Call for advice and testing of nss (and nspr) and intention to upload correction

Bálint Réczey balint at balintreczey.hu
Tue Nov 1 16:53:20 UTC 2016


Hi,

It seems the nss update broke chromium:
https://lists.debian.org/debian-user/2016/10/msg00981.html

Maybe when we update gcc for firefox we can also continue supporting chromium:
https://lists.debian.org/debian-security-announce/2015/msg00031.html

Cheers,
Balint

2016-10-23 23:43 GMT+02:00 Ola Lundqvist <ola at inguza.com>:
> Hi all
>
> I have now been able to run the tests and also the abi version checker.
> I think it looks good.
>
> I could not verify FIPS 140-1 tests due to some device error (I'm running in
> a chroot so I guess that is the problem) but everything else is working.
>
> The ABI reports are available here:
>
> nspr:
> http://apt.inguza.net/wheezy-security/nspr/compat_report.html
>
> nss:
> http://apt.inguza.net/wheezy-security/nss/compat_report.html
>
> If I do not hear any further objections I'll upload this early next week.
>
> Best regards
>
> // Ola
>
> On 21 October 2016 at 23:40, Guido Günther <agx at sigxcpu.org> wrote:
>>
>> On Fri, Oct 21, 2016 at 11:16:54PM +0200, Ola Lundqvist wrote:
>> > Hi Guido
>> >
>> > Thanks a lot for the information. I'll enable this and will also run
>> > abi-compliance check tool.
>> > Is it this [1] one you have used?
>> >
>> > [1] https://lvc.github.io/abi-compliance-checker/
>>
>> IIRC I've used the abi-compliance-checker Debian package.
>> Cheers,
>>  -- Guido
>>
>> >
>> > Best regards
>> >
>> > // Ola
>> >
>> > On 20 October 2016 at 23:48, Guido Günther <agx at sigxcpu.org> wrote:
>> >
>> > > Hi Ola,
>> > > On Thu, Oct 20, 2016 at 11:15:29PM +0200, Ola Lundqvist wrote:
>> > > > Hi LTS team, Mozilla maintainers, Mike and Florian
>> > > >
>> > > > I have been working on the security problem reported in nss (and
>> > > > nspr).
>> > > > https://security-tracker.debian.org/tracker/TEMP-0000000-583651
>> > > > It is about unprotected environment variables.
>> > > >
>> > > > I did a check on what Florian Weimer had done for jessie-security
>> > > > and the solution there was simply to package the new upstream release.
>> > > > So I decided to do that approach as well. The advantage with this is
>> > > > that we will not only have this problem solved, but also a few more.
>> > > >
>> > > > TEMP-0000000-583651 (nspr and nss)
>> > > > CVE-2014-3566
>> > > > CVE-2014-1490
>> > > > CVE-2013-1740
>> > > >
>> > > > The disadvantage is that we are not playing safe. However, it looks
>> > > > backwards compatible, but you never know.
>> > > >
>> > > > So all in all I have produced the following:
>> > > >
>> > > > nspr:
>> > > > http://apt.inguza.net/wheezy-security/nspr
>> > > > This is essentially a mimic of the jessie-security package changes.
>> > > >
>> > > > nss:
>> > > > http://apt.inguza.net/wheezy-security/nss
>> > > > This is essentially a re-build of the jessie-security package with
>> > > > changes file kept and only updated with one new entry.
>> > > >
>> > > > Call for advice:
>> > > > 1) Do you have an opinion about the fact that I backport new
>> > > > upstream release?
>> > >
>> > > See my discussion with the release team about this:
>> > >
>> > >       https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824872
>> > >
>> > > > 2) Will we have a build problem as nss depends on the latest nspr? I
>> > > > guess I shall upload nspr first.
>> > >
>> > > See my runs of the abi compliance checker in the above URL.
>> > >
>> > > > 3) Shall I create one DLA covering both packages or shall I just
>> > > > produce one DLA covering both nspr and nss?
>> > >
>> > > The rule is one DLA per package AFAIK.
>> > >
>> > > > I think one DLA is the best as both are needed to solve the problem
>> > > > reported. But maybe that is against some practice. If you think I
>> > > > shall write two, then please advise me what to write in the DLA for
>> > > > nspr.
>> > > >
>> > > > Call for testing:
>> > > > 4) As this package can have a rather big impact on a lot of other
>> > > > packages it would be good if all of you install the new version (nss
>> > > > is the important one) to see if it works for you.
>> > >
>> > > See
>> > >
>> > >    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806207
>> > >    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
>> > >    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809723
>> > >
>> > > that enable the internal test suites and add some autopkgtests. This
>> > > should help to gain some confidence.
>> > > Cheers,
>> > >  -- Guido
>> > >
>> > > >
>> > > > I did not produce a debdiff as that diff was way too large to be useful.
>> > > >
>> > > > I have installed it myself but I have not been able to verify that
>> > > > the tools using it are really working. Most are GUI tools and I do not
>> > > > have a GUI environment to test wheezy in. The libnss3-tools package seems
>> > > > to work fine to the limit I was able to check.
>> > > >
>> > > > I have not tried to reproduce the problem as the report was too
>> > > > vague to give any good advice on which environment variable could
>> > > > actually cause a problem.
>> > > >
>> > > > If I do not hear any objections in four days I will upload anyway.
>> > > >
>> > > > Thanks in advance
>> > > >
>> > > > // Ola
>> > > >
>> > > > --
>> > > >  --- Inguza Technology AB --- MSc in Information Technology ----
>> > > > |  ola at inguza.com                  Folkebogatan 26
>> > > > |  opal at debian.org                  654 68 KARLSTAD
>> > > > |  http://inguza.com/                Mobile: +46 (0)70-332 1551
>> > > > |  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
>> > > >
>> > >
>> >
>> >
>> >
>
>
>
>
>



More information about the pkg-mozilla-maintainers mailing list