
Re: NSS and logjam in wheezy (CVE-2015-4000)



On Wed, May 18, 2016 at 03:12:23PM -0400, Antoine Beaupré wrote:
> On 2016-03-29 16:28:36, Antoine Beaupré wrote:
> > On 2016-03-26 04:33:29, Guido Günther wrote:
> >> Thanks for reviewing this! I was about to look into more recent nss
> >> issues after handling dhcpcd but since you're at it, go ahead!
> >>
> >> Note that we still have CVE-2015-4000 which would most easily be fixed
> >> by having the same nss in all suites but since I got zero feedback from
> >> the release team going that route doesn't seem to be an option. We could
> >> still handle this via sec updates though.
> >
> > So I am not sure how to deal with CVE-2015-4000. The patch is
> > substantial:
> >
> > https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24
> 
> I just sent the DLA for NSS as is, without a fix for CVE-2015-4000. I am
> actually sorry I forgot about this issue, as I would have liked to use
> the opportunity of the DLA to clarify our position on logjam and TLS 1.2
> in wheezy.
> 
> Unfortunately, we still have to clarify that position now. :)
> 
> So far, I'm tempted to just mark the issue as <no-dsa> (too intrusive to
> backport), and considering how debian-release doesn't seem sympathetic
> to the idea of maintaining a similar nss version across suites.

Bringing up the "same nss in all suites" issue again is on my todo list
once I'm finished with icedove. There wasn't any feedback to my post[1]
so far though. We could still go through {jessie,wheezy}-security if the
security team agrees?

> Other ideas? Thoughts?

The heavy users of nss, iceweasel and icedove, use current implementations
but I don't feel well having wheezy and jessie with
CVE-2015-4000 unfixed. So wouldn't we be better off uploading the current nss
to {jessie,wheezy}-security? If not we should IMHO invest the time to
backport the changes.

Cheers,
 -- Guido

[1] https://lists.debian.org/debian-release/2016/02/msg00753.html

