Public bug reported: Debian is shipping nss 3.73.1, but that is not an ESR release. Ubuntu is on 3.68, which is ESR, but two releases behind: upstream has 3.68.2.
Here are upstream's release notes: 3.68.1: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/jFIuiWbCphk Changes: - Bug 1735028 - check for missing signedData field. - Bug 1737470 - Ensure DER encoded signatures are within size limits. 3.68.2: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uGRwqw6Ove8 Change: - Bug 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation Our 3.68 package has a patch for CVE-2021-43527. It's unclear if any of the above changes is that CVE. The most promising one was bug 1737470, but the bug is private. The request here is to investigate if our patched 3.68 has one or more of the fixes in the above point releases, and if it would be worth it to go to 3.68.2. I think we should not go to 3.7x. Ubuntu has been on 3.68 since impish. ** Affects: nss (Ubuntu) Importance: Undecided Status: New ** Tags: server-todo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1959126 Title: Consider update to 3.68.2 Status in nss package in Ubuntu: New Bug description: Debian is shipping nss 3.73.1, but that is not an ESR release. Ubuntu is on 3.68, which is ESR, but two releases behind: upstream has 3.68.2. Here are upstream's release notes: 3.68.1: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/jFIuiWbCphk Changes: - Bug 1735028 - check for missing signedData field. - Bug 1737470 - Ensure DER encoded signatures are within size limits. 3.68.2: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uGRwqw6Ove8 Change: - Bug 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation Our 3.68 package has a patch for CVE-2021-43527. It's unclear if any of the above changes is that CVE. The most promising one was bug 1737470, but the bug is private. The request here is to investigate if our patched 3.68 has one or more of the fixes in the above point releases, and if it would be worth it to go to 3.68.2. I think we should not go to 3.7x. Ubuntu has been on 3.68 since impish. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1959126/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
