Ubuntu
nss package

Consider update to 3.68.2

Bug #1959126 reported by Andreas Hasenack
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nss (Ubuntu)
Fix Released
Undecided
Athos Ribeiro

Bug Description

Debian is shipping nss 3.73.1, but that is not an ESR release. Ubuntu is on 3.68, which is ESR, but two releases behind: upstream has 3.68.2.

Here are upstream's release notes:
3.68.1: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/jFIuiWbCphk
Changes:
 - Bug 1735028 - check for missing signedData field.
 - Bug 1737470 - Ensure DER encoded signatures are within size limits.

3.68.2: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uGRwqw6Ove8
Change:
   - Bug 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation

Our 3.68 package has a patch for CVE-2021-43527. It's unclear if any of the above changes is that CVE. The most promising one was bug 1737470, but the bug is private.

The request here is to investigate if our patched 3.68 has one or more of the fixes in the above point releases, and if it would be worth it to go to 3.68.2. I think we should not go to 3.7x.

Ubuntu has been on 3.68 since impish.

Tags: server-next

Related branches

~athos-ribeiro/ubuntu/+source/nss:lp1959126-upstream-3.68.2
Lucas Kanashiro (community): Approve
Canonical Server: Pending requested
Diff: 1147 lines (+350/-421)
16 files modified
debian/changelog (+8/-0)
debian/patches/series (+0/-1)
dev/null (+0/-282)
nss/.hg_archival.txt (+3/-3)
nss/gtests/certdb_gtest/decode_certs_unittest.cc (+13/-0)
nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp (+71/-1)
nss/lib/cryptohi/secvfy.c (+121/-71)
nss/lib/mozpkix/include/pkix-test/pkixtestutil.h (+8/-0)
nss/lib/mozpkix/include/pkix/pkixutil.h (+14/-0)
nss/lib/mozpkix/lib/pkixocsp.cpp (+55/-37)
nss/lib/mozpkix/lib/pkixverify.cpp (+1/-8)
nss/lib/mozpkix/test-lib/pkixtestutil.cpp (+45/-12)
nss/lib/nss/nss.h (+2/-2)
nss/lib/pkcs7/certread.c (+5/-0)
nss/lib/softoken/softkver.h (+2/-2)
nss/lib/util/nssutil.h (+2/-2)

CVE References

Christian Ehrhardt  (paelzer)
Changed in nss (Ubuntu):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Athos Ribeiro (athos-ribeiro)
Changed in nss (Ubuntu):
status: New → In Progress
Revision history for this message
Athos Ribeiro (athos-ribeiro) wrote :

Bug 1737470 fix introduced https://hg.mozilla.org/projects/nss/rev/dea71cbef9e03636f37c6cb120f8deccce6e17dd, which is the patch applied as debian/patches/CVE-2021-43527.patch in the current jammy package to fix CVE-2021-43527.

While Bug 1735028 is also private, its fix is not included in our current patches.

Finally, SHA-2 support to mozilla::pkix's OCSP implementation is also not present in our delta (https://bugzilla.mozilla.org/show_bug.cgi?id=966856). Meaning that going for the update would include support to SHA-2 hashes in CertIDs in OCSP responses.

Christian Ehrhardt  (paelzer)
tags: added: server-next
removed: server-todo
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 2:3.68.2-0ubuntu1

---------------
nss (2:3.68.2-0ubuntu1) jammy; urgency=medium

  * New upstream release. (LP: #1959126)
  * d/p/CVE-2021-43527.patch: drop patch applied upstream.
    [ Fixed in 3.68.1 ]

 -- Athos Ribeiro <email address hidden> Mon, 21 Feb 2022 14:55:42 -0300

Changed in nss (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.