From the 3.76.1 release notes:
"""
This release improves the stability of NSS when used in a multi-threaded environment. In particular, it fixes memory safety violations that can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097). We presume that with enough effort these memory safety violations are exploitable.
"""
Please bump to 3.76.1.
Oops, already in tree.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d157cf9c7ecb644ca59c667e9b6a6e20c5a2200
commit 6d157cf9c7ecb644ca59c667e9b6a6e20c5a2200
Author: Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-03-30 04:56:41 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-03-30 04:56:41 +0000
    dev-libs/nss: drop 3.75-r1, 3.76-r1 (security cleanup p1)
    Bug: https://bugs.gentoo.org/836386
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>
 dev-libs/nss/Manifest | 2 -
 dev-libs/nss/nss-3.75-r1.ebuild | 361 ----------------------------------------
 dev-libs/nss/nss-3.76-r1.ebuild | 361 ----------------------------------------
 3 files changed, 724 deletions(-)
Please bump to 3.68.3 too; it has the same fix backported according to the changelogs.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0d5c3a907c56c8ab278f57a6261e8ea875f15e7
commit e0d5c3a907c56c8ab278f57a6261e8ea875f15e7
Author: Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-04-02 05:29:01 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-02 05:30:43 +0000
    dev-libs/nss: add 3.68.3
    Bug: https://bugs.gentoo.org/836386
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>
 dev-libs/nss/Manifest | 1 +
 dev-libs/nss/nss-3.68.3.ebuild | 362 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 363 insertions(+)
Please clean up.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35b2d5cf4c16277977814b89becd779d20f84726
commit 35b2d5cf4c16277977814b89becd779d20f84726
Author: Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-04-10 12:58:00 +0000
Commit: Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-10 12:58:00 +0000
    dev-libs/nss: drop 3.68.2-r1
    Bug: https://bugs.gentoo.org/836386
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>
 dev-libs/nss/Manifest | 1 -
 dev-libs/nss/nss-3.68.2-r1.ebuild | 361 --------------------------------------
 2 files changed, 362 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=300d0a6989f134e6228f91cb9ea405db485ee8f0
commit 300d0a6989f134e6228f91cb9ea405db485ee8f0
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-19 02:01:58 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-19 02:04:29 +0000
    [ GLSA 202212-05 ] Mozilla Network Security Service (NSS): Multiple Vulnerabilities
    Bug: https://bugs.gentoo.org/827946
    Bug: https://bugs.gentoo.org/836386
    Bug: https://bugs.gentoo.org/848984
    Bug: https://bugs.gentoo.org/877169
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>
 glsa-202212-05.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
GLSA released, all done.