Comment 1 Jory A. Pratt 2013-09-27 01:23:55 UTC

Bring in the teams, it has been added to tree.

Comment 2 Sean Amoss (RETIRED) 2013-09-29 16:19:57 UTC

Arches, please test and mark stable:
=dev-libs/nss-3.15.2
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 ~s390 sparc x86"

Comment 3 Agostino Sarubbo 2013-09-30 06:23:39 UTC

amd64 stable

Comment 4 Agostino Sarubbo 2013-09-30 06:23:48 UTC

x86 stable

Comment 5 Jeroen Roovers (RETIRED) 2013-10-01 13:25:29 UTC

Stable for HPPA.

Comment 6 Agostino Sarubbo 2013-10-06 10:12:16 UTC

ia64 stable

Comment 7 Agostino Sarubbo 2013-10-06 15:20:23 UTC

alpha stable

Comment 8 Agostino Sarubbo 2013-10-07 19:30:33 UTC

ppc stable

Comment 9 Agostino Sarubbo 2013-10-09 11:16:59 UTC

arm stable

Comment 10 Agostino Sarubbo 2013-10-09 11:18:57 UTC

ppc64 stable

Comment 11 Agostino Sarubbo 2013-10-09 17:10:19 UTC

sparc stable

Comment 12 Chris Reffett (RETIRED) 2013-10-24 00:11:12 UTC

Cleanup, please.

Comment 13 GLSAMaker/CVETool Bot 2013-10-24 00:11:41 UTC

CVE-2013-1739 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1739):
  Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that
  data structures are initialized before read operations, which allow remote
  attackers to cause a denial of service or possibly have unspecified other
  impact via vectors that trigger a decryption failure.

Comment 14 Lars Wendler (Polynomial-C) (RETIRED) 2013-10-24 08:35:12 UTC

+  24 Oct 2013; Lars Wendler <polynomial-c@gentoo.org> -nss-3.14.3.ebuild,
+  -nss-3.15.1-r1.ebuild:
+  Removed vulnerable versions (bug #486114).
+

Comment 15 Dirkjan Ochtman (RETIRED) 2013-10-24 11:09:25 UTC

Do we want to add back 3.14.4?

https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.4_release_notes

Comment 16 Lars Wendler (Polynomial-C) (RETIRED) 2013-10-24 11:45:03 UTC

(In reply to Dirkjan Ochtman from comment #15)
> Do we want to add back 3.14.4?
> 
> https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.4_release_notes

Please don't. nss-3.15 introduced TLS-1.2 which is the only TLS implementation out there that AFAIK has no known attack vector. And besides, nss-3.15.2 is already stable where it's necessary.

Comment 17 Dirkjan Ochtman (RETIRED) 2013-10-24 11:50:59 UTC

I have no problem with that, but I thought we might have stuff in the tree that depends on the 3.14 slot.

Comment 18 Ian Stakenvicius (RETIRED) 2013-10-24 13:20:47 UTC

(In reply to Dirkjan Ochtman from comment #17)
> I have no problem with that, but I thought we might have stuff in the tree
> that depends on the 3.14 slot.

if we do, it's not specified in *DEPEND -- if it was then repoman would've caught it.  I also grepped the tree just to be safe and didn't get any hits.

Comment 19 Yury German 2014-06-19 02:30:12 UTC

Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.

Comment 20 GLSAMaker/CVETool Bot 2014-06-21 22:14:02 UTC

This issue was resolved and addressed in
 GLSA 201406-19 at http://security.gentoo.org/glsa/glsa-201406-19.xml
by GLSA coordinator Mikle Kolyada (Zlogene).