Hi,

It seems the nss update broke chromium:
https://lists.debian.org/debian-user/2016/10/msg00981.html

Maybe when we update gcc for firefox we can also continue supporting chromium:
https://lists.debian.org/debian-security-announce/2015/msg00031.html

Cheers,
Balint

2016-10-23 23:43 GMT+02:00 Ola Lundqvist <o...@inguza.com>:
> Hi all
>
> I have now been able to run the tests and also the abi version checker.
> I think it looks good.
>
> I could not verify FIPS 140-1 tests due to some device error (I'm running in
> a chroot so I guess that is the problem) but everything else is working.
>
> The ABI reports are available here:
>
> nspr:
> http://apt.inguza.net/wheezy-security/nspr/compat_report.html
>
> nss:
> http://apt.inguza.net/wheezy-security/nss/compat_report.html
>
> If I do not hear any further objections I'll upload this early next week
>
> Best regards
>
> // Ola
>
> On 21 October 2016 at 23:40, Guido Günther <a...@sigxcpu.org> wrote:
>>
>> On Fri, Oct 21, 2016 at 11:16:54PM +0200, Ola Lundqvist wrote:
>> > Hi Guido
>> >
>> > Thanks a lot for the information. I'll enable this and will also run
>> > abi-compliance check tool.
>> > Is it this [1] one you have used?
>> >
>> > [1] https://lvc.github.io/abi-compliance-checker/
>>
>> IIRC I've used the abi-compliance-checker Debian package.
>> Cheers,
>> -- Guido
>>
>> >
>> > Best regards
>> >
>> > // Ola
>> >
>> > On 20 October 2016 at 23:48, Guido Günther <a...@sigxcpu.org> wrote:
>> >
>> > > Hi Ola,
>> > > On Thu, Oct 20, 2016 at 11:15:29PM +0200, Ola Lundqvist wrote:
>> > > > Hi LTS team, Mozilla maintainers, Mike and Florian
>> > > >
>> > > > I have been working on the security problem reported in nss (and
>> > > > nspr).
>> > > > https://security-tracker.debian.org/tracker/TEMP-0000000-583651
>> > > > It is about unprotected environment variables.
>> > > >
>> > > > I did a check on what Florian Weimer had done for jessie-security
>> > > > and the solution there was simply to package the new upstream release.
>> > > > So I decided to do that approach as well.
>> > > > The advantage with this is that
>> > > > we will not only have this problem solved, but also a few more.
>> > > >
>> > > > TEMP-0000000-583651 (nspr and nss)
>> > > > CVE-2014-3566
>> > > > CVE-2014-1490
>> > > > CVE-2013-1740
>> > > >
>> > > > The disadvantage is that we are not playing safe. However it looks
>> > > > backwards compatible, but you never know.
>> > > >
>> > > > So all in all I have produced the following:
>> > > >
>> > > > nspr:
>> > > > http://apt.inguza.net/wheezy-security/nspr
>> > > > This is essentially a mimic of the jessie-security package changes.
>> > > >
>> > > > nss:
>> > > > http://apt.inguza.net/wheezy-security/nss
>> > > > This is essentially a re-build of the jessie-security package with
>> > > > changes file kept and only updated with one new entry.
>> > > >
>> > > > Call for advice:
>> > > > 1) Do you have an opinion about the fact that I backport new
>> > > > upstream release?
>> > >
>> > > See my discussion with the release team about this:
>> > >
>> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824872
>> > >
>> > > > 2) Will we have a build problem as nss depends on the latest nspr? I
>> > > > guess I shall upload nspr first.
>> > >
>> > > See my runs of the abi compliance checker in the above URL.
>> > >
>> > > > 3) Shall I create one DLA covering both packages or shall I just
>> > > > produce one DLA covering both nspr and nss?
>> > >
>> > > The rule is one DLA per package AFAIK.
>> > >
>> > > > I think one DLA is the best as both are needed to solve the problem
>> > > > reported. But maybe that is against some practice. If you think I
>> > > > shall write two, then please advise me what to write in the DLA for
>> > > > nspr.
>> > > >
>> > > > Call for testing:
>> > > > 4) As this package can have a rather big impact on a lot of other
>> > > > packages it would be good if all of you install the new version (nss
>> > > > is the important one) to see if it works for you.
>> > >
>> > > See
>> > >
>> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806207
>> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806639
>> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=809723
>> > >
>> > > that enable the internal test suites and add some autopkgtests. This
>> > > should help to gain some confidence.
>> > > Cheers,
>> > > -- Guido
>> > >
>> > > >
>> > > > I did not produce a debdiff as that diff was way too large to be
>> > > > useful.
>> > > >
>> > > > I have installed it myself but I have not been able to verify that
>> > > > the tools using it are really working. Most are GUI tools and I do not
>> > > > have a GUI environment to test wheezy in. The libnss3-tools package
>> > > > seems to work fine to the limit I was able to check.
>> > > >
>> > > > I have not tried to reproduce the problem as the report was too
>> > > > vague to give any good advice on what environment variable that could
>> > > > actually cause a problem.
>> > > >
>> > > > If I do not hear any objections in four days I will upload anyway.
>> > > >
>> > > > Thanks in advance
>> > > >
>> > > > // Ola
>> > > >
>> > > > --
>> > > > --- Inguza Technology AB --- MSc in Information Technology ----
>> > > > | o...@inguza.com        Folkebogatan 26
>> > > > | o...@debian.org        654 68 KARLSTAD
>> > > > | http://inguza.com/     Mobile: +46 (0)70-332 1551
>> > > > | gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9
>> > > >
>> > >
>> >
>> > --
>> > --- Inguza Technology AB --- MSc in Information Technology ----
>> > / o...@inguza.com        Folkebogatan 26 \
>> > | o...@debian.org        654 68 KARLSTAD |
>> > | http://inguza.com/     Mobile: +46 (0)70-332 1551 |
>> > \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
>> > ---------------------------------------------------------------
>
> --
> --- Inguza Technology AB --- MSc in Information Technology ----
> / o...@inguza.com        Folkebogatan 26 \
> | o...@debian.org        654 68 KARLSTAD |
> | http://inguza.com/     Mobile: +46 (0)70-332 1551 |
> \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
> ---------------------------------------------------------------
>