Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <b3684dd2-0215-a119-2301-8c2ad2ef957e@kuix.de>
Date: Wed, 1 Dec 2021 18:37:27 +0100
From: Kai Engert <kaie@...x.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-43527: Heap overflow in NSS when verifying DSA/RSA-PSS
 DER-encoded signatures

>> https://bugs.chromium.org/p/project-zero/issues/detail?id=2237 states that
>> "It's been 30 days since the initial thunderbird patches have been released".
>>
>> Is there a corresponding Thunderbird patch/advisory/release distros should be
>> shipping as well?

Thunderbird 91.3.0 had shipped a workaround, that should protect against 
the most risky attack vector (executing the vulnerable code path when 
importing certificates contained in a received S/MIME message).

The workaround commits are here:
https://hg.mozilla.org/releases/comm-esr91/rev/54507526da82
https://hg.mozilla.org/releases/comm-esr91/rev/bea1eb4e98a3

We intend to add a separate CVE to the corresponding tracking bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1738501
and also amend the release notes of the 91.3.0 release.

In addition, to ensure that potential secondary attack vectors will be 
protected as well, it is recommended that Thunderbird uses NSS binaries 
that contain the NSS level patch. The Thunderbird team will ship NSS 
3.68.1 in the upcoming 91.4.0 release.

Kai

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.