Re: nss security wheezy updates ready for testing
On Thu, Mar 31, 2016 at 04:12:04PM +0200, Guido Günther wrote:
> On Tue, Mar 29, 2016 at 04:28:36PM -0400, Antoine Beaupré wrote:
> > On 2016-03-26 04:33:29, Guido Günther wrote:
> > > Thanks for reviewing this! I was about to look into more recent nss
> > > issues after handling dhcpcd but since you're at it, go ahead!
> > >
> > > Note that we still have CVE-2015-4000 which would most easily be fixed
> > > by having the same nss in all suites but since I got zero feedback from
> > > the release team going that route doesn't seem to be an option. We could
> > > still handle this via sec updates though.
> >
> > So I am not sure how to deal with CVE-2015-4000. The patch is
> > substantial:
> >
> > https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24
> >
> > > Until that it might make sense to add
> > >
> > > https://github.com/agx/nss-debian/commit/98ff42c58343d70b1b51c8c997b471822c1675f1
> > > also at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
> > >
> > > which (in addition to the certificate test I added) runs the standard
> > > nss test cycle as autopkgtest. I've tested this with the sid version but
> > > not with wheezy/jessie yet.
> >
> > It seems like you had those already, and I have included them in the
> > package here.
> >
> > So here's another debdiff for review and testing. This should fix all
> > standing issues on wheezy *but* CVE-2015-4000 and CVE-2015-7575.
>
> $ diffstat nss_3.14.5-1+deb7u6.debdiff
> changelog | 33 ++++++++++
> patches/CVE-2015-7181.patch | 142 ++++++++++++++++++++++++++++++++++++++++++++
> patches/CVE-2015-7182.patch | 126 +++++++++++++++++++++++++++++++++++++++
> patches/CVE-2016-1938.patch | 89 +++++++++++++++++++++++++++
> patches/CVE-2016-1950.patch | 96 +++++++++++++++++++++++++++++
> patches/CVE-2016-1978.patch | 96 +++++++++++++++++++++++++++++
> patches/CVE-2016-1979.patch | 68 +++++++++++++++++++++
> patches/series | 6 +
> rules | 14 ++++
> 9 files changed, 670 insertions(+)
>
> doesn't add anything under debian/tests so it seems the autopkg
> mentioned in the changelog went missing.
>
> > CVE-2015-4000 is pretty invasive. I tried porting the patch in, but it
> > is pretty invasive and fails to compile because it uses a new error
> > message (SSL_ERROR_WEAK_SERVER_CERT_KEY) introduced as part of those
> > checks. So I don't feel comfortable backporting all those unused error
> > messages or changing the integer identifier of the error message
> > here. This should really be fixed by backporting a newer version.
>
> I think so too.
>
> > Similarly, CVE-2015-7575 is marked as not-affected as wheezy doesn't
> > support TLS 1.2. It's somehow silly because wheezy should really support
> > TLS 1.2, in my opinion. Again, this goes back to the question of
> > shipping the same NSS release in all suites...
>
> Could you add these comments to:
>
> https://lists.debian.org/debian-release/2016/02/msg00753.html
>
> so we can hopefully get some traction on this?
>
> > I haven't worked on updating the jessie package, but one should keep in
> > mind that both CVE-2015-4000 and CVE-2015-7575 *do* affect the jessie
> > package directly and should be backported.
> >
> > I also put AMD64 builds of the packages here for further testing:
> >
> > https://people.debian.org/~anarcat/debian/wheezy-lts/
> >
> > Note that I have *not* tested those packages in any way, but the builtin
> > test suite seems to pass. Or at least it doesn't stop the package build,
> > yet it *says* there are some failures - I am not sure how to process
> > that either:
> >
> > Tests summary:
> > --------------
> > Passed: 2352
> > Failed: 45
> > Failed with core: 0
> > Unknown status: 0
>
> This looks unchanged from the unpatched version in wheezy (2:3.14.5-1+deb7u5):
>
> Tests summary:
> --------------
> Passed: 2352
> Failed: 45
> Failed with core: 0
> Unknown status: 0
>
> In my builds of 3.21-1 the test suite passes cleanly though:
>
> Tests summary:
> --------------
> Passed: 5669
> Failed: 0
> Failed with core: 0
> Unknown status: 0
>
> (yet another reason why switching to the stretch version would make
> sense).
>
> The patches by themselves look good to me.
Just to avoid duplicate work: I'll have a look at forward porting these
to jessie since the security team usually wants to update these together
(at least that's what I figured).
Cheers,
-- Guido
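The thread notes that the wheezy build prints "Failed: 45" yet does not stop, and that the only way to judge the deb7u6 debdiff was to compare its counts by eye against deb7u5. Below is an added example, not code from the nss package, the debdiff or either poster, of a POSIX sh gate that parses the "Tests summary:" block and fails on a regression against a known baseline rather than on any non-zero count. The function names (summary_field, summary_clean, no_regression) are hypothetical; the summary text is in the format quoted above, with the counts for deb7u5/deb7u6 and 3.21-1 taken from the thread and the REGRESSED sample constructed to show a failing case.

```sh
#!/bin/sh
# Added example (not from nss or the debdiff): gate a package build or
# autopkgtest on the NSS "Tests summary:" block instead of ignoring it.

# Print the numeric value of one summary line, e.g. "Failed: 45" -> 45.
# $1 = summary text, $2 = exact field label ("Failed", "Failed with core", ...)
# The anchored pattern keeps "Failed:" from matching "Failed with core:".
summary_field() {
    printf '%s\n' "$1" | sed -n "s/^$2: *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Return 0 only if every failure counter in the summary is zero.
# This is the right gate for a tree like 3.21-1 that is expected to be clean.
summary_clean() {
    [ "$(summary_field "$1" 'Failed')" = 0 ] &&
    [ "$(summary_field "$1" 'Failed with core')" = 0 ] &&
    [ "$(summary_field "$1" 'Unknown status')" = 0 ]
}

# Return 0 if the new summary is no worse than the baseline: no failure
# counter grew and the passed count did not shrink (tests that vanished
# are not progress). Return 2 if a counter could not be parsed at all.
# $1 = baseline summary text, $2 = new summary text
no_regression() {
    nr_base=$1
    nr_new=$2
    for nr_field in 'Failed' 'Failed with core' 'Unknown status' 'Passed'; do
        nr_b=$(summary_field "$nr_base" "$nr_field")
        nr_n=$(summary_field "$nr_new" "$nr_field")
        [ -n "$nr_b" ] && [ -n "$nr_n" ] || return 2
        if [ "$nr_field" = Passed ]; then
            [ "$nr_n" -ge "$nr_b" ] || return 1
        else
            [ "$nr_n" -le "$nr_b" ] || return 1
        fi
    done
}

# Sample summaries. Counts for deb7u5/deb7u6 and 3.21-1 are the ones
# quoted in the thread; REGRESSED is constructed to show a failing gate.
WHEEZY_U5='Tests summary:
--------------
Passed: 2352
Failed: 45
Failed with core: 0
Unknown status: 0'

WHEEZY_U6="$WHEEZY_U5"   # the patched package reported identical counts

STRETCH_321='Tests summary:
--------------
Passed: 5669
Failed: 0
Failed with core: 0
Unknown status: 0'

REGRESSED='Tests summary:
--------------
Passed: 2350
Failed: 47
Failed with core: 0
Unknown status: 0'

# Usage: in debian/rules or a debian/tests script, capture the tail of the
# test log into a variable and call one of the gates; a non-zero exit
# fails the build instead of letting "Failed: 45" scroll past.
summary_clean "$STRETCH_321" && echo "3.21-1: test suite clean"
no_regression "$WHEEZY_U5" "$WHEEZY_U6" && echo "deb7u6: no regression vs deb7u5"
no_regression "$WHEEZY_U5" "$REGRESSED" || echo "regression detected, exit $?"
```

The baseline comparison is deliberate: with 45 long-standing failures in the wheezy tree, a plain "fail if anything failed" rule would block every security upload, so the useful gate for a stable suite is "no new failures", while the clean-tree gate is what you would wire up once the suite moves to a version like 3.21-1 that passes completely.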