nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS) (CVE-2021-43527)

dushyantk.sun
Posts: 1
Joined: 2021/12/01 21:58:51

Post by dushyantk.sun » 2021/12/07 00:03:37

Hello Team,

We have CentOS 7.x running in our environment and recently the security team found the "nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS) (CVE-2021-43527)" vulnerability for CentOS 7.x.

When we checked for an updated version of the nss rpm, we could not find one in the CentOS repos.

Hence we would like to know if there is any plan to release the latest version of nss.
I see Red Hat has already released the latest version of nss to mitigate the vulnerability.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS) (CVE-2021-43527)

Post by TrevorH » 2021/12/07 01:01:48

The fixes were pushed to the mirror network this morning and I'd guess they should be just about everywhere by now. Try running yum clean all, then follow that with an update and you should find them. If you run your own local mirror then you might need to kick that to have it catch up.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

felipe.aguiar2
Posts: 1
Joined: 2021/12/07 12:53:49

Re: nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS) (CVE-2021-43527)

Post by felipe.aguiar2 » 2021/12/07 13:14:11

Is the fix for CVE-2021-43527 the update of package nss.x86_64 to version 3.67.0-4.el7_9?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS) (CVE-2021-43527)

Post by TrevorH » 2021/12/07 17:01:55

[root@centos7 ~]# rpm -q --changelog nss | less
* Thu Nov 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
- fix CVE-2021-43527
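A check an administrator can run to tell whether the installed nss build is at or above the one whose changelog carries the fix, as an added example that is not from the thread. It assumes the fixed build nss-3.67.0-4.el7_9 quoted above is the minimum fixed version-release, and the `nss-<version>-<release>.<arch>` form that `rpm -q nss` prints.

```shell
#!/bin/sh
# Added example, not from the thread: report whether the installed CentOS 7
# nss build is at or above the one whose changelog says "fix CVE-2021-43527".
# Fixed build taken from the thread: nss-3.67.0-4.el7_9 (assumed to be the
# minimum fixed NVR; confirm against the vendor advisory for your release).
FIXED_VER="3.67.0"
FIXED_REL="4.el7_9"

# Compare two dotted strings field by field, numerically; prints -1, 0 or 1.
# Non-numeric fields such as "el7_9" count as 0, which is enough here.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$ah" = "$a" ] && a="" || a="${a#*.}"
        [ "$bh" = "$b" ] && b="" || b="${b#*.}"
        case "$ah" in ''|*[!0-9]*) ah=0 ;; esac
        case "$bh" in ''|*[!0-9]*) bh=0 ;; esac
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Takes one line of `rpm -q nss` output, e.g. "nss-3.67.0-4.el7_9.x86_64".
# Returns 0 when version-release is >= the fixed build, 1 otherwise.
nss_has_fix() {
    nvr="${1#nss-}"          # 3.67.0-4.el7_9.x86_64
    ver="${nvr%%-*}"         # 3.67.0
    rel="${nvr#*-}"          # 4.el7_9.x86_64
    rel="${rel%.*}"          # 4.el7_9  (architecture dropped)
    case "$(vercmp "$ver" "$FIXED_VER")" in
        1)  return 0 ;;
        -1) return 1 ;;
    esac
    [ "$(vercmp "$rel" "$FIXED_REL")" -ge 0 ]
}

# Live check on a host that has rpm; each installed arch is reported.
if command -v rpm >/dev/null 2>&1; then
    rpm -q nss 2>/dev/null | while read -r pkg; do
        case "$pkg" in
            nss-*) if nss_has_fix "$pkg"; then printf '%s: fixed\n' "$pkg"
                   else printf '%s: NOT fixed, run yum update nss\n' "$pkg"; fi ;;
        esac
    done
fi
```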
