Headline
Ubuntu Security Notice USN-5506-1
Ubuntu Security Notice 5506-1 - Tavis Ormandy discovered that NSS incorrectly handled an empty pkcs7 sequence. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 21.10. Ronald Crane discovered that NSS incorrectly handled certain memory operations. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
==========================================================================
Ubuntu Security Notice USN-5506-1
July 07, 2022
nss vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in NSS.
Software Description:
- nss: Network Security Service library
Details:
Tavis Ormandy discovered that NSS incorrectly handled an empty pkcs7
sequence. A remote attacker could possibly use this issue to cause NSS to
crash, resulting in a denial of service. This issue only affected Ubuntu
18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 21.10. (CVE-2022-22747)
Ronald Crane discovered that NSS incorrectly handled certain memory
operations. A remote attacker could use this issue to cause NSS to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2022-34480)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.04 LTS:
libnss3 2:3.68.2-0ubuntu1.1
Ubuntu 21.10:
libnss3 2:3.68-1ubuntu1.2
Ubuntu 20.04 LTS:
libnss3 2:3.49.1-1ubuntu1.8
Ubuntu 18.04 LTS:
libnss3 2:3.35-2ubuntu2.15
After a standard system update you need to restart any applications that
use NSS to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5506-1
CVE-2022-22747, CVE-2022-34480
Package Information:
https://launchpad.net/ubuntu/+source/nss/2:3.68.2-0ubuntu1.1
https://launchpad.net/ubuntu/+source/nss/2:3.68-1ubuntu1.2
https://launchpad.net/ubuntu/+source/nss/2:3.49.1-1ubuntu1.8
https://launchpad.net/ubuntu/+source/nss/2:3.35-2ubuntu2.15
Related news
Ubuntu Security Notice 5872-1 - Tavis Ormandy discovered that NSS incorrectly handled an empty pkcs7 sequence. A remote attacker could possibly use this issue to cause NSS to crash, resulting in a denial of service. Ronald Crane discovered that NSS incorrectly handled certain memory operations. A remote attacker could use this issue to cause NSS to crash, resulting in a denial of service, or possibly execute arbitrary code.
It was possible to construct specific XSLT markup that would be able to bypass an iframe sandbox. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96.
An iframe that was not permitted to run scripts could do so if the user clicked on a <code>javascript:</code> link. This vulnerability affects Firefox < 102, Firefox ESR < 91.11, Thunderbird < 102, and Thunderbird < 91.11.
Gentoo Linux Security Advisory 202208-14 - Multiple vulnerabilities have been found in Mozilla Thunderbird, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0 are affected.
Gentoo Linux Security Advisory 202208-8 - Multiple vulnerabilities have been found in Mozilla Firefox, the worst of which could result in the arbitrary execution of code. Versions less than 91.12.0:esr are affected.