
Re: nss: CVE-2015-7181, CVE-2015-7182 and CVE-2015-4000 [was nss: CVE-2015-4000]



On 2016-01-23 09:04:53, Guido Günther wrote:
> Hi Luciano,
> On Thu, Dec 10, 2015 at 06:27:54PM +0100, Luciano Bello wrote:
>> On Saturday 28 November 2015 14.16.33 Guido Günther wrote:
>> > I've attached the patches for review. These also add some minimal
>> > autopkgtest to exercise the ASN1 parser (affected by the above CVEs).
>> > 
>> > I'm happy about any review.
>> 
>> Thanks for your work and sorry for the delay in the answer.
>> 
>> I will review your patches during the weekend. I have no idea how to handle your 
>> questions regarding CVE-2015-4000. Maybe somebody else in the security team 
>> has an opinion?
>
> Did you get a chance to look at the patches?

I don't know if Luciano did, but I looked at the patches and they are
okay, insofar as they match the upstream ones.

I was thinking of making a new debdiff to include other fixes, namely
CVE-2015-7575 and CVE-2016-1938 that have been fixed in squeeze but not
in wheezy yet. There are also CVE-2016-1950, CVE-2016-1978 and
CVE-2016-1979, which seem to need fixing in wheezy / jessie as well, that
I'm considering.

Would the secteam welcome such a debdiff for wheezy and jessie?

Thanks for your feedback,

A.

-- 
Either God would like to abolish evil, but he cannot,
Or God could abolish evil, but he does not want to.
                        - Sébastien Faure

