[ALAS2-2024-2419] Amazon Linux 2 2017.12 - ALAS2-2024-2419: medium priority package update for nss-softokn

Severity Medium

Affected Packages 15

CVEs 1

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:
CVE-2023-5388:
It was discovered that the numerical library used in NSS for RSA cryptography leaks information whether high order bits of the RSA decryption result are zero. This information can be used to mount a Bleichenbacher or Manger like attack against all RSA decryption operations. As the leak happens before any padding operations, it affects all padding modes: PKCS#1 v1.5, OAEP, and RSASVP. Both API level calls and TLS server operation are affected.

Package	Affected Version
pkg:rpm/amazonlinux/nss-softokn?arch=x86_64&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn?arch=i686&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn?arch=aarch64&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-freebl?arch=x86_64&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-freebl?arch=i686&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-freebl?arch=aarch64&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-freebl-devel?arch=x86_64&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-freebl-devel?arch=i686&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-freebl-devel?arch=aarch64&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-devel?arch=x86_64&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-devel?arch=i686&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-devel?arch=aarch64&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-debuginfo?arch=x86_64&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-debuginfo?arch=i686&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1
pkg:rpm/amazonlinux/nss-softokn-debuginfo?arch=aarch64&distro=amazonlinux-2	< 3.90.0-6.amzn2.0.1

ID

ALAS2-2024-2419

Severity

medium

URL

https://alas.aws.amazon.com/AL2/ALAS-2024-2419.html

Published

2024-01-19T01:51:00
(8 months ago)

Modified

2024-01-19T01:51:00
(8 months ago)

Rights

Amazon Linux Security Team

Other Advisories

Source	# ID	Name	URL
CVE	CVE-2023-5388		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5388

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch
Affected	pkg:rpm/amazonlinux/nss-softokn?arch=x86_64&distro=amazonlinux-2	amazonlinux	nss-softokn	< 3.90.0-6.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/nss-softokn?arch=i686&distro=amazonlinux-2	amazonlinux	nss-softokn	< 3.90.0-6.amzn2.0.1	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/nss-softokn?arch=aarch64&distro=amazonlinux-2	amazonlinux	nss-softokn	< 3.90.0-6.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/nss-softokn-freebl?arch=x86_64&distro=amazonlinux-2	amazonlinux	nss-softokn-freebl	< 3.90.0-6.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/nss-softokn-freebl?arch=i686&distro=amazonlinux-2	amazonlinux	nss-softokn-freebl	< 3.90.0-6.amzn2.0.1	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/nss-softokn-freebl?arch=aarch64&distro=amazonlinux-2	amazonlinux	nss-softokn-freebl	< 3.90.0-6.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/nss-softokn-freebl-devel?arch=x86_64&distro=amazonlinux-2	amazonlinux	nss-softokn-freebl-devel	< 3.90.0-6.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/nss-softokn-freebl-devel?arch=i686&distro=amazonlinux-2	amazonlinux	nss-softokn-freebl-devel	< 3.90.0-6.amzn2.0.1	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/nss-softokn-freebl-devel?arch=aarch64&distro=amazonlinux-2	amazonlinux	nss-softokn-freebl-devel	< 3.90.0-6.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/nss-softokn-devel?arch=x86_64&distro=amazonlinux-2	amazonlinux	nss-softokn-devel	< 3.90.0-6.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/nss-softokn-devel?arch=i686&distro=amazonlinux-2	amazonlinux	nss-softokn-devel	< 3.90.0-6.amzn2.0.1	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/nss-softokn-devel?arch=aarch64&distro=amazonlinux-2	amazonlinux	nss-softokn-devel	< 3.90.0-6.amzn2.0.1	amazonlinux-2	aarch64
Affected	pkg:rpm/amazonlinux/nss-softokn-debuginfo?arch=x86_64&distro=amazonlinux-2	amazonlinux	nss-softokn-debuginfo	< 3.90.0-6.amzn2.0.1	amazonlinux-2	x86_64
Affected	pkg:rpm/amazonlinux/nss-softokn-debuginfo?arch=i686&distro=amazonlinux-2	amazonlinux	nss-softokn-debuginfo	< 3.90.0-6.amzn2.0.1	amazonlinux-2	i686
Affected	pkg:rpm/amazonlinux/nss-softokn-debuginfo?arch=aarch64&distro=amazonlinux-2	amazonlinux	nss-softokn-debuginfo	< 3.90.0-6.amzn2.0.1	amazonlinux-2	aarch64

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date