On Thu, Mar 31, 2016 at 04:12:04PM +0200, Guido Günther wrote:
> On Tue, Mar 29, 2016 at 04:28:36PM -0400, Antoine Beaupré wrote:
> > On 2016-03-26 04:33:29, Guido Günther wrote:
> > > Thanks for reviewing this! I was about to look into more recent nss
> > > issues after handling dhcpcd but since you're at it, go ahead!
> > >
> > > Note that we still have CVE-2015-4000 which would most easily be fixed
> > > by having the same nss in all suites but since I got zero feedback from
> > > the release team going that route doesn't seem to be an option. We could
> > > still handle this via sec updates though.
> >
> > So I am not sure how to deal with CVE-2015-4000. The patch is
> > substantial:
> >
> > https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24
> >
> > > Until that it might make sense to add
> > >
> > > https://github.com/agx/nss-debian/commit/98ff42c58343d70b1b51c8c997b471822c1675f1
> > > also at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
> > >
> > > which (in addition to the certificate test I added) runs the standard
> > > nss test cycle as autopkgtest. I've tested this with the sid version but
> > > not with wheezy/jessie yet.
> >
> > It seems like you had those already, and I have included them in the
> > package here.
> >
> > So here's another debdiff for review and testing. This should fix all
> > standing issues on wheezy *but* CVE-2015-4000 and CVE-2015-7575.
> >
> > $ diffstat nss_3.14.5-1+deb7u6.debdiff
> changelog                   |   33 ++++++++++
> patches/CVE-2015-7181.patch |  142 ++++++++++++++++++++++++++++++++++++++++++++
> patches/CVE-2015-7182.patch |  126 +++++++++++++++++++++++++++++++++++++++
> patches/CVE-2016-1938.patch |   89 +++++++++++++++++++++++++++
> patches/CVE-2016-1950.patch |   96 +++++++++++++++++++++++++++++
> patches/CVE-2016-1978.patch |   96 +++++++++++++++++++++++++++++
> patches/CVE-2016-1979.patch |   68 +++++++++++++++++++++
> patches/series              |    6 +
> rules                       |   14 ++++
> 9 files changed, 670 insertions(+)
>
> doesn't add anything under debian/tests so it seems the autopkgtest
> mentioned in the changelog went missing.
>
> > CVE-2015-4000 is pretty invasive. I tried porting the patch in, but it
> > is pretty invasive and fails to compile because it uses a new error
> > message (SSL_ERROR_WEAK_SERVER_CERT_KEY) introduced as part of those
> > checks. So I don't feel comfortable backporting all those unused error
> > messages or changing the integer identifier of the error message
> > here. This should really be fixed by backporting a newer version.
>
> I think so too.
>
> > Similarly, CVE-2015-7575 is marked as not-affected as wheezy doesn't
> > support TLS 1.2. It's somehow silly because wheezy should really support
> > TLS 1.2, in my opinion. Again, this goes back to the question of
> > shipping the same NSS release in all suites...
>
> Could you add these comments to:
>
> https://lists.debian.org/debian-release/2016/02/msg00753.html
>
> so we can hopefully get some traction on this?
>
> > I haven't worked on updating the jessie package, but one should keep in
> > mind that both CVE-2015-4000 and CVE-2015-7575 *do* affect the jessie
> > package directly and should be backported.
> >
> > I also put AMD64 builds of the packages here for further testing:
> >
> > https://people.debian.org/~anarcat/debian/wheezy-lts/
> >
> > Note that I have *not* tested those packages in any way, but the builtin
> > test suite seems to pass. Or at least it doesn't stop the package build,
> > yet it *says* there are some failures - I am not sure how to process
> > that either:
> >
> > Tests summary:
> > --------------
> > Passed: 2352
> > Failed: 45
> > Failed with core: 0
> > Unknown status: 0
>
> This looks unchanged to the unpatched version in wheezy (2:3.14.5-1+deb7u5):
>
> Tests summary:
> --------------
> Passed: 2352
> Failed: 45
> Failed with core: 0
> Unknown status: 0
>
> In my builds of 3.21-1 the test suite passes cleanly though:
>
> Tests summary:
> --------------
> Passed: 5669
> Failed: 0
> Failed with core: 0
> Unknown status: 0
>
> (yet another reason why switching to the stretch version would make
> sense).
>
> The patches by themselves look good to me.

Just to avoid duplicate work: I'll have a look at forward porting these
to jessie since the security team usually wants to update these together
(at least that's what I figured).

Cheers,
 -- Guido
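As an added example (not code from this thread or from the nss package), here is a small POSIX sh check that parses an NSS "Tests summary" block like the ones quoted above and compares the failure count against a known baseline, so a packaging script can flag a regression instead of letting the build succeed on a summary that reports failures. The sample summary is constructed from the wheezy numbers quoted in the thread; the function names and the baseline of 45 accepted failures are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from the nss package):
# parse an NSS "Tests summary" block and compare the failure count
# against a known baseline, so a packaging script can flag regressions
# instead of letting the build succeed on a summary that reports failures.

# Constructed sample, modelled on the wheezy summary quoted in the thread.
NSS_SUMMARY_SAMPLE='Tests summary:
--------------
Passed: 2352
Failed: 45
Failed with core: 0
Unknown status: 0'

# Print the numeric value of one summary field, e.g. "Failed" or
# "Failed with core". Anchoring on ":" keeps "Failed" from matching
# the "Failed with core" line.
nss_summary_field() {
    # $1 = summary text, $2 = field label
    printf '%s\n' "$1" \
        | sed -n "s/^$2:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*\$/\1/p" \
        | head -n 1
}

# Exit status: 0 = no regression, 1 = more failures than the baseline
# or any test that dumped core, 2 = summary could not be parsed.
nss_check_regression() {
    # $1 = summary text, $2 = baseline number of accepted failures
    failed=$(nss_summary_field "$1" "Failed")
    cores=$(nss_summary_field "$1" "Failed with core")
    if [ -z "$failed" ] || [ -z "$cores" ]; then
        echo "nss_check_regression: could not parse test summary" >&2
        return 2
    fi
    if [ "$cores" -ne 0 ]; then
        echo "nss_check_regression: $cores test(s) dumped core" >&2
        return 1
    fi
    if [ "$failed" -gt "$2" ]; then
        echo "nss_check_regression: $failed failures exceed baseline $2" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: the sample matches the baseline of 45 known failures.
nss_check_regression "$NSS_SUMMARY_SAMPLE" 45 && echo "no regression against baseline"
```

In a build, the summary text would come from the captured output of the test run rather than the constructed sample, and the baseline would be the failure count of the previous, already accepted package revision.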
