Bug 734986 (CVE-2020-12400, CVE-2020-12401, CVE-2020-12403) - <dev-libs/nss-3.55: Multiple vulnerabilities (CVE-2020-{12400,12401,12403})
Summary: <dev-libs/nss-3.55: Multiple vulnerabilities (CVE-2020-{12400,12401,12403})
Status: RESOLVED FIXED
Alias: CVE-2020-12400, CVE-2020-12401, CVE-2020-12403
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-31 18:54 UTC by David Denoncin
Modified: 2020-08-30 22:58 UTC

See Also:
Package list:
dev-libs/nspr-4.26 dev-libs/nss-3.55
Runtime testing required: ---
nattka: sanity-check+


Attachments

Description David Denoncin 2020-07-31 18:54:16 UTC
* CVE-2020-12400:

Description:
"This is a side channel attack which can be used to extract private keys when ECDSA signatures are being generated. This attack is only feasible when the attacker is local to the machine or in certain cross-VM scenarios where the signature is being generated. Attacks over the network or via the internet are not feasible."

* CVE-2020-12401:

Description:
"A timing attacker against ECDSA signature generation is able to obtain information from the secret nonce by measuring the time an ECDSA signature generation takes."

* CVE-2020-12403:

From upstream:
"Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length".
Comment 1 Agostino Sarubbo gentoo-dev 2020-08-11 14:12:51 UTC
arm stable
Comment 2 Agostino Sarubbo gentoo-dev 2020-08-11 14:14:06 UTC
s390 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-08-11 14:18:14 UTC
sparc stable
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 16:18:07 UTC
arm64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 17:44:40 UTC
x86 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 17:45:40 UTC
amd64 done
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-14 21:06:00 UTC
hppa stable
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2020-08-19 11:10:32 UTC
This issue was resolved and addressed in
 GLSA 202008-08 at https://security.gentoo.org/glsa/202008-08
by GLSA coordinator Sam James (sam_c).
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-19 11:10:52 UTC
Reopening for ppc{,64}.
Comment 10 ernsteiswuerfel archtester 2020-08-21 17:00:14 UTC
Looking good on ppc.

 # cat nspr-734986.report 
USE tests started on Fr 21. Aug 14:50:42 CEST 2020

FEATURES=' test' USE='' succeeded for =dev-libs/nspr-4.26
USE='' succeeded for =dev-libs/nspr-4.26

FEATURES=' test' USE='' succeeded for =dev-libs/nss-3.55
USE='-cacert -utils' succeeded for =dev-libs/nss-3.55
USE='cacert -utils' succeeded for =dev-libs/nss-3.55
USE='-cacert utils' succeeded for =dev-libs/nss-3.55
USE='cacert utils' succeeded for =dev-libs/nss-3.55

revdep tests started on Fr 21. Aug 17:26:29 CEST 2020

FEATURES=' test' USE='' succeeded for dev-libs/volume_key
FEATURES=' test' USE='nsplugin' succeeded for media-video/gxine
merging test dependencies of mail-client/thunderbird failed
FEATURES=' test' USE='nss' succeeded for dev-libs/xmlsec
FEATURES=' test' USE='' succeeded for dev-lang/spidermonkey
FEATURES=' test' USE='ssl' succeeded for dev-util/systemtap
FEATURES=' test' USE='-gnutls' succeeded for net-im/pidgin
merging test dependencies of mail-client/thunderbird failed
FEATURES=' test' USE='nss' succeeded for dev-libs/apr-util
FEATURES=' test' USE='' succeeded for app-arch/rpm
FEATURES=' test' USE='nss' succeeded for dev-libs/xmlsec
FEATURES=' test' USE='' succeeded for sys-auth/libfprint
FEATURES=' test' USE='-gnutls' succeeded for net-im/pidgin
FEATURES=' test' USE='nss' succeeded for net-libs/liboauth
FEATURES=' test' USE='' succeeded for x11-plugins/pidgin-encryption
FEATURES=' test' USE='nss' succeeded for dev-libs/pkcs11-helper
FEATURES=' test' USE='cryptsetup escrow' succeeded for sys-libs/libblockdev
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2020-08-23 08:12:29 UTC
ppc stable thanks to ernsteiswuerfel !
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 22:49:29 UTC
ppc64 done

all arches done
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-30 22:52:50 UTC
Please cleanup.
Comment 14 Larry the Git Cow gentoo-dev 2020-08-30 22:57:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9522aa465f097bca10a2e9ee5c3e2586d3fcd26e

commit 9522aa465f097bca10a2e9ee5c3e2586d3fcd26e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-30 22:56:35 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-30 22:56:35 +0000

    dev-libs/nss: security cleanup
    
    Bug: https://bugs.gentoo.org/734986
    Package-Manager: Portage-3.0.4, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/nss/Manifest                           |   4 -
 dev-libs/nss/files/nss-3.47-gentoo-fixups.patch | 242 ----------------
 dev-libs/nss/nss-3.51.ebuild                    | 357 -----------------------
 dev-libs/nss/nss-3.52.1-r1.ebuild               | 361 ------------------------
 dev-libs/nss/nss-3.53.1.ebuild                  | 351 -----------------------
 dev-libs/nss/nss-3.54-r1.ebuild                 | 351 -----------------------
 6 files changed, 1666 deletions(-)
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-08-30 22:58:22 UTC
Repository is clean, all done.