Re: Firefox build?
Neal Gompa gmail.com> writes:

> Is there a simple way to test if the issue is a problem on Fedora? I
> don't even know of any sites with TLS 1.2 using MD5 signatures,
> especially when Chrome "broke" signatures that weren't SHA-256 or
> better for SSLv3 and stronger a year ago...

I guess one can always generate a cert with MD5 signature and try over TLS 1.2.

However, the plot thickens. Although 43.0.2 release notes say that security issues were fixed, none are listed for that version any longer on the detailed security fixes page. So, maybe Mozilla changed their mind or something.

Anyhow, Fedora builds of 43.0.3 have been submitted for testing, so all this is moot.

--
Bojan
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
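Added example, not part of the thread or of any Mozilla or Fedora code: the release-note issue concerns the hash named in the SignatureAndHashAlgorithm field of the TLS 1.2 ServerKeyExchange, so when setting up such a test it helps to confirm what a test server actually signed with. The sketch below reads that field from one handshake message, assuming the RFC 5246 layout with named-curve ECDHE parameters; the function names and the sample bytes are constructed for illustration.

```python
# Added example: sample bytes below are constructed, not captured traffic.
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}         # RFC 5246 HashAlgorithm
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}  # RFC 5246 SignatureAlgorithm


def ske_signature_algorithm(msg: bytes) -> tuple:
    """Return (hash, signature) names from a TLS 1.2 ECDHE ServerKeyExchange.

    `msg` is one handshake message: type(1) | length(3) | body.
    """
    if len(msg) < 4 or msg[0] != 12:
        raise ValueError("not a ServerKeyExchange handshake message")
    body = msg[4:]
    if int.from_bytes(msg[1:4], "big") != len(body):
        raise ValueError("handshake length does not match body")
    # ServerECDHParams: curve_type(1)=named_curve(3) | curve id(2) | point<1..255>
    if len(body) < 4 or body[0] != 3:
        raise ValueError("only named_curve ECDHE parameters are handled")
    off = 4 + body[3]
    # SignatureAndHashAlgorithm(2) | signature<0..2^16-1>
    if len(body) < off + 4:
        raise ValueError("truncated before signature")
    sig_len = int.from_bytes(body[off + 2:off + 4], "big")
    if off + 4 + sig_len != len(body):
        raise ValueError("signature length does not match body")
    h, s = body[off], body[off + 1]
    return HASHES.get(h, f"unknown({h})"), SIGS.get(s, f"unknown({s})")


def signed_with_md5(msg: bytes) -> bool:
    """True when the ServerKeyExchange signature is declared as MD5-based."""
    return ske_signature_algorithm(msg)[0] == "md5"


def build_sample(hash_id: int, sig_id: int = 1) -> bytes:
    """Constructed ServerKeyExchange with dummy key and signature bytes."""
    point = b"\x04" + bytes(64)                  # uncompressed P-256 point, zeros
    body = (b"\x03\x00\x17" + bytes([len(point)]) + point
            + bytes([hash_id, sig_id]) + (256).to_bytes(2, "big") + bytes(256))
    return b"\x0c" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for hid in (1, 4):
        m = build_sample(hid)
        print(ske_signature_algorithm(m), "MD5" if signed_with_md5(m) else "ok")
```

This only reports what the server declared; whether a given client build rejects such a message still has to be observed on the client side.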
Re: Firefox build?
Eric Griffith gmail.com> writes:

> Is there any reason Fedora would not...? Regardless you could diff the
> source code that was used to make the 43.0.1-fedora RPM vs what's in 43.0.2
> and see if the hole is unpatched.

There may be a reason. Fedora relies on NSS/NSPR packages for some of the stuff that Windows folks get bundled with FF, AFAIK. So, a maintainer of FF would know such things.

Comparing source will not necessarily give the correct answer, as that part of it may be unused in Fedora builds. Again, maintainer of FF would know. Ergo, the question.

--
Bojan
Re: Firefox build?
On Tue, Dec 29, 2015 at 4:13 PM, Bojan Smojver wrote:

> Eric Griffith gmail.com> writes:
>
>> Is there any reason Fedora would not...? Regardless you could diff the
>> source code that was used to make the 43.0.1-fedora RPM vs what's in 43.0.2
>> and see if the hole is unpatched.
>
> There may be a reason. Fedora relies on NSS/NSPR packages for some of the
> stuff that Windows folks get bundled with FF, AFAIK. So, a maintainer of FF
> would know such things.
>
> Comparing source will not necessarily give the correct answer, as that part
> of it may be unused in Fedora builds. Again, maintainer of FF would know.
> Ergo, the question.
>

Is there a simple way to test if the issue is a problem on Fedora? I don't even know of any sites with TLS 1.2 using MD5 signatures, especially when Chrome "broke" signatures that weren't SHA-256 or better for SSLv3 and stronger a year ago...

--
真実はいつも一つ!/ Always, there's only one truth!
Re: Firefox build?
On 28.12.2015 at 22:57, Bojan Smojver wrote:

> Release notes for FF 43.0.2 say that a security issue was fixed (MD5
> signatures accepted within TLS 1.2 ServerKeyExchange in server
> signature). Does this not affect Fedora builds?

what do you try to tell us with that question?

[harry@srv-rhsoft:~]$ rpm -q firefox
firefox-43.0-1.fc23.x86_64
Re: Firefox build?
On Mon, 28 Dec 2015 23:44:51 +0100, Reindl Harald wrote:

> On 28.12.2015 at 22:57, Bojan Smojver wrote:
> > Release notes for FF 43.0.2 say that a security issue was fixed (MD5
> > signatures accepted within TLS 1.2 ServerKeyExchange in server
> > signature). Does this not affect Fedora builds?
>
> what do you try to tell us with that question?
>
> [harry@srv-rhsoft:~]$ rpm -q firefox
> firefox-43.0-1.fc23.x86_64

43.0 vs. 43.0.2 (and 43.0.1)

https://www.mozilla.org/en-US/firefox/43.0.2/releasenotes/
Re: Firefox build?
Reindl Harald thelounge.net> writes:

> what do you try to tell us with that question?

I'm trying to establish whether Fedora needs a 43.0.2 (or better) build of FF in order to close this security hole.

--
Bojan
Re: Firefox build?
On Dec 28, 2015 18:02, "Bojan Smojver" wrote:
>
> Reindl Harald thelounge.net> writes:
>
> > what do you try to tell us with that question?
>
> I'm trying to establish whether Fedora needs a 43.0.2 (or better) build of
> FF in order to close this security hole.
>

Is there any reason Fedora would not...? Regardless you could diff the source code that was used to make the 43.0.1-fedora RPM vs what's in 43.0.2 and see if the hole is unpatched.