"NSS (Network Security Services) versions prior to 3.73 are vulnerable
to a heap overflow when handling DER-encoded DSA or RSA-PSS
signatures. Applications using NSS for handling signatures encoded
within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted.
Applications using NSS for certificate validation or other TLS, X.509,
OCSP or CRL functionality may be impacted, depending on how they
This vulnerability does NOT impact Mozilla Firefox, Tor Browser or
Chromium. However, other applications that use NSS for signature
verification are likely to be impacted."
"NSS 3.73  and NSS ESR 3.68.1  have been released and contain the
fix. A patch suitable for backporting is also attached (patch.diff)."
We should check which other packages may be affected by this.
According to the advisory this can affect thunderbird. The thunderbird-bin package ships its own libnss copy, so at least thunderbird-bin should be bumped as well.
From MFSA-2021-51 (https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/):
"Note: This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted."
GLSA request filed
The bug has been referenced in the following commit(s):
Author: GLSAMaker <email@example.com>
AuthorDate: 2022-12-19 02:01:58 +0000
Commit: John Helmert III <firstname.lastname@example.org>
CommitDate: 2022-12-19 02:04:29 +0000
[ GLSA 202212-05 ] Mozilla Network Security Service (NSS): Multiple Vulnerabilities
Signed-off-by: GLSAMaker <email@example.com>
Signed-off-by: John Helmert III <firstname.lastname@example.org>
glsa-202212-05.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
GLSA released, all done.