Re: nss security wheezy updates ready for testing
On Tue, Mar 29, 2016 at 04:28:36PM -0400, Antoine Beaupré wrote:
> On 2016-03-26 04:33:29, Guido Günther wrote:
> > Thanks for reviewing this! I was about to look into more recent nss
> > issues after handling dhcpcd but since you're at it, go ahead!
> >
> > Note that we still have CVE-2015-4000 which would most easily be fixed
> > by having the same nss in all suites but since I got zero feedback from
> > the release team going that route doesn't seem to be an option. We could
> > still handle this via sec updates though.
>
> So I am not sure how to deal with CVE-2015-4000. The patch is
> substantial:
>
> https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24
>
> > Until that it might make sense to add
> >
> > https://github.com/agx/nss-debian/commit/98ff42c58343d70b1b51c8c997b471822c1675f1
> > also at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
> >
> > which (in addition to the certificate test I added) runs the standard
> > nss test cycle as autopkgtest. I've tested this with the sid version but
> > not with wheezy/jessie yet.
>
> It seems like you had those already, and I have included them in the
> package here.
>
> So here's another debdiff for review and testing. This should fix all
> standing issues on wheezy *but* CVE-2015-4000 and CVE-2015-7575.
$ diffstat nss_3.14.5-1+deb7u6.debdiff
changelog | 33 ++++++++++
patches/CVE-2015-7181.patch | 142 ++++++++++++++++++++++++++++++++++++++++++++
patches/CVE-2015-7182.patch | 126 +++++++++++++++++++++++++++++++++++++++
patches/CVE-2016-1938.patch | 89 +++++++++++++++++++++++++++
patches/CVE-2016-1950.patch | 96 +++++++++++++++++++++++++++++
patches/CVE-2016-1978.patch | 96 +++++++++++++++++++++++++++++
patches/CVE-2016-1979.patch | 68 +++++++++++++++++++++
patches/series | 6 +
rules | 14 ++++
9 files changed, 670 insertions(+)
doesn't add anything under debian/tests so it seems the autopkg
mentioned in the changelog went missing.
> CVE-2015-4000 is pretty invasive. I tried porting the patch in, but it
> is pretty invasive and fails to compile because it uses a new error
> message (SSL_ERROR_WEAK_SERVER_CERT_KEY) introduced as part of those
> checks. So I don't feel comfortable backporting all those unused error
> messages or changing the integer identifier of the error message
> here. This should really be fixed by backporting a newer version.
I think so too.
> Similarly, CVE-2015-7575 is marked as not-affected as wheezy doesn't
> support TLS 1.2. It's somehow silly because wheezy should really support
> TLS 1.2, in my opinion. Again, this goes back to the question of
> shipping the same NSS release in all suites...
Could you add these comments to:
https://lists.debian.org/debian-release/2016/02/msg00753.html
so we can hopefully get some traction on this?
> I haven't worked on updating the jessie package, but one should keep in
> mind that both CVE-2015-4000 and CVE-2015-7575 *do* affect the jessie
> package directly and should be backported.
>
> I also put AMD64 builds of the packages here for further testing:
>
> https://people.debian.org/~anarcat/debian/wheezy-lts/
>
> Note that I have *not* tested those packages in any way, but the builtin
> test suite seems to pass. Or at least it doesn't stop the package build,
> yet it *says* there are some failures - I am not sure how to process
> that either:
>
> Tests summary:
> --------------
> Passed: 2352
> Failed: 45
> Failed with core: 0
> Unknown status: 0
This looks unchanged from the unpatched version in wheezy (2:3.14.5-1+deb7u5):
Tests summary:
--------------
Passed: 2352
Failed: 45
Failed with core: 0
Unknown status: 0
In my builds of 3.21-1 the test suite passes cleanly though:
Tests summary:
--------------
Passed: 5669
Failed: 0
Failed with core: 0
Unknown status: 0
(yet another reason why switching to the stretch version would make
sense).
The patches by themselves look good to me.
Cheers,
-- Guido
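The two review checks performed in this mail (does the debdiff actually add files under debian/tests, and did the nss "Tests summary:" counts regress against the baseline) as an added, scripted example that is not part of the thread or of the nss package; the sample debdiff and summary files are constructed inline, and the debdiff header layout is an assumption.

```shell
set -u
WORK=$(mktemp -d)
# Constructed debdiff fragment: like the quoted diffstat it only touches
# debian/patches and debian/rules, nothing under debian/tests.
cat > "$WORK/sample.debdiff" <<'EOF'
--- nss-3.14.5/debian/patches/series
+++ nss-3.14.5/debian/patches/series
@@ -1,0 +2 @@
+CVE-2015-7181.patch
--- nss-3.14.5/debian/rules
+++ nss-3.14.5/debian/rules
@@ -1,0 +2 @@
+# run test suite
EOF
# Constructed summaries: the wheezy baseline quoted in the thread and a
# hypothetical candidate build that lost one test.
printf 'Passed: 2352\nFailed: 45\nFailed with core: 0\nUnknown status: 0\n' > "$WORK/base.txt"
printf 'Passed: 2351\nFailed: 46\nFailed with core: 0\nUnknown status: 0\n' > "$WORK/cand.txt"

# Check 1: print every path under debian/tests that the debdiff adds or
# modifies; return 1 if there is none (the claimed autopkgtest is missing).
debdiff_touches_tests() {
    found=$(sed -n 's#^+++ .*\(debian/tests/[^[:space:]]*\).*#\1#p' "$1")
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Read one numeric counter ("Passed", "Failed with core", ...) from a summary.
summary_field() {
    sed -n "s/^$2: *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Check 2: return 0 if the candidate is no worse than the baseline on every
# counter (passes may grow, failures/cores/unknowns may not), else 1.
summary_no_regression() {
    [ "$(summary_field "$2" Passed)" -ge "$(summary_field "$1" Passed)" ] || return 1
    for f in Failed 'Failed with core' 'Unknown status'; do
        [ "$(summary_field "$2" "$f")" -le "$(summary_field "$1" "$f")" ] || return 1
    done
}

if debdiff_touches_tests "$WORK/sample.debdiff"; then
    echo "debdiff ships autopkgtest files"
else
    echo "WARNING: nothing under debian/tests in debdiff"
fi
summary_no_regression "$WORK/base.txt" "$WORK/cand.txt" && echo "no regression" || echo "test summary regressed"
```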