Bug#542784: New upstream version available (2.0.0.23)

Mike Hommey mh at glandium.org
Fri Aug 21 20:11:16 UTC 2009


On Fri, Aug 21, 2009 at 08:10:02PM +0200, Alexander Sack wrote:
> On Fri, Aug 21, 2009 at 08:03:36PM +0200, Mike Hommey wrote:
> > On Fri, Aug 21, 2009 at 01:25:23PM +0200, Alexander Sack wrote:
> > > reassign 542784 nss
> > > thanks
> > > 
> > > That bug needs to be fixed in nss (with more fixes because of
> > > blackhat); we updated nss to 3.12.3.1 in Ubuntu everywhere as we
> > > believe that it's better to not do manual-cherry-picking for security
> > > sensitive software like nss.
> > > 
> > > I would suggest the same for Debian, but I am not nss maintainer
> > > so that's beyond my powers ...
> > 
> > Technically, as you are part of the team, you also are a nss
> > maintainer.
> 
> cool :).
> 
> > 
> > > if glandium or security team wants me to prepare such an update, I
> > > could do that after my vacation (will be back on 1st sep).
> > 
> > FWIW, the changes between 3.12.3 which we already have in squeeze and
> > 3.12.3.1 are:
> > - Additional root certs
> > - Fix for Windows startup time (the infamous IE temporary files reading
> >   stuff)
> > - Removal of the CAPI module from the build
> > - Avoid calling RNG_SystemInfoForRNG twice at startup
> > 
> > In other words, squeeze is already ok.
> > 
> > As for Lenny, the security team is on it.
> 
> 
> My suggestion to do full upstream bump was for lenny.

I know, I was just giving status for squeeze.

> New upstream versions are normal for this kind of stuff in
> unstable/testing, so I thought it was not noteworthy.
> 
> Is the security team following that road?

The security team is backporting the fixes.

Mike




