Message ID | 20211202213347.14374-1-peter@korsgaard.com |
---|---|
State | Accepted |
Series | package/libnss: security bump to version 3.73 |
Hi Peter,

> On 2 Dec 2021, at 22:34, Peter Korsgaard <peter@korsgaard.com> wrote:
>
> Fixes the following security issue:
>
> - CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS
>   DER-encoded signatures
>
> For more details, see the advisory:
> https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

You’ve beaten me on time :-)

Reviewed-by: Giulio Benetti <giulio.benetti@benettiengineering.com>

Best regards
Giulio Benetti

> --- > package/libnss/libnss.hash | 4 ++-- > package/libnss/libnss.mk | 2 +- > 2 files changed, 3 insertions(+), 3 deletions(-) > > diff --git a/package/libnss/libnss.hash b/package/libnss/libnss.hash > index 3dc6cb185a..803b234c83 100644 > --- a/package/libnss/libnss.hash > +++ b/package/libnss/libnss.hash > @@ -1,4 +1,4 @@ > -# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_72_RTM/src/SHA256SUMS > -sha256 6ea60a9ff113e493ea2ab25f41ea75a9fbd10af7903f26f703dac8680732d02e nss-3.72.tar.gz > +# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/src/SHA256SUMS > +sha256 566d3a68da9b10d7da9ef84eb4fe182f8f04e20d85c55d1bf360bb2c0096d8e5 nss-3.73.tar.gz > # Locally calculated > sha256 a20c1a32d1f8102432360b42e932869f7c11c7cdbacf9cac554c422132af47f4 nss/COPYING > diff --git a/package/libnss/libnss.mk b/package/libnss/libnss.mk > index 2d880d2336..6504f30d31 100644 > --- a/package/libnss/libnss.mk > +++ b/package/libnss/libnss.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -LIBNSS_VERSION = 3.72 > +LIBNSS_VERSION = 3.73 > LIBNSS_SOURCE = nss-$(LIBNSS_VERSION).tar.gz > LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(subst .,_,$(LIBNSS_VERSION))_RTM/src > LIBNSS_DISTDIR = dist > -- > 2.20.1 >
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Fixes the following security issue:
 > - CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS
 >   DER-encoded signatures

 > For more details, see the advisory:
 > https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 >> Fixes the following security issue:
 >> - CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS
 >>   DER-encoded signatures

 >> For more details, see the advisory:
 >> https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/

 >> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

For 2021.02.x / 2021.08.x I have instead bumped to 3.68.1, which fixes
the same vulnerability.
diff --git a/package/libnss/libnss.hash b/package/libnss/libnss.hash index 3dc6cb185a..803b234c83 100644 --- a/package/libnss/libnss.hash +++ b/package/libnss/libnss.hash @@ -1,4 +1,4 @@ -# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_72_RTM/src/SHA256SUMS -sha256 6ea60a9ff113e493ea2ab25f41ea75a9fbd10af7903f26f703dac8680732d02e nss-3.72.tar.gz +# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/src/SHA256SUMS +sha256 566d3a68da9b10d7da9ef84eb4fe182f8f04e20d85c55d1bf360bb2c0096d8e5 nss-3.73.tar.gz # Locally calculated sha256 a20c1a32d1f8102432360b42e932869f7c11c7cdbacf9cac554c422132af47f4 nss/COPYING diff --git a/package/libnss/libnss.mk b/package/libnss/libnss.mk index 2d880d2336..6504f30d31 100644 --- a/package/libnss/libnss.mk +++ b/package/libnss/libnss.mk @@ -4,7 +4,7 @@ # ################################################################################ -LIBNSS_VERSION = 3.72 +LIBNSS_VERSION = 3.73 LIBNSS_SOURCE = nss-$(LIBNSS_VERSION).tar.gz LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(subst .,_,$(LIBNSS_VERSION))_RTM/src LIBNSS_DISTDIR = dist
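Review bot: In the libnss.hash hunk, the updated "# From" comment points at https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/src/SHA256SUMS, but LIBNSS_SITE in libnss.mk downloads from a different path, https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/.../src. Consider pointing the comment and LIBNSS_SITE at the same directory, so that anyone re-checking the sha256 for nss-3.73.tar.gz compares it against the SHA256SUMS file that sits beside the tarball actually being fetched.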
Fixes the following security issue:

- CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS
  DER-encoded signatures

For more details, see the advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/libnss/libnss.hash | 4 ++--
 package/libnss/libnss.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)