Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]

To: Antoine Beaupré <anarcat@orangeseeds.org>, Guido Günther <agx@sigxcpu.org>
Cc: debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
From: Luciano Bello <luciano@debian.org>
Date: Fri, 25 Mar 2016 23:58:28 +0100
Message-id: <[🔎] 4206935.AO3lp96rMG@box>
In-reply-to: <[🔎] 87k2kq1nvu.fsf@angela.anarcat.ath.cx>
References: <20151128131633.GA31725@bogon.m.sigxcpu.org> <20160123140453.GA10585@bogon.m.sigxcpu.org> <[🔎] 87k2kq1nvu.fsf@angela.anarcat.ath.cx>

On Friday 25 March 2016 13.13.57 Antoine Beaupré wrote:
> I don't know if Luciano did, but I looked at the patch and they are
> okay, insofar as they match the upstream ones.

Oh.. geez. This fall out of my table. Sorry.

Two small comments, we usually use urgency=high (yes, even when I'm answering 
to this after two months) and the -security is missed in the 
2:3.17.2-1.1+deb8u3 changelog.

I'm all for Antoine suggestion about fixing the pending issues in the same 
upload.

CVE-2016-1938 looks, from the upstream patch, easy to fix also. I'm not sure 
if CVE-2015-7575 affects the stable version of nss. With these, all the 
pending issues affecting nss would be solved.

Thanks for your help and sorry again, luciano

Reply to:

References:
- Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
Next by Date: Re: working for wheezy-security until wheezy-lts starts
Previous by thread: Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
Next by thread: Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
Index(es):
- Date
- Thread