300606 – please stabilise dev-libs/nss-3.12.5

Bug 300606 - please stabilise dev-libs/nss-3.12.5

Summary: please stabilise dev-libs/nss-3.12.5

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Mozilla Gentoo Team

URL:	https://bugzilla.mozilla.org/show_bug...
Whiteboard:
Keywords:	STABLEREQ

Depends on:
Blocks:	292034
	Show dependency tree

Reported:	2010-01-11 16:50 UTC by Gordon Pettey
Modified:	2010-02-09 11:44 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gordon Pettey 2010-01-11 16:50:42 UTC

http://hg.mozilla.org/mozilla-central/rev/0b821db9a67e
"EV enablement for 6 roots. b=493709 r=kaie
WellsSecure, SECOM Trust, StartCom, SwissSign, Cybertrust, DigiNotar"

https://bugzilla.mozilla.org/show_bug.cgi?id=490495
"Enable Object Signing Trust Bit in NSS for the StartCom Certification Authority
Target Milestone: 	3.12.4"

Reproducible: Always

Steps to Reproduce:
1. Use NSS <dev-libs/nss-3.12.4
2. Attempt to install mozilla-firefox extension signed by StartCom or any other listed CA
Actual Results:  
Installation fails

Expected Results:  
Installation succeeds

Comment 1 Roland Ramthun 2010-01-15 13:10:07 UTC

E.g. Adblock Plus uses the StartCom certificate, see https://adblockplus.org/en/changelog-1.1.2

This means until we stabilize >=dev-libs/nss-3.12.4 you can't install Adblock Plus on Gentoo anymore.

Comment 2 Jory A. Pratt gentoo-dev

2010-01-17 17:29:24 UTC

3.12.5 is in the tree, it does have a fix included to handle security issue, all arches are advised to please mark stable.

Comment 3 Christian Faulhammer (RETIRED) gentoo-dev

2010-01-17 18:58:08 UTC

x86 stable

Comment 4 Jeroen Roovers (RETIRED) gentoo-dev

2010-01-19 03:07:59 UTC

Stable for HPPA.

Comment 5 Christoph Brill (egore) (RESIGNED) 2010-01-19 08:59:00 UTC

IMHO stabilizing 3.12.5 is not a good idea. It badly breaks user experience and we will get loads of bugs from it. From the release notes[1]:

"All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs that attempt to perform renegotiation to experience failures where they formerly experienced successes, and is necessary for them to not be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF."

If you define "secure == doesn't work", then everything is ok. It's a decision between a possible breakdown and a known breakdown. Just my 2 cents.

[1] https://developer.mozilla.org/NSS_3.12.5_release_notes

Comment 6 Roland Ramthun 2010-01-19 12:17:40 UTC

I'm sure it won't break "user experience badly". TLS renegotioation is not commonly used, usually with client X.509 certs.
Nearly all software using TLS has adopted this "fix" like nss, without a large number if complaints.

IETF proposes a solution, which has to be implemented in the future: http://www.ietf.org/id/draft-ietf-tls-renegotiation-03.txt

Until then it should be fine to simply disable TLS renegotiation, better than working with vulnerable (#2)/malfunctioning(#0,#1) libraries.

We should consider adding an einfo that renegotiation is now (temporarily) disabled.

Comment 7 Brent Baude (RETIRED) gentoo-dev

2010-01-20 02:27:36 UTC

ppc64 stable

Comment 8 Brent Baude (RETIRED) gentoo-dev

2010-01-23 15:43:10 UTC

ppc stable

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2010-01-30 19:00:07 UTC

alpha/arm/ia64/sparc stable

Comment 10 Pacho Ramos gentoo-dev

2010-02-09 11:44:21 UTC

amd64 stable