BEAST to be patched in NSS

Elio Maldonado Batiz emaldona at redhat.com
Sat Oct 19 15:23:18 UTC 2013


On 10/18/2013 06:54 PM, Elio Maldonado Batiz wrote:
> On 10/18/2013 12:55 PM, Miloslav Trmač wrote:
>> On Wed, Oct 16, 2013 at 10:33 PM, Eric H. Christensen
>> <sparks at fedoraproject.org> wrote:
>>> Information on this fix is in Bugzilla[1].
>> There are >80 packages affected, would it be possible to give the
>> owners a shorter (and authoritative[1]) version, instead of asking
>> each maintainer to fish the information out of a bug with 135
>> comments?
>>
>> * Can I test my package right now, before the NSS change lands?  How?
>> * If I need a workaround, what is the workaround?  (Do I have to set
>> an environment variable, or is there a way to do it in the API?  If I
>> do have to set an environment variable, do I have to do it at the very
>> start before initializing NSS?  Before opening the specific socket?,
>
> The update has now been pushed to f20 updates-testing:
> https://admin.fedoraproject.org/updates/FEDORA-2013-19396/nss-3.15.2-2.fc20
> I could hold it back very briefly to give folks time, but we really would 
> like this during beta so we get feedback.
>
> NSS checks the value of the SSL_CBC_RANDOM_IV_SSL variable and you 
> could programmatically set it to 0 with setenv, for example [1].
Poor reply, I admit. Disabling the fix is not what we want users to do 
of course.

Miloslav, you raise a good point. One problem I see is that many 
packages are affected indirectly. They may not be clients of nss but 
packages that they depend on are. The packager needs to be quite 
familiar with that part of the code, identify and implement a fix, 
submit it upstream, wait for feedback from upstream. Our fedora packager 
may diligently submit a patch upstream but it may take some time before 
there is an upstream review and the submission is either accepted or 
they may ask for changes or reject it. In the meantime end users are 
either inconvenienced or exposed. It has been two years, let's see what 
happens this time around. Ah, the joys of open source!

> There are >80 packages affected, would it be possible to give the
It would be useful if the list was available. Could those package owners be 
notified directly? There is a lot discussed in this and other lists 
and the threads are sometimes long which causes folks to quickly scan 
them and sometimes miss out on important things.
> Elio
>
> [1] http://man7.org/linux/man-pages/man3/setenv.3.html
>
>
>> Or at a different time?)
>>
>> Thank you,
>>     Mirek
>>
>> [1] I'm intentionally not providing my guesses at the answers.
>> Set SSL_CBC_RANDOM_IV SSL=1
>
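The thread notes that many packages are affected only indirectly, through something they depend on, and asks for a list of affected packages. The following script is an added example (not from the thread or from Fedora's own tooling) that computes that list from a dependency map: it walks the reverse dependency graph from a library and reports direct and transitive dependents together with the chain that links each one back to the library. The package names and requirements below are constructed for illustration; in practice the map would be filled from a real source such as repoquery output.

```python
"""Transitive reverse-dependency search for an updated library (added example)."""
from collections import deque

# Constructed sample data: package -> direct runtime requirements.
# Names are illustrative only; a real map would come from the distribution's
# package metadata (e.g. repoquery --requires / --whatrequires).
SAMPLE_DEPS = {
    "nss": [],
    "nspr": [],
    "curl": ["nss", "nspr"],
    "libcurl": ["nss"],
    "git": ["libcurl"],
    "firefox": ["nss", "nspr"],
    "python-requests": ["python-urllib3"],
    "python-urllib3": ["openssl"],
    "openssl": [],
}


def reverse_deps(deps):
    """Invert the map: library -> set of packages that require it directly."""
    rev = {}
    for pkg, reqs in deps.items():
        rev.setdefault(pkg, set())
        for req in reqs:
            rev.setdefault(req, set()).add(pkg)
    return rev


def affected_packages(deps, target):
    """Return {package: chain} for every package that reaches `target`.

    `chain` lists the dependency path from the package down to `target`,
    e.g. ["git", "libcurl", "nss"], so a maintainer can see *why* they are
    affected.  Breadth-first search yields the shortest such path.
    """
    rev = reverse_deps(deps)
    result = {}
    queue = deque([(target, [target])])
    seen = {target}
    while queue:
        pkg, chain = queue.popleft()
        for dependent in sorted(rev.get(pkg, ())):
            if dependent in seen:
                continue  # already reached by a shorter chain
            seen.add(dependent)
            new_chain = [dependent] + chain
            result[dependent] = new_chain
            queue.append((dependent, new_chain))
    return result


def direct_and_indirect(deps, target):
    """Split the affected set into direct dependents and transitive ones."""
    affected = affected_packages(deps, target)
    direct = sorted(p for p, chain in affected.items() if len(chain) == 2)
    indirect = sorted(p for p, chain in affected.items() if len(chain) > 2)
    return direct, indirect


if __name__ == "__main__":
    direct, indirect = direct_and_indirect(SAMPLE_DEPS, "nss")
    chains = affected_packages(SAMPLE_DEPS, "nss")
    print("direct dependents of nss:  ", direct)
    print("indirect dependents of nss:", indirect)
    for pkg in indirect:
        print("  ", " -> ".join(chains[pkg]))
```

The indirect list is the one that matters for the notification problem raised above: those maintainers have no nss code in their own package and would not find themselves by grepping for NSS API calls, yet their users are still exposed until the intermediate library picks up the fix.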