| Summary: | <dev-libs/nss-3.12.5 TLS Session Renegotiation MITM vulnerability (CVE-2009-3555) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | kjackie |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://extendedsubset.com/?p=8 | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 300606 | | |
| Bug Blocks: | 292023 | | |
Description

Alex Legler (RETIRED)

This is tracked upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=524596 which is restricted still -> anarchy, rbu

Comment #1

(In reply to comment #0)
> This is tracked upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=524596
> which is restricted still -> anarchy, rbu

https://bugzilla.mozilla.org/show_bug.cgi?id=526689 should be the right one and is public now.

Comment #2

Stabilization via 300606

Comment #3

300606 is about stabilizing 3.12.5, which only disables TLS renegotiation (and breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 are needed.

mozilla-team: Is stabilizing 3.6.2 an option at the moment?

Comment #4

(In reply to comment #3)
> 300606 is about stabilizing 3.12.5, which only disables TLS renegotiation (and
> breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 are needed.
> mozilla-team: Is stabilizing 3.6.2 an option at the moment?

Don't really know; there hasn't been a 3.12.6 tarball released yet, we're using an artificial nss-3.12.6-gentoo extracted from the ff 3.2.6 sources for that. I want Anarchy's opinion before putting that up for stabilization.

There are also a few packages that are broken with xulrunner-1.9.2*; I've yet to look at those from a stable perspective (there's no tracker bug, for instance...)

Comment #5

(In reply to comment #4)
> (In reply to comment #3)
> > 300606 is about stabilizing 3.12.5, which only disables TLS renegotiation (and
> > breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 are needed.
> > mozilla-team: Is stabilizing 3.6.2 an option at the moment?
>
> Don't really know; there hasn't been a 3.12.6 tarball released yet, we're using
> an artificial nss-3.12.6-gentoo extracted from the ff 3.2.6 sources for that. I
> want Anarchy's opinion before putting that up for stabilization.
>
> There are also a few packages that are broken with xulrunner-1.9.2*; I've yet to
> look at those from a stable perspective (there's no tracker bug, for
> instance...)

Actually it has been officially released on the 25th. We will work to finish cleaning up for breakage and work to move to 3.6.x in 2 weeks.

Comment #6

(In reply to comment #3)
> 300606 is about stabilizing 3.12.5, which only disables TLS renegotiation (and
> breaks things). To really fix things, nss 3.12.6 and firefox 3.6.2 are needed.
> mozilla-team: Is stabilizing 3.6.2 an option at the moment?

I have added official support for 3.12.6 to tree, which replaces the incomplete snapshot. I do not see why you feel we must stabilize firefox-3.6.2 at this time; if you wanted, we could fast track 3.12.6-r1 to stable and still allow for proper renegotiation.

Comment #7

Nothing for mozilla team to do here; none of the affected versions/packages are in-tree anymore.

Comment #8

GLSA request filed.

Comment #9

This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).