[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Possible update of libnss3


Upstream (nss) release 3.12.8 yesterday. Currently, what we have in the
archive is 3.12.6 in testing and 3.12.7 in unstable.

3.12.7 has one known issue that is the main reason I kept it out of
testing so far: #592315. There is a workaround patch upstream (mozilla)
that I haven't applied (yet):

3.12.8 has various additional changes, most notably a fix for
CVE-2010-3170 (which, btw, needs to be addressed in stable), a SSL
deadlock (https://bugzilla.mozilla.org/show_bug.cgi?id=588698), and
adds new root certificates.

Upstream (mozilla) is pushing nss 3.12.8 into both firefox 3.5 and 3.6
in their next round of stability/security updates for the 3 highlighted
reasons above. Technically, there shouldn't be any problem still using
3.12.6 or 3.12.7 except for the changes mentioned above that we'd lack.

We thus have several options:
- apply the 3 mentioned changes to 3.12.6 and update through t-p-u.
- apply the 3 mentioned changes and the upstream workaround for #592315
  to 3.12.7 and update through standard testing migration.
- upload 3.12.8 to unstable with the upstream workaround for #592315
  and update through standard testing migration.

Note that 3.12.7 and 3.12.8 need the latest nspr in unstable to go with

What would be your preferred course of action?

For the record, I'm attaching here the diff between 3.12.7 and 3.12.8.
I can provide a corresponding changelog if required.



Attachment: diff.gz
Description: Binary data

Reply to: