Bug#699888: new nss packages fixing cve-2013-1620

Thijs Kinkhorst thijs at debian.org
Sun Mar 17 09:10:06 UTC 2013


On Sat, March 16, 2013 22:35, Mike Hommey wrote:
> On Sat, Mar 16, 2013 at 04:53:00PM -0400, Michael Gilbert wrote:
>> > We can consider putting it into a DSA in which the text details how to
>> > disable the options if they cause trouble. An alternative is to put it
>> > into spu instead, where it may be slightly (probably just slightly)
>> > more acceptable to change behaviour than in a DSA. But it will also
>> > mean having to wait a few months at least.
>> >
>> > Do you know if RHEL is pushing it through the security channels or the
>> > stable updates channels?
>>
>> For what it's worth, ubuntu pushed 3.14 to all of its releases through
>> their security update channel:
>> http://www.ubuntu.com/usn/usn-1763-1
>>
>> It also looks like bumping nspr was required:
>> http://www.ubuntu.com/usn/usn-1763-2
>
> IIRC, it's not required, but one of the releases between 4.9.2 and 4.9.5
> fixed some issue that might be worth fixing at this point.
>
>> Do you want me to look at preparing those updates for squeeze?
>
> I'd rather know what we do wrt md5, ssl2 and beast.
>
>> In the meantime, this should really be fixed in unstable.  Mike, do
>> you want to do a maintainer upload, or is ok if I go ahead with the
>> nmu?
>
> Likewise, I'd rather know what we do wrt md5, and while at it, cacert
> (the cert of which uses an md5 signature at the moment, so it effectively
> doesn't work; see bug 682470) before uploading, so as to avoid doing
> two uploads.

What information is still lacking to make a decision on that?


Thijs
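Mike's point about the cacert certificate is that its outer signatureAlgorithm is MD5-based, which is what stops working once the MD5 behaviour in the new nss is in play. The script below is an added example, not code from this bug report, from nss or from the cacert package: it reads the signatureAlgorithm OID straight out of a DER or PEM certificate (only the three top-level fields of RFC 5280's Certificate SEQUENCE are parsed, so it runs on any real certificate file) and flags md5WithRSAEncryption. The sample certificate it builds is constructed in-code with a dummy tbsCertificate; it is not CAcert's root and is not a valid certificate. The OID table, the function names and the sample are all assumptions of this example.

```python
"""Flag DER/PEM X.509 certificates whose signatureAlgorithm is MD5-based.

Added example; not code from the Debian bug thread, nss or cacert.
Only the outer Certificate SEQUENCE is parsed (tbsCertificate,
signatureAlgorithm, signatureValue), so any real certificate works.
The sample certificate built below is constructed and non-functional.
"""
import base64
import re

# MD5-based signature algorithm OID (PKCS #1 / RFC 3279); assumed list,
# extend it if you need to catch other legacy arcs.
MD5_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def _read_tlv(buf, pos):
    """Parse DER tag+length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form, e.g. 1.2.840.113549.1.1.4."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this sub-identifier
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def _to_der(data):
    """Accept DER bytes or a PEM str/bytes and return DER bytes."""
    if isinstance(data, str):
        data = data.encode()
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_algorithm_oid(data):
    """Return the dotted OID from the certificate's outer signatureAlgorithm field."""
    der = _to_der(data)
    tag, start, _ = _read_tlv(der, 0)                    # Certificate ::= SEQUENCE {
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(der, start)               #   tbsCertificate (skipped)
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, alg_start, _ = _read_tlv(der, tbs_end)           #   signatureAlgorithm SEQUENCE {
    if tag != 0x30:
        raise ValueError("signatureAlgorithm missing")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)   #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("algorithm OID missing")
    return _decode_oid(der[oid_start:oid_end])


def uses_md5_signature(data):
    """True if the certificate is signed with an MD5-based algorithm."""
    return signature_algorithm_oid(data) in MD5_SIGNATURE_OIDS


# --- helpers to build a constructed sample certificate (not a real cert) ---

def _der(tag, payload):
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))


def build_sample_certificate(sig_oid):
    """Constructed certificate: dummy tbsCertificate, real signatureAlgorithm encoding."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                   # placeholder body
    alg = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")     # OID + NULL parameters
    sig = _der(0x03, b"\x00" + bytes(16))                    # BIT STRING, dummy signature
    return _der(0x30, tbs + alg + sig)


def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE envelope."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):  # md5 / sha256 WithRSA
        verdict = "MD5-signed" if uses_md5_signature(build_sample_certificate(oid)) else "ok"
        print(oid, "->", verdict)
```

To audit a shipped bundle, feed each file from /etc/ssl/certs (or the ca-certificates source tree) to uses_md5_signature(); anything flagged is a candidate for the same breakage Mike describes for cacert.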



More information about the pkg-mozilla-maintainers mailing list