nss should use transitional scheme for renegotiation

Bug #553251 reported by Jamie Strandboge on 2010-04-01
Affects: nss (Ubuntu) | Importance: High | Assigned to: Chris Coulson
Affects: Lucid | Importance: High | Assigned to: Chris Coulson

Bug Description

3.12.6-0ubuntu1 in Ubuntu includes a fix for CVE-2009-3555; however, it uses strict checking, which breaks clients connecting to unpatched servers. This is http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561918. While not the current upstream default, transitional is the recommendation from upstream (from email exchange).

Changed in nss (Ubuntu):
importance: Undecided → High
milestone: none → ubuntu-10.04-beta-2
status: New → In Progress
assignee: nobody → Chris Coulson (chrisccoulson)
Changed in nss (Ubuntu Lucid):
status: In Progress → Fix Committed
Reed Loden (reed) wrote :

Why isn't Firefox (from mozilla.org) affected by this issue? Trunk Minefield uses NSS 3.12.6.2, and I haven't heard any problems similar to this...

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nss - 3.12.6-0ubuntu2

---------------
nss (3.12.6-0ubuntu2) lucid; urgency=low

  * Enable transitional scheme for SSL renegotiation (LP: #553251)
    - add 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
    - update debian/patches/series
 -- Chris Coulson <email address hidden> Wed, 31 Mar 2010 20:42:18 +0100

Changed in nss (Ubuntu Lucid):
status: Fix Committed → Fix Released
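
Added example (not part of the bug report or of the NSS source): a self-contained C sketch of why a strict client fails against an unpatched server while a transitional client does not. It assumes "strict" corresponds to NSS's SSL_RENEGOTIATE_REQUIRES_XTN; the enum mirrors the SSL_RENEGOTIATE_* values in NSS's ssl.h, while the function names, the simplified decision model and the two ServerHello byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Local mirror of the SSL_RENEGOTIATE_* policy values in NSS's ssl.h. */
enum { RENEG_NEVER, RENEG_UNRESTRICTED, RENEG_REQUIRES_XTN, RENEG_TRANSITIONAL };

/* Constructed ServerHello bodies (zeroed random, empty session id, one cipher). */
static const uint8_t HELLO_UNPATCHED[] = { 0x03, 0x01, [34] = 0x00, 0x00, 0x2f, 0x00 };
static const uint8_t HELLO_PATCHED[] = { 0x03, 0x01, [34] = 0x00, 0x00, 0x2f, 0x00,
    0x00, 0x05, 0xff, 0x01, 0x00, 0x01, 0x00 }; /* + empty renegotiation_info */

/* Scan a ServerHello body (the bytes after the 4-byte handshake header) for the
 * RFC 5746 renegotiation_info extension: 1 = present, 0 = absent, -1 = malformed. */
int server_hello_has_ri(const uint8_t *b, size_t n) {
    size_t p = 2 + 32;                      /* server_version + random */
    if (n < p + 1) return -1;
    p += 1 + (size_t)b[p];                  /* session_id */
    if (n < p + 3) return -1;
    p += 3;                                 /* cipher_suite + compression_method */
    if (p == n) return 0;                   /* hello without an extensions block */
    if (n - p < 2 || (((size_t)b[p] << 8) | b[p + 1]) != n - p - 2) return -1;
    p += 2;
    while (n - p >= 4) {
        unsigned type = ((unsigned)b[p] << 8) | b[p + 1];
        size_t len = ((size_t)b[p + 2] << 8) | b[p + 3];
        p += 4;
        if (len > n - p) return -1;
        if (type == 0xff01) return 1;       /* renegotiation_info */
        p += len;
    }
    return p == n ? 0 : -1;
}

/* Simplified model: may this endpoint renegotiate with this peer? */
int renegotiation_permitted(int policy, int is_server, int peer_has_ri) {
    switch (policy) {
    case RENEG_UNRESTRICTED: return 1;                 /* vulnerable legacy behaviour */
    case RENEG_REQUIRES_XTN: return peer_has_ri == 1;  /* strict */
    case RENEG_TRANSITIONAL: return is_server ? peer_has_ri == 1 : 1;
    default:                 return 0;                 /* RENEG_NEVER */
    }
}

int main(void) {
    int ri = server_hello_has_ri(HELLO_UNPATCHED, sizeof HELLO_UNPATCHED);
    printf("unpatched server, strict client:       %d\n", renegotiation_permitted(RENEG_REQUIRES_XTN, 0, ri));
    printf("unpatched server, transitional client: %d\n", renegotiation_permitted(RENEG_TRANSITIONAL, 0, ri));
}
```

In this model the transitional value relaxes the check only on the client side; a server socket still refuses to renegotiate with a peer that did not send the extension.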