NSS and logjam in wheezy (CVE-2015-4000)

On 2016-03-29 16:28:36, Antoine Beaupré wrote:
> On 2016-03-26 04:33:29, Guido Günther wrote:
>> Thanks for reviewing this! I was about to look into more recent nss
>> issues after handling dhcpcd but since you're at it, go ahead!
>> Note that we still have CVE-2015-4000 which would most easily be fixed
>> by having the same nss in all suites, but since I got zero feedback from
>> the release team, going that route doesn't seem to be an option. We could
>> still handle this via sec updates though.
> So I am not sure how to deal with CVE-2015-4000. The patch is
> substantial:
> https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24

I just sent the DLA for NSS as is, without a fix for CVE-2015-4000. I am
actually sorry I forgot about this issue, as I would have liked to use
the opportunity of the DLA to clarify our position on logjam and TLS 1.2
in wheezy.

Unfortunately, we still have to clarify that position now. :)

So far, I'm tempted to just mark the issue as <no-dsa> (too intrusive to
backport), considering how debian-release doesn't seem sympathetic
to the idea of maintaining a similar nss version across suites.

Other ideas? Thoughts?


Every one of us is, in the cosmic perspective, precious. If a human
disagrees with you, let him live. In a hundred billion galaxies, you
will not find another.  - Carl Sagan

