[Touch-packages] [Bug 1959126] Re: Consider update to 3.68.2

2022-02-24 Thread Launchpad Bug Tracker
This bug was fixed in the package nss - 2:3.68.2-0ubuntu1

---
nss (2:3.68.2-0ubuntu1) jammy; urgency=medium

  * New upstream release. (LP: #1959126)
  * d/p/CVE-2021-43527.patch: drop patch applied upstream.
    [ Fixed in 3.68.1 ]

 -- Athos Ribeiro  Mon, 21 Feb 2022 14:55:42 -0300

** Changed in: nss (Ubuntu)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1959126

Title:
  Consider update to 3.68.2

Status in nss package in Ubuntu:
  Fix Released

Bug description:
  Debian is shipping nss 3.73.1, but that is not an ESR release. Ubuntu
  is on 3.68, which is ESR, but two releases behind: upstream has
  3.68.2.

  Here are upstream's release notes:
  3.68.1: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/jFIuiWbCphk
  Changes:
   - Bug 1735028 - check for missing signedData field.
   - Bug 1737470 - Ensure DER encoded signatures are within size limits.

  3.68.2: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uGRwqw6Ove8
  Change:
   - Bug 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation

  Our 3.68 package has a patch for CVE-2021-43527. It's unclear if any
  of the above changes is that CVE. The most promising one was bug
  1737470, but the bug is private.

  The request here is to investigate if our patched 3.68 has one or more
  of the fixes in the above point releases, and if it would be worth it
  to go to 3.68.2. I think we should not go to 3.7x.

  Ubuntu has been on 3.68 since impish.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1959126/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1959126] Re: Consider update to 3.68.2

2022-02-23 Thread Christian Ehrhardt 
** Tags removed: server-todo
** Tags added: server-next

Status in nss package in Ubuntu:
  In Progress



[Touch-packages] [Bug 1959126] Re: Consider update to 3.68.2

2022-02-21 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~athos-ribeiro/ubuntu/+source/nss/+git/nss/+merge/415883

Status in nss package in Ubuntu:
  In Progress



[Touch-packages] [Bug 1959126] Re: Consider update to 3.68.2

2022-02-16 Thread Athos Ribeiro
Bug 1737470 fix introduced
https://hg.mozilla.org/projects/nss/rev/dea71cbef9e03636f37c6cb120f8deccce6e17dd,
which is the patch applied as debian/patches/CVE-2021-43527.patch in the
current jammy package to fix CVE-2021-43527.

While Bug 1735028 is also private, its fix is not included in our
current patches.

Finally, SHA-2 support for mozilla::pkix's OCSP implementation is also
not present in our delta
(https://bugzilla.mozilla.org/show_bug.cgi?id=966856), meaning that
going for the update would include support for SHA-2 hashes in CertIDs in
OCSP responses.



** Bug watch added: Mozilla Bugzilla #966856
   https://bugzilla.mozilla.org/show_bug.cgi?id=966856

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-43527

Status in nss package in Ubuntu:
  In Progress



[Touch-packages] [Bug 1959126] Re: Consider update to 3.68.2

2022-02-16 Thread Athos Ribeiro
** Changed in: nss (Ubuntu)
   Status: New => In Progress

Status in nss package in Ubuntu:
  In Progress



[Touch-packages] [Bug 1959126] Re: Consider update to 3.68.2

2022-02-02 Thread Christian Ehrhardt 
** Changed in: nss (Ubuntu)
 Assignee: (unassigned) => Athos Ribeiro (athos-ribeiro)

Status in nss package in Ubuntu:
  New
