Re: nss 3.26.2 in jessie?
Hi,
On Thu, Dec 22, 2016 at 11:08:50AM +0100, Moritz Muehlenhoff wrote:
> On Wed, Dec 21, 2016 at 05:27:30PM -0500, Antoine Beaupré wrote:
> > Hi,
> >
> > We (the LTS team, but mainly me and buxy) are working on an update to
> > the NSS package for wheezy, and we just packaged the upstream 3.26.2
> > release since it was a minimal diff that was easy to review.
> >
> > We can't really update with a 3.26.2 version without making sure jessie
> > follows suite as well.
> >
> > Can I upload that package to 3.26.2? For now it looks like this:
>
> The only issue open in jessie is CVE-2016-9074, which doesn't really
> warrant a DSA on it's own. We can reconsider a DSA if further nss
> vulnerabilities appear.
>
> For LTS you could simply base on 2:3.26-1+debu8u1 and cherrypick
> the patch for CVE-2016-9074 on top.
s/2:3.26-1+debu8u1/2:3.26-1+debu7u1/.
It is as well fine if you want to ask SRM for inclusion of an update
of nss via jessie-pu basend on an import of 3.26.2; the jessie point
release is pending for 14th of January (and window for upload closing
the weekend before on on 7th).
https://lists.debian.org/debian-release/2016/12/msg00328.html
Regards,
Salvatore
Reply to: