Mark H Weaver <m...@netris.org> writes:

> Marius Bakke <mba...@fastmail.com> writes:
>
>> Marius Bakke <mba...@fastmail.com> writes:
>>
>>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>>>>> has since been released, so I'm currently testing it and will push an
>>>>> update to it soon. Any issues on armhf will need to be dealt with in
>>>>> another way.
>>>>
>>>> Mark,
>>>>
>>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>>> not picked to the 3.30.2 release which only contains certificate
>>>> changes[1].
>>>>
>>>> Squashing these two commits into one should fix the problem (the first
>>>> fix was incomplete[2]):
>>>>
>>>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>>>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
>
> Good find, thank you! Since seeing the above post, I prepared my own
> patches to update NSS to 3.30.2 and disable the long b64 tests.
>
> And now I see you've prepared your own patch that only updates to
> 3.30.1. I'm not sure why we would consider rebuilding everything with
> 3.30.1 when 3.30.2 already exists, even if the only changes are to
> certs.
>
> I'll push this batch of patches soon, including fixes to graphite2 and
> the icecat update, after a bit more testing.
Great, thanks! I could not find any compelling reason to use the 3.30.2 tarball (other than disk space on builders), and found the version "mismatch" between 'nss-certs' and 'nss' more distinctive.

However, after diffing 3.30.1 and 3.30.2, it seems certificate changes also bump the library version:

https://hg.mozilla.org/projects/nss/diff/dc97a4930479/lib/ckfw/builtins/nssckbi.h

So I guess we should keep updating these together to the extent possible.