
CVE-2021-43527

Published: 01 December 2021

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince, are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.

Priority

High

CVSS 3 base score: 9.8

Status

| Package | Release | Status |
|---|---|---|
| nss (Launchpad, Ubuntu, Debian) | Upstream | Needs triage |
| | Ubuntu 21.10 (Impish Indri) | Released (2:3.68-1ubuntu1.1) |
| | Ubuntu 21.04 (Hirsute Hippo) | Released (2:3.61-1ubuntu2.1) |
| | Ubuntu 20.04 LTS (Focal Fossa) | Released (2:3.49.1-1ubuntu1.6) |
| | Ubuntu 18.04 LTS (Bionic Beaver) | Released (2:3.35-2ubuntu2.13) |
| | Ubuntu 16.04 ESM (Xenial Xerus) | Released (2:3.28.4-0ubuntu0.16.04.14+esm2) |
| | Ubuntu 14.04 ESM (Trusty Tahr) | Released (2:3.28.4-0ubuntu0.14.04.5+esm10) |
| thunderbird (Launchpad, Ubuntu, Debian) | Upstream | Released (91.4.0) |
| | Ubuntu 21.10 (Impish Indri) | Released (1:91.3.1+build1-0ubuntu0.21.10.2) |
| | Ubuntu 21.04 (Hirsute Hippo) | Released (1:78.14.0+build1-0ubuntu0.21.04.2) |
| | Ubuntu 20.04 LTS (Focal Fossa) | Released (1:78.14.0+build1-0ubuntu0.20.04.2) |
| | Ubuntu 18.04 LTS (Bionic Beaver) | Released (1:78.14.0+build1-0ubuntu0.18.04.2) |
| | Ubuntu 16.04 ESM (Xenial Xerus) | Needed |
| | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist |