Hi Guido

Thanks a lot for the information. I'll enable this and will also run the abi-compliance-checker tool. Is it this [1] one you have used?

[1] https://lvc.github.io/abi-compliance-checker/

Best regards

// Ola

On 20 October 2016 at 23:48, Guido Günther <a...@sigxcpu.org> wrote:
> Hi Ola,
> On Thu, Oct 20, 2016 at 11:15:29PM +0200, Ola Lundqvist wrote:
> > Hi LTS team, Mozilla maintainers, Mike and Florian
> >
> > I have been working on the security problem reported in nss (and nspr).
> > https://security-tracker.debian.org/tracker/TEMP-0000000-583651
> > It is about unprotected environment variables.
> >
> > I did a check on what Florian Weimer had done for jessie-security and
> > the solution there was simply to package the new upstream release. So
> > I decided to take that approach as well. The advantage with this is that
> > we will not only have this problem solved, but also a few more.
> >
> > TEMP-0000000-583651 (nspr and nss)
> > CVE-2014-3566
> > CVE-2014-1490
> > CVE-2013-1740
> >
> > The disadvantage is that we are not playing safe. However, it looks
> > backwards compatible, but you never know.
> >
> > So all in all I have produced the following:
> >
> > nspr:
> > http://apt.inguza.net/wheezy-security/nspr
> > This is essentially a mimic of the jessie-security package changes.
> >
> > nss:
> > http://apt.inguza.net/wheezy-security/nss
> > This is essentially a re-build of the jessie-security package with the
> > changes file kept and only updated with one new entry.
> >
> > Call for advice:
> > 1) Do you have an opinion about the fact that I backport a new upstream
> > release?
> > See my discussion with the release team about this:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824872
>
> > 2) Will we have a build problem as nss depends on the latest nspr? I
> > guess I shall upload nspr first.
>
> See my runs of the abi compliance checker in the above URL.
>
> > 3) Shall I create one DLA covering both packages or shall I just
> > produce one DLA covering both nspr and nss?
>
> The rule is one DLA per package AFAIK.
>
> > I think one DLA is the best as both are needed to solve the problem
> > reported. But maybe that is against some practice. If you think I
> > shall write two, then please advise me what to write in the DLA for
> > nspr.
> >
> > Call for testing:
> > 4) As this package can have a rather big impact on a lot of other
> > packages it would be good if all of you install the new version (nss
> > is the important one) to see if it works for you.
>
> See
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806207
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809723
>
> that enable the internal test suites and add some autopkgtests. This
> should help to gain some confidence.
> Cheers,
>  -- Guido
>
> > I did not produce a debdiff as that diff was way too large to be useful.
> >
> > I have installed it myself but I have not been able to verify that the
> > tools using it are really working. Most are GUI tools and I do not have
> > a GUI environment to test wheezy in. The libnss3-tools package seems
> > to work fine to the limit I was able to check.
> >
> > I have not tried to reproduce the problem as the report was too vague
> > to give any good advice on which environment variable could
> > actually cause a problem.
> >
> > If I do not hear any objections in four days I will upload anyway.
> >
> > Thanks in advance
> >
> > // Ola
> >
> > --
> > --- Inguza Technology AB --- MSc in Information Technology ----
> > | o...@inguza.com      Folkebogatan 26
> > | o...@debian.org      654 68 KARLSTAD
> > | http://inguza.com/   Mobile: +46 (0)70-332 1551
> > | gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9