[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Release-critical bugs
|
From: |
Ted Zlatanov |
|
Subject: |
Re: Release-critical bugs |
|
Date: |
Wed, 24 Sep 2014 09:48:08 -0400 |
|
User-agent: |
Gnus/5.130008 (Ma Gnus v0.8) Emacs/24.4.50 (gnu/linux) |
On Wed, 17 Sep 2014 15:40:39 -0400 Glenn Morris <address@hidden> wrote:
GM> David Engster wrote:
>> Especially the GnuTLS stuff goes way over my head, I'm afraid.
GM> And most people's I think. That's why these are long-term issues that
GM> don't see much progress. It seems far too late to make any changes
GM> related to GnuTLS for this release anyway. But nevertheless they remain
GM> important issues (which is why using severity in this way is not great).
Let me try to summarize (adding CCs to the parties involved that may not
read emacs-devel):
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16978 [i|*| ] [emacs] 24.3;
SSL/TLS with multiple man-in-the-middle vulnerabilities
Reported by: Jens Lechtenboerger <jens.lechtenboerger <at> fsfe.org>; Date:
Mon, 10 Mar 2014 07:00:02 UTC; Severity: important; Tags: security; Found in
version 24.3; Filed 198
days ago; Modified 184 days ago;
We made some fixes. To make things work well we'll need a certificate
management UI, which IMO can happen after the current release.
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17625 [i|*| ] [emacs] details of
package signing mechanism
Reported by: Eric Abrahamsen <eric <at> ericabrahamsen.net>; Date: Thu, 29
May 2014 03:12:01 UTC; Severity: important; Tags: security; Found in version
24.4.50; Filed 118 days
ago; Modified 89 days ago;
Daiki Ueno made some fixes. Stefan got the detailed steps for generating
a package signature and we need at least one package plus the
archive-contents signed by the maintainer in the GNU ELPA to test the
client behavior. This seems OK to me as far as the code.
Stefan suggested some behavior changes that we can implement and test
easily, but are not IMO critical for the release.
http://debbugs.gnu.org/cgi/bugreport.cgi?bug=17660 [i|*| ] [emacs] 24.3;
gnutls-min-prime-bits is 256
Reported by: Juliusz Chroboczek <jch <at> pps.univ-paris-diderot.fr>; Date:
Sun, 1 Jun 2014 13:25:01 UTC; Severity: important; Tags: security; Found in
version 24.3; Filed 115
days ago; Modified 110 days ago;
This touches several older tickets.
I said "the proper fix seems to be to change the default for
`gnutls-algorithm-priority' but that may break some people's setups
(just like raising `gnutls-min-prime-bits' would)" and it's still the
case. Opinions are welcome.
Considering the Emacs user base, I'd rather live with a slightly
insecure setting in 24.4 and address this in 24.5 together with the
certificate management UI.
I hope that's helpful.
Ted
- Re: Release-critical bugs, (continued)
- Re: Release-critical bugs, Glenn Morris, 2014/09/17
- Re: Release-critical bugs, Ivan Andrus, 2014/09/17
- Re: Release-critical bugs, Eli Zaretskii, 2014/09/17
- Re: Release-critical bugs, Glenn Morris, 2014/09/18
- Re: Release-critical bugs, Eli Zaretskii, 2014/09/18
- Re: Release-critical bugs, Glenn Morris, 2014/09/19
- Re: Release-critical bugs, Eli Zaretskii, 2014/09/19
Re: Release-critical bugs,
Ted Zlatanov <=