{"id":"USN-3163-1","summary":"nss vulnerabilities","details":"It was discovered that NSS incorrectly handled certain invalid\nDiffie-Hellman keys. A remote attacker could possibly use this flaw to\ncause NSS to crash, resulting in a denial of service. This issue only\napplied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-5285)\n\nHubert Kario discovered that NSS incorrectly handled Diffie Hellman client\nkey exchanges. A remote attacker could possibly use this flaw to perform a\nsmall subgroup confinement attack and recover private keys. This issue only\napplied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.\n(CVE-2016-8635)\n\nFranziskus Kiefer discovered that NSS incorrectly mitigated certain timing\nside-channel attacks. A remote attacker could possibly use this flaw to\nrecover private keys. (CVE-2016-9074)\n\nThis update refreshes the NSS package to version 3.26.2 which includes\nthe latest CA certificate bundle.\n","modified":"2026-04-22T09:30:52.923250Z","published":"2017-01-04T16:32:54Z","related":["UBUNTU-CVE-2016-5285","UBUNTU-CVE-2016-8635","UBUNTU-CVE-2016-9074"],"upstream":["CVE-2016-5285","CVE-2016-8635","CVE-2016-9074","UBUNTU-CVE-2016-5285","UBUNTU-CVE-2016-8635","UBUNTU-CVE-2016-9074"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3163-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-5285"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-8635"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-9074"}],"affected":[{"package":{"name":"nss","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/nss@2:3.26.2-0ubuntu0.14.04.3?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:3.26.2-0ubuntu0.14.04.3"}]}],"versions":["2:3.15.1-1ubuntu1","2:3.15.2-1","2:3.15.3-1","2:3.15.3.1-1","2:3.15.3.1-1.1","2:3.15.3.1-1.1ubuntu1","2:3.15.4-1ubuntu3","2:3.15.4-1ubuntu4","2:3.15.4-1ubuntu5","2:3.15.4-1ubuntu6","2:3.15.4-1ubuntu7","2:3.15.4-1ubuntu7.1","2:3.17-0ubuntu0.14.04.1","2:3.17.1-0ubuntu0.14.04.1","2:3.17.1-0ubuntu0.14.04.2","2:3.17.4-0ubuntu0.14.04.1","2:3.19.2-0ubuntu0.14.04.1","2:3.19.2.1-0ubuntu0.14.04.1","2:3.19.2.1-0ubuntu0.14.04.2","2:3.21-0ubuntu0.14.04.1","2:3.21-0ubuntu0.14.04.2","2:3.23-0ubuntu0.14.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"libnss3","binary_version":"2:3.26.2-0ubuntu0.14.04.3"},{"binary_name":"libnss3-1d","binary_version":"2:3.26.2-0ubuntu0.14.04.3"},{"binary_name":"libnss3-nssdb","binary_version":"2:3.26.2-0ubuntu0.14.04.3"},{"binary_name":"libnss3-tools","binary_version":"2:3.26.2-0ubuntu0.14.04.3"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:14.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2016-5285"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2016-8635"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2016-9074"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3163-1.json"}},{"package":{"name":"nss","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/nss@2:3.26.2-0ubuntu0.16.04.2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:3.26.2-0ubuntu0.16.04.2"}]}],"versions":["2:3.19.2-1ubuntu1","2:3.19.2.1-0ubuntu1","2:3.21-1ubuntu2","2:3.21-1ubuntu3","2:3.21-1ubuntu4","2:3.23-0ubuntu0.16.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"libnss3","binary_version":"2:3.26.2-0ubuntu0.16.04.2"},{"binary_name":"libnss3-1d","binary_version":"2:3.26.2-0ubuntu0.16.04.2"},{"binary_name":"libnss3-nssdb","binary_version":"2:3.26.2-0ubuntu0.16.04.2"},{"binary_name":"libnss3-tools","binary_version":"2:3.26.2-0ubuntu0.16.04.2"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:16.04:LTS","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2016-5285"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2016-8635"},{"severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2016-9074"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3163-1.json"}}],"schema_version":"1.7.5"}