[SECURITY] [DLA 3937-1] nss security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 3937-1] nss security update
From: Arturo Borrero Gonzalez <pochu27@gmail.com>
Date: Mon, 28 Oct 2024 11:48:34 +0100
Message-id: <[🔎] 20241028104834.67D3C2A01AF@andromeda>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3937-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/              Arturo Borrero Gonzalez
October 27, 2024                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : nss
Version        : 2:3.61-1+deb11u4
CVE ID         : CVE-2024-0743 CVE-2024-6602 CVE-2024-6609

nss - Network Security Service libraries

This is a set of libraries designed to support cross-platform development
of security-enabled client and server applications. It can support SSLv2
and  v4, TLS, PKCS #5, #7, #11, #12, S/MIME, X.509 v3 certificates and
other security standards.

Among other utilities, this package includes:
  * certutil: manages certificate and key databases (cert7.db and key3.db)
  * modutil: manages the database of PKCS11 modules (secmod.db)
  * pk12util: imports/exports keys and certificates between the cert/key
    databases and files in PKCS12 format.
  * shlibsign: creates .chk files for use in FIPS mode.
  * signtool: creates digitally-signed jar archives containing files and/or
    code.
  * ssltap: proxy requests for an SSL server and display the contents of
    the messages exchanged between the client and server.

CVE-2024-0743

    An unchecked return value in TLS handshake code could have caused
    a potentially exploitable crash.

CVE-2024-6602

    A mismatch between allocator and deallocator could have lead to
    memory corruption.

CVE-2024-6609

    When almost out-of-memory an elliptic curve key which was never
    allocated could have been freed again.

For Debian 11 bullseye, these problems have been fixed in version
2:3.61-1+deb11u4.

We recommend that you upgrade your nss packages.

For the detailed security status of nss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nss

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAmcfa/8ACgkQnUbEiOQ2
gwIsnxAAq+ktywBDV2TgoDJGSgF3V27yIPQ+24zaDNM6PmeusD4VO72Y3FlTClwI
aRftIbxkuWv6XsHDasKsEUIWKvNrEQRrn8Slxb4cVoXS2U+NxSLK6PIT7mu2A+8D
EIeDv7ltqfOnNYuwBY/r5NEOtdtVPRTtmOGa6TMgjcJ0gHywLWCxxY/SplAEUHoW
//bPzqgrtCYfUdT4eFyzic9thcFdcA/qu3qirYE9FELk/JRFkk31hkX45oCjIWoa
c7PGDtjs7MCWUfMjADjmhpg6OJ/yd+7IdxVyKyrN6mCKpIFQ4VARxb5ZjnLLThvt
gZLx3vazq8yt29GHezdm7dGrDzPMfRZeQqRUDOfmXi/X5gcd3HyQpOcgTJP2tCnI
az3uub2mW4YMf72C/mAVM+s/ylDVtXrFF/oGlFnJTgCH6LBoHGXR6W9r71Mp6YCc
ZUsI6BYfxl0yOYLZMF3Yn5UN8XKRxRVCvvUx4kmXcFslEH4VMJASDBf6/R3DONwJ
9xb82TFk4L+xUHMx4bQCwcHDhQx05Ic4FSU6pYOUQ3/fSlQnNPLV9LthLogfyFEQ
6k6lR1pixHN8M2GwA6xSg9k04cFeXibtQsPW2v/ioMhmaW9RbUV80n+ZN0Bl8ee2
DWYR7yWDwY04XAtF/bqrdJdU9sLlGNfeqbqt9xkYf1ZiaGTRCbQ=
=FtCt
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3936-1] activemq security update
Next by Date: [SECURITY] [DLA 3938-1] exim4 security update
Previous by thread: [SECURITY] [DLA 3936-1] activemq security update
Next by thread: [SECURITY] [DLA 3938-1] exim4 security update
Index(es):
- Date
- Thread