Security update of nss

Ola Lundqvist ola at inguza.com
Fri Jun 3 22:08:43 UTC 2016


Hi nss maintainer(s) and LTS team

I have prepared a security update of nss for wheezy to solve the problem
described in CVE-2015-4000, for more info see:
https://security-tracker.debian.org/tracker/CVE-2015-4000

One could argue that this is not a problem as the case:
"when a DHE_EXPORT ciphersuite is enabled on a server but not on a client"
in combination with TLS 1.2 is a rather rare combination.
However as this is a library and there are many services using this library
it is probably better to be safe than sorry.

So I have backported the "NSS patch increasing limit to 1023 bits" (see at
the bottom of the above CVE link) to the wheezy version.

For testing I have run the build test suite and it fails just as many times
as the previous version. That is 43 failures. So I guess I have not broken
anything.
You can find the test results for deb7u7 in nss-build.txt and the test
results for the previous version in nss-build-previousversion.txt.

There were no tests for this specific case and it turned out that it was
non-trivial to make such a test-case. The main reason was that the test
server did not have the possibility to enable DHE EXPORT ciphersuite. I
could not find any such way at least.

So I have not been able to verify that the solution actually works in
practice. What I have been able to test is that I have not included any
(obvious) regression problem.

The change also exports a new symbol in the library, but as it is a new one
and no function has used it in the past it should not be an issue as far
as I can tell.

If anyone has a good idea on how to trigger the event described in
CVE-2015-4000 (without implementing an entirely new program), please let me
know.

You can find the updated package here:
http://apt.inguza.net/wheezy-security/nss

And the debdiff here:
http://apt.inguza.net/wheezy-security/nss/CVE-2015-4000.debdiff

If there are no objections I will upload the corrected packages in 4 days,
that is on Tuesday next week.

Best regards,

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola at inguza.com                    Folkebogatan 26            \
|  opal at debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
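The backported fix the mail describes makes the client reject DHE groups whose prime is shorter than 1023 bits. As an added example, not code from NSS or from this mail, here is a small C parser for the TLS ServerDHParams encoding (dh_p, dh_g, dh_Ys, each a 2-byte length-prefixed big-endian integer) that applies the same minimum; the constant name, the helper names and the constructed test message are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimum DH prime size accepted, matching the 1023-bit limit of the backported
   NSS fix. The macro name is ours, not NSS's. */
#define MIN_DH_PRIME_BITS 1023

/* Effective bit length of a big-endian integer, ignoring leading zero bytes. */
size_t be_bit_length(const uint8_t *buf, size_t len) {
    size_t i = 0;
    while (i < len && buf[i] == 0) i++;
    if (i == len) return 0;
    size_t bits = (len - i - 1) * 8;
    for (uint8_t top = buf[i]; top; top >>= 1) bits++;
    return bits;
}

/* Read one opaque<1..2^16-1> vector from the ServerDHParams encoding; 0 on truncation. */
static int read_vec(const uint8_t *msg, size_t msglen, size_t *pos,
                    const uint8_t **out, size_t *outlen) {
    if (*pos + 2 > msglen) return 0;
    size_t n = ((size_t)msg[*pos] << 8) | msg[*pos + 1];
    *pos += 2;
    if (n == 0 || *pos + n > msglen) return 0;
    *out = msg + *pos; *outlen = n; *pos += n;
    return 1;
}

/* Returns 1 if dh_p, dh_g, dh_Ys parse cleanly and the prime is long enough, else 0. */
int server_dh_params_acceptable(const uint8_t *msg, size_t msglen) {
    const uint8_t *p, *g, *ys; size_t plen, glen, yslen, pos = 0;
    if (!read_vec(msg, msglen, &pos, &p, &plen)) return 0;
    if (!read_vec(msg, msglen, &pos, &g, &glen)) return 0;
    if (!read_vec(msg, msglen, &pos, &ys, &yslen)) return 0;
    /* Export-grade (512-bit) groups fall below the limit and are rejected here. */
    if (be_bit_length(p, plen) < MIN_DH_PRIME_BITS) return 0;
    return 1;
}

/* Constructed test message: a prime of prime_bytes bytes with top byte 0xff
   (so its bit length is 8*prime_bytes), dh_g = 2 and a placeholder dh_Ys. */
size_t build_params(uint8_t *out, size_t cap, size_t prime_bytes) {
    size_t need = 2 + prime_bytes + 3 + 2 + prime_bytes, pos = 0;
    if (need > cap || prime_bytes > 0xffff) return 0;
    out[pos++] = (uint8_t)(prime_bytes >> 8); out[pos++] = (uint8_t)prime_bytes;
    memset(out + pos, 0xff, prime_bytes); pos += prime_bytes;
    out[pos++] = 0; out[pos++] = 1; out[pos++] = 2;
    out[pos++] = (uint8_t)(prime_bytes >> 8); out[pos++] = (uint8_t)prime_bytes;
    memset(out + pos, 0x55, prime_bytes); pos += prime_bytes;
    return pos;
}
```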