Bug#699888: new nss packages fixing cve-2013-1620

Mike Hommey mh at glandium.org
Sat Mar 16 07:34:02 UTC 2013


On Fri, Mar 15, 2013 at 06:52:45PM +0100, Mike Hommey wrote:
> I was considering we should get 3.14.x in both testing and
> stable-security, actually, but it needs some work to make it on par with
> the versions in testing and stable, because in its current state it
> breaks some things people might expect not to be broken with a stable
> update (most notoriously, md5 signatures of certificates are rejected,
> and there are a few other things like that)

So, here is a bit more info:
- 3.13 disabled SSL 2.0 by default
- 3.13 added a defense against the Rizzo and Duong attack, which is
  known to break applications. It can be disabled easily.
- 3.14 removed support for md5 signatures of certificates.

These are the main compatibility issues we'd have with bumping NSS to
3.14 in stable (where it's 3.12) and testing (where it's 3.13). All of
them can be fixed by turning some constants to PR_FALSE. That would
leave us with the possibility of pure bugs emerging. I think we should
take that risk, especially considering the fixes we can't backport.
That would also fix bug 697865 (that one is backportable, but that's
painful and risky).

FWIW, AFAIK, Red Hat is pushing 3.14 to all its long term support
releases.

Mike