
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-29991 is a security vulnerability in Firefox and Thunderbird that was disclosed on August 16, 2021. It affected Firefox and Thunderbird versions prior to 91.0.1. Firefox incorrectly accepted a newline in an HTTP/3 header and interpreted it as two separate headers, which allowed for a header splitting attack against servers using HTTP/3 (Mozilla Advisory, NVD).
The vulnerability was assigned a CVSS v3.1 base score of 8.1 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. The issue stems from Firefox's incorrect interpretation of newlines in HTTP headers specifically in HTTP/3 connections, which could lead to HTTP request/response smuggling attacks. The vulnerability was classified under CWE-444 (Inconsistent Interpretation of HTTP Requests) (NVD).
The vulnerability could allow attackers to perform header splitting attacks against servers using HTTP/3, potentially leading to critical security problems on websites. This was particularly concerning as early adopters of HTTP/3 tend to be major, popular websites with large user bases (Bugzilla).
The vulnerability was fixed in Firefox 91.0.1 and Thunderbird 91.0.1. The fix involved sanitizing headers by replacing problematic control characters with spaces, making the HTTP/3 implementation behave similarly to HTTP/2 where this behavior was well-tested (Mozilla Advisory).
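A minimal model of the sanitization described above, added here as an illustration and not taken from Firefox's code. The replaced character set (CR, LF, NUL), the function names, and the line-based parser standing in for the receiving side are assumptions; the sample header is constructed.

```python
# Added illustration; not Firefox's code. The page only says "problematic
# control characters", so the exact set below (CR, LF, NUL) is an assumption.
SPLIT_CHARS = b"\r\n\x00"
_TO_SPACE = bytes.maketrans(SPLIT_CHARS, b" " * len(SPLIT_CHARS))


def sanitize_value(value: bytes) -> bytes:
    """Replace characters that can terminate a header line with spaces."""
    return value.translate(_TO_SPACE)


def to_text_block(fields):
    """Serialize (name, value) pairs the way a text-based hop would see them."""
    return b"".join(name + b": " + value + b"\r\n" for name, value in fields)


def parse_text_block(block: bytes):
    """Lenient line-based parse: splits on LF and tolerates a missing CR."""
    headers = []
    for line in block.split(b"\n"):
        line = line.rstrip(b"\r")
        if line:
            name, _, value = line.partition(b":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def headers_seen_downstream(fields, sanitize: bool):
    """Return the header list a line-based parser recovers from `fields`."""
    if sanitize:
        fields = [(n, sanitize_value(v)) for n, v in fields]
    return parse_text_block(to_text_block(fields))


# Constructed sample: a single field whose value carries an embedded newline.
SAMPLE = [(b"x-note", b"hello\nx-injected: 1")]

if __name__ == "__main__":
    # Without sanitization one field is read back as two headers.
    print("unsanitized:", headers_seen_downstream(SAMPLE, sanitize=False))
    # With sanitization the newline becomes a space and one header remains.
    print("sanitized:  ", headers_seen_downstream(SAMPLE, sanitize=True))
```

The same check works as a regression test on any component that forwards header fields: the number of headers parsed back must equal the number of fields passed in.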
Source: This report was generated using AI