nss update for jessie
Florian Weimer
fw at deneb.enyo.de
Sun Oct 2 20:15:27 UTC 2016
* Mike Hommey:
> I'd go with the latter. You'll have conflict in the debian/patches, it
> might be easier to pick the corresponding ones from the package in
> unstable.
Yeah.
> You might want to consider removing the SPI CA certificate too (done in
> 2:3.21-1)
Good point.
What about the 97_SSL_RENEGOTIATE_TRANSITIONAL.patch? The description
says: “Disallow unsafe renegotiation in server sockets only, but allow
clients to continue to renegotiate with vulnerable servers.” Can we
drop it as well?
I have something that compiles, but I ran across this old issue (“old”
in the sense that it is fixed upstream)
<http://www.openwall.com/lists/oss-security/2016/10/02/>
while building it. I used the s/PR_GetEnvSecure/secure_getenv/
approach for NSS, but this isn't sufficient because some of the
critical environment variables are actually processed by NSPR itself
(which we could give a s/PR_GetEnv/secure_getenv/ treatment in the
worrisome spots).
So ideally, we would have to rebase NSPR as well.
Do you still think that's the right way forward?
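An added example (not code from NSS, NSPR or this thread) of the policy behind the s/PR_GetEnv/secure_getenv/ idea discussed above: environment variables that steer logging paths, file locations or library loading are ignored whenever the process runs with privileges its caller did not have. On glibc that policy is provided by secure_getenv(3), which consults the kernel's AT_SECURE auxv flag; the wrapper names below (env_get_secure and friends) and the variable EXAMPLE_LOG_FILE are invented for illustration.

```c
/* Added example, not NSS/NSPR code.  Must define _GNU_SOURCE before the
 * first include so glibc exposes secure_getenv(). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

#if defined(__GLIBC__)
/* Explicit prototype in case a harness included headers before _GNU_SOURCE. */
extern char *secure_getenv(const char *name);
#endif

/* Is this process running with privileges it did not inherit from its
 * caller (setuid/setgid binary, file capabilities)?  On Linux the kernel
 * records this in the AT_SECURE auxv entry, which is also what glibc's
 * secure_getenv() checks.  Elsewhere fall back to comparing real and
 * effective ids; that catches setuid/setgid but not file capabilities. */
int running_secure(void)
{
#ifdef __linux__
    return getauxval(AT_SECURE) != 0;
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Core policy, with the "secure" decision passed in so it can be exercised
 * without actually being setuid: refuse the variable entirely rather than
 * trying to sanitise its value. */
const char *env_get_secure_with(const char *name, int secure)
{
    if (secure)
        return NULL;
    return getenv(name);
}

/* Drop-in replacement for an unconditional getenv() wrapper. */
const char *env_get_secure(const char *name)
{
    return env_get_secure_with(name, running_secure());
}

/* Same policy via the C library where available (glibc's secure_getenv). */
const char *env_get_secure_libc(const char *name)
{
#if defined(__GLIBC__)
    return secure_getenv(name);
#else
    return env_get_secure(name);
#endif
}

/* The bug class in miniature: a log file path taken from the environment.
 * Returns the path that would be opened, or a harmless default. */
const char *log_file_path(int secure)
{
    const char *p = env_get_secure_with("EXAMPLE_LOG_FILE", secure);
    return p ? p : "/dev/null";
}

int main(void)
{
    /* Constructed input: an attacker-controlled environment. */
    setenv("EXAMPLE_LOG_FILE", "/tmp/attacker-chosen", 1);
    printf("normal process  -> %s\n", log_file_path(0));
    printf("setuid process  -> %s\n", log_file_path(1));
    printf("this process is %s\n", running_secure() ? "secure" : "not secure");
    return 0;
}
```

Run as an ordinary user the first line shows the variable being honoured and the second shows it being dropped; a real setuid binary would take the second path for every lookup, which is why the NSPR-side lookups mentioned above matter as much as the NSS ones.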