CVE-2020-12399

Published: 26 May 2020

NSS has shown timing differences when performing DSA signatures, which was exploitable and could eventually leak private keys. This vulnerability affects Thunderbird < 68.9.0, Firefox < 77, and Firefox ESR < 68.9.

Priority

Cvss 3 Severity Score

4.4

Score breakdown

Status

Package	Release	Status
thunderbird Launchpad, Ubuntu, Debian	bionic	Released (1:68.10.0+build1-0ubuntu0.18.04.1)
	eoan	Released (1:68.10.0+build1-0ubuntu0.19.10.1)
	focal	Released (1:68.10.0+build1-0ubuntu0.20.04.1)
	trusty	Does not exist
	upstream	Released (68.9.0)
	xenial	Released (1:68.10.0+build1-0ubuntu0.16.04.1)
firefox Launchpad, Ubuntu, Debian	bionic	Released (77.0.1+build1-0ubuntu0.18.04.1)
	eoan	Released (77.0.1+build1-0ubuntu0.19.10.1)
	focal	Released (77.0.1+build1-0ubuntu0.20.04.1)
	trusty	Does not exist
	upstream	Released (77.0)
	xenial	Released (77.0.1+build1-0ubuntu0.16.04.1)
nss Launchpad, Ubuntu, Debian	bionic	Released (2:3.35-2ubuntu2.8)
	eoan	Released (2:3.45-1ubuntu2.3)
	focal	Released (2:3.49.1-1ubuntu1.1)
	trusty	Released (2:3.28.4-0ubuntu0.14.04.5+esm5) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	upstream	Released (3.44.4,3.52.1)
	xenial	Released (2:3.28.4-0ubuntu0.16.04.11)
	Patches: upstream: https://hg.mozilla.org/projects/nss/rev/daa823a4a29bcef0fec33a379ec83857429aea2e

Severity score breakdown

Parameter	Value
Base score	4.4
Attack vector	Local
Attack complexity	High
Privileges required	Low
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›