Hi,

On Sat, Nov 28, 2015 at 02:16:33PM +0100, Guido Günther wrote:
> Hi,
> On Wed, Nov 25, 2015 at 12:24:44PM +0100, Guido Günther wrote:
> > Hi,
> > I'm currently preparing fixes for nss and wonder if the security team
> > already has a plan forward for CVE-2015-4000? Using the upstream patch
> > would change defaults in a stable release. I think it'd be good to do the
> > same for all currently supported releases.
>
> Since there wasn't any feedback on this one I went ahead and prepared
> updates for Squeeze, Wheezy and Jessie of CVE-2015-7181 and CVE-2015-7182
> but skipped CVE-2015-4000 for now. I'm inclined to mark this as no-dsa
> in Squeeze to not break existing installations.

Any opinions on how to handle CVE-2015-4000 consistently in all suites?
According to the changelog openssl switched to 768 bits for DH in
squeeze-lts and wheezy while nss upstream switched to 1024 bits. Should we
follow upstream for wheezy/jessie but rather leave squeeze as is to not
break old installations given the remaining time frame of squeeze-lts
support?

* squeeze: no-dsa
* wheezy: 1024 bit
* jessie: 1024 bit

or is being consistent with openssl any concern?

Cheers,
 -- Guido
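As an added illustration (not code from this thread, nss or openssl) of what the proposed minimums amount to on the wire: the check below parses the ServerDHParams from a TLS ServerKeyExchange and rejects a prime shorter than a per-suite minimum; the suite mapping copies the proposal above and is an assumption for illustration, not Debian policy.

```python
import struct

# Minimum DH prime size per suite as proposed in the mail (assumption for
# illustration, not Debian policy). None = leave as is (the no-dsa choice).
MIN_DH_BITS = {"squeeze": None, "wheezy": 1024, "jessie": 1024}
OPENSSL_SQUEEZE_LTS_MIN = 768  # the openssl value mentioned in the thread


def _read_opaque16(buf, off):
    """Read one opaque<1..2^16-1> field: 2-byte big-endian length, then value."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("empty or truncated value")
    return buf[off:off + n], off + n


def parse_server_dh_params(msg):
    """Parse ServerDHParams { dh_p, dh_g, dh_Ys } from a ServerKeyExchange
    body; whatever follows (the signature) is ignored here."""
    p, off = _read_opaque16(msg, 0)
    g, off = _read_opaque16(msg, off)
    ys, off = _read_opaque16(msg, off)
    return {"p": p, "g": g, "Ys": ys}


def dh_prime_bits(p):
    """Effective bit length of dh_p. Leading zero bytes are ignored, so a
    zero-padded short prime cannot pass as a longer one."""
    return int.from_bytes(p, "big").bit_length()


def dh_acceptable(msg, min_bits):
    """Apply the minimum: None means accept anything (no change enforced)."""
    if min_bits is None:
        return True
    return dh_prime_bits(parse_server_dh_params(msg)["p"]) >= min_bits


def encode_server_dh_params(p_bits, pad=0):
    """Constructed test message: dh_p with exactly p_bits bits (a placeholder
    value with the top bit set, not a real prime), optionally zero-padded."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes((p_bits + 7) // 8, "big")
    fields = (b"\x00" * pad + p, b"\x02", b"\x01" * len(p))
    return b"".join(struct.pack("!H", len(f)) + f for f in fields)
```

With these policies a 768-bit group passes the openssl squeeze-lts value but fails the nss upstream value, and a 512-bit export group fails both.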
