ID CVE-2016-1979
Summary Use-after-free vulnerability in the PK11_ImportDERPrivateKeyInfoAndReturnKey function in Mozilla Network Security Services (NSS) before 3.21.1, as used in Mozilla Firefox before 45.0, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted key data with DER encoding.
References
Vulnerable Configurations
  • Mozilla Firefox 44.0.2
    cpe:2.3:a:mozilla:firefox:44.0.2
  • Mozilla Network Security Services 3.21
    cpe:2.3:a:mozilla:network_security_services:3.21
CVSS
Base: 6.8 (as of 24-06-2016 - 18:49)
Impact:
Exploitability:
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
redhat via4
advisories
  • bugzilla
    id 1315565
    title CVE-2016-1978 nss: Use-after-free in NSS during SSL connections in low memory (MFSA 2016-15)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment nspr is earlier than 0:4.11.0-0.1.el6_7
          oval oval:com.redhat.rhsa:tst:20160591005
        • comment nspr is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111444032
      • AND
        • comment nspr-devel is earlier than 0:4.11.0-0.1.el6_7
          oval oval:com.redhat.rhsa:tst:20160591007
        • comment nspr-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111444034
      • AND
        • comment nss-util is earlier than 0:3.21.0-0.3.el6_7
          oval oval:com.redhat.rhsa:tst:20160591009
        • comment nss-util is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862016
      • AND
        • comment nss-util-devel is earlier than 0:3.21.0-0.3.el6_7
          oval oval:com.redhat.rhsa:tst:20160591011
        • comment nss-util-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862018
      • AND
        • comment nss is earlier than 0:3.21.0-0.3.el6_7
          oval oval:com.redhat.rhsa:tst:20160591019
        • comment nss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862006
      • AND
        • comment nss-devel is earlier than 0:3.21.0-0.3.el6_7
          oval oval:com.redhat.rhsa:tst:20160591015
        • comment nss-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862014
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.21.0-0.3.el6_7
          oval oval:com.redhat.rhsa:tst:20160591017
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862010
      • AND
        • comment nss-sysinit is earlier than 0:3.21.0-0.3.el6_7
          oval oval:com.redhat.rhsa:tst:20160591021
        • comment nss-sysinit is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862008
      • AND
        • comment nss-tools is earlier than 0:3.21.0-0.3.el6_7
          oval oval:com.redhat.rhsa:tst:20160591013
        • comment nss-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862012
    rhsa
    id RHSA-2016:0591
    released 2016-04-05
    severity Moderate
    title RHSA-2016:0591: nss, nss-util, and nspr security, bug fix, and enhancement update (Moderate)
  • bugzilla
    id 1315565
    title CVE-2016-1978 nss: Use-after-free in NSS during SSL connections in low memory (MFSA 2016-15)
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment nspr is earlier than 0:4.11.0-1.el5_11
          oval oval:com.redhat.rhsa:tst:20160684004
        • comment nspr is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20081036022
      • AND
        • comment nspr-devel is earlier than 0:4.11.0-1.el5_11
          oval oval:com.redhat.rhsa:tst:20160684002
        • comment nspr-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20081036024
      • AND
        • comment nss is earlier than 0:3.21.0-6.el5_11
          oval oval:com.redhat.rhsa:tst:20160684012
        • comment nss is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080879012
      • AND
        • comment nss-devel is earlier than 0:3.21.0-6.el5_11
          oval oval:com.redhat.rhsa:tst:20160684008
        • comment nss-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080879016
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.21.0-6.el5_11
          oval oval:com.redhat.rhsa:tst:20160684010
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080879014
      • AND
        • comment nss-tools is earlier than 0:3.21.0-6.el5_11
          oval oval:com.redhat.rhsa:tst:20160684006
        • comment nss-tools is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080879018
    rhsa
    id RHSA-2016:0684
    released 2016-04-25
    severity Moderate
    title RHSA-2016:0684: nss and nspr security, bug fix, and enhancement update (Moderate)
  • bugzilla
    id 1315565
    title CVE-2016-1978 nss: Use-after-free in NSS during SSL connections in low memory (MFSA 2016-15)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment nspr is earlier than 0:4.11.0-1.el7_2
          oval oval:com.redhat.rhsa:tst:20160685007
        • comment nspr is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111444032
      • AND
        • comment nspr-devel is earlier than 0:4.11.0-1.el7_2
          oval oval:com.redhat.rhsa:tst:20160685005
        • comment nspr-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111444034
      • AND
        • comment nss-util is earlier than 0:3.21.0-2.2.el7_2
          oval oval:com.redhat.rhsa:tst:20160685011
        • comment nss-util is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862016
      • AND
        • comment nss-util-devel is earlier than 0:3.21.0-2.2.el7_2
          oval oval:com.redhat.rhsa:tst:20160685009
        • comment nss-util-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862018
      • AND
        • comment nss-softokn is earlier than 0:3.16.2.3-14.2.el7_2
          oval oval:com.redhat.rhsa:tst:20160685019
        • comment nss-softokn is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862020
      • AND
        • comment nss-softokn-devel is earlier than 0:3.16.2.3-14.2.el7_2
          oval oval:com.redhat.rhsa:tst:20160685013
        • comment nss-softokn-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862024
      • AND
        • comment nss-softokn-freebl is earlier than 0:3.16.2.3-14.2.el7_2
          oval oval:com.redhat.rhsa:tst:20160685015
        • comment nss-softokn-freebl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862022
      • AND
        • comment nss-softokn-freebl-devel is earlier than 0:3.16.2.3-14.2.el7_2
          oval oval:com.redhat.rhsa:tst:20160685017
        • comment nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131144014
      • AND
        • comment nss is earlier than 0:3.21.0-9.el7_2
          oval oval:com.redhat.rhsa:tst:20160685025
        • comment nss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862006
      • AND
        • comment nss-devel is earlier than 0:3.21.0-9.el7_2
          oval oval:com.redhat.rhsa:tst:20160685029
        • comment nss-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862014
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.21.0-9.el7_2
          oval oval:com.redhat.rhsa:tst:20160685027
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862010
      • AND
        • comment nss-sysinit is earlier than 0:3.21.0-9.el7_2
          oval oval:com.redhat.rhsa:tst:20160685021
        • comment nss-sysinit is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862008
      • AND
        • comment nss-tools is earlier than 0:3.21.0-9.el7_2
          oval oval:com.redhat.rhsa:tst:20160685023
        • comment nss-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100862012
    rhsa
    id RHSA-2016:0685
    released 2016-04-25
    severity Moderate
    title RHSA-2016:0685: nss, nspr, nss-softokn, and nss-util security, bug fix, and enhancement update (Moderate)
rpms
  • nspr-0:4.11.0-0.1.el6_7
  • nspr-devel-0:4.11.0-0.1.el6_7
  • nss-util-0:3.21.0-0.3.el6_7
  • nss-util-devel-0:3.21.0-0.3.el6_7
  • nss-0:3.21.0-0.3.el6_7
  • nss-devel-0:3.21.0-0.3.el6_7
  • nss-pkcs11-devel-0:3.21.0-0.3.el6_7
  • nss-sysinit-0:3.21.0-0.3.el6_7
  • nss-tools-0:3.21.0-0.3.el6_7
  • nspr-0:4.11.0-1.el5_11
  • nspr-devel-0:4.11.0-1.el5_11
  • nss-0:3.21.0-6.el5_11
  • nss-devel-0:3.21.0-6.el5_11
  • nss-pkcs11-devel-0:3.21.0-6.el5_11
  • nss-tools-0:3.21.0-6.el5_11
  • nspr-0:4.11.0-1.el7_2
  • nspr-devel-0:4.11.0-1.el7_2
  • nss-util-0:3.21.0-2.2.el7_2
  • nss-util-devel-0:3.21.0-2.2.el7_2
  • nss-softokn-0:3.16.2.3-14.2.el7_2
  • nss-softokn-devel-0:3.16.2.3-14.2.el7_2
  • nss-softokn-freebl-0:3.16.2.3-14.2.el7_2
  • nss-softokn-freebl-devel-0:3.16.2.3-14.2.el7_2
  • nss-0:3.21.0-9.el7_2
  • nss-devel-0:3.21.0-9.el7_2
  • nss-pkcs11-devel-0:3.21.0-9.el7_2
  • nss-sysinit-0:3.21.0-9.el7_2
  • nss-tools-0:3.21.0-9.el7_2
refmap via4
bid 84221
confirm
debian DSA-3576
gentoo GLSA-201605-06
misc https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21.1_release_notes
sectrack 1035215
suse
  • SUSE-SU-2016:0727
  • SUSE-SU-2016:0777
  • SUSE-SU-2016:0820
  • SUSE-SU-2016:0909
  • openSUSE-SU-2016:0731
  • openSUSE-SU-2016:0733
ubuntu USN-2973-1
Last major update 02-12-2016 - 22:24
Published 13-03-2016 - 14:59
Last modified 08-08-2017 - 21:29