Bug#774195: libnss3: libpkix incorrectly prefers older, weaker certs over stronger, newer certs

Robert Norris rob at eatenbyagrue.org
Tue Dec 30 02:57:46 UTC 2014


Package: libnss3
Version: 2:3.17.2-1.1
Severity: normal
Tags: upstream

Upstream has this patch:

  https://bugzilla.mozilla.org/show_bug.cgi?id=1112461

The version in Debian does not have it (reasonable, it's not released
yet). Right now it causes Chrome/Chromium 40+ to show some sites as
using "insecure" TLS settings[1] and more importantly, removing the green
EV badge where available. https://www.fastmail.com/ is one such site.

Normally I'd be happy to wait for upstream to release this and for it to
trickle down into Debian as normal. There is some urgency on this
however - Jessie will be released soon, and Chromium 40 will become the
stable branch soon[2]. At that point many sites will be affected that
shouldn't be unless NSS receives this patch.

I don't know if you want to include it directly in Debian, or push
Mozilla to get it done, or whatever. I'm just flagging it to make sure
that you're aware of it.

Cheers,
Rob N.

1. https://code.google.com/p/chromium/issues/detail?id=437733
2. http://googleonlinesecurity.blogspot.com.au/2014/09/gradually-sunsetting-sha-1.html


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnss3 depends on:
ii  libc6              2.19-13
ii  libnspr4           2:4.10.7-1
ii  libsqlite3-0       3.8.7.2-1
ii  multiarch-support  2.19-13
ii  zlib1g             1:1.2.8.dfsg-2+b1

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information
