Bug#774195: marked as done (libnss3: libpkix incorrect prefers older, weaker certs over stronger, newer certs)

Mike Hommey mh at glandium.org
Mon Jun 1 07:46:35 UTC 2015


On Wed, May 27, 2015 at 08:11:35AM +0200, Moritz Mühlenhoff wrote:
> On Mon, May 25, 2015 at 11:21:26AM -0700, Andrew Ayer wrote:
> > On Wed, 20 May 2015 06:39:06 +0000
> > owner at bugs.debian.org (Debian Bug Tracking System) wrote:
> > 
> > > On Wed, May 20, 2015 at 05:58:55PM +1200, VeNoMouS wrote:
> > > >  
> > > > 
> > > > Seriously, how long do we have to wait on this to be fixed... 
> > > 
> > > It *is* fixed, but somehow the BTS doesn't show it in the graph.
> > > 
> > > Now it's up to the security team as to what to do for jessie.
> > 
> > Mike, thanks for uploading the new nss to unstable.
> > 
> > Security team, are you planning a DSA for Jessie to fix this issue, or
> > should it go through the upcoming stable point release?  (Note that
> > the queue for the point release will be frozen this upcoming weekend.)
> > 
> > In either case, I wanted to help, so I've taken the upstream patch[1],
> > which is quite minimal and cleanly applies to the version of nss in
> > Jessie, and prepared an updated package with the patch.  Debdiff
> > attached, and .dsc available here:
> > 
> > 	https://www.cloudmutt.com/s/nss_chain_patch/
> > 
> > I've built it on Jessie and tested it - it fixes the problem and
> > doesn't appear to have had any adverse effects.  Let me know if I've
> > missed anything or could do anything else to help.
> 
> It's up to Mike whether to fix that in the upcoming point release. We're
> not planning a DSA for this issue alone, but it can be fixed along when
> upstream releases changes to address the weakdh issue.

... which, afaik, is in 3.19.1 released a few days ago (and now in
unstable).

Mike


