ALAS-2021-1518

Affecting nss package, versions <3.53.1-7.85.amzn1

medium severity

NVD Description

Note: Versions mentioned in the description apply to the upstream nss package. See Remediation section below for Amazon-Linux:2018.03 relevant versions.

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:

CVE-2020-25648: A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability.

1887319: CVE-2020-25648 nss: TLS 1.3 CCS flood remote DoS Attack

Remediation

Upgrade Amazon-Linux:2018.03 nss to version 3.53.1-7.85.amzn1 or higher.

References

CVE: ALAS-2021-1518
Snyk ID: SNYK-AMZN201803-NSS-1316612
Published: 13 Jul, 2021