nss update for jessie
Mike Hommey
mh at glandium.org
Sun Oct 2 22:37:29 UTC 2016
On Sun, Oct 02, 2016 at 10:15:27PM +0200, Florian Weimer wrote:
> * Mike Hommey:
>
> > I'd go with the latter. You'll have conflicts in debian/patches; it
> > might be easier to pick the corresponding ones from the package in
> > unstable.
>
> Yeah.
>
> > You might want to consider removing the SPI CA certificate too (done in
> > 2:3.21-1)
>
> Good point.
>
> What about the 97_SSL_RENEGOTIATE_TRANSITIONAL.patch? The description
> says: “Disallow unsafe renegotiation in server sockets only, but allow
> clients to continue to renegotiate with vulnerable servers.” Can we
> drop it as well?
It was dropped in unstable in 2:3.21-1 too. Feel free to do the same.
> I have something that compiles, but I ran across this old issue (“old”
> in the sense that it is fixed upstream)
>
> <http://www.openwall.com/lists/oss-security/2016/10/02/>
>
> while building it. I used the s/PR_GetEnvSecure/secure_getenv/
> approach for NSS, but this isn't sufficient because some of the
> critical environment variables are actually processed by NSPR itself
> (which we could give a s/PR_GetEnv/secure_getenv/ treatment in the
> worrisome spots).
>
> So ideally, we would have to rebase NSPR as well.
>
> Do you still think that's the right way forward?
Updating NSPR seems better. Note debian/control in nss's package *does*
say NSPR 4.12 is needed.
Mike
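The s/PR_GetEnv/secure_getenv/ treatment discussed in this thread, as an added C example (not NSPR's PR_GetEnvSecure, not glibc's secure_getenv, and not Debian's patch): a getenv() wrapper that refuses to read the environment when the process is AT_SECURE, which is exactly what stops an environment knob from being honoured in a setuid context. The function names and the EXAMPLE_TRACE_FILE variable are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

/* Added example: a getenv() wrapper that ignores the environment whenever
 * the process runs with privileges its caller did not have, i.e. the
 * property this thread wants for NSS/NSPR's environment-driven knobs. */

/* Returns 1 if this execution must not trust its environment. */
int env_is_untrusted(void)
{
#if defined(__linux__) && defined(AT_SECURE)
    /* Set by the kernel on setuid/setgid exec and when file capabilities
     * were applied; this is the signal glibc's secure_getenv() consults. */
    if (getauxval(AT_SECURE))
        return 1;
#endif
    /* Fallback where AT_SECURE is unavailable: real/effective id mismatch. */
    return getuid() != geteuid() || getgid() != getegid();
}

/* Policy core, with the trust decision passed in explicitly so both
 * branches can be exercised without actually running setuid. */
const char *env_or_null(const char *name, int untrusted)
{
    return untrusted ? NULL : getenv(name);
}

/* Drop-in replacement for getenv()/PR_GetEnv() at the worrisome call sites. */
const char *secure_env(const char *name)
{
    return env_or_null(name, env_is_untrusted());
}

int main(void)
{
    /* EXAMPLE_TRACE_FILE is a constructed variable name for the demo. */
    const char *v = secure_env("EXAMPLE_TRACE_FILE");
    printf("untrusted=%d EXAMPLE_TRACE_FILE=%s\n",
           env_is_untrusted(), v ? v : "(ignored or unset)");
    return 0;
}
```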