Bugzilla – Full Text Bug Listing
| Summary: | VUL-1: CVE-2019-11727: mozilla-nss: A vulnerability exists where it is possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequ | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Charles Robertson <cgrobertson> |
| Status: | RESOLVED UPSTREAM | QA Contact: | Security Team bot <security-team> |
| Severity: | Minor | ||
| Priority: | P4 - Low | CC: | smash_bz, wolfgang |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/237026/ | ||
| Whiteboard: | CVSSv3:SUSE:CVE-2019-11727:5.0:(AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) | ||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | 1152848 | ||
| Bug Blocks: | |||
Description
Marcus Meissner
2019-07-12 13:08:55 UTC
SUSE-RU-2019:2025-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1141322
CVE References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE OpenStack Cloud 8 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE OpenStack Cloud 7 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Server 12-SP5 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Server 12-SP4 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Desktop 12-SP5 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Linux Enterprise Desktop 12-SP4 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Enterprise Storage 5 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE Enterprise Storage 4 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
SUSE CaaS Platform 3.0 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
HPE Helion Openstack 8 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

This is an autogenerated message for OBS integration:
This bug (1141322) was mentioned in
https://build.opensuse.org/request/show/720828 Factory / mozilla-nss

SUSE-RU-2019:2142-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1141322
CVE References:
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): mozilla-nss-3.45-3.19.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): mozilla-nss-3.45-3.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): mozilla-nspr-4.21-3.6.1, mozilla-nss-3.45-3.19.1
SUSE Linux Enterprise Module for Basesystem 15 (src): mozilla-nspr-4.21-3.6.1, mozilla-nss-3.45-3.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-RU-2019:2025-2: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1141322
CVE References:
Sources used:
SUSE Enterprise Storage 5 (src): mozilla-nspr-4.21-19.9.1, mozilla-nss-3.45-58.31.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-RU-2019:1976-1: An update that has one recommended fix can now be installed.
Category: recommended (moderate)
Bug References: 1141322
CVE References:
Sources used:
openSUSE Leap 15.1 (src): mozilla-nspr-4.21-lp151.2.3.1, mozilla-nss-3.45-lp151.2.6.1
openSUSE Leap 15.0 (src): mozilla-nspr-4.21-lp150.7.1, mozilla-nss-3.45-lp150.2.27.1

SUSE-SU-2019:2515-1: An update that fixes 27 vulnerabilities is now available.
Category: security (important)
Bug References: 1140868,1141322,1149296,1149297,1149298,1149299,1149303,1149304,1150939,1152375
CVE References: CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11739,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11755
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src): MozillaThunderbird-68.1.1-3.51.1
SUSE Linux Enterprise Workstation Extension 15 (src): MozillaThunderbird-68.1.1-3.51.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2019:2545-1: An update that fixes 29 vulnerabilities is now available.
Category: security (important)
Bug References: 1109465,1117473,1123482,1124525,1133810,1138688,1140868,1141322,1145665,1149292,1149293,1149294,1149295,1149296,1149297,1149298,1149299,1149302,1149303,1149304,1149323
CVE References: CVE-2019-11710,CVE-2019-11714,CVE-2019-11716,CVE-2019-11718,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-9811,CVE-2019-9812
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): MozillaFirefox-68.1.0-3.54.2
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): MozillaFirefox-68.1.0-3.54.2
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): MozillaFirefox-68.1.0-3.54.2, MozillaFirefox-branding-SLE-68-4.8.5
SUSE Linux Enterprise Module for Desktop Applications 15 (src): MozillaFirefox-68.1.0-3.54.2, MozillaFirefox-branding-SLE-68-4.8.5
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:2249-1: An update that fixes 27 vulnerabilities is now available.
Category: security (important)
Bug References: 1140868,1141322,1149296,1149297,1149298,1149299,1149303,1149304,1150939,1152375
CVE References: CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11739,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11755
Sources used:
openSUSE Leap 15.1 (src): MozillaThunderbird-68.1.1-lp151.2.13.1, enigmail-2.1.2-lp151.2.6.1

openSUSE-SU-2019:2248-1: An update that fixes 27 vulnerabilities is now available.
Category: security (important)
Bug References: 1140868,1141322,1149296,1149297,1149298,1149299,1149303,1149304,1150939,1152375
CVE References: CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11739,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11755
Sources used:
openSUSE Leap 15.0 (src): MozillaThunderbird-68.1.1-lp150.3.51.1, enigmail-2.1.2-lp150.34.1

openSUSE-SU-2019:2251-1: An update that fixes 29 vulnerabilities is now available.
Category: security (important)
Bug References: 1109465,1117473,1123482,1124525,1133810,1138688,1140868,1141322,1145665,1149292,1149293,1149294,1149295,1149296,1149297,1149298,1149299,1149302,1149303,1149304,1149323
CVE References: CVE-2019-11710,CVE-2019-11714,CVE-2019-11716,CVE-2019-11718,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-9811,CVE-2019-9812
Sources used:
openSUSE Leap 15.1 (src): MozillaFirefox-68.1.0-lp151.2.14.1

openSUSE-SU-2019:2260-1: An update that fixes 29 vulnerabilities is now available.
Category: security (important)
Bug References: 1109465,1117473,1123482,1124525,1133810,1138688,1140868,1141322,1145665,1149292,1149293,1149294,1149295,1149296,1149297,1149298,1149299,1149302,1149303,1149304,1149323
CVE References: CVE-2019-11710,CVE-2019-11714,CVE-2019-11716,CVE-2019-11718,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11733,CVE-2019-11735,CVE-2019-11736,CVE-2019-11738,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11747,CVE-2019-11748,CVE-2019-11749,CVE-2019-11750,CVE-2019-11751,CVE-2019-11752,CVE-2019-11753,CVE-2019-9811,CVE-2019-9812
Sources used:
openSUSE Leap 15.0 (src): MozillaFirefox-68.1.0-lp150.3.66.1

SUSE-SU-2019:3395-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1141322,1158527,1159819
CVE References: CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): mozilla-nss-3.47.1-3.22.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): mozilla-nss-3.47.1-3.22.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): mozilla-nspr-4.23-3.9.1, mozilla-nss-3.47.1-3.22.1
SUSE Linux Enterprise Module for Basesystem 15 (src): mozilla-nspr-4.23-3.9.1, mozilla-nss-3.47.1-3.22.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2020:0008-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1141322,1158527,1159819
CVE References: CVE-2018-18508,CVE-2019-11745,CVE-2019-17006
Sources used:
openSUSE Leap 15.1 (src): mozilla-nspr-4.23-lp151.2.6.1, mozilla-nss-3.47.1-lp151.2.9.1

SUSE-SU-2020:0088-1: An update that solves two vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 1141322,1158527,1159819
CVE References: CVE-2019-11745,CVE-2019-17006
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE OpenStack Cloud 8 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE OpenStack Cloud 7 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP5 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP4 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Linux Enterprise Desktop 12-SP4 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE Enterprise Storage 5 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
SUSE CaaS Platform 3.0 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
HPE Helion Openstack 8 (src): mozilla-nspr-4.23-19.12.1, mozilla-nss-3.47.1-58.34.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2020:14418-1: An update that solves 5 vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1141322,1158527,1159819,1168669,1169746,1170908,1171978,1173032
CVE References: CVE-2019-11727,CVE-2019-11745,CVE-2019-17006,CVE-2020-12399,CVE-2020-12402
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): mozilla-nspr-4.25-29.12.2, mozilla-nss-3.53.1-38.23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

A fix was applied in 2019 upstream with NSS 3.45 and Firefox 68 updates. Closing.