CVE-2024-7531/nss for debian/bullseye LTS

To: debian-lts@lists.debian.org
Subject: CVE-2024-7531/nss for debian/bullseye LTS
From: Arturo Borrero Gonzalez <arturo.bg@arturo.bg>
Date: Sat, 12 Oct 2024 13:08:55 +0200
Message-id: <[🔎] 859cd208-44b9-4b7f-a5e0-8c3f2647786e@arturo.bg>

Hi there,

this email is to propose we mark the nss package in debian bullseye as notaffected by CVE-2024-7531 [0].

The upstream patch is clearly identified [1], but debian/bullseye [2] justdoesn't contain the affected code.


We did a similar thing for debian/{jessie,stretch,buster} already [3].

Please let me know.

regards.

[0] https://deb.freexian.com/extended-lts/tracker/CVE-2024-7531
[1] https://hg.mozilla.org/projects/nss/rev/525c5044cc9e53f5015c697b04b1405df91003ac

[2]https://salsa.debian.org/lts-team/packages/nss/-/blob/debian/bullseye/nss/lib/freebl/chacha20poly1305.c[3]https://salsa.debian.org/freexian-team/extended-lts/security-tracker/-/commit/63a2644df9b5a350d6976c5ba571a535c931fd14

Reply to:

Follow-Ups:
- Re: CVE-2024-7531/nss for debian/bullseye LTS
  - From: Santiago Ruano Rincón <santiagorr@riseup.net>

Prev by Date: Ticket Received - [SECURITY] [DLA 3916-1] thunderbird security update
Next by Date: Re: Question about risk of regression for git
Previous by thread: Ticket Received - [SECURITY] [DLA 3916-1] thunderbird security update
Next by thread: Re: CVE-2024-7531/nss for debian/bullseye LTS
Index(es):
- Date
- Thread