When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure.

External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719
Acknowledgments:
Name: the Mozilla project
Upstream: Henry Corrigan-Gibbs
Statement: Firefox on Red Hat Enterprise Linux is built against the system nss library.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:1951 https://access.redhat.com/errata/RHSA-2019:1951
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11719
This vulnerability is out of security support scope for the following product:
* Red Hat Enterprise Application Platform 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
The library nss-altfiles does not share any import and/or certificate code with nss.
* nss-altfiles only reads information from files in the same format as /etc/passwd and /etc/group.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:4076 https://access.redhat.com/errata/RHSA-2020:4076