Bug#774195: marked as done (libnss3: libpkix incorrect prefers older, weaker certs over stronger, newer certs)

Andrew Ayer agwa at andrewayer.name
Mon May 25 18:21:26 UTC 2015

On Wed, 20 May 2015 06:39:06 +0000
owner at bugs.debian.org (Debian Bug Tracking System) wrote:

> On Wed, May 20, 2015 at 05:58:55PM +1200, VeNoMouS wrote:
> >  
> > 
> > Seriously, how long do we have to wait on this to be fixed... 
> It *is* fixed, but somehow the BTS doesn't show it in the graph.
> Now it's up to the security team as to what to do for jessie.

Mike, thanks for uploading the new nss to unstable.

Security team, are you planning a DSA for Jessie to fix this issue, or
should it go through the upcoming stable point release?  (Note that
the queue for the point release will be frozen this upcoming weekend.)

In either case, I wanted to help, so I've taken the upstream patch[1],
which is quite minimal and cleanly applies to the version of nss in
Jessie, and prepared an updated package with the patch.  Debdiff
attached, and .dsc available here:


I've built it on Jessie and tested it - it fixes the problem and
doesn't appear to have had any adverse effects.  Let me know if I've
missed anything or could do anything else to help.


[1] https://hg.mozilla.org/projects/nss/rev/34e1379ff6c7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nss-chain-patch.debdiff
Type: text/x-diff
Size: 6470 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20150525/03893f09/attachment.diff>

More information about the pkg-mozilla-maintainers mailing list