Hi,

On 24/10/24 at 10:55, Arturo Borrero Gonzalez wrote:
> Hi,
>
> On 10/23/24 23:48, Santiago Ruano Rincón wrote:
> > I added the reference to the commit that introduced the vulnerability
> > after you committed it to the elts security tracker.
>
> I have no recollection of this.

Given we are not sure about the commit reference that introduced the vulnerability, I have removed it from the security tracker data.

I am not subscribed to dev-tech-crypto, and I don't have access to https://bugzilla.mozilla.org/show_bug.cgi?id=1905691. Even if the bug reference found at https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/#CVE-2024-7531 matches the data from https://hg.mozilla.org/projects/nss/rev/525c5044cc9e53f5015c697b04b1405df91003ac, I would feel more comfortable if upstream confirmed that the commit ^ above fixes the vulnerability. Arturo, could you please ask upstream to confirm that reference is correct?

> In any case, upstream confirmed [0] the vulnerability was introduced in nss
> 3.72.

In this case, I think it is safe if you mark

[bullseye] - nss <not-affected> (Vulnerable code introduced in 3.72)

And it is also good if you include [0] as a NOTE for future reference.

> So CVE-2024-7531/nss does not affect debian bullseye LTS.
>
> regards.
>
> [0]
> https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/h3Q2S0n2vTg/m/abQtMoYYAgAJ

TIA,

-- Santiago