To save others from potential confusion, the CVE in question is CVE-2023-6135, not 6125.

On Sun, Jun 23, 2024 at 11:55 PM Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> wrote:

> Hi there,
>
> I am exploring how to fix CVE-2023-6125 in the nss package (version 3.42.1) in Debian Buster.
>
> There is a note from a Debian colleague saying that we should wait until you have backported the fix to the 3.90 series, but scanning your releases did not immediately show me where (if any) can I find a patch that I could cherry pick for 3.42.1.
>
> My colleague also tried to manually backport the published patches for nss Debian version 3.42.1, find them here:
>
> * part 1
>   https://salsa.debian.org/lts-team/packages/nss/-/blob/debian/buster/debian/patches/CVE-2023-6135-part1.patch?ref_type=heads
> * part 2
>   https://salsa.debian.org/lts-team/packages/nss/-/blob/debian/buster/debian/patches/CVE-2023-6135-part2.patch?ref_type=heads
>
> But I would like to be cautious before shipping them, given how sensitive the matter is.
>
> Do you have any advice on how to move forward with this?
>
> If the answer is 'forget about CVE-2023-6125 for such an older nss version', then I guess that's also a valid answer. Maybe I could try to backport an nss ESR version into older Debian versions, if you have any ESR version with CVE-2023-6125 fixed.
>
> thanks, regards.
>
> --
> You received this message because you are subscribed to the Google Groups "dev-tech-crypto@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-tech-crypto+unsubscr...@mozilla.org.
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/92cbadfa-0a9e-4f13-a096-0c7b2fe70d62%40gmail.com.