
nss: CVE-2015-4000 again
Hi,
On Sat, Nov 28, 2015 at 02:16:33PM +0100, Guido Günther wrote:
> Hi,
> On Wed, Nov 25, 2015 at 12:24:44PM +0100, Guido Günther wrote:
> > Hi,
> > I'm currently preparing fixes for nss and wonder if the security team
> > already has a plan forward for CVE-2015-4000? Using the upstream patch
> > would change defaults in a stable release. I think it'd be good to do the
> > same for all currently supported releases.
> 
> Since there wasn't any feedback on this one I went ahead and prepared
> updates for Squeeze, Wheezy and Jessie of CVE-2015-7181 and CVE-2015-7182
> but skipped CVE-2015-4000 for now. I'm inclined to mark this as no-dsa
> in Squeeze to not break existing installations.

Any opinions on how to handle CVE-2015-4000 consistently in all suites?
According to the changelog openssl switched to 768 bits for DH in
squeeze-lts and wheezy while nss upstream switched to 1024 bits.

Should we follow upstream for wheezy/jessie but rather leave squeeze as
is to not break old installations given the remaining time frame of
squeeze-lts support?

* squeeze: no-dsa
* wheezy: 1024 bit
* jessie: 1024 bit

or is being consistent with openssl any concern?

Cheers,
 -- Guido

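The practical effect of the change under discussion is a client-side check on the size of the DH group a server offers, with the threshold being 768 bits (openssl in squeeze-lts/wheezy) or 1024 bits (nss upstream). The following is an added example, not code from nss, openssl, Debian or the author of this thread. It assumes the TLS 1.2 ServerDHParams wire format from RFC 5246 section 7.4.3 (dh_p, dh_g, dh_Ys, each a 2-byte-length-prefixed big-endian integer) and applies both thresholds quoted above; the sample moduli are constructed values of the stated bit length, not real primes.

```python
# Added example (not code from nss, openssl, Debian or the thread's author):
# a minimum-DH-group-size check of the kind the CVE-2015-4000 (Logjam)
# mitigation adds on the TLS client side. The wire format assumed here is the
# TLS 1.2 ServerDHParams structure from RFC 5246 section 7.4.3:
#   opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
import struct

# Thresholds quoted in the thread: openssl in squeeze-lts/wheezy went to 768
# bits, nss upstream to 1024 bits.
MIN_DH_BITS_OPENSSL = 768
MIN_DH_BITS_NSS_UPSTREAM = 1024


def parse_server_dh_params(data: bytes):
    """Parse ServerDHParams and return (p, g, Ys) as Python ints.

    Raises ValueError on truncated, zero-length or trailing data, which a
    client must treat as a decode error rather than silently accept.
    """
    offset = 0
    values = []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated length prefix for {name}")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError(f"bad length {length} for {name}")
        values.append(int.from_bytes(data[offset:offset + length], "big"))
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after dh_Ys")
    return values[0], values[1], values[2]


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params; used here to build sample input."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


def dh_group_acceptable(data: bytes, min_bits: int) -> bool:
    """Return True if the server's DH group meets the size policy.

    Rejects a prime shorter than min_bits (the Logjam mitigation) and a
    degenerate public value (Ys in {0, 1, p-1}), which would force a
    trivial shared secret regardless of the group size.
    """
    p, _g, ys = parse_server_dh_params(data)
    if p.bit_length() < min_bits:
        return False
    if ys <= 1 or ys >= p - 1:
        return False
    return True


def is_well_formed(data: bytes) -> bool:
    """True if the blob decodes as ServerDHParams at all."""
    try:
        parse_server_dh_params(data)
        return True
    except ValueError:
        return False


def sample_params(bits: int) -> bytes:
    """Constructed sample group: the modulus is NOT a prime, only a value of
    the requested bit length, which is all the size check looks at."""
    p = (1 << (bits - 1)) | 1
    return encode_server_dh_params(p, 2, (p - 1) // 2)


SAMPLE_512 = sample_params(512)
SAMPLE_768 = sample_params(768)
SAMPLE_1024 = sample_params(1024)


def policy_table(data: bytes) -> dict:
    """Accept/reject decision under each threshold quoted in the thread."""
    return {
        "openssl squeeze-lts/wheezy (768)": dh_group_acceptable(data, MIN_DH_BITS_OPENSSL),
        "nss upstream (1024)": dh_group_acceptable(data, MIN_DH_BITS_NSS_UPSTREAM),
    }


if __name__ == "__main__":
    for name, blob in (("512", SAMPLE_512), ("768", SAMPLE_768), ("1024", SAMPLE_1024)):
        print(name, policy_table(blob))
```

Run as a script it prints, per sample group, which of the two thresholds would accept it; the 768-bit sample is the case that separates the two policies, since openssl's 768-bit floor accepts it and nss upstream's 1024-bit floor does not.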