Re: Firefox build?

2015-12-30 Thread Bojan Smojver
Neal Gompa gmail.com> writes: > Is there a simple way to test if the issue is a problem on Fedora? I > don't even know of any sites with TLS 1.2 using MD5 signatures, > especially when Chrome "broke" signatures that weren't SHA-256 or > better for SSLv3 and stronger a year ago... I guess one

Re: Firefox build?

2015-12-29 Thread Bojan Smojver
Eric Griffith gmail.com> writes: > Is there any reason Fedora would not...? Regardless you could diff the source code that was used to make the 43.0.1-fedora RPM vs what's in 43.0.2 and see if the hole is unpatched. There may be a reason. Fedora relies on NSS/NSPR packages for some of the stuff

Re: Firefox build?

2015-12-29 Thread Neal Gompa
On Tue, Dec 29, 2015 at 4:13 PM, Bojan Smojver wrote: > Eric Griffith gmail.com> writes: > >> Is there any reason Fedora would not...? Regardless you could diff the > source code that was used to make the 43.0.1-fedora RPM vs what's in 43.0.2 > and see if the hole is

Firefox build?

2015-12-28 Thread Bojan Smojver
Release notes for FF 43.0.2 say that a security issue was fixed (MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature). Does this not affect Fedora builds? PS. The link to that security issue is broken (https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/), so

Re: Firefox build?

2015-12-28 Thread Reindl Harald
On 28.12.2015 at 22:57, Bojan Smojver wrote: Release notes for FF 43.0.2 say that a security issue was fixed (MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature). Does this not affect Fedora builds? what do you try to tell us with that question?

Re: Firefox build?

2015-12-28 Thread Michael Schwendt
On Mon, 28 Dec 2015 23:44:51 +0100, Reindl Harald wrote: > On 28.12.2015 at 22:57, Bojan Smojver wrote: > > Release notes for FF 43.0.2 say that a security issue was fixed (MD5 > > signatures accepted within TLS 1.2 ServerKeyExchange in server > > signature). Does this not affect Fedora builds?

Re: Firefox build?

2015-12-28 Thread Bojan Smojver
Reindl Harald thelounge.net> writes: > what do you try to tell us with that question? I'm trying to establish whether Fedora needs a 43.0.2 (or better) build of FF in order to close this security hole. -- Bojan -- devel mailing list devel@lists.fedoraproject.org

Re: Firefox build?

2015-12-28 Thread Eric Griffith
On Dec 28, 2015 18:02, "Bojan Smojver" wrote: > > Reindl Harald thelounge.net> writes: > > > what do you try to tell us with that question? > > I'm trying to establish whether Fedora needs a 43.0.2 (or better) build of > FF in order to close this security hole. > Is there