oss-sec mailing list archives

Re: CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 1 Dec 2021 09:11:15 -0800

On 12/1/21 8:43 AM, Dennis Jackson wrote:
> Remediation:
>
> NSS 3.73 [1] and NSS ESR 3.68.1 [2] have been released and contain the
> fix. A patch suitable for backporting is also attached (patch.diff).
>
> Acknowledgements:
>
> This vulnerability was reported to the NSS team by Tavis Ormandy of
> Project Zero.

https://bugs.chromium.org/p/project-zero/issues/detail?id=2237 states that
"It's been 30 days since the initial thunderbird patches have been released".

Is there a corresponding Thunderbird patch/advisory/release distros should be
shipping as well?


--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris

