Hi,

Upstream (nss) released 3.12.8 yesterday. Currently, what we have in the archive is 3.12.6 in testing and 3.12.7 in unstable.

3.12.7 has one known issue that is the main reason I kept it out of testing so far: #592315. There is a workaround patch upstream (mozilla) that I haven't applied (yet):
https://bug583337.bugzilla.mozilla.org/attachment.cgi?id=465229

3.12.8 has various additional changes, most notably a fix for CVE-2010-3170 (which, btw, needs to be addressed in stable), an SSL deadlock (https://bugzilla.mozilla.org/show_bug.cgi?id=588698), and adds new root certificates.

Upstream (mozilla) is pushing nss 3.12.8 into both firefox 3.5 and 3.6 in their next round of stability/security updates for the 3 highlighted reasons above.

Technically, there shouldn't be any problem still using 3.12.6 or 3.12.7 except for the changes mentioned above that we'd lack.

We thus have several options:
- apply the 3 mentioned changes to 3.12.6 and update through t-p-u.
- apply the 3 mentioned changes and the upstream workaround for #592315 to 3.12.7 and update through standard testing migration.
- upload 3.12.8 to unstable with the upstream workaround for #592315 and update through standard testing migration.

Note that 3.12.7 and 3.12.8 need the latest nspr in unstable to go with them.

What would be your preferred course of action?

For the record, I'm attaching here the diff between 3.12.7 and 3.12.8. I can provide a corresponding changelog if required.

Thanks,

Mike
Attachment:
diff.gz
Description: Binary data