On Fri, Aug 21, 2009 at 08:10:02PM +0200, Alexander Sack wrote: > On Fri, Aug 21, 2009 at 08:03:36PM +0200, Mike Hommey wrote: > > On Fri, Aug 21, 2009 at 01:25:23PM +0200, Alexander Sack wrote: > > > reassign 542784 nss > > > thanks > > > > > > That bug needs to be fixed in nss (with more fixes because of > > > blackhat); we updated nss to 3.12.3.1 in ubuntu everywhere as we > > > believe that it's better to not do manual-cherry-picking for security > > > sensitive software like nss. > > > > > > I would suggest the same for debian, but i am not nss maintainer > > > so thats beyond my powers ... > > > > Technically, as you are part of the team, you also are a nss > > maintainer. > > cool :). > > > > > > if glandium or security team wants me to prepare such an update, I > > > could do that after my vacation (will be back on 1st sep). > > > > FWIW, the changes between 3.12.3 which we already have in squeeze and > > 3.12.3.1 are: > > - Additional root certs > > - Fix for windows startup time (the infamous IE temporary files reading > > stuff) > > - Removal of the CAPI module from the build > > - Avoid calling RNG_SystemInfoForRNG twice at startup > > > > In other words, squeeze is already ok. > > > > As for Lenny, the security team is on it. > > > My suggestion to do full upstream bump was for lenny.
I know, I was just giving status for squeeze. > New upstream versions are normal for this kind of stuff in > unstable/testing, so i thought it was not noteworthy. > > Is the security team following that road? The security team is backporting the fixes. Mike -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

