Re: BEAST to be patched in NSS


 



On 10/18/2013 06:54 PM, Elio Maldonado Batiz wrote:
On 10/18/2013 12:55 PM, Miloslav Trmač wrote:
On Wed, Oct 16, 2013 at 10:33 PM, Eric H. Christensen
<sparks@xxxxxxxxxxxxxxxxx> wrote:
Information on this fix is in Bugzilla[1].
There are >80 packages affected, would it be possible to give the
owners a shorter (and authoritative[1]) version, instead of asking
each maintainer to fish the information out of a bug with 135
comments?

* Can I test my package right now, before the NSS change lands?  How?
* If I need a workaround, what is the workaround?  (Do I have to set
an environment variable, or is there a way to do it in the API?  If I
do have to set an environment variable, do I have to do it at the very
start before initializing NSS?  Before opening the specific socket?,

The update has been now to f20 updates-testing. https://admin.fedoraproject.org/updates/FEDORA-2013-19396/nss-3.15.2-2.fc20 I could hold it back very shortly to give folks time, but we really would like this during beta so we get feedback.

NSS checks the value of the SSL_CBC_RANDOM_IV_SSL variable and you could programmatically set it to 0 with setenv, for example [1].
Poor reply, I admit. Disabling the fix is not what we want users to do of course.

Miloslav, you raise a good point. One problem I see is that many packages are affected indirectly. They may not be clients of nss but packages that they depend on are. The packager needs to be quite familiar with that part of the code, identify and implement a fix, submit it upstream, wait for feedback from upstream. Our Fedora packager may diligently submit a patch upstream but it may take some time before there is an upstream review and the submission is either accepted or they may ask for changes or reject it. In the meantime end users are either inconvenienced or exposed. It has been two years, let's see what happens this time around. Ah, the joys of open source!

> There are >80 packages affected, would it be possible to give the
It would be useful if the list was available. Could those package owners be notified directly? There is a lot discussed in this and other lists, and the threads are sometimes long, which causes folks to quickly scan them and sometimes miss out on important things.
Elio

[1] http://man7.org/linux/man-pages/man3/setenv.3.html


Or at a different time?)

Thank you,
    Mirek

[1] I'm intentionally not providing my guesses at the answers.
Set SSL_CBC_RANDOM_IV SSL=1



--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




