[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Security update of nss

Hi nss maintainer(s) and LTS team

I have prepared a security update of nss for wheezy to solve the problem described in CVE-2015-4000, for more info see:

One could argue that this is not a problem as the case:
"when a DHE_EXPORT ciphersuite is enabled on a server but not on a client" in combination with TLS 1.2 is a rather rare combination.
However as this is a library and there are many services using this library it is probably better to be safe than sorry.

So I have backported the "NSS patch increasing limit to 1023 bits" (see at the bottom of the above CVE link) to the wheezy version.

For testing I have run the build test suite and it fail just as many times as the previous version. That is 43 failures. So I guess I have not broken anything.
You can find the test results for deb7u7 in nss-build.txt and the test results for the previous version in nss-build-previousversion.txt.

There were no tests for this specific case and it turned out that it was non-trivial to make such a test-case. The main reason was that the test server did not have the possibility to enable DHE EXPORT ciphersuite. I could not find any such way at least.

So I have not been ably to verify that the solution actually works in practice. What I have been able to test is that I have not included any (obvious) regression problem.

The change also export a new symbol in the library but as it is a new one and no function have used it in the past it should not be an issue as far as I can tell.

If anyone have a good idea on how to trigger the event described in CVE-2015-4000 (without implementing an entirely new program), please let me know.

You can find the updated package here:

And the debdiff here:

If there are no objections I will upload the corrected packages in 4 days, that is on Tuesday next week.

Best regards,

// Ola

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Reply to: