Consider update to 3.68.2
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nss (Ubuntu) | Fix Released | Undecided | Athos Ribeiro |
Bug Description
Debian is shipping nss 3.73.1, but that is not an ESR release. Ubuntu is on 3.68, which is ESR, but two releases behind: upstream has 3.68.2.
Here are upstream's release notes:
3.68.1: https:/
Changes:
- Bug 1735028 - check for missing signedData field.
- Bug 1737470 - Ensure DER encoded signatures are within size limits.
3.68.2: https:/
Change:
- Bug 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation
Our 3.68 package has a patch for CVE-2021-43527. It's unclear if any of the above changes is that CVE. The most promising one was bug 1737470, but the bug is private.
The request here is to investigate if our patched 3.68 has one or more of the fixes in the above point releases, and if it would be worth it to go to 3.68.2. I think we should not go to 3.7x.
Ubuntu has been on 3.68 since impish.
Related branches
- Lucas Kanashiro (community): Approve
- Canonical Server: Pending requested
Diff: 1147 lines (+350/-421), 16 files modified:
debian/changelog (+8/-0)
debian/patches/series (+0/-1)
dev/null (+0/-282)
nss/.hg_archival.txt (+3/-3)
nss/gtests/certdb_gtest/decode_certs_unittest.cc (+13/-0)
nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp (+71/-1)
nss/lib/cryptohi/secvfy.c (+121/-71)
nss/lib/mozpkix/include/pkix-test/pkixtestutil.h (+8/-0)
nss/lib/mozpkix/include/pkix/pkixutil.h (+14/-0)
nss/lib/mozpkix/lib/pkixocsp.cpp (+55/-37)
nss/lib/mozpkix/lib/pkixverify.cpp (+1/-8)
nss/lib/mozpkix/test-lib/pkixtestutil.cpp (+45/-12)
nss/lib/nss/nss.h (+2/-2)
nss/lib/pkcs7/certread.c (+5/-0)
nss/lib/softoken/softkver.h (+2/-2)
nss/lib/util/nssutil.h (+2/-2)
Changed in nss (Ubuntu):
assignee: nobody → Athos Ribeiro (athos-ribeiro)
Changed in nss (Ubuntu):
status: New → In Progress
tags: added: server-next; removed: server-todo
Bug 1737470 fix introduced https://hg.mozilla.org/projects/nss/rev/dea71cbef9e03636f37c6cb120f8deccce6e17dd, which is the patch applied as debian/patches/CVE-2021-43527.patch in the current jammy package to fix CVE-2021-43527.
While Bug 1735028 is also private, its fix is not included in our current patches.
Finally, SHA-2 support for mozilla::pkix's OCSP implementation is also not present in our delta (https://bugzilla.mozilla.org/show_bug.cgi?id=966856). This means that going for the update would add support for SHA-2 hashes in CertIDs in OCSP responses.