Bug#699888: new nss packages fixing cve-2013-1620

Mike Hommey mh at glandium.org
Sat Mar 16 21:35:06 UTC 2013


On Sat, Mar 16, 2013 at 04:53:00PM -0400, Michael Gilbert wrote:
> > We can consider to put it into a DSA in which the text details how to disable
> > the options if they cause trouble. An alternative is to put it into spu
> > instead, where it may be slightly (probably just slightly) more acceptable to
> > change behaviour than in a DSA. But it will also mean having to wait a few
> > months at least.
> >
> > Do you know if RHEL is pushing it through the security channels or the stable
> > updates channels?
> 
> For what it's worth, Ubuntu pushed 3.14 to all of its releases through
> their security update channel:
> http://www.ubuntu.com/usn/usn-1763-1
> 
> It also looks like bumping nspr was also required:
> http://www.ubuntu.com/usn/usn-1763-2

IIRC, it's not required, but one of the releases between 4.9.2 and 4.9.5
fixed some issue that might be worth fixing at this point.

> Do you want me to look at preparing those updates for squeeze?

I'd rather know what we do wrt md5, ssl2 and beast.

> In the meantime, this should really be fixed in unstable.  Mike, do
> you want to do a maintainer upload, or is it ok if I go ahead with the
> nmu?

Likewise, I'd rather know what we do wrt md5, and while at it, cacert
(the cert of which uses a md5 signature at the moment, so it effectively
doesn't work; see bug 682470) before uploading, so as to avoid doing
two uploads.

Mike



More information about the pkg-mozilla-maintainers mailing list