Bug#699888: new nss packages fixing cve-2013-1620

Mike Hommey mh at glandium.org
Sun Mar 17 13:28:50 UTC 2013


On Sun, Mar 17, 2013 at 10:10:06AM +0100, Thijs Kinkhorst wrote:
> On Sat, March 16, 2013 22:35, Mike Hommey wrote:
> > On Sat, Mar 16, 2013 at 04:53:00PM -0400, Michael Gilbert wrote:
> >> > We can consider to put it into a DSA in which the text details how to
> >> > disable the options if they cause trouble. An alternative is to put it
> >> > into spu instead, where it may be slightly (probably just slightly) more
> >> > acceptable to change behaviour than in a DSA. But it will also mean
> >> > having to wait a few months at least.
> >> >
> >> > Do you know if RHEL is pushing it through the security channels or the
> >> > stable updates channels?
> >>
> >> For what its worth, ubuntu pushed 3.14 to all of its releases through
> >> their security update channel:
> >> http://www.ubuntu.com/usn/usn-1763-1
> >>
> >> It also looks like bumping nspr was also required:
> >> http://www.ubuntu.com/usn/usn-1763-2
> >
> > IIRC, it's not required, but one of the releases between 4.9.2 and 4.9.5
> > fixed some issue that might be worth fixing at this point.
> >
> >> Do you want me to look at preparing those updates for squeeze?
> >
> > I'd rather know what we do wrt md5, ssl2 and beast.
> >
> >> In the meantime, this should really be fixed in unstable.  Mike, do
> >> you want to do a maintainer upload, or is ok if I go ahead with the
> >> nmu?
> >
> > Likewise, I'd rather know what we do wrt md5, and while at it, cacert
> > (the cert of which uses a md5 signature at the moment, so it effectively
> > doesn't work ; see bug 682470) before uploading, so as to avoid doing
> > two uploads.
> 
> What information is still lacking to make a decision on that?

Rereading your message, nothing, so I'm preparing an upload of 3.14.3
with no other change. Turns out the cacert md5 signature is not a
problem in itself, and bug 682470 is actually about another cacert root.

Now, the problem with 3.14 is that it apparently broke other things:
bug 682470.

Mike


