Bug#774195: marked as done (libnss3: libpkix incorrect prefers older, weaker certs over stronger, newer certs)
agwa at andrewayer.name
Thu May 28 18:46:16 UTC 2015
On Wed, 27 May 2015 08:11:35 +0200
Moritz Mühlenhoff <jmm at inutil.org> wrote:
> It's up to Mike whether to fix that in the upcoming point release.
> We're not planning a DSA for this issue alone, but it can be fixed
> along when upstream releases changes to address the weakdh issue.
Mike, are you planning to upload this fix for the upcoming point
release? A couple reasons why this bug is important to fix:
1. It causes users of NSS to construct a SHA-1 certificate chain even
when a server serves a SHA-2 certificate chain. Chrome shows a
security warning because of this. Users will either become
unnecessarily alarmed by the warning, or ignore it and become
desensitized to security warnings.
2. It allows a mild form of DoS - a website could maliciously serve a
SHA-1 chain, polluting the cache, triggering security warnings when
visiting other websites.
The patch is minimal and applies cleanly to the version of nss in
Jessie. The debdiff I provided should be ready for upload once you
finalize debian/changelog with `dch -r`.
More information about the pkg-mozilla-maintainers