
Vulnerability of Mozilla NSS: information disclosure via Timing Side-channel Resistance

Synthesis of the vulnerability 

An attacker can bypass access restrictions to data via Timing Side-channel Resistance of Mozilla NSS, in order to obtain sensitive information.
Vulnerable products: Debian, Fedora, Firefox, NSS, SeaMonkey, Thunderbird, openSUSE, openSUSE Leap, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this weakness: 1/4.
Creation date: 16/11/2016.
References of this bulletin: CVE-2016-9074, DLA-730-1, DLA-752-1, DLA-759-1, DSA-3716-1, DSA-3730-1, FEDORA-2016-5bf1a34211, FEDORA-2016-e39b7c826b, MFSA-2016-89, MFSA-2016-93, openSUSE-SU-2016:2861-1, openSUSE-SU-2016:3011-1, SSA:2016-323-01, SUSE-SU-2016:3014-1, SUSE-SU-2016:3080-1, SUSE-SU-2016:3105-1, USN-3163-1, VIGILANCE-VUL-21126.

Description of the vulnerability 

An attacker can bypass access restrictions to data via Timing Side-channel Resistance of Mozilla NSS, in order to obtain sensitive information.

This weakness note impacts software or systems such as Debian, Fedora, Firefox, NSS, SeaMonkey, Thunderbird, openSUSE, openSUSE Leap, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this threat note is low.

The trust level is "confirmed by the editor", and the origin of the attack is "internet client".

An attacker with expert ability can exploit this computer weakness.

Solutions for this threat 

Mozilla NSS: version 3.26.1.
The version 3.26.1 is fixed:
  http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/

Mozilla Firefox: version 50.
The version 50 is fixed:
  http://www.mozilla.org/firefox/

Thunderbird: version 45.5.
The version 45.5 is fixed:
  https://www.mozilla.org/fr/thunderbird/

Debian 7: new nss packages.
New packages are available:
  Debian 7: nss 2:3.26-1+debu7u2

Debian: new firefox-esr packages.
New packages are available:
  Debian 7: firefox-esr 45.5.1esr-1~deb7u1
  Debian 8: firefox-esr 45.5.0esr-1~deb8u1

Debian: new icedove packages.
New packages are available:
  Debian 8: icedove 1:45.5.1-1~deb8u1
  Debian 7: icedove 45.5.1-1~deb7u1

Fedora: new firefox packages.
New packages are available:
  Fedora 23: firefox 50.0-1.fc23
  Fedora 24: firefox 50.0-1.fc24

Mozilla SeaMonkey: version 2.46.
The version 2.46 is fixed:
  http://www.seamonkey-project.org/releases/

openSUSE 13.1: new MozillaFirefox / MozillaThunderbird packages.
New packages are available:
  openSUSE 13.1: MozillaFirefox 50.0.2-131.1, MozillaThunderbird 45.5.1-70.92.1, mozilla-nss 3.26.2-94.1

openSUSE: new MozillaFirefox packages.
New packages are available:
  openSUSE 13.2: mozilla-nss 3.26.2-49.1, MozillaFirefox 50.0-88.1
  openSUSE Leap 42.1: mozilla-nss 3.26.2-32.1, MozillaFirefox 50.0-39.1
  openSUSE Leap 42.2: mozilla-nss 3.26.2-32.1, MozillaFirefox 50.0-39.2

Slackware: new mozilla-firefox packages.
New packages are available:
  Slackware 14.1: mozilla-firefox 45.5.0esr-*-1_slack14.1
  Slackware 14.2: mozilla-firefox 45.5.0esr-*-1_slack14.2

SUSE LE 11: new MozillaFirefox packages.
New packages are available:
  SUSE LE 11 SP3: MozillaFirefox 45.5.1esr-59.1, mozilla-nss 3.21.3-39.1
  SUSE LE 11 SP4: MozillaFirefox 45.5.1esr-59.1, mozilla-nss 3.21.3-39.1
  SUSE LE 11 SP2: MozillaFirefox 45.5.1esr-63.1, mozilla-nss 3.21.3-30.1

SUSE LE 12: new MozillaFirefox packages (06/12/2016).
New packages are available:
  SUSE LE 12 RTM: MozillaFirefox 45.5.0esr-88.1, mozilla-nss 3.21.3-50.1
  SUSE LE 12 SP1: MozillaFirefox 45.5.0esr-88.1, mozilla-nss 3.21.3-50.1
  SUSE LE 12 SP2: MozillaFirefox 45.5.0esr-88.1, mozilla-nss 3.21.3-50.1

Ubuntu: new libnss3 packages.
New packages are available:
  Ubuntu 16.10: libnss3 2:3.26.2-0ubuntu0.16.10.1
  Ubuntu 16.04 LTS: libnss3 2:3.26.2-0ubuntu0.16.04.2
  Ubuntu 14.04 LTS: libnss3 2:3.26.2-0ubuntu0.14.04.3
  Ubuntu 12.04 LTS: libnss3 2:3.26.2-0ubuntu0.12.04.1