Hello Arturo,

On 12/10/24 at 13:08, Arturo Borrero Gonzalez wrote:
> Hi there,
>
> this email is to propose we mark the nss package in debian bullseye as not
> affected by CVE-2024-7531 [0].
>
> The upstream patch is clearly identified [1], but debian/bullseye [2] just
> doesn't contain the affected code.

[snip]

According to the tracker, CVE-2024-7531 was introduced by:
https://hg.mozilla.org/projects/nss/rev/d5deac55f54350d60fd6ae69899ac399fdfcfc72.
That commit was pushed on Mon, 02 Mar 2020 16:28:40 +0000 (2020-03-02), which is prior to the bullseye release. Moreover, I do see the code introduced by that change as part of 2:3.61-1+deb11u3, which relates to HACL* AVX2 support for different crypto algorithms.

Could you please give more details about why you say bullseye doesn't contain the affected code?

Cheers,

-- Santiago