This bug was fixed in the package nss - 2:3.68.2-0ubuntu1

---------------
nss (2:3.68.2-0ubuntu1) jammy; urgency=medium

  * New upstream release. (LP: #1959126)
  * d/p/CVE-2021-43527.patch: drop patch applied upstream.
    [ Fixed in 3.68.1 ]

 -- Athos Ribeiro <athos.ribe...@canonical.com>  Mon, 21 Feb 2022 14:55:42 -0300

** Changed in: nss (Ubuntu)
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1959126

Title:
  Consider update to 3.68.2

Status in nss package in Ubuntu:
  Fix Released

Bug description:
  Debian is shipping nss 3.73.1, but that is not an ESR release. Ubuntu
  is on 3.68, which is ESR, but two releases behind: upstream has 3.68.2.

  Here are upstream's release notes:

  3.68.1: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/jFIuiWbCphk
  Changes:
  - Bug 1735028 - check for missing signedData field.
  - Bug 1737470 - Ensure DER encoded signatures are within size limits.

  3.68.2: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uGRwqw6Ove8
  Change:
  - Bug 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation

  Our 3.68 package has a patch for CVE-2021-43527. It's unclear if any
  of the above changes is that CVE. The most promising one was bug
  1737470, but the bug is private.

  The request here is to investigate if our patched 3.68 has one or more
  of the fixes in the above point releases, and if it would be worth it
  to go to 3.68.2.

  I think we should not go to 3.7x. Ubuntu has been on 3.68 since
  impish.