From: Marius Bakke <mbakke@fastmail.com>
To: Mark H Weaver <mhw@netris.org>
Cc: guix-devel@gnu.org
Subject: Re: NSS test failure on armhf
Date: Fri, 21 Apr 2017 00:18:07 +0200 [thread overview]
Message-ID: <87zifasoyo.fsf@fastmail.com> (raw)
In-Reply-To: <87bmrq7nn9.fsf@netris.org>
[-- Attachment #1: Type: text/plain, Size: 1816 bytes --]
Mark H Weaver <mhw@netris.org> writes:
> Marius Bakke <mbakke@fastmail.com> writes:
>
>> Marius Bakke <mbakke@fastmail.com> writes:
>>
>>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>>> CVE-2017-5461, a potential remote code execution vulnerability. 3.30.2
>>>>> has since been released, so I'm currently testing it and will push an
>>>>> update to it soon. Any issues on armhf will need to be dealt with in
>>>>> another way.
>>>>
>>>> Mark,
>>>>
>>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>>> not picked to the 3.30.2 release which only contains certificate
>>>> changes[1].
>>>>
>>>> Squashing these two commits into one should fix the problem (the first
>>>> fix was incomplete[2]):
>>>>
>>>> https://hg.mozilla.org/projects/nss/rev/802ec96a8dd1
>>>> https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
>
> Good find, thank you! Since seeing the above post, I prepared my own
> patches to update NSS to 3.30.2 and disable the long b64 tests.
>
> And now I see you've prepared your own patch that only updates to
> 3.30.1. I'm not sure why we would consider rebuilding everything with
> 3.30.1 when 3.30.2 already exists, even if the only changes are to
> certs.
>
> I'll push this batch of patches soon, including fixes to graphite2 and
> the icecat update, after a bit more testing.
Great, thanks! I could not find any compelling reason to use the 3.30.2
tarball (other than disk space on builders), and found the version
"mismatch" with between 'nss-certs' and 'nss' more distinctive.
However, after diffing 3.30.1 and 3.30.2, it seems certificate changes
also bump the library version:
https://hg.mozilla.org/projects/nss/diff/dc97a4930479/lib/ckfw/builtins/nssckbi.h
So I guess we should keep updating these together to the extent possible.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
prev parent reply other threads:[~2017-04-20 22:18 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-17 21:23 NSS test failure on armhf Marius Bakke
2017-04-17 21:52 ` Leo Famulari
2017-04-17 22:35 ` Marius Bakke
2017-04-20 18:39 ` Mark H Weaver
2017-04-20 18:49 ` Leo Famulari
2017-04-20 19:28 ` Marius Bakke
2017-04-20 19:43 ` Marius Bakke
2017-04-20 21:14 ` Marius Bakke
2017-04-20 21:52 ` Mark H Weaver
2017-04-20 22:18 ` Marius Bakke [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zifasoyo.fsf@fastmail.com \
--to=mbakke@fastmail.com \
--cc=guix-devel@gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.