CVE-2019-11745

When encrypting with a block cipher, if a call to NSC_EncryptUpdate was made with data smaller than the block size, a small out of bounds write could occur. This could have caused heap corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 68.3, Firefox ESR < 68.3, and Firefox < 71.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
firefox	19.10 eoan	Fixed 71.0+build5-0ubuntu0.19.10.1
	19.04 disco	Fixed 71.0+build5-0ubuntu0.19.04.1
	18.04 LTS bionic	Fixed 71.0+build5-0ubuntu0.18.04.1
	16.04 LTS xenial	Fixed 71.0+build5-0ubuntu0.16.04.1
	14.04 LTS trusty	Not in release
nss	19.10 eoan	Fixed 2:3.45-1ubuntu2.1
	19.04 disco	Fixed 2:3.42-1ubuntu2.3
	18.04 LTS bionic	Fixed 2:3.35-2ubuntu2.5
	16.04 LTS xenial	Fixed 2:3.28.4-0ubuntu0.16.04.8
	14.04 LTS trusty	Fixed 2:3.28.4-0ubuntu0.14.04.5+esm2 Ubuntu Pro
thunderbird	19.10 eoan	Fixed 1:68.4.1+build1-0ubuntu0.19.10.1
	19.04 disco	Ignored end of life
	18.04 LTS bionic	Fixed 1:68.4.1+build1-0ubuntu0.18.04.1
	16.04 LTS xenial	Fixed 1:68.7.0+build1-0ubuntu0.16.04.2
	14.04 LTS trusty	Not in release

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
nss	Upstream: https://hg.mozilla.org/projects/nss/rev/1e22a0c93afe9f46545560c86caedef9dab6cfda Upstream: https://hg.mozilla.org/projects/nss/rev/60bca7c6dc6dc44579b9b3e0fb62ca3b82d92eec Upstream: https://hg.mozilla.org/projects/nss/rev/4c20de402b3901df0cde590a46be2ba49adc028e

Severity score breakdown

Parameter	Value
Base score	8.8 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-4216-2
Firefox vulnerabilities
13 December 2019

USN-4216-1
Firefox vulnerabilities
9 December 2019

USN-4335-1
Thunderbird vulnerabilities
21 April 2020

USN-4241-1
Thunderbird vulnerabilities
16 January 2020

USN-4203-1
NSS vulnerability
27 November 2019

USN-4203-2
NSS vulnerability
27 November 2019