Date: Wed, 1 Dec 2021 18:37:27 +0100
From: Kai Engert <kaie@...x.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS DER-encoded signatures

>> https://bugs.chromium.org/p/project-zero/issues/detail?id=2237 states that
>> "It's been 30 days since the initial thunderbird patches have been released".
>>
>> Is there a corresponding Thunderbird patch/advisory/release distros should be
>> shipping as well?

Thunderbird 91.3.0 had shipped a workaround that should protect against the most risky attack vector (executing the vulnerable code path when importing certificates contained in a received S/MIME message).

The workaround commits are here:
https://hg.mozilla.org/releases/comm-esr91/rev/54507526da82
https://hg.mozilla.org/releases/comm-esr91/rev/bea1eb4e98a3

We intend to add a separate CVE to the corresponding tracking bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1738501
and also amend the release notes of the 91.3.0 release.

In addition, to ensure that potential secondary attack vectors will be protected as well, it is recommended that Thunderbird uses NSS binaries that contain the NSS level patch.

The Thunderbird team will ship NSS 3.68.1 in the upcoming 91.4.0 release.

Kai