nss update for jessie
Florian Weimer
fw at deneb.enyo.de
Mon Oct 3 18:19:03 UTC 2016
* Mike Hommey:
>> What about the 97_SSL_RENEGOTIATE_TRANSITIONAL.patch? The description
>> says: “Disallow unsafe renegotiation in server sockets only, but allow
>> clients to continue to renegotiate with vulnerable servers.” Can we
>> drop it as well?
>
> It was dropped in unstable in 2:3.21-1 too. Feel free to do the same.

Fine with me, will do so.

>> I have something that compiles, but I ran across this old issue (“old”
>> in the sense that it is fixed upstream)
>>
>> <http://www.openwall.com/lists/oss-security/2016/10/02/>
>>
>> while building it. I used the s/PR_GetEnvSecure/secure_getenv/
>> approach for NSS, but this isn't sufficient because some of the
>> critical environment variables are actually processed by NSPR itself
>> (which we could give a s/PR_GetEnv/secure_getenv/ treatment in the
>> worrisome spots).
>>
>> So ideally, we would have to rebase NSPR as well.
>>
>> Do you still think that's the right way forward?
>
> Updating NSPR seems better. Note debian/control in nss's package *does*
> say NSPR 4.12 is needed.

Yes, but I had to try anyway. I noted that the packaging is rather
clean, which is quite nice.

Here are the untested nspr bits:

<https://people.debian.org/~fw/nss-201610/>

I'll add the nss bits later and test them together (with mod_nss for
Apache httpd, and hopefully I can find a Debian NSS client, too).