
Re: NSS and logjam in wheezy (CVE-2015-4000)



Hi Guido,

On Thu, May 19, 2016 at 08:11:37AM +0200, Guido Günther wrote:
> On Wed, May 18, 2016 at 03:12:23PM -0400, Antoine Beaupré wrote:
> > On 2016-03-29 16:28:36, Antoine Beaupré wrote:
> > > On 2016-03-26 04:33:29, Guido Günther wrote:
> > >> Thanks for reviewing this! I was about to look into more recent nss
> > >> issues after handling dhcpcd but since you're at it, go ahead!
> > >>
> > >> Note that we still have CVE-2015-4000 which would most easily be fixed
> > >> by having the same nss in all suites but since I got zero feedback from
> > >> the release team going that route doesn't seem to be an option. We could
> > >> still handle this via sec updates though.
> > >
> > > So I am not sure how to deal with CVE-2015-4000. The patch is
> > > substantial:
> > >
> > > https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24
> > 
> > I just sent the DLA for NSS as is, without a fix for CVE-2015-4000. I am
> > actually sorry I forgot about this issue, as I would have liked to use
> > the opportunity of the DLA to clarify our position on logjam and TLS 1.2
> > in wheezy.
> > 
> > Unfortunately, we still have to clarify that position now. :)
> > 
> > So far, I'm tempted to just mark the issue as <no-dsa> (too intrusive to
> > backport), and considering how debian-release doesn't seem sympathetic
> > to the idea of maintaining a similar nss version across suites.
> 
> Bringing up the "same nss in all suites" issue again is on my todo list
> once I'm finished with icedove. There wasn't any feedback to my post[1]
> so far though. We could still go through {jessie,wheezy}-security if the
> security team agrees?

Not sure if I missed something. But if we haven't had a reply from SRM
on [1], maybe it is better to open a bug with that question raised
against release.debian.org. In the past SRM have said that they prefer to
have an actual bug (e.g. as well for other requests instead of a post
to the release mailing list). It just might have slept through.

Could you do that? I think we should really go through that path and
have e.g. the packages first exposed in the
$codename-proposed-updates instead of pushing the "same nss in all
suites + version bump" via -security.

Regards,
Salvatore
