Bug 29714 - nss new security issue CVE-2021-43527
Summary: nss new security issue CVE-2021-43527
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-12-01 22:24 CET by David Walser
Modified: 2021-12-02 17:50 CET

See Also:
Source RPM: nss-3.72.0-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-12-01 22:24:23 CET
Red Hat has issued an advisory today (December 1):
https://access.redhat.com/errata/RHSA-2021:4903

Upstream announcement and advisory:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/Wm_PgG-4Xas
https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/

The issue is fixed upstream in 3.73 (release notes not available yet):
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/vy9284s8APM
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_73.html

Updated packages uploaded for Mageia 8 and Cauldron.

libnss-static-devel-3.73.0-1.mga8
libnss3-3.73.0-1.mga8
libnss-devel-3.73.0-1.mga8
nss-doc-3.73.0-1.mga8
nss-3.73.0-1.mga8

from nss-3.73.0-1.mga8.src.rpm
Comment 1 Herman Viaene 2021-12-02 16:36:23 CET
MGA8-64 Plasma on Lenovo B50
Installed
lib64nss-static-devel-3.73.0-1.mga8
lib64nss3-3.73.0-1.mga8
lib64nss-devel-3.73.0-1.mga8
nss-doc-3.73.0-1.mga8
nss-3.73.0-1.mga8
No issues.

CC: (none) => herman.viaene

Comment 2 Herman Viaene 2021-12-02 16:53:54 CET
Restarted Firefox after installation
Ref bug 25792 Comment 1 for testing
Firefox seems OK.
Tests as per bug 25792 Comment 1
$ bltest -F
CK_RV: 48.
$ certdb_gtest 
no feedback
$ certdb_gtest -h
This program contains tests written using Google Test. You can use the
following command line flags to control its behavior:

Test Selection:
  --gtest_list_tests
      List the names of all tests instead of running them. The name of
      TEST(Foo, Bar) is "Foo.Bar".
and a load more ......

$ certdb_gtest --gtest_list_tests
no feedback
$ certdb_gtest --gtest_also_run_disabled_tests
no feedback
$ dbtest
dbdir selected is /home/tester8/.netscape

ERROR: Directory "/home/tester8/.netscape" does not exist.
dbtest: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
This is all along the lines of the previous update, so OK for me.

Whiteboard: (none) => MGA8-64-OK

Comment 3 Thomas Andrews 2021-12-02 16:58:15 CET
Validating. Advisory information in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2021-12-02 17:13:46 CET

Keywords: (none) => advisory

Comment 4 Mageia Robot 2021-12-02 17:50:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0534.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

