Re: CVE-2024-7531/nss for debian/bullseye LTS

2024-10-27 Thread Arturo Borrero Gonzalez
On 10/25/24 14:32, Santiago Ruano Rincón wrote: I am not subscribed to dev-tech-crypto, and I don't have access to https://bugzilla.mozilla.org/show_bug.cgi?id=1905691. Even if the bug reference found at https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/#CVE-2024-7531 matches the d

Re: CVE-2024-7531/nss for debian/bullseye LTS

2024-10-25 Thread Santiago Ruano Rincón
Hi, On 24/10/24 at 10:55, Arturo Borrero Gonzalez wrote: > Hi, > > On 10/23/24 23:48, Santiago Ruano Rincón wrote: > > I added the reference to the commit that introduced the vulnerability > > after you committed it to the elts security tracker. > > I have no recollection of this. Given w

Re: CVE-2024-7531/nss for debian/bullseye LTS

2024-10-24 Thread Arturo Borrero Gonzalez
Hi, On 10/23/24 23:48, Santiago Ruano Rincón wrote: I added the reference to the commit that introduced the vulnerability after you committed it to the elts security tracker. I have no recollection of this. In any case, upstream confirmed [0] the vulnerability was introduced in nss 3.72. So

Re: CVE-2024-7531/nss for debian/bullseye LTS

2024-10-23 Thread Santiago Ruano Rincón
On 23/10/24 at 13:03, Arturo Borrero Gonzalez wrote: > Hi, sorry for the late follow up. > > On 10/16/24 00:38, Santiago Ruano Rincón wrote: > > > > Again, you can also ask upstream. They are in a better position to tell > > you if the vulnerability is present in 3.61 or not. > > > > For

Re: CVE-2024-7531/nss for debian/bullseye LTS

2024-10-23 Thread Arturo Borrero Gonzalez
Hi, sorry for the late follow up. On 10/16/24 00:38, Santiago Ruano Rincón wrote: Again, you can also ask upstream. They are in a better position to tell you if the vulnerability is present in 3.61 or not. For the record, I have just now sent an email to upstream: https://groups.google.com/

Re: CVE-2024-7531/nss for debian/bullseye LTS

2024-10-15 Thread Santiago Ruano Rincón
Hello, On 15/10/24 at 23:07, Arturo Borrero Gonzalez wrote: > On 10/15/24 16:58, Santiago Ruano Rincón wrote: > > > > Moreover, I do see the code introduced by that change as part of > > 2:3.61-1+deb11u3, that relate to HACL* AVX2 support for different crypto > > algorithms. Could you please

Re: CVE-2024-7531/nss for debian/bullseye LTS

2024-10-15 Thread Arturo Borrero Gonzalez
On 10/15/24 16:58, Santiago Ruano Rincón wrote: Moreover, I do see the code introduced by that change as part of 2:3.61-1+deb11u3, that relate to HACL* AVX2 support for different crypto algorithms. Could you please give more details about why do you say bullseye doesn't contain the affected code

Re: CVE-2024-7531/nss for debian/bullseye LTS

2024-10-15 Thread Santiago Ruano Rincón
Hello Arturo, On 12/10/24 at 13:08, Arturo Borrero Gonzalez wrote: > Hi there, > > this email is to propose we mark the nss package in debian bullseye as not > affected by CVE-2024-7531 [0]. > > The upstream patch is clearly identified [1], but debian/bullseye [2] just > doesn't contain th