
Re: nss security wheezy updates ready for testing



On 2016-03-31 10:12:04, Guido Günther wrote:
> On Tue, Mar 29, 2016 at 04:28:36PM -0400, Antoine Beaupré wrote:
>> On 2016-03-26 04:33:29, Guido Günther wrote:
>> > Until that it might make sense to add
>> >
>> >     https://github.com/agx/nss-debian/commit/98ff42c58343d70b1b51c8c997b471822c1675f1
>> >     also at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
>> >
>> > which (in addition to the certificate test I added) runs the standard
>> > nss test cycle as autopkgtest. I've tested this with the sid version but
>> > not with wheezy/jessie yet.
>> 
>> It seems like you had those already, and I have included them in the
>> package here.
>> 
>> So here's another debdiff for review and testing. This should fix all
>> standing issues on wheezy *but* CVE-2015-4000 and CVE-2015-7575.
>
> $ diffstat nss_3.14.5-1+deb7u6.debdiff 
>  changelog                   |   33 ++++++++++
>  patches/CVE-2015-7181.patch |  142 ++++++++++++++++++++++++++++++++++++++++++++
>  patches/CVE-2015-7182.patch |  126 +++++++++++++++++++++++++++++++++++++++
>  patches/CVE-2016-1938.patch |   89 +++++++++++++++++++++++++++
>  patches/CVE-2016-1950.patch |   96 +++++++++++++++++++++++++++++
>  patches/CVE-2016-1978.patch |   96 +++++++++++++++++++++++++++++
>  patches/CVE-2016-1979.patch |   68 +++++++++++++++++++++
>  patches/series              |    6 +
>  rules                       |   14 ++++
>  9 files changed, 670 insertions(+)
>
> doesn't add anything under debian/tests so it seems the autopkg
> mentioned in the changelog went missing.

Hmm... maybe I misunderstand how that stuff works, but the tests were
run anyways...

[...]

>> Similarly, CVE-2015-7575 is marked as not-affected as wheezy doesn't
>> support TLS 1.2. It's somehow silly because wheezy should really support
>> TLS 1.2, in my opinion. Again, this goes back to the question of
>> shipping the same NSS release in all suites...
>
> Could you add these comments to:
>
>    https://lists.debian.org/debian-release/2016/02/msg00753.html
>
> so we can hopefully get some traction on this?

Done.

[...]

> The patches by themselves look good to me.

Alright, I'll rebuild with the tests/ directory, we'll see how that
goes. :)

A.

-- 
During the initial stage of the struggle, the oppressed, instead of
striving for liberation, tend themselves to become oppressors. The very
structure of their thought has been conditioned by the contradictions of
the concrete, existential situation by which they were shaped. Their
ideal is to be men; but for them, to be men is to be oppressors. This is
their model of humanity.
                        - Paulo Freire, Pedagogy of the Oppressed

