3:57 p.m.
Release notes for FF 43.0.2 say that a security issue was fixed (MD5
signatures accepted within TLS 1.2 ServerKeyExchange in server
signature). Does this not affect Fedora builds?
PS. The link to that security issue is broken (https://www.mozilla.org/
en-US/security/advisories/mfsa2015-150/), so not quite sure any more
what is real and what's not on Mozilla site.
--
Bojan
4:44 p.m.
Am 28.12.2015 um 22:57 schrieb Bojan Smojver:
Release notes for FF 43.0.2 say that a security issue was fixed (MD5
signatures accepted within TLS 1.2 ServerKeyExchange in server
signature). Does this not affect Fedora builds?
what do you try to tell us with that question?
[harry@srv-rhsoft:~]$ rpm -q firefox
firefox-43.0-1.fc23.x86_64
4:49 p.m.
On Mon, 28 Dec 2015 23:44:51 +0100, Reindl Harald wrote:
Am 28.12.2015 um 22:57 schrieb Bojan Smojver:
> Release notes for FF 43.0.2 say that a security issue was fixed (MD5
> signatures accepted within TLS 1.2 ServerKeyExchange in server
> signature). Does this not affect Fedora builds?
what do you try to tell us with that question?
[harry@srv-rhsoft:~]$ rpm -q firefox
firefox-43.0-1.fc23.x86_64
43.0 vs. 43.0.2 (and 43.0.1)
https://www.mozilla.org/en-US/firefox/43.0.2/releasenotes/
12:34 a.m.
On Dec 28, 2015 18:02, "Bojan Smojver" <bojan(a)rexursive.com> wrote:
Reindl Harald <h.reindl <at> thelounge.net> writes:
> what do you try to tell us with that question?
I'm trying to establish whether Fedora needs a 43.0.2 (or better) build of
FF in order to close this security hole.
Is there any reason Fedora would not...? Regardless you could diff the
source code that was used to make the 43.0.1-fedora RPM vs whats in 43.0.2
and see if the hole is unpatched.
4:13 p.m.
Eric Griffith <egriffith92 <at> gmail.com> writes:
Is there any reason Fedora would not...? Regardless you could diff
the
source code that was used to make the 43.0.1-fedora RPM vs whats in 43.0.2
and see if the hole is unpatched.
There may be a reason. Fedora relies on NSS/NSPR packages for some of the
stuff that Windows folks get bundled with FF, AFAIK. So, a maintainer of FF
would know such things.
Comparing source will not necessarily give the correct answer, as that part
of it may be unused in Fedora builds. Again, maintainer of FF would know.
Ergo, the question.
--
Bojan
11:45 p.m.
On Tue, Dec 29, 2015 at 4:13 PM, Bojan Smojver <bojan(a)rexursive.com> wrote:
Eric Griffith <egriffith92 <at> gmail.com> writes:
> Is there any reason Fedora would not...? Regardless you could diff the
source code that was used to make the 43.0.1-fedora RPM vs whats in 43.0.2
and see if the hole is unpatched.
There may be a reason. Fedora relies on NSS/NSPR packages for some of the
stuff that Windows folks get bundled with FF, AFAIK. So, a maintainer of FF
would know such things.
Comparing source will not necessarily give the correct answer, as that part
of it may be unused in Fedora builds. Again, maintainer of FF would know.
Ergo, the question.
Is there a simple way to test if the issue is a problem on Fedora? I
don't even know of any sites with TLS 1.2 using MD5 signatures,
especially when Chrome "broke" signatures that weren't SHA-256 or
better for SSLv3 and stronger a year ago...
--
真実はいつも一つ!/ Always, there's only one truth!
2:57 p.m.
Neal Gompa <ngompa13 <at> gmail.com> writes:
Is there a simple way to test if the issue is a problem on Fedora? I
don't even know of any sites with TLS 1.2 using MD5 signatures,
especially when Chrome "broke" signatures that weren't SHA-256 or
better for SSLv3 and stronger a year ago...
I guess one can always generate a cert with MD5 signature and try over TLS
1.2. However, the plot thickens. Although 43.0.2 release notes say that
security issues were fixed, none are listed for that version any longer on
the detailed security fixes page. So, maybe Mozilla changed their mind or
something.
Anyhow, Fedora builds of 43.0.3 have been submitted for testing, so all this
is moot.
--
Bojan
3050
days inactive
3052
days old
7 comments
5 participants
participants (5)
-
Bojan Smojver -
Eric Griffith -
Michael Schwendt -
Neal Gompa -
Reindl Harald