Bug#774195: marked as done (libnss3: libpkix incorrect prefers older, weaker certs over stronger, newer certs)

Moritz Mühlenhoff jmm at inutil.org
Wed May 27 06:11:35 UTC 2015

On Mon, May 25, 2015 at 11:21:26AM -0700, Andrew Ayer wrote:
> On Wed, 20 May 2015 06:39:06 +0000
> owner at bugs.debian.org (Debian Bug Tracking System) wrote:
> > On Wed, May 20, 2015 at 05:58:55PM +1200, VeNoMouS wrote:
> > >  
> > > 
> > > Seriously, how long do we have to wait on this to be fixed... 
> > 
> > It *is* fixed, but somehow the BTS doesn't show it in the graph.
> > 
> > Now it's up to the security team as to what to do for jessie.
> Mike, thanks for uploading the new nss to unstable.
> Security team, are you planning a DSA for Jessie to fix this issue, or
> should it go through the upcoming stable point release?  (Note that
> the queue for the point release will be frozen this upcoming weekend.)
> In either case, I wanted to help, so I've taken the upstream patch[1],
> which is quite minimal and cleanly applies to the version of nss in
> Jessie, and prepared an updated package with the patch.  Debdiff
> attached, and .dsc available here:
> 	https://www.cloudmutt.com/s/nss_chain_patch/
> I've built it on Jessie and tested it - it fixes the problem and
> doesn't appear to have had any adverse effects.  Let me know if I've
> missed anything or could do anything else to help.

It's up to Mike whether to fix that in the upcoming point release. We're
not planning a DSA for this issue alone, but it can be fixed along when
upstream releases changes to address the weakdh issue.

