
Re: nss security wheezy updates ready for testing



On Thu, Mar 31, 2016 at 04:12:04PM +0200, Guido Günther wrote:
> On Tue, Mar 29, 2016 at 04:28:36PM -0400, Antoine Beaupré wrote:
> > On 2016-03-26 04:33:29, Guido Günther wrote:
> > > Thanks for reviewing this! I was about to look into more recent nss
> > > issues after handling dhcpcd but since you're at it, go ahead!
> > >
> > > Note that we still have CVE-2015-4000 which would most easily be fixed
> > > by having the same nss in all suites but since I got zero feedback from
> > > the release team going that route doesn't seem to be an option. We could
> > > still handle this via sec updates though.
> > 
> > So I am not sure how to deal with CVE-2015-4000. The patch is
> > substantial:
> > 
> > https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24
> > 
> > > Until that it might make sense to add
> > >
> > >     https://github.com/agx/nss-debian/commit/98ff42c58343d70b1b51c8c997b471822c1675f1
> > >     also at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
> > >
> > > which (in addition to the certificate test I added) runs the standard
> > > nss test cycle as autopkgtest. I've tested this with the sid version but
> > > not with wheezy/jessie yet.
> > 
> > It seems like you had those already, and I have included them in the
> > package here.
> > 
> > So here's another debdiff for review and testing. This should fix all
> > standing issues on wheezy *but* CVE-2015-4000 and CVE-2015-7575.
> 
> $ diffstat nss_3.14.5-1+deb7u6.debdiff 
>  changelog                   |   33 ++++++++++
>  patches/CVE-2015-7181.patch |  142 ++++++++++++++++++++++++++++++++++++++++++++
>  patches/CVE-2015-7182.patch |  126 +++++++++++++++++++++++++++++++++++++++
>  patches/CVE-2016-1938.patch |   89 +++++++++++++++++++++++++++
>  patches/CVE-2016-1950.patch |   96 +++++++++++++++++++++++++++++
>  patches/CVE-2016-1978.patch |   96 +++++++++++++++++++++++++++++
>  patches/CVE-2016-1979.patch |   68 +++++++++++++++++++++
>  patches/series              |    6 +
>  rules                       |   14 ++++
>  9 files changed, 670 insertions(+)
> 
> doesn't add anything under debian/tests so it seems the autopkg
> mentioned in the changelog went missing.
> 
> > CVE-2015-4000 is pretty invasive. I tried porting the patch in, but it
> > is pretty invasive and fails to compile because it uses a new error
> > message (SSL_ERROR_WEAK_SERVER_CERT_KEY) introduced as part of those
> > checks. So I don't feel comfortable backporting all those unused error
> > messages or changing the integer identifier of the error message
> > here. This should really be fixed by backporting a newer version.
> 
> I think so too.
> 
> > Similarly, CVE-2015-7575 is marked as not-affected as wheezy doesn't
> > support TLS 1.2. It's somehow silly because wheezy should really support
> > TLS 1.2, in my opinion. Again, this goes back to the question of
> > shipping the same NSS release in all suites...
> 
> Could you add these comments to:
> 
>    https://lists.debian.org/debian-release/2016/02/msg00753.html
> 
> so we can hopefully get some traction on this?
> 
> > I haven't worked on updating the jessie package, but one should keep in
> > mind that both CVE-2015-4000 and CVE-2015-7575 *do* affect the jessie
> > package directly and should be backported.
> > 
> > I also put AMD64 builds of the packages here for further testing:
> > 
> > https://people.debian.org/~anarcat/debian/wheezy-lts/
> > 
> > Note that I have *not* tested those packages in any way, but the builtin
> > test suite seems to pass. Or at least it doesn't stop the package build,
> > yet it *says* there are some failures - I am not sure how to process
> > that either:
> > 
> > Tests summary:
> > --------------
> > Passed:             2352
> > Failed:             45
> > Failed with core:   0
> > Unknown status:     0
> 
> This looks unchanged from the unpatched version in wheezy (2:3.14.5-1+deb7u5):
> 
>     Tests summary:
>     --------------
>     Passed:             2352
>     Failed:             45
>     Failed with core:   0
>     Unknown status:     0
> 
> In my builds of 3.21-1 the test suite passes cleanly though:
> 
>     Tests summary:
>     --------------
>     Passed:             5669
>     Failed:             0
>     Failed with core:   0
>     Unknown status:     0
> 
> (yet another reason why switching to the stretch version would make
> sense).
> 
> The patches by themselves look good to me.

Just to avoid duplicate work: I'll have a look at forward porting these
to jessie since the security team usually wants to update these together
(at least that's what I figured).
Cheers,
 -- Guido
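The thread leaves the question of how to read the 45 failures open: Guido's answer is that the count is identical to the unpatched wheezy build, so the patches introduce no regression even though the baseline itself is not clean. Below is a small added Python script (not part of the thread, the nss test harness or the Debian packaging) that makes that comparison mechanical: it parses the `Tests summary:` block from two build logs and reports any field that moved in the wrong direction. The log excerpts are constructed; the baseline mirrors the numbers quoted above, while the second sample is deliberately altered so the check has something to catch.

```python
"""Compare the nss "Tests summary:" block of two build logs and flag regressions.

Added example, not part of the thread or of the Debian nss packaging. The log
excerpts below are constructed; the baseline numbers mirror those quoted in
the thread for 2:3.14.5-1+deb7u5.
"""
import re
from dataclasses import dataclass

# Constructed sample: the unpatched wheezy build as quoted in the thread.
BASELINE_LOG = """\
Tests summary:
--------------
Passed:             2352
Failed:             45
Failed with core:   0
Unknown status:     0
"""

# Constructed sample: a hypothetical patched build in which two tests flipped
# from passing to failing, so the regression check has something to report.
REGRESSED_LOG = """\
make[1]: Leaving directory '/build/nss/nss/tests'
Tests summary:
--------------
Passed:             2350
Failed:             47
Failed with core:   0
Unknown status:     0
"""

# Labels as printed by the nss test harness, mapped to field names.
SUMMARY_FIELDS = {
    "Passed": "passed",
    "Failed": "failed",
    "Failed with core": "failed_with_core",
    "Unknown status": "unknown",
}
LINE_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(\d+)\s*$")


@dataclass(frozen=True)
class TestSummary:
    passed: int
    failed: int
    failed_with_core: int
    unknown: int

    @property
    def total(self) -> int:
        return self.passed + self.failed + self.failed_with_core + self.unknown


def parse_summary(log_text: str) -> TestSummary:
    """Parse the last 'Tests summary:' block found in a build log."""
    start = log_text.rfind("Tests summary:")
    if start < 0:
        raise ValueError("no 'Tests summary:' block in log")
    values = {}
    for line in log_text[start:].splitlines()[1:]:
        if not line.strip() and values:
            break  # a blank line ends the block once counts have been read
        match = LINE_RE.match(line)
        if match and match.group(1).strip() in SUMMARY_FIELDS:
            values[SUMMARY_FIELDS[match.group(1).strip()]] = int(match.group(2))
    missing = set(SUMMARY_FIELDS.values()) - set(values)
    if missing:
        raise ValueError(f"summary block incomplete, missing {sorted(missing)}")
    return TestSummary(**values)


def compare_summaries(baseline: TestSummary, patched: TestSummary) -> list:
    """Return findings that indicate a regression; an empty list means none."""
    findings = []
    if patched.failed > baseline.failed:
        findings.append(f"failures rose from {baseline.failed} to {patched.failed}")
    if patched.failed_with_core > baseline.failed_with_core:
        findings.append(f"crashes rose from {baseline.failed_with_core} "
                        f"to {patched.failed_with_core}")
    if patched.passed < baseline.passed:
        findings.append(f"passes dropped from {baseline.passed} to {patched.passed}")
    if patched.total != baseline.total:
        findings.append(f"test count changed from {baseline.total} to {patched.total}; "
                        "check whether tests were skipped or dropped")
    return findings


if __name__ == "__main__":
    base = parse_summary(BASELINE_LOG)
    for name, log in (("baseline vs itself", BASELINE_LOG),
                      ("regressed build", REGRESSED_LOG)):
        result = compare_summaries(base, parse_summary(log))
        print(f"{name}: {'no regression' if not result else '; '.join(result)}")
```

Comparing the patched log against the baseline from the same suite, rather than against zero, is what turns an unclean test suite into a usable regression gate; the total-count check catches the case where a patch silently disables tests instead of fixing them.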

