Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]

To: Antoine Beaupré <anarcat@orangeseeds.org>
Cc: Luciano Bello <luciano@debian.org>, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
From: Guido Günther <agx@sigxcpu.org>
Date: Sat, 26 Mar 2016 09:33:29 +0100
Message-id: <[🔎] 20160326083329.GB2455@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Antoine Beaupré <anarcat@orangeseeds.org>, Luciano Bello <luciano@debian.org>, debian-lts@lists.debian.org, team@security.debian.org
In-reply-to: <[🔎] 87k2kq1nvu.fsf@angela.anarcat.ath.cx>
References: <20151128131633.GA31725@bogon.m.sigxcpu.org> <8661852.gC6xeMkAlz@box> <20160123140453.GA10585@bogon.m.sigxcpu.org> <[🔎] 87k2kq1nvu.fsf@angela.anarcat.ath.cx>

On Fri, Mar 25, 2016 at 01:13:57PM -0400, Antoine Beaupré wrote:
> On 2016-01-23 09:04:53, Guido Günther wrote:
> > Hi Luciano,
> > On Thu, Dec 10, 2015 at 06:27:54PM +0100, Luciano Bello wrote:
> >> On Saturday 28 November 2015 14.16.33 Guido Günther wrote:
> >> > I've attached the patches for review. These also add some minimal
> >> > autopkgtest to exercise the ASN1 parser (affected by the above CVEs).
> >> > 
> >> > I'm happy about any review.
> >> 
> >> Thanks for your work and sorry for the delay in the answer.
> >> 
> >> I will review your patches during the weekend. I have no idea how to handle your 
> >> questions regarding CVE-2015-4000. Maybe somebody else in the security team 
> >> has an opinion?
> >
> > Did you get a chance to look at the patches?
> 
> I don't know if Luciano did, but I looked at the patch and they are
> okay, insofar as they match the upstream ones.
> 
> I was thinking of making a new debdiff to include other fixes, namely
> CVE-2015-7575 and CVE-2016-1938 that have been fixed in squeeze but not
> in wheezy yet. There's also CVE-2016-1950, CVE-2016-1978 and
> CVE-2016-1979 that seems to need fixing in wheezy / jessie as well that
> I'm considering.
> 
> Would the secteam welcome such a debdiff for wheezy and jessie?

Thanks for reviewing this! I was about to look into more recent nss
issues after handling dhcpcd but since you're at it, go ahead!

Note that we still have CVE-2015-4000 which would most easily be fixed
by having the same nss in all suites but since I got zero feedback from
the release team going that route doesn't seem to be an option. We could
still handle this via sec updates though.

Until that it might make sense to add

    https://github.com/agx/nss-debian/commit/98ff42c58343d70b1b51c8c997b471822c1675f1
    also at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639

which (in addition to the certificate test I added) runs the standard
nss test cycle as autopkgtest. I've tested this with the sid version but
not with wheezy/jessie yet.

Cheers,
 -- Guido

Reply to:

Follow-Ups:
- nss security wheezy updates ready for testing
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

References:
- Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
  - From: Antoine Beaupré <anarcat@orangeseeds.org>

Prev by Date: Re: imagemagick
Next by Date: Re: imagemagick
Previous by thread: Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
Next by thread: nss security wheezy updates ready for testing
Index(es):
- Date
- Thread