
nss security wheezy updates ready for testing



On 2016-03-26 04:33:29, Guido Günther wrote:
> Thanks for reviewing this! I was about to look into more recent nss
> issues after handling dhcpcd but since you're at it, go ahead!
>
> Note that we still have CVE-2015-4000 which would most easily be fixed
> by having the same nss in all suites but since I got zero feedback from
> the release team going that route doesn't seem to be an option. We could
> still handle this via sec updates though.

So I am not sure how to deal with CVE-2015-4000. The patch is
substantial:

https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24

> Until that it might make sense to add
>
>     https://github.com/agx/nss-debian/commit/98ff42c58343d70b1b51c8c997b471822c1675f1
>     also at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
>
> which (in addition to the certificate test I added) runs the standard
> nss test cycle as autopkgtest. I've tested this with the sid version but
> not with wheezy/jessie yet.

It seems like you had those already, and I have included them in the
package here.

So here's another debdiff for review and testing. This should fix all
standing issues on wheezy *but* CVE-2015-4000 and CVE-2015-7575.

Attachment: nss_3.14.5-1+deb7u6.debdiff

The fix for CVE-2015-4000 is pretty invasive. I tried porting the patch
in, but it fails to compile because it uses a new error message
(SSL_ERROR_WEAK_SERVER_CERT_KEY) introduced as part of those checks. So
I don't feel comfortable backporting all those unused error messages or
changing the integer identifier of the error message here. This should
really be fixed by backporting a newer version.

Similarly, CVE-2015-7575 is marked as not-affected, as wheezy doesn't
support TLS 1.2. It's somewhat silly, because wheezy should really
support TLS 1.2, in my opinion. Again, this goes back to the question of
shipping the same NSS release in all suites...

I haven't worked on updating the jessie package, but one should keep in
mind that both CVE-2015-4000 and CVE-2015-7575 *do* affect the jessie
package directly and should be backported.

I also put AMD64 builds of the packages here for further testing:

https://people.debian.org/~anarcat/debian/wheezy-lts/

Note that I have *not* tested those packages in any way, but the builtin
test suite seems to pass. Or at least it doesn't stop the package build,
yet it *says* there are some failures - I am not sure how to process
that either:

Tests summary:
--------------
Passed:             2352
Failed:             45
Failed with core:   0
Unknown status:     0

Phew, that one was quite a load!

A.

-- 
While the creative works from the 16th century can still be accessed
and used by others, the data in some software programs from the 1990s
is already inaccessible.
                         - Lawrence Lessig

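An added example, not part of this thread and not code from the Debian nss package: the checks that the CVE-2015-4000 (Logjam) fix adds reject small finite-field DH groups, and the quickest way to see what a server actually offers is to send a ClientHello that lists only DHE suites and read the group size out of the ServerKeyExchange it answers with. The script below does that in raw TLS with the Python standard library. The 1024-bit threshold, the cipher-suite list and the embedded server flight are choices constructed for this example (the threshold is not taken from the NSS patch), and only `probe_server` touches the network and needs a reachable host.

```python
import socket
import struct

# Cipher suites using ephemeral finite-field DH (TLS_DHE_*). A server that picks
# one of these must send a ServerKeyExchange carrying its DH group, and Logjam
# (CVE-2015-4000) is about groups of 512 (export) or 768 bits in that message.
DHE_SUITES = [
    0x0033,  # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    0x0039,  # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    0x0016,  # TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    0x0032,  # TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    0x0014,  # TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (export grade, 512-bit DH)
    0x0011,  # TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
]
HANDSHAKE, ALERT = 22, 21
SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 12, 14
MIN_DH_BITS = 1024  # threshold chosen for this example, not taken from the NSS patch


def hs_msg(mtype, body):
    """Frame a handshake message: 1-byte type, 24-bit length, body."""
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body


def build_client_hello(server_name, suites=DHE_SUITES):
    """TLS record holding a TLS 1.2 ClientHello that offers only DHE suites (plus SNI)."""
    name = server_name.encode()
    sni_entry = struct.pack("!BH", 0, len(name)) + name        # host_name entry
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension type 0 = server_name
    suites_blob = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32)                 # client_version, client_random (fixed here)
            + b"\x00"                               # empty session id
            + struct.pack("!H", len(suites_blob)) + suites_blob
            + b"\x01\x00"                           # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = hs_msg(1, body)                     # HandshakeType client_hello = 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def iter_handshake_messages(data):
    """Yield (type, body) for every complete handshake message in a byte buffer."""
    off = 0
    while off + 4 <= len(data):
        length = int.from_bytes(data[off + 1:off + 4], "big")
        if off + 4 + length > len(data):
            break                                   # message continues in a later record
        yield data[off], data[off + 4:off + 4 + length]
        off += 4 + length


def parse_dh_server_key_exchange(body):
    """Read ServerDHParams {p, g, Ys} from a ServerKeyExchange body; the signature after them is ignored."""
    values, off = [], 0
    for _ in range(3):
        if off + 2 > len(body):
            raise ValueError("truncated ServerDHParams")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        values.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    p, g, ys = values
    return {"p_bits": p.bit_length(), "g": g, "ys_bits": ys.bit_length()}


def classify_dh(p_bits):
    """'weak' below MIN_DH_BITS; a client carrying the Logjam fix should refuse such a group."""
    return "weak" if p_bits < MIN_DH_BITS else "ok"


def extract_dh_from_flight(handshake_bytes):
    """Return parsed DH params from a server's first flight, or None if it sent no ServerKeyExchange."""
    for mtype, body in iter_handshake_messages(handshake_bytes):
        if mtype == SERVER_KEY_EXCHANGE:
            return parse_dh_server_key_exchange(body)
    return None


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def probe_server(host, port=443, timeout=5):
    """Connect, offer only DHE suites, return the DH group the server sent (None on alert or no DHE)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        flight = b""
        while not any(t == SERVER_HELLO_DONE for t, _ in iter_handshake_messages(flight)):
            ctype, _version, length = struct.unpack("!BHH", recv_exact(sock, 5))
            payload = recv_exact(sock, length)
            if ctype == ALERT:
                return None                         # every DHE suite rejected (or other abort)
            if ctype == HANDSHAKE:
                flight += payload
    return extract_dh_from_flight(flight)


# Constructed sample flight (not a capture): ServerHello picking 0x0033, a ServerKeyExchange with
# a 512-bit modulus, generator 2, a 512-bit Ys and a dummy signature, then ServerHelloDone.
SAMPLE_WEAK_SKE = (struct.pack("!H", 64) + b"\xff" + b"\x11" * 63
                   + struct.pack("!H", 1) + b"\x02"
                   + struct.pack("!H", 64) + b"\x80" + b"\x22" * 63
                   + b"\x00" * 4)
SAMPLE_FLIGHT = (hs_msg(2, b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x33" + b"\x00")
                 + hs_msg(SERVER_KEY_EXCHANGE, SAMPLE_WEAK_SKE)
                 + hs_msg(SERVER_HELLO_DONE, b""))

if __name__ == "__main__":
    dh = extract_dh_from_flight(SAMPLE_FLIGHT)
    print(dh, classify_dh(dh["p_bits"]))  # {'p_bits': 512, 'g': 2, 'ys_bits': 512} weak
```

Against a real host, `probe_server("host")` returning `None` means the server refused every DHE suite (good, or at least not exposed to Logjam through DHE), while a dict with `p_bits` of 512 or 768 is exactly the case the NSS fix exists to reject on the client side; to exercise a patched client instead, point it at a test server configured with such a small group and expect the handshake to fail.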