Bug#542784: New upstream version available (2.0.0.23)
Mike Hommey
mh at glandium.org
Fri Aug 21 20:11:16 UTC 2009
On Fri, Aug 21, 2009 at 08:10:02PM +0200, Alexander Sack wrote:
> On Fri, Aug 21, 2009 at 08:03:36PM +0200, Mike Hommey wrote:
> > On Fri, Aug 21, 2009 at 01:25:23PM +0200, Alexander Sack wrote:
> > > reassign 542784 nss
> > > thanks
> > >
> > > That bug needs to be fixed in nss (with more fixes because of
> > > blackhat); we updated nss to 3.12.3.1 in Ubuntu everywhere as we
> > > believe that it's better to not do manual-cherry-picking for security
> > > sensitive software like nss.
> > >
> > > I would suggest the same for Debian, but I am not nss maintainer
> > > so that's beyond my powers ...
> >
> > Technically, as you are part of the team, you also are a nss
> > maintainer.
>
> cool :).
>
> >
> > > If glandium or security team wants me to prepare such an update, I
> > > could do that after my vacation (will be back on 1st sep).
> >
> > FWIW, the changes between 3.12.3 which we already have in squeeze and
> > 3.12.3.1 are:
> > - Additional root certs
> > - Fix for Windows startup time (the infamous IE temporary files reading
> > stuff)
> > - Removal of the CAPI module from the build
> > - Avoid calling RNG_SystemInfoForRNG twice at startup
> >
> > In other words, squeeze is already ok.
> >
> > As for Lenny, the security team is on it.
>
>
> My suggestion to do full upstream bump was for lenny.

I know, I was just giving status for squeeze.

> New upstream versions are normal for this kind of stuff in
> unstable/testing, so I thought it was not noteworthy.
>
> Is the security team following that road?

The security team is backporting the fixes.

Mike