Hi there,
I am exploring how to fix CVE-2023-6125 in the nss package (version 3.42.1) in
Debian Buster.
There is a note from a Debian colleague saying that we should wait until you have
backported the fix to the 3.90 series, but scanning your releases did not
immediately show me where (if anywhere) I can find a patch that I could cherry
pick for 3.42.1.
My colleague also tried to manually backport the published patches for nss Debian
version 3.42.1; find them here:
* part 1
https://salsa.debian.org/lts-team/packages/nss/-/blob/debian/buster/debian/patches/CVE-2023-6135-part1.patch?ref_type=heads
* part 2
https://salsa.debian.org/lts-team/packages/nss/-/blob/debian/buster/debian/patches/CVE-2023-6135-part2.patch?ref_type=heads
But I would like to be cautious before shipping them, given how sensitive the
matter is.
Do you have any advice on how to move forward with this?
If the answer is 'forget about CVE-2023-6125 for such an old nss version',
then I guess that's also a valid answer. Maybe I could try to backport an nss
ESR version into older Debian versions, if you have any ESR version with
CVE-2023-6125 fixed.
thanks, regards.