| Summary: | please stabilise dev-libs/nss-3.12.5 | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Gordon Pettey <petteyg359> |
| Component: | Current packages | Assignee: | Mozilla Gentoo Team <mozilla> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | bts, egore |
| Priority: | High | Keywords: | STABLEREQ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.mozilla.org/show_bug.cgi?id=490495 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 292034 | | |
Description
Gordon Pettey
2010-01-11 16:50:42 UTC
E.g. Adblock Plus uses the StartCom certificate, see https://adblockplus.org/en/changelog-1.1.2 This means until we stabilize >=dev-libs/nss-3.12.4 you can't install Adblock Plus on Gentoo anymore.

3.12.5 is in the tree, it does have a fix included to handle a security issue, all arches are advised to please mark stable.

x86 stable

Stable for HPPA.

IMHO stabilizing 3.12.5 is not a good idea. It badly breaks user experience and we will get loads of bugs from it. From the release notes[1]: "All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF." If you define "secure == doesn't work", then everything is ok. It's a decision between a possible breakdown and a known breakdown. Just my 2 cents.

[1] https://developer.mozilla.org/NSS_3.12.5_release_notes

I'm sure it won't break "user experience badly". TLS renegotiation is not commonly used, usually with client X.509 certs. Nearly all software using TLS has adopted this "fix" like nss, without a large number of complaints. IETF proposes a solution, which has to be implemented in the future: http://www.ietf.org/id/draft-ietf-tls-renegotiation-03.txt Until then it should be fine to simply disable TLS renegotiation, better than working with vulnerable (#2)/malfunctioning (#0, #1) libraries. We should consider adding an einfo that renegotiation is now (temporarily) disabled.

ppc64 stable

ppc stable

alpha/arm/ia64/sparc stable

amd64 stable