On Wed, Dec 21, 2016 at 05:27:30PM -0500, Antoine Beaupré wrote:
> Hi,
>
> We (the LTS team, but mainly me and buxy) are working on an update to
> the NSS package for wheezy, and we just packaged the upstream 3.26.2
> release since it was a minimal diff that was easy to review.
>
> We can't really update with a 3.26.2 version without making sure jessie
> follows suite as well.
>
> Can I upload that package to 3.26.2? For now it looks like this:
The only issue open in jessie is CVE-2016-9074, which doesn't really
warrant a DSA on it's own. We can reconsider a DSA if further nss
vulnerabilities appear.
For LTS you could simply base on 2:3.26-1+debu8u1 and cherrypick
the patch for CVE-2016-9074 on top.
Cheers,
Moritz
