On Fri, Aug 21, 2009 at 08:03:36PM +0200, Mike Hommey wrote:
> On Fri, Aug 21, 2009 at 01:25:23PM +0200, Alexander Sack wrote:
> > reassign 542784 nss
> > thanks
> >
> > That bug needs to be fixed in nss (with more fixes because of
> > blackhat); we updated nss to 3.12.3.1 in ubuntu everywhere as we
> > believe that it's better to not do manual-cherry-picking for security
> > sensitive software like nss.
> >
> > I would suggest the same for debian, but I am not nss maintainer
> > so that's beyond my powers ...
>
> Technically, as you are part of the team, you also are a nss
> maintainer.

cool :).

> > if glandium or security team wants me to prepare such an update, I
> > could do that after my vacation (will be back on 1st sep).
>
> FWIW, the changes between 3.12.3 which we already have in squeeze and
> 3.12.3.1 are:
> - Additional root certs
> - Fix for windows startup time (the infamous IE temporary files reading
>   stuff)
> - Removal of the CAPI module from the build
> - Avoid calling RNG_SystemInfoForRNG twice at startup
>
> In other words, squeeze is already ok.
>
> As for Lenny, the security team is on it.

My suggestion to do full upstream bump was for lenny. New upstream
versions are normal for this kind of stuff in unstable/testing, so I
thought it was not noteworthy. Is the security team following that road?

 - Alexander