Bug#699888: new nss packages fixing cve-2013-1620

Yves-Alexis Perez corsac at debian.org
Sat Mar 16 08:37:25 UTC 2013


On sam., 2013-03-16 at 08:34 +0100, Mike Hommey wrote:
> So, here is a bit more info:
> - 3.13 disabled SSL 2.0 by default
> - 3.13 added a defense against the Rizzo and Duong attack, which is
>   known to break applications. It can be disabled easily.
> - 3.14 removed support for md5 signature of certificates.
> 
> These are the main compatibility issues we'd have with bumping NSS to
> 3.14 in stable (where it's 3.12) and testing (where it's 3.13). All of
> them can be fixed by turning some constants to PR_FALSE. That would
> leave us with the possibility of pure bugs emerging. I think we should
> take that risk, especially considering the fixes we can't backport.
> That would also fix bug 697865 (that one is backportable, but that's
> painful and risky).
> 
> FWIW, AFAIK, RedHat is pushing 3.14 to all its long term support
> releases.

I know it's invasive, but I'm not sure we won't have to do it anyway during
Wheezy's support life. I mean, nobody should do SSL 2.0 at all anyway
(OpenSSL already disables SSLv2 in 1.0.1, even though it doesn't matter
for browsers), and MD5 for certificates is known to be broken too.

It's definitely late for such a surprise for users, but will it be better
if it's done during the life of a stable release?

Regards,
-- 
Yves-Alexis