CVE-2013-1620

Publication date 8 February 2013

Last updated 24 July 2024

Ubuntu priority

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nss	12.10 quantal	Fixed 3.14.3-0ubuntu0.12.10.1
	12.04 LTS precise	Fixed 3.14.3-0ubuntu0.12.04.1
	11.10 oneiric	Fixed 3.14.3-0ubuntu0.11.10.1
	10.04 LTS lucid	Fixed 3.14.3-0ubuntu0.10.04.1
	8.04 LTS hardy	Ignored

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-1763-1
NSS vulnerability
14 March 2013

Other references

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://openwall.com/lists/oss-security/2013/02/05/24
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.3_release_notes
https://bugzilla.mozilla.org/show_bug.cgi?id=822365
https://www.cve.org/CVERecord?id=CVE-2013-1620