Hi, On Thu, Dec 22, 2016 at 11:08:50AM +0100, Moritz Muehlenhoff wrote: > On Wed, Dec 21, 2016 at 05:27:30PM -0500, Antoine Beaupré wrote: > > Hi, > > > > We (the LTS team, but mainly me and buxy) are working on an update to > > the NSS package for wheezy, and we just packaged the upstream 3.26.2 > > release since it was a minimal diff that was easy to review. > > > > We can't really update with a 3.26.2 version without making sure jessie > > follows suite as well. > > > > Can I upload that package to 3.26.2? For now it looks like this: > > The only issue open in jessie is CVE-2016-9074, which doesn't really > warrant a DSA on it's own. We can reconsider a DSA if further nss > vulnerabilities appear. > > For LTS you could simply base on 2:3.26-1+debu8u1 and cherrypick > the patch for CVE-2016-9074 on top.
s/2:3.26-1+debu8u1/2:3.26-1+debu7u1/. It is as well fine if you want to ask SRM for inclusion of an update of nss via jessie-pu basend on an import of 3.26.2; the jessie point release is pending for 14th of January (and window for upload closing the weekend before on on 7th). https://lists.debian.org/debian-release/2016/12/msg00328.html Regards, Salvatore
