.5 signatures, contrary to expectations. This issue only applied to Ubuntu 19.04. (CVE-2019-11727)

Jonas Allmann discovered that NSS incorrectly handled certain p256-ECDH public keys. An attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service. (CVE-2019-11729)

CVEs contained in this USN include: CVE-2019-11719, CVE-2019-11727, CVE-2019-11729

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal Operations Manager is vulnerable in the following releases:
    • 2.6.x versions prior to 2.6.5
    • 2.5.x versions prior to 2.5.11
    • 2.4.x versions prior to 2.4.17
    • 2.3.x versions prior to 2.3.23
  • Pivotal Greenplum for Kubernetes is vulnerable in the following releases:
    • All versions prior to 1.2.0

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Pivotal Operations Manager: 2.6.5, 2.5.11, 2.4.17, 2.3.23
    • Pivotal Greenplum for Kubernetes: 1.2.0