nss: CVE-2015-4000 again
Hi,
On Sat, Nov 28, 2015 at 02:16:33PM +0100, Guido Günther wrote:
> Hi,
> On Wed, Nov 25, 2015 at 12:24:44PM +0100, Guido Günther wrote:
> > Hi,
> > I'm currently preparing fixes for nss and wonder if the security team
> > already has a plan forward for CVE-2015-4000? Using the upstream patch
> > would change defaults in a stable release. I think it'd be good to do the
> > same for all currently supported releases.
>
> Since there wasn't any feedback on this one I went ahead and prepared
> updates for Squeeze, Wheezy and Jessie of CVE-2015-7181 and CVE-2015-7182
> but skipped CVE-2015-4000 for now. I'm inclined to mark this as no-dsa
> in Squeeze to not break existing installations.
Any opinions on how to handle CVE-2015-4000 consistently in all suites?
According to the changelog openssl switched to 768 bits for DH in
squeeze-lts and wheezy while nss upstream switched to 1024 bits.
Should we follow upstream for wheezy/jessie but rather leave squeeze as
is to not break old installations given the remaining time frame of
squeeze-lts support?
* squeeze: no-dsa
* wheezy: 1024 bit
* jessie: 1024 bit
or is being consistent with openssl any concern?
Cheers,
-- Guido