Hi nss maintainer(s) and LTS team
I have prepared a security update of nss for wheezy to solve the problem described in CVE-2015-4000, for more info see:
One could argue that this is not a problem as the case:
"when a DHE_EXPORT ciphersuite is enabled on a server but not on a client" in combination with TLS 1.2 is a rather rare combination.
However as this is a library and there are many services using this library it is probably better to be safe than sorry.
So I have backported the "NSS patch increasing limit to 1023 bits" (see at the bottom of the above CVE link) to the wheezy version.
For testing I have run the build test suite and it fails just as many times as the previous version. That is 43 failures. So I guess I have not broken anything.
You can find the test results for deb7u7 in nss-build.txt and the test results for the previous version in nss-build-previousversion.txt.
There were no tests for this specific case and it turned out that it was non-trivial to make such a test-case. The main reason was that the test server did not have the possibility to enable DHE EXPORT ciphersuite. I could not find any such way at least.
So I have not been able to verify that the solution actually works in practice. What I have been able to test is that I have not included any (obvious) regression problem.
The change also exports a new symbol in the library but as it is a new one and no function has used it in the past it should not be an issue as far as I can tell.
If anyone has a good idea on how to trigger the event described in CVE-2015-4000 (without implementing an entirely new program), please let me know.
You can find the updated package here:
And the debdiff here:
If there are no objections I will upload the corrected packages in 4 days, that is on Tuesday next week.
Best regards,
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------