Re: Firefox build?

2015-12-30 Thread Bojan Smojver
Neal Gompa  gmail.com> writes:

> Is there a simple way to test if the issue is a problem on Fedora? I
> don't even know of any sites with TLS 1.2 using MD5 signatures,
> especially when Chrome "broke" signatures that weren't SHA-256 or
> better for SSLv3 and stronger a year ago...

I guess one can always generate a cert with MD5 signature and try over TLS
1.2. However, the plot thickens. Although 43.0.2 release notes say that
security issues were fixed, none are listed for that version any longer on
the detailed security fixes page. So, maybe Mozilla changed their mind or
something.

Anyhow, Fedora builds of 43.0.3 have been submitted for testing, so all this
is moot.

--
Bojan



--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org


Re: Firefox build?

2015-12-29 Thread Bojan Smojver
Eric Griffith  gmail.com> writes:

> Is there any reason Fedora would not...? Regardless you could diff the
> source code that was used to make the 43.0.1-fedora RPM vs what's in 43.0.2
> and see if the hole is unpatched.

There may be a reason. Fedora relies on NSS/NSPR packages for some of the
stuff that Windows folks get bundled with FF, AFAIK. So, a maintainer of FF
would know such things.

Comparing source will not necessarily give the correct answer, as that part
of it may be unused in Fedora builds. Again, maintainer of FF would know.
Ergo, the question.

--
Bojan


Re: Firefox build?

2015-12-29 Thread Neal Gompa
On Tue, Dec 29, 2015 at 4:13 PM, Bojan Smojver  wrote:
> Eric Griffith  gmail.com> writes:
>
>> Is there any reason Fedora would not...? Regardless you could diff the
>> source code that was used to make the 43.0.1-fedora RPM vs what's in 43.0.2
>> and see if the hole is unpatched.
>
> There may be a reason. Fedora relies on NSS/NSPR packages for some of the
> stuff that Windows folks get bundled with FF, AFAIK. So, a maintainer of FF
> would know such things.
>
> Comparing source will not necessarily give the correct answer, as that part
> of it may be unused in Fedora builds. Again, maintainer of FF would know.
> Ergo, the question.
>

Is there a simple way to test if the issue is a problem on Fedora? I
don't even know of any sites with TLS 1.2 using MD5 signatures,
especially when Chrome "broke" signatures that weren't SHA-256 or
better for SSLv3 and stronger a year ago...


-- 
真実はいつも一つ!/ Always, there's only one truth!

Firefox build?

2015-12-28 Thread Bojan Smojver
Release notes for FF 43.0.2 say that a security issue was fixed (MD5
signatures accepted within TLS 1.2 ServerKeyExchange in server
signature). Does this not affect Fedora builds?

PS. The link to that security issue is broken
(https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/), so not
quite sure any more what is real and what's not on Mozilla site.

-- 
Bojan



Re: Firefox build?

2015-12-28 Thread Reindl Harald



On 28.12.2015 at 22:57, Bojan Smojver wrote:

> Release notes for FF 43.0.2 say that a security issue was fixed (MD5
> signatures accepted within TLS 1.2 ServerKeyExchange in server
> signature). Does this not affect Fedora builds?


what do you try to tell us with that question?

[harry@srv-rhsoft:~]$ rpm -q firefox
firefox-43.0-1.fc23.x86_64




Re: Firefox build?

2015-12-28 Thread Michael Schwendt
On Mon, 28 Dec 2015 23:44:51 +0100, Reindl Harald wrote:

> On 28.12.2015 at 22:57, Bojan Smojver wrote:
> > Release notes for FF 43.0.2 say that a security issue was fixed (MD5
> > signatures accepted within TLS 1.2 ServerKeyExchange in server
> > signature). Does this not affect Fedora builds?  
> 
> what do you try to tell us with that question?
>
> [harry@srv-rhsoft:~]$ rpm -q firefox
> firefox-43.0-1.fc23.x86_64

43.0 vs. 43.0.2 (and 43.0.1)

https://www.mozilla.org/en-US/firefox/43.0.2/releasenotes/


Re: Firefox build?

2015-12-28 Thread Bojan Smojver
Reindl Harald  thelounge.net> writes:

> what do you try to tell us with that question?

I'm trying to establish whether Fedora needs a 43.0.2 (or better) build of
FF in order to close this security hole.

--
Bojan


Re: Firefox build?

2015-12-28 Thread Eric Griffith
On Dec 28, 2015 18:02, "Bojan Smojver"  wrote:
>
> Reindl Harald  thelounge.net> writes:
>
> > what do you try to tell us with that question?
>
> I'm trying to establish whether Fedora needs a 43.0.2 (or better) build of
> FF in order to close this security hole.
>
Is there any reason Fedora would not...? Regardless you could diff the
source code that was used to make the 43.0.1-fedora RPM vs what's in 43.0.2
and see if the hole is unpatched.