Bug#699888: new nss packages fixing cve-2013-1620

Mike Hommey mh at glandium.org
Fri Mar 15 17:52:45 UTC 2013

On Fri, Mar 15, 2013 at 05:50:08PM +0100, Yves-Alexis Perez wrote:
> On jeu., 2013-03-14 at 22:48 -0400, Michael Gilbert wrote:
> > Hi,
> > 
> > I've prepared new nss packages fixing the "lucky 13" issue:
> > http://people.debian.org/~mgilbert
> > 
> > For the mozilla team, this is a new upstream, so would you be ok with
> > it uploaded as an nmu, or would you like to upload?
> > 
> > For the security team, these fixes are so large that I think a
> > backport is likely impossible.  Should (can) we attempt to convince
> > the release team to jump from 3.13.6 to 3.14.3 in testing, or is that
> > crazy at this point in the freeze?  If not, then what?
> > 
> Manually adding Mike in the loop because of the broken BTS.

I was considering we should get 3.14.x in both testing and
stable-security, actually, but it needs some work to make it on par with
the versions in testing and stable, because in its current state it
breaks some things people might expect not to be broken with a stable
update (most notoriously, md5 signature of certificates are rejected,
and there are a few other things like that)


More information about the pkg-mozilla-maintainers mailing list