Re: NSS test failure on armhf

From: Marius Bakke
Subject: Re: NSS test failure on armhf
Date: Fri, 21 Apr 2017 00:18:07 +0200
User-agent: Notmuch/0.24.1 ( Emacs/25.1.1 (x86_64-unknown-linux-gnu)

Mark H Weaver <address@hidden> writes:

> Marius Bakke <address@hidden> writes:
>> Marius Bakke <address@hidden> writes:
>>>>> It turns out that the bug fix in 3.30.1 is critical: it fixes
>>>>> CVE-2017-5461, a potential remote code execution vulnerability.  3.30.2
>>>>> has since been released, so I'm currently testing it and will push an
>>>>> update to it soon.  Any issues on armhf will need to be dealt with in
>>>>> another way.
>>>> Mark,
>>>> I checked this. The upstream 3.30 branch[0] contains a fix, but it was
>>>> not picked to the 3.30.2 release which only contains certificate
>>>> changes[1].
>>>> Squashing these two commits into one should fix the problem (the first
>>>> fix was incomplete[2]):
> Good find, thank you!  Since seeing the above post, I prepared my own
> patches to update NSS to 3.30.2 and disable the long b64 tests.
> And now I see you've prepared your own patch that only updates to
> 3.30.1.  I'm not sure why we would consider rebuilding everything with
> 3.30.1 when 3.30.2 already exists, even if the only changes are to
> certs.
> I'll push this batch of patches soon, including fixes to graphite2 and
> the icecat update, after a bit more testing.

Great, thanks! I could not find any compelling reason to use the 3.30.2
tarball (other than disk space on builders), and found the version
"mismatch" between 'nss-certs' and 'nss' more distinctive.

However, after diffing 3.30.1 and 3.30.2, it seems certificate changes
also bump the library version:

So I guess we should keep updating these together to the extent possible.
