On Tue, Mar 29, 2016 at 04:28:36PM -0400, Antoine Beaupré wrote:
> On 2016-03-26 04:33:29, Guido Günther wrote:
> > Thanks for reviewing this! I was about to look into more recent nss
> > issues after handling dhcpcd but since you're at it, go ahead!
> >
> > Note that we still have CVE-2015-4000 which would most easily be fixed
> > by having the same nss in all suites but since I got zero feedback from
> > the release team going that route doesn't seem to be an option. We could
> > still handle this via sec updates though.
>
> So I am not sure how to deal with CVE-2015-4000. The patch is
> substantial:
>
> https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24
>
> > Until that it might make sense to add
> >
> > https://github.com/agx/nss-debian/commit/98ff42c58343d70b1b51c8c997b471822c1675f1
> > also at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
> >
> > which (in addition to the certificate test I added) runs the standard
> > nss test cycle as autopkgtest. I've tested this with the sid version but
> > not with wheezy/jessie yet.
>
> It seems like you had those already, and I have included them in the
> package here.
>
> So here's another debdiff for review and testing. This should fix all
> standing issues on wheezy *but* CVE-2015-4000 and CVE-2015-7575.

$ diffstat nss_3.14.5-1+deb7u6.debdiff
 changelog                   |  33 ++++++++++
 patches/CVE-2015-7181.patch | 142 ++++++++++++++++++++++++++++++++++++++++++++
 patches/CVE-2015-7182.patch | 126 +++++++++++++++++++++++++++++++++++++++
 patches/CVE-2016-1938.patch |  89 +++++++++++++++++++++++++++
 patches/CVE-2016-1950.patch |  96 +++++++++++++++++++++++++++++
 patches/CVE-2016-1978.patch |  96 +++++++++++++++++++++++++++++
 patches/CVE-2016-1979.patch |  68 +++++++++++++++++++++
 patches/series              |   6 +
 rules                       |  14 ++++
 9 files changed, 670 insertions(+)

doesn't add anything under debian/tests so it seems the autopkgtest
mentioned in the changelog went missing.

> CVE-2015-4000 is pretty invasive. I tried porting the patch in, but it
> is pretty invasive and fails to compile because it uses a new error
> message (SSL_ERROR_WEAK_SERVER_CERT_KEY) introduced as part of those
> checks. So I don't feel comfortable backporting all those unused error
> messages or changing the integer identifier of the error message
> here. This should really be fixed by backporting a newer version.

I think so too.

> Similarly, CVE-2015-7575 is marked as not-affected as wheezy doesn't
> support TLS 1.2. It's somehow silly because wheezy should really support
> TLS 1.2, in my opinion. Again, this goes back to the question of
> shipping the same NSS release in all suites...

Could you add these comments to:

https://lists.debian.org/debian-release/2016/02/msg00753.html

so we can hopefully get some traction on this?

> I haven't worked on updating the jessie package, but one should keep in
> mind that both CVE-2015-4000 and CVE-2015-7575 *do* affect the jessie
> package directly and should be backported.
>
> I also put AMD64 builds of the packages here for further testing:
>
> https://people.debian.org/~anarcat/debian/wheezy-lts/
>
> Note that I have *not* tested those packages in any way, but the builtin
> test suite seems to pass. Or at least it doesn't stop the package build,
> yet it *says* there are some failures - I am not sure how to process
> that either:
>
> Tests summary:
> --------------
> Passed:   2352
> Failed:   45
> Failed with core: 0
> Unknown status: 0

This looks unchanged from the unpatched version in wheezy (2:3.14.5-1+deb7u5):

Tests summary:
--------------
Passed:   2352
Failed:   45
Failed with core: 0
Unknown status: 0

In my builds of 3.21-1 the test suite passes cleanly though:

Tests summary:
--------------
Passed:   5669
Failed:   0
Failed with core: 0
Unknown status: 0

(yet another reason why switching to the stretch version would make sense).

The patches by themselves look good to me.

Cheers,
 -- Guido
