Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
On 2016-01-23 09:04:53, Guido Günther wrote:
> Hi Luciano,
> On Thu, Dec 10, 2015 at 06:27:54PM +0100, Luciano Bello wrote:
>> On Saturday 28 November 2015 14.16.33 Guido Günther wrote:
>> > I've attached the patches for review. These also add some minimal
>> > autopkgtest to exercise the ASN1 parser (affected by the above CVEs).
>> > I'm happy about any review.
>> Thanks for your work and sorry for the delay in the answer.
>> I will review your patches during the weekend. I have no idea how to handle your
>> questions regarding CVE-2015-4000. Maybe somebody else in the security team
>> has an opinion?
> Did you get a chance to look at the patches?
I don't know if Luciano did, but I looked at the patches and they are
okay, insofar as they match the upstream ones.
I was thinking of making a new debdiff to include other fixes, namely
CVE-2015-7575 and CVE-2016-1938 that have been fixed in squeeze but not
in wheezy yet. There's also CVE-2016-1950, CVE-2016-1978 and
CVE-2016-1979 that seem to need fixing in wheezy / jessie as well that
Would the secteam welcome such a debdiff for wheezy and jessie?
Thanks for your feedback,
Either God would like to eliminate evil, but he cannot
Or God could eliminate evil, but he does not want to.
- Sébastien Faure