Operating System:

[Debian]

Published:

03 December 2021


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4091
                            nss security update
                              3 December 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           nss
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-43527  

Reference:         ESB-2021.4082
                   ESB-2021.4064

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/12/msg00000.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -----------------------------------------------------------------------
Debian LTS Advisory DLA-2836-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
December 02, 2021                           https://wiki.debian.org/LTS
- - -----------------------------------------------------------------------

Package        : nss
Version        : 2:3.26.2-1.1+deb9u3
CVE ID         : CVE-2021-43527

Tavis Ormandy discovered that nss, the Mozilla Network Security Services
library, is prone to a heap overflow flaw when verifying DSA or RSA-PSS
signatures, which could result in denial of service or potentially the
execution of arbitrary code.

For Debian 9 stretch, this problem has been fixed in version
2:3.26.2-1.1+deb9u3.

We recommend that you upgrade your nss packages.

For the detailed security status of nss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/nss

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----