CVE-2016-1938
nss - security update
6.5
MEDIUM
CVSS 3.1
EPSS 1.0%
Description
The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.
How to fix CVE-2016-1938
To remediate CVE-2016-1938, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 2:3.21-1 or later
- upgrade to 3.12.8-1+squeeze14 or later
Is CVE-2016-1938 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2:3.21-1
- from 0, < 3.12.8-1+squeeze14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |