On Wed, 27 May 2015 08:11:35 +0200 Moritz Mühlenhoff <j...@inutil.org> wrote:
> It's up to Mike whether to fix that in the upcoming point release.
> We're not planning a DSA for this issue alone, but it can be fixed
> along when upstream releases changes to address the weakdh issue.

Mike, are you planning to upload this fix for the upcoming point release?

A couple of reasons why this bug is important to fix:

1. It causes users of NSS to construct a SHA-1 certificate chain even when a server serves a SHA-2 certificate chain. Chrome shows a security warning because of this. Users will either become unnecessarily alarmed by the warning, or ignore it and become desensitized to security warnings.

2. It allows a mild form of DoS - a website could maliciously serve a SHA-1 chain, polluting the cache, triggering security warnings when visiting other websites.

The patch is minimal and applies cleanly to the version of nss in Jessie. The debdiff I provided should be ready for upload once you finalize debian/changelog with `dch -r`.

Thanks,
Andrew