about CVE-2024-7531 for nss 3.61 in Debian Bullseye

Arturo Borrero Gonzalez

Oct 23, 2024, 7:01:26 AM
to dev-tec...@mozilla.org
Hi there,

I'm interested in having a patch for CVE-2024-7531 available for the nss version we have in Debian Bullseye (nss 3.61).

We have some information [0] about the code that introduced the vulnerability [1] and the patch that fixes it [2], but the patch does not apply cleanly to the code in 3.61, and I would kindly ask if you can double check it, and provide a patch that applies directly to that branch.

Please, let me know if you can help with this.

thanks, regards.

John Schanck

Oct 23, 2024, 3:52:57 PM
to Arturo Borrero Gonzalez, dev-tec...@mozilla.org
Hi Arturo, NSS 3.61 is not affected. The bug was introduced in 3.72.

Cheers,
John

Arturo Borrero Gonzalez

Oct 27, 2024, 2:40:21 PM
to dev-tec...@mozilla.org, John Schanck, dev-tec...@mozilla.org
On Wednesday, October 23, 2024 at 21:52:57 UTC+2, John Schanck wrote:
> Hi Arturo, NSS 3.61 is not affected. The bug was introduced in 3.72.

Hi John,

thanks for this information, it is really valuable for us.

Additionally, I would like to double check if this patch [0] is the fix for CVE-2024-7531.
Could you please clarify if that one is correct?

thanks, regards.

John Schanck

Oct 27, 2024, 2:44:26 PM
to Arturo Borrero Gonzalez, dev-tec...@mozilla.org
Yes, that's the patch for CVE-2024-7531.

John