Amazon Linux 2.0.20211201.0 release notes

Updated NSS to fix CVE-2021-43527. Network Security Services (NSS) up to and including version 3.73 is vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications that use NSS for handling signatures that are encoded within CMS, S/MIME, PKCS \#7, or PKCS \#12 are likely to be impacted. Applications that use NSS for certificate validation or other TLS, X.509, OCSP, or CRL functionality might be impacted. This depends on how they configure NSS. When verifying a DER-encoded signature, NSS decodes the signature into a fixed-size buffer and passes the buffer to the underlying PKCS \#11 module. The length of the signature isn't correctly checked when processing DSA and RSA-PSS signatures. DSA and RSA-PSS signatures larger than 16,384 bits overflows the buffer in VFYContextStr. The vulnerable code is located within secvfy.c:vfy_CreateContext.

nspr-4.32.0-1.amzn2.aarch64

nspr-4.32.0-1.amzn2.x86_64

nss-3.67.0-4.amzn2.0.1.aarch64

nss-3.67.0-4.amzn2.0.1.x86_64

nss-softokn-3.67.0-3.amzn2.aarch64

nss-softokn-3.67.0-3.amzn2.x86_64

nss-softokn-freebl-3.67.0-3.amzn2.aarch6

nss-softokn-freebl-3.67.0-3.amzn2.x86_64

nss-sysinit-3.67.0-4.amzn2.0.1.aarch64

nss-sysinit-3.67.0-4.amzn2.0.1.x86_64

nss-tools-3.67.0-4.amzn2.0.1.aarch64

nss-tools-3.67.0-4.amzn2.0.1.x86_64

nss-util-3.67.0-1.amzn2.aarch64

nss-util-3.67.0-1.amzn2.x86_64

selinux-policy-3.13.1-268.amzn2.2.2.noarch

selinux-policy-targeted-3.13.1-268.amzn2.2.2.noarch