The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Mozilla NSS: NULL pointer dereference via CERT_DecodeCertPackage

Synthesis of the vulnerability 

An attacker can force a NULL pointer to be dereferenced via CERT_DecodeCertPackage() of Mozilla NSS, in order to trigger a denial of service.
Vulnerable software: Debian, Fedora, NSS, Ubuntu.
Severity of this announcement: 2/4.
Creation date: 22/03/2019.
References for this computer vulnerability: 1798, CVE-2019-17007, DLA-2015-1, DSA-4579-1, FEDORA-2019-481a343318, USN-4215-1, VIGILANCE-VUL-28825.

Description of the vulnerability 

An attacker can force a NULL pointer to be dereferenced via CERT_DecodeCertPackage() of Mozilla NSS, in order to trigger a denial of service.

This computer threat announcement impacts software or systems such as Debian, Fedora, NSS, Ubuntu.

Our Vigil@nce team determined that the severity of this computer vulnerability is medium.

The trust level is "confirmed by the editor", and the origin is "document".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit the vulnerability described in this alert.

Solutions for this threat 

Mozilla NSS: patch for CERT_DecodeCertPackage.
A patch is indicated in information sources.

Debian 10: new nss packages.
New packages are available:
  Debian 10: nss 2:3.42.1-1+deb10u2

Debian 8: new nss packages.
New packages are available:
  Debian 8: nss 2:3.26-1+debu8u8

Fedora: new nss packages.
New packages are available:
  Fedora 30: nss 3.44.0-2.fc30

Ubuntu: new libnss3 packages.
New packages are available:
  Ubuntu 19.04: libnss3 2:3.42-1ubuntu2.4
  Ubuntu 18.04 LTS: libnss3 2:3.35-2ubuntu2.6
  Ubuntu 16.04 LTS: libnss3 2:3.28.4-0ubuntu0.16.04.9
  Ubuntu 14.04 ESM: libnss3 2:3.28.4-0ubuntu0.14.04.5+esm3
  Ubuntu 12.04 ESM: libnss3 2:3.28.4-0ubuntu0.12.04.6