On Mon, May 25, 2015 at 11:21:26AM -0700, Andrew Ayer wrote:
> On Wed, 20 May 2015 06:39:06 +0000
> ow...@bugs.debian.org (Debian Bug Tracking System) wrote:
>
> > On Wed, May 20, 2015 at 05:58:55PM +1200, VeNoMouS wrote:
> > >
> > >
> > > Seriously, how long do we have to wait on this to be fixed...
> >
> > It *is* fixed, but somehow the BTS doesn't show it in the graph.
> >
> > Now it's up to the security team as to what to do for jessie.
>
> Mike, thanks for uploading the new nss to unstable.
>
> Security team, are you planning a DSA for Jessie to fix this issue, or
> should it go through the upcoming stable point release? (Note that
> the queue for the point release will be frozen this upcoming weekend.)
>
> In either case, I wanted to help, so I've taken the upstream patch[1],
> which is quite minimal and cleanly applies to the version of nss in
> Jessie, and prepared an updated package with the patch. Debdiff
> attached, and .dsc available here:
>
> https://www.cloudmutt.com/s/nss_chain_patch/
>
> I've built it on Jessie and tested it - it fixes the problem and
> doesn't appear to have had any adverse effects. Let me know if I've
> missed anything or could do anything else to help.
It's up to Mike whether to fix that in the upcoming point release. We're
not planning a DSA for this issue alone, but it can be fixed along when
upstream releases changes to address the weakdh issue.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
