Bug#736061: libnss3: system shared db enabled leads to local overrides being ignored

Yves-Alexis Perez corsac at debian.org
Mon Jan 20 10:02:22 UTC 2014 

On Sun, Jan 19, 2014 at 11:08:24AM +0100, Yves-Alexis Perez wrote:
> Package: libnss3
> Version: 2:3.15.4-1
> Severity: important
> 
> Hi,
> 
> I use evolution which uses the shared db in ~/.pki since a long time.
> I've added my own root AC there, and disabled pretty much every other AC
> since I won't use them (and actually receiving a certificate chain
> leading to a common AC would mean someone is trying to MITM me…).
> 
> With the 2:3.15.4-1 nss upload (which apparently enable the system
> shared db) my local AC is gone from the authority and all the other
> trust bits have been reset to the default.
> 
> I've not set it RC, but it's really pretty annoying and can be
> dangerous. I'm unsure if the problem lies in nss or in the way evolution
> loads the DB.

Actually, it might be an ABI issue with evolution or something like
that. On the system where I've not added back my certificates (and thus
I can't access my mails from evolution), here's the output from
evolution startup:

----
corsac at scapa: evolution

(evolution:29460): camel-WARNING **: Failed to initialize NSS SQL database in sql:/etc/pki/nssdb: NSS error -8187

(evolution:29460): camel-WARNING **: Unable to load store summary: Expected version (1), got (0)

(evolution:29460): camel-WARNING **: Cannot load summary file: Success

(evolution:29460): camel-WARNING **: Unable to load store summary: Expected version (1), got (0)

(evolution:29460): camel-WARNING **: Cannot load summary file: Success
----

Same output on the one where I did add back my local AC, but it still
manages to initialize NSS since it'll later correctly connect to my mail
server.

If you need more information, please ask.

Regards,
-- 
Yves-Alexis Perez
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20140120/8960ea67/attachment.sig>

More information about the pkg-mozilla-maintainers mailing list