Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]
On Fri, Mar 25, 2016 at 01:13:57PM -0400, Antoine Beaupré wrote:
> On 2016-01-23 09:04:53, Guido Günther wrote:
> > Hi Luciano,
> > On Thu, Dec 10, 2015 at 06:27:54PM +0100, Luciano Bello wrote:
> >> On Saturday 28 November 2015 14.16.33 Guido Günther wrote:
> >> > I've attached the patches for review. These also add some minimal
> >> > autopkgtest to exercise the ASN1 parser (affected by the above CVEs).
> >> >
> >> > I'm happy about any review.
> >> Thanks for your work and sorry for the delay in the answer.
> >> I will review your patches during the weekend. I have no idea how to handle your
> >> questions regarding CVE-2015-4000. Maybe somebody else in the security team
> >> has an opinion?
> > Did you get a chance to look at the patches?
> I don't know if Luciano did, but I looked at the patch and they are
> okay, insofar as they match the upstream ones.
> I was thinking of making a new debdiff to include other fixes, namely
> CVE-2015-7575 and CVE-2016-1938 that have been fixed in squeeze but not
> in wheezy yet. There's also CVE-2016-1950, CVE-2016-1978 and
> CVE-2016-1979 that seems to need fixing in wheezy / jessie as well that
> I'm considering.
> Would the secteam welcome such a debdiff for wheezy and jessie?
Thanks for reviewing this! I was about to look into more recent nss
issues after handling dhcpcd but since you're at it, go ahead!
Note that we still have CVE-2015-4000 which would most easily be fixed
by having the same nss in all suites but since I got zero feedback from
the release team going that route doesn't seem to be an option. We could
still handle this via sec updates though.
Until that it might make sense to add
also at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
which (in addition to the certificate test I added) runs the standard
nss test cycle as autopkgtest. I've tested this with the sid version but
not with wheezy/jessie yet.