RHSA-2021:0876: Red Hat Security Advisory: nss and nss-softokn security update

An update for nss and nss-softokn is now available for Red Hat Enterprise Linux 7.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. Security Fix(es):

• nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)
• nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)
• nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS (CVE-2019-17007)
• nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Related CVEs:
• CVE-2019-11756: nss: Use-after-free in sftk_FreeSession due to improper refcounting
• CVE-2019-17006: nss: Check length of inputs for cryptographic primitives
• CVE-2019-17007: nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS
• CVE-2020-12403: nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read