Bug#774195: marked as done (libnss3: libpkix incorrect prefers older, weaker certs over stronger, newer certs)

Andrew Ayer agwa at andrewayer.name
Thu May 28 18:46:16 UTC 2015

On Wed, 27 May 2015 08:11:35 +0200
Moritz Mühlenhoff <jmm at inutil.org> wrote:

> It's up to Mike whether to fix that in the upcoming point release.
> We're not planning a DSA for this issue alone, but it can be fixed
> along when upstream releases changes to address the weakdh issue.

Mike, are you planning to upload this fix for the upcoming point
release?  A couple reasons why this bug is important to fix:

1. It causes users of NSS to construct a SHA-1 certificate chain even
when a server serves a SHA-2 certificate chain.  Chrome shows a
security warning because of this.  Users will either become
unnecessarily alarmed by the warning, or ignore it and become
desensitized to security warnings.

2. It allows a mild form of DoS - a website could maliciously serve a
SHA-1 chain, polluting the cache, triggering security warnings when
visiting other websites.

The patch is minimal and applies cleanly to the version of nss in
Jessie.  The debdiff I provided should be ready for upload once you
finalize debian/changelog with `dch -r`.


More information about the pkg-mozilla-maintainers mailing list