Marius Bakke <mba...@fastmail.com> writes:
> Marius Bakke <mba...@fastmail.com> writes:
>
>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>>>> has since been released, so I'm currently testing it and will push an
>>>> update to it soon. Any issues on armhf will need to be dealt with in
>>>> another way.
>>>
>>> Mark,
>>>
>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>> not picked to the 3.30.2 release which only contains certificate
>>> changes[1].
>>>
>>> Squashing these two commits into one should fix the problem (the first
>>> fix was incomplete[2]):
>>>
>>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
Good find, thank you! Since seeing the above post, I prepared my own
patches to update NSS to 3.30.2 and disable the long b64 tests.
And now I see you've prepared your own patch that only updates to
3.30.1. I'm not sure why we would consider rebuilding everything with
3.30.1 when 3.30.2 already exists, even if the only changes are to
certs.
I'll push this batch of patches soon, including fixes to graphite2 and
the icecat update, after a bit more testing.
Thanks!
Mark
