Security update of nss
Ola Lundqvist
ola at inguza.com
Fri Jun 3 22:08:43 UTC 2016
Hi nss maintainer(s) and LTS team,

I have prepared a security update of nss for wheezy to solve the problem described in CVE-2015-4000, for more info see:
https://security-tracker.debian.org/tracker/CVE-2015-4000

One could argue that this is not a problem, as the case "when a DHE_EXPORT ciphersuite is enabled on a server but not on a client" in combination with TLS 1.2 is a rather rare combination. However, as this is a library and there are many services using this library, it is probably better to be safe than sorry.

So I have backported the "NSS patch increasing limit to 1023 bits" (see at the bottom of the above CVE link) to the wheezy version.

For testing I have run the build test suite and it fails just as many times as the previous version. That is 43 failures. So I guess I have not broken anything.
You can find the test results for deb7u7 in nss-build.txt and the test results for the previous version in nss-build-previousversion.txt.

There were no tests for this specific case and it turned out that it was non-trivial to make such a test case. The main reason was that the test server did not have the possibility to enable the DHE EXPORT ciphersuite. I could not find any such way at least.
So I have not been able to verify that the solution actually works in practice. What I have been able to test is that I have not included any (obvious) regression problem.

The change also exports a new symbol in the library, but as it is a new one and no function has used it in the past it should not be an issue as far as I can tell.

If anyone has a good idea on how to trigger the event described in CVE-2015-4000 (without implementing an entirely new program), please let me know.

You can find the updated package here:
http://apt.inguza.net/wheezy-security/nss
And the debdiff here:
http://apt.inguza.net/wheezy-security/nss/CVE-2015-4000.debdiff

If there are no objections I will upload the corrected packages in 4 days, that is on Tuesday next week.
Best regards,
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
ola at inguza.com          Folkebogatan 26
opal at debian.org        654 68 KARLSTAD
http://inguza.com/        Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
---------------------------------------------------------------
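The mail could not exercise the DHE_EXPORT case because the test server offered no way to enable that ciphersuite. What the backported patch bounds is the size of the Diffie-Hellman prime a client receives in the ServerKeyExchange message, and that field can be checked directly from a captured handshake. The following Python is an added example, not code from Ola's mail, the debdiff, or the Debian nss package: it parses the ServerDHParams structure (RFC 5246, section 7.4.3) and reports whether the prime meets the 1023-bit limit named in the mail. Assumptions, which are mine and not the page's: the comparison is "reject when p has fewer than 1023 bits" (so a 1023-bit prime is the smallest accepted), the function names, and the sample values, which are constructed to have the right size and are not real DH primes.

```python
import struct

# Threshold named in the mail: the backported NSS patch raises the DH prime
# limit to 1023 bits. ASSUMPTION (not confirmed by the mail): the check is
# "reject if p has fewer than 1023 bits", so a 1023-bit prime is accepted.
MIN_DH_P_BITS = 1023


def parse_server_dh_params(blob: bytes):
    """Parse the ServerDHParams structure at the start of a DHE
    ServerKeyExchange (RFC 5246, section 7.4.3):

        opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;

    Returns (p, g, Ys) as integers. Bytes after dh_Ys (the server's signature
    in a real message) are ignored. Raises ValueError on truncated input so a
    damaged capture is reported rather than silently misread.
    """
    offset = 0
    values = []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(blob):
            raise ValueError(f"truncated before {name} length field")
        (length,) = struct.unpack_from("!H", blob, offset)
        offset += 2
        if length == 0:
            raise ValueError(f"{name} has zero length")
        if offset + length > len(blob):
            raise ValueError(f"{name} body truncated")
        values.append(int.from_bytes(blob[offset:offset + length], "big"))
        offset += length
    return tuple(values)


def check_dh_params(blob: bytes) -> dict:
    """Report the prime size in a ServerDHParams blob and whether a client
    applying the 1023-bit limit would accept it.

    The size is the numeric bit length of p, not the length of its encoding:
    a vector padded with leading zero bytes must not look larger than it is.
    """
    p, g, _ys = parse_server_dh_params(blob)
    p_bits = p.bit_length()
    return {"p_bits": p_bits, "g": g, "accepted": p_bits >= MIN_DH_P_BITS}


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build a ServerDHParams blob (inverse of the parser) so constructed
    samples can be run through the check offline."""
    def vector(x: int) -> bytes:
        body = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(body)) + body
    return vector(p) + vector(g) + vector(ys)


# Constructed sample values (hypothetical): they have the right SIZE only and
# are NOT real DH primes; never use them as parameters anywhere.
EXPORT_GRADE_P = (1 << 511) | 1   # 512-bit, the DHE_EXPORT size
BOUNDARY_P = (1 << 1022) | 1      # exactly 1023 bits
STRONG_P = (1 << 2047) | 1        # 2048-bit

# The 512-bit sample encoded with an extra leading zero byte (65-byte vector),
# followed by g = 2 and Ys = 5: the byte length grows, the bit length does not.
PADDED_EXPORT_BLOB = (
    struct.pack("!H", 65) + b"\x00" + EXPORT_GRADE_P.to_bytes(64, "big")
    + b"\x00\x01\x02" + b"\x00\x01\x05"
)


if __name__ == "__main__":
    samples = (("export-grade", EXPORT_GRADE_P),
               ("boundary", BOUNDARY_P),
               ("strong", STRONG_P))
    for label, p in samples:
        result = check_dh_params(encode_server_dh_params(p, 2, 5))
        verdict = "accepted" if result["accepted"] else "rejected"
        print(f"{label}: {result['p_bits']}-bit prime -> {verdict}")
    padded = check_dh_params(PADDED_EXPORT_BLOB)
    print(f"zero-padded export-grade: {padded['p_bits']}-bit prime -> "
          f"{'accepted' if padded['accepted'] else 'rejected'}")
```

Run against the ServerDHParams bytes of a handshake captured from a test client talking to the patched library, the check tells you what verdict the 1023-bit limit should produce for that server's group, which is the comparison the mail says could not be made with the build test suite. The bit-length rule is the detail to keep: measuring the encoded vector instead of the integer would let a zero-padded 512-bit prime pass as a larger one.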