On 2016-03-26 04:33:29, Guido Günther wrote:
> Thanks for reviewing this! I was about to look into more recent nss
> issues after handling dhcpcd but since you're at it, go ahead!
>
> Note that we still have CVE-2015-4000 which would most easily be fixed
> by having the same nss in all suites but since I got zero feedback from
> the release team going that route doesn't seem to be an option. We could
> still handle this via sec updates though.

So I am not sure how to deal with CVE-2015-4000. The patch is substantial:

https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24

> Until that it might make sense to add
>
> https://github.com/agx/nss-debian/commit/98ff42c58343d70b1b51c8c997b471822c1675f1
> also at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
>
> which (in addition to the certificate test I added) runs the standard
> nss test cycle as autopkgtest. I've tested this with the sid version but
> not with wheezy/jessie yet.

It seems like you had those already, and I have included them in the package here.

So here's another debdiff for review and testing. This should fix all standing issues on wheezy *but* CVE-2015-4000 and CVE-2015-7575.
Attachment: nss_3.14.5-1+deb7u6.debdiff (binary data)
CVE-2015-4000 is pretty invasive. I tried porting the patch in, but it fails to compile because it uses a new error message (SSL_ERROR_WEAK_SERVER_CERT_KEY) introduced as part of those checks. So I don't feel comfortable backporting all those unused error messages or changing the integer identifier of the error message here. This should really be fixed by backporting a newer version.

Similarly, CVE-2015-7575 is marked as not-affected as wheezy doesn't support TLS 1.2. It's somehow silly because wheezy should really support TLS 1.2, in my opinion. Again, this goes back to the question of shipping the same NSS release in all suites...

I haven't worked on updating the jessie package, but one should keep in mind that both CVE-2015-4000 and CVE-2015-7575 *do* affect the jessie package directly and should be backported.

I also put AMD64 builds of the packages here for further testing:

https://people.debian.org/~anarcat/debian/wheezy-lts/

Note that I have *not* tested those packages in any way, but the builtin test suite seems to pass. Or at least it doesn't stop the package build, yet it *says* there are some failures - I am not sure how to process that either:

Tests summary:
--------------
Passed:           2352
Failed:           45
Failed with core: 0
Unknown status:   0

Phew, that one was quite a load!

A.

-- 
While the creative works from the 16th century can still be accessed and
used by others, the data in some software programs from the 1990s is
already inaccessible.
                        - Lawrence Lessig
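One way to make the failure count above actually gate the build instead of only appearing in the log is a small check on the "Tests summary" block itself. The POSIX shell below is an added example for this page; it is not part of the original message, of the nss package or of nss-debian. The summary text embedded in it is constructed from the counts quoted in the message, with the column alignment assumed, and the functions treat any non-zero Failed, Failed with core or Unknown status count as a failed run.

```shell
#!/bin/sh
# Added example: gate on the NSS test summary rather than on the test driver's
# exit status. Not code from the message, nss or nss-debian.

# Constructed from the counts quoted in the message; the whitespace layout
# of the real summary is assumed, so the parser tolerates any spacing.
SAMPLE_SUMMARY='Tests summary:
--------------
Passed:             2352
Failed:             45
Failed with core:   0
Unknown status:     0'

# summary_count LABEL
# Reads a summary on stdin and prints the integer after "LABEL:" (0 if the
# label is absent or carries no digits), so callers always get a number.
summary_count() {
    awk -v label="$1" -F: '
        $1 == label { n = $2; gsub(/[^0-9]/, "", n); print n + 0; found = 1 }
        END { if (!found) print 0 }'
}

# nss_tests_pass
# Reads a summary on stdin; returns 0 when no test failed, crashed or ended
# in an unknown state, and 1 otherwise. Prints a one-line verdict so a build
# log shows why the run was accepted or rejected.
nss_tests_pass() {
    summary=$(cat)
    passed=$(printf '%s\n' "$summary" | summary_count "Passed")
    failed=$(printf '%s\n' "$summary" | summary_count "Failed")
    cores=$(printf '%s\n' "$summary" | summary_count "Failed with core")
    unknown=$(printf '%s\n' "$summary" | summary_count "Unknown status")
    bad=$((failed + cores + unknown))
    if [ "$bad" -gt 0 ]; then
        echo "nss tests: $passed passed, $failed failed, $cores with core, $unknown unknown: FAIL" >&2
        return 1
    fi
    echo "nss tests: $passed passed, no failures"
    return 0
}

# Usage: feed the summary and decide whether the build may continue.
if printf '%s\n' "$SAMPLE_SUMMARY" | nss_tests_pass; then
    echo "would continue the build"
else
    echo "would abort the build"
fi
```

In a packaging context the same check would be run from debian/rules or the autopkgtest script against the test driver's log before the build is allowed to proceed; the message does not name that log's location, so the example reads the summary from stdin instead.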