On 2016-03-29 16:28:36, Antoine Beaupré wrote:
> On 2016-03-26 04:33:29, Guido Günther wrote:
>> Thanks for reviewing this! I was about to look into more recent nss
>> issues after handling dhcpcd but since you're at it, go ahead!
>>
>> Note that we still have CVE-2015-4000 which would most easily be fixed
>> by having the same nss in all suites but since I got zero feedback from
>> the release team going that route doesn't seem to be an option. We could
>> still handle this via sec updates though.
>
> So I am not sure how to deal with CVE-2015-4000. The patch is
> substantial:
>
> https://hg.mozilla.org/projects/nss/rev/ae72d76f8d24
I just sent the DLA for NSS as is, without a fix for CVE-2015-4000. I am
actually sorry I forgot about this issue, as I would have liked to use the
opportunity of the DLA to clarify our position on logjam and TLS 1.2 in
wheezy.

Unfortunately, we still have to clarify that position now. :)

So far, I'm tempted to just mark the issue as <no-dsa> (too intrusive to
backport), and considering how debian-release doesn't seem sympathetic to
the idea of maintaining a similar nss version across suites.

Other ideas? Thoughts?

A.

-- 
Every one of us is, in the cosmic perspective, precious. If a human
disagrees with you, let him live. In a hundred billion galaxies, you
will not find another.
                        - Carl Sagan
