CVE-2023-6135: 
NixOS vulnerability analysis and mitigation

Multiple NSS NIST curves were found to be susceptible to a side-channel attack known as "Minerva", which could potentially allow an attacker to recover the private key. This vulnerability, identified as CVE-2023-6135, was discovered in late 2023 and affects Firefox versions prior to 121.0 (Mozilla Advisory, NVD).

The vulnerability was identified as a timing side-channel attack that could expose information about the private key through observable timing differences during cryptographic operations. Testing revealed a timing difference of approximately 50 nanoseconds, with particularly noticeable effects on P-521 curve implementations. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

The vulnerability could allow an attacker to recover the private key through careful timing analysis of cryptographic operations. This impact is particularly significant as it affects the security of NIST curves used in NSS (Network Security Services), which is a fundamental component of Firefox's security infrastructure (Mozilla Advisory).

The vulnerability has been fixed in Firefox 121.0 and Firefox ESR 115.6.0. Users are advised to upgrade to these or later versions. The fix involved modifications to the NSS implementation of NIST curves to eliminate the timing side-channel (Gentoo Advisory, Mozilla Advisory).