Activity log for bug #1957929

Date | Who | What changed | Old value | New value | Message
2022-01-14 15:16:53 | Ghada Khalil | bug | | | added bug
2022-01-14 15:17:02 | Ghada Khalil | information type | Public | Public Security |
2022-01-14 15:17:14 | Ghada Khalil | tags | | stx.security |
2022-01-17 17:11:40 | Ghada Khalil | starlingx: assignee | | Joe Slater (jslater0wind) |
2022-01-17 17:11:59 | Ghada Khalil | tags | stx.security | stx.7.0 stx.security |
2022-01-19 18:41:32 | OpenStack Infra | starlingx: status | New | In Progress |
2022-01-19 19:04:30 | Joe Slater | description | (old value below) | (new value below) |

  Old value:

    CVE-2021-43527: nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS)
    Score: CVSSv2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Description: NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.
    Note: This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.
    References:
      http://nvd.nist.gov/vuln/detail/CVE-2021-43527
      https://access.redhat.com/errata/RHSA-2021:4904
      https://access.redhat.com/security/cve/CVE-2021-43527
      https://lists.centos.org/pipermail/centos-announce/2021-December/060972.html
    Required package version:
      nss-3.67.0-4.el7_9.x86_64.rpm
      nss-devel-3.67.0-4.el7_9.x86_64.rpm
      nss-pkcs11-devel-3.67.0-4.el7_9.x86_64.rpm
      nss-sysinit-3.67.0-4.el7_9.x86_64.rpm
    Packages: nss
    Found during January 2022 CVE Scan

  New value:

    CVE-2021-43527: nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS)
    Score: CVSSv2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Description: NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.
    Note: This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.
    References:
      http://nvd.nist.gov/vuln/detail/CVE-2021-43527
      https://access.redhat.com/errata/RHSA-2021:4904
      https://access.redhat.com/security/cve/CVE-2021-43527
      https://lists.centos.org/pipermail/centos-announce/2021-December/060972.html
    Required package version:
      nspr-4.32.0-1.el7_9.x86_64.rpm
      nspr-devel-4.32.0-1.el7_9.x86_64.rpm
      nss-3.67.0-4.el7_9.x86_64.rpm
      nss-devel-3.67.0-4.el7_9.x86_64.rpm
      nss-softokn-3.67.0-3.el7_9.x86_64.rpm
      nss-softokn-devel-3.67.0-3.el7_9.x86_64.rpm
      nss-softokn-freebl-3.67.0-3.el7_9.x86_64.rpm
      nss-softokn-freebl-devel-3.67.0-3.el7_9.x86_64.rpm
      nss-sysinit-3.67.0-4.el7_9.x86_64.rpm
      nss-tools-3.67.0-4.el7_9.x86_64.rpm
      nss-util-3.67.0-1.el7_9.x86_64.rpm
      nss-util-devel-3.67.0-1.el7_9.x86_64.rpm
    Packages: nspr, nss, nss-softokn, nss-softokn, nss-util
    Found during January 2022 CVE Scan

2022-01-19 21:18:04 | OpenStack Infra | starlingx: status | In Progress | Fix Released |
2022-01-19 21:18:05 | OpenStack Infra | cve | | | linked 2021-43527
2022-01-19 21:30:09 | Ghada Khalil | starlingx: importance | Undecided | Medium |