Call for advice and testing of nss (and nspr) and intention to upload correction
Ola Lundqvist
ola at inguza.com
Sun Oct 23 21:43:15 UTC 2016
Hi all
I have now been able to run the tests and also the abi version checker.
I think it looks good.
I could not verify FIPS 140-1 tests due to some device error (I'm running
in a chroot so I guess that is the problem) but everything else is working.
The ABI reports are available here:
nspr:
http://apt.inguza.net/wheezy-security/nspr/compat_report.html
nss:
http://apt.inguza.net/wheezy-security/nss/compat_report.html
If I do not hear any further objections I'll upload this on early next week
Best regards
// Ola
On 21 October 2016 at 23:40, Guido Günther <agx at sigxcpu.org> wrote:
> On Fri, Oct 21, 2016 at 11:16:54PM +0200, Ola Lundqvist wrote:
> > Hi Guido
> >
> > Thanks a lot for the information. I'll enable this and will also run
> > abi-compliance check tool.
> > Is it this [1] one you have used?
> >
> > [1] https://lvc.github.io/abi-compliance-checker/
>
> IIRC I've used the abi-compliance-checker Debian package.
> Cheers,
> -- Guido
>
> >
> > Best regards
> >
> > // Ola
> >
> > On 20 October 2016 at 23:48, Guido Günther <agx at sigxcpu.org> wrote:
> >
> > > Hi Ola,
> > > On Thu, Oct 20, 2016 at 11:15:29PM +0200, Ola Lundqvist wrote:
> > > > Hi LTS team, Mozilla maintainers, Mike and Florian
> > > >
> > > > I have been working on the security problem reported in nss (and
> nspr).
> > > > https://security-tracker.debian.org/tracker/TEMP-0000000-583651
> > > > It is about unprotected environment variables.
> > > >
> > > > I did a check on what Florian Weimer had done for jessie-security and
> > > > the solution there was simply to package the new upstream release. So
> > > > I decided to do that approach as well. The advantage with this is
> that
> > > > we will not only have this problem solved, but also a few more.
> > > >
> > > > TEMP-0000000-583651 (nspr and nss)
> > > > CVE-2014-3566
> > > > CVE-2014-1490
> > > > CVE-2013-1740
> > > >
> > > > The disadvantage is that we are not playing safe. However it looks
> > > > backwards compatible, but you never know.
> > > >
> > > > So all in all I have produced the following:
> > > >
> > > > nspr:
> > > > http://apt.inguza.net/wheezy-security/nspr
> > > > This is essentially a mimic of the jessie-security package changes.
> > > >
> > > > nss:
> > > > http://apt.inguza.net/wheezy-security/nss
> > > > This is essentially a re-build of the jessie-security package with
> > > > changes file kept and only updated with one new entry.
> > > >
> > > > Call for advice:
> > > > 1) Do you have an opinion about the fact that I backport new upstream
> > > release?
> > >
> > > See my discussion with the release team abot this:
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824872
> > >
> > > > 2) Will we have a build problem as nss depends on the latest nspr? I
> > > > guess I shall upload nspr first.
> > >
> > > See my runs of the abi compliance checker in the above URL.
> > >
> > > > 3) Shall I create one DLA covering both packages or shall I just
> > > > produce one DLA covering both nspr and nss?
> > >
> > > The rule is one DLA per package AFAIK.
> > >
> > > > I think one DLA is the best as both are needed to solve the problem
> > > > reported. But maybe that is against some practice. If you think I
> > > > shall write two, then please advice me what to write in the DLA for
> > > > nspr.
> > > >
> > > > Call for testing:
> > > > 4) As this package can have a rather big impact on lot of other
> > > > packages it would be good if all of you install the new version (nss
> > > > is the important one) to see if it works for you.
> > >
> > > See
> > >
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806207
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809723
> > >
> > > that enable the internal test suites and add some autopkgtests. This
> > > should help to gain some confidence.
> > > Cheers,
> > > -- Guido
> > >
> > > >
> > > > I did not produce a debdiff as that diff was way too large to be
> useful.
> > > >
> > > > I have installed it myself but I have not been able to verify that
> the
> > > > tools using it is really working. Most are GUI tools and I do not
> have
> > > > a GUI environment to test wheezy in. The libnss3-tools package seems
> > > > to work fine to the limit I was able to check.
> > > >
> > > > I have not tried to reproduce the problem as the report was too vague
> > > > to give any good advice on what environment variable that could
> > > > actually cause a problem.
> > > >
> > > > If I do not hear any objections in four days I will upload anyway.
> > > >
> > > > Thanks in advance
> > > >
> > > > // Ola
> > > >
> > > > --
> > > > --- Inguza Technology AB --- MSc in Information Technology ----
> > > > | ola at inguza.com Folkebogatan 26
> > > > | opal at debian.org 654 68 KARLSTAD
> > > > | http://inguza.com/ Mobile: +46 (0)70-332 1551
> > > > | gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
> > > >
> > >
> >
> >
> >
> > --
> > --- Inguza Technology AB --- MSc in Information Technology ----
> > / ola at inguza.com Folkebogatan 26 \
> > | opal at debian.org 654 68 KARLSTAD |
> > | http://inguza.com/ Mobile: +46 (0)70-332 1551 |
> > \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
> > ---------------------------------------------------------------
>
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola at inguza.com Folkebogatan 26 \
| opal at debian.org 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20161023/fb871773/attachment-0001.html>
More information about the pkg-mozilla-maintainers
mailing list