[Arm-dev] nss-3.67.0-4 (and related packages) missing for arm-64

Sat Mar 5 01:10:30 UTC 2022
Raj Shekhar <rajlist at rajshekhar.net>

Hi

I a running centos-7.9 (CentOS Linux release 7.9.2009 (AltArch))

nss had a vulnerability reported with a CVSS score of 9.8
(https://access.redhat.com/security/cve/CVE-2021-43527).

I can see that there is a x86_64 package for nss that fixes this
vulnerability (nss-3.67.0-4.el7_9.x86_64)

rpm -q nss --changelog |head -n 10
* Thu Nov 18 2021 Bob Relyea <rrelyea at redhat.com> - 3.67.0-4
- fix CVE-2021-43527

However, when I tried to find the updated package for aarch64, I don't see
a package fixing this vulnerability for aarch64.  Reading the security
report seems to indicate that this affects all architectures.  I can also
see that amazonlinux and oracle linux have released nss packages to
address this vulnerability.

Looking through the centos forums, I have not been able to figure out why
this package is missing for aarch64.  Does someone know why this package
with high vulnerability has not been updated for centos-7.9?

Thanks for your guidance.



-- 
Raj Shekhar