From Mozilla's advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/ "Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (NSS). These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a potentially exploitable crash. These issues were fixed in NSS version 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR, respectively, as well as NSS 3.20.1. Google security engineer Ryan Sleevi reported an integer overflow in the Netscape Portable Runtime (NSPR) due to a lack of checks during memory allocation. This leads to a potentially exploitable crash. This issue is fixed in NSPR 4.10.10. The NSPR library is a required component of NSS." Maintainers, please update.
Ebuilds for both packages are in the tree now. Arches, please stabilize: dev-libs/nspr-4.10.10 dev-libs/nss-3.20.1
amd64 stable
x86 stable
Stable for HPPA PPC64.
ppc stable
arm stable
alpha stable
ia64 stable
sparc stable
Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
It has been 30 days since last request. Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201605-06 at https://security.gentoo.org/glsa/201605-06 by GLSA coordinator Yury German (BlueKnight).