Your message dated Wed, 20 May 2015 15:14:46 +0900
with message-id <[email protected]>
and subject line Re: Bug#774195:
has caused the Debian Bug report #774195,
regarding libnss3: libpkix incorrectly prefers older, weaker certs over stronger, newer certs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
774195: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774195
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnss3
Version: 2:3.17.2-1.1
Severity: normal
Tags: upstream

Upstream has this patch:

  https://bugzilla.mozilla.org/show_bug.cgi?id=1112461

The version in Debian does not have it (reasonable, it's not released
yet). Right now it causes Chrome/Chromium 40+ to show some sites as
using "insecure" TLS settings[1] and more importantly, removing the green
EV badge where available. https://www.fastmail.com/ is one such site.

Normally I'd be happy to wait for upstream to release this and for it to
trickle down into Debian as normal. There is some urgency on this
however - Jessie will be released soon, and Chromium 40 will become the
stable branch soon[2]. At that point many sites will be affected that
shouldn't be unless NSS receives this patch.

I don't know if you want to include it directly in Debian, or push
Mozilla to get it done, or whatever. I'm just flagging it to make sure
that you're aware of it.

Cheers,
Rob N.

1. https://code.google.com/p/chromium/issues/detail?id=437733
2. http://googleonlinesecurity.blogspot.com.au/2014/09/gradually-sunsetting-sha-1.html


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnss3 depends on:
ii  libc6              2.19-13
ii  libnspr4           2:4.10.7-1
ii  libsqlite3-0       3.8.7.2-1
ii  multiarch-support  2.19-13
ii  zlib1g             1:1.2.8.dfsg-2+b1

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information

--- End Message ---
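The report's references point at Chromium's SHA-1 sunset, so the weakness in play is a SHA-1 signature on an intermediate. The check below is an added example, not code from the report or from NSS: given several candidate chains for one leaf (the issuer having both an older SHA-1-signed and a newer SHA-256-signed intermediate), it reads each certificate's outer signatureAlgorithm OID with a small stdlib-only DER walker and prefers the chain with no SHA-1 signatures below the root. The certificate-shaped sample bytes at the end are constructed for offline use; real DER certificates go through the same path.

```python
# Added example (not from the Debian report or NSS). Input: lists of DER
# certificates, leaf first, root last. The root's self-signature is ignored.
SHA1_OIDS = {"1.2.840.113549.1.1.5",   # sha1WithRSAEncryption
             "1.2.840.10045.4.1"}      # ecdsa-with-SHA1

def _tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid_str(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                       # base-128; high bit marks continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Return the dotted OID of a certificate's outer signatureAlgorithm field."""
    _, start, _ = _tlv(cert_der, 0)               # Certificate ::= SEQUENCE
    _, _, tbs_end = _tlv(cert_der, start)          # skip tbsCertificate
    _, alg_start, _ = _tlv(cert_der, tbs_end)      # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _oid_str(cert_der[oid_start:oid_end])

def chain_uses_sha1(chain):
    """True if any certificate except the root carries a SHA-1 signature."""
    return any(signature_oid(c) in SHA1_OIDS for c in chain[:-1])

def prefer_strong_chain(candidates):
    """Return the first candidate chain free of SHA-1 signatures, else the first one."""
    return next((c for c in candidates if not chain_uses_sha1(c)), candidates[0])

# Constructed sample input: certificate-shaped DER with a placeholder
# tbsCertificate, so the walker can be exercised offline.
def _der(tag, body):                       # short-form length only (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_cert(oid_bytes):
    tbs = _der(0x30, _der(0x02, b"\x01"))                   # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, oid_bytes))                 # AlgorithmIdentifier
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xaa"))  # + BIT STRING signature

SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```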
--- Begin Message ---
Version: 2:3.17.4-1

On Wed, May 20, 2015 at 05:58:55PM +1200, VeNoMouS wrote:
> Seriously, how long do we have to wait on this to be fixed...

It *is* fixed, but somehow the BTS doesn't show it in the graph.

Now it's up to the security team as to what to do for jessie.

Mike

--- End Message ---