Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].

From:	Marius Bakke
Subject:	Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
Date:	Sat, 22 Apr 2017 09:40:13 +0200
User-agent:	Notmuch/0.24.1 (https://notmuchmail.org) Emacs/25.1.1 (x86_64-unknown-linux-gnu)

Mark H Weaver <address@hidden> writes:

> Mark H Weaver <address@hidden> writes:
>
>> These patches update nss to 3.30.2 and disable long b64 tests which fail
>> on some systems including armhf.  I'll push them soon after some light
>> testing.
>
> Unfortunately, even with "nss-increase-test-timeout.patch" and
> "nss-disable-long-b64-tests.patch", the build still failed on armhf:
>
>   https://hydra.gnu.org/build/2010324
>
> It would be good to find a way to fix or work around this issue without
> forcing rebuilds on other platforms.  Also, I feel it's important to
> always run tests on NSS on all platforms.

Here is the relevant excerpt from the log:

[ RUN      ] SkipVariants/TlsSkipTest.SkipCertificateRsa/0
Version: TLS 1.1
server: Changing state from INIT to CONNECTING
client: Changing state from INIT to CONNECTING
Dropping handshake: 11
record old: [531] 
020000510302f666481a7e6747c16e682f37345e569db0d06bdb08b5a8894ec8...
record new: [89] 
020000510302f666481a7e6747c16e682f37345e569db0d06bdb08b5a8894ec8...
server: Original packet: [536] 
1603020213020000510302f666481a7e6747c16e682f37345e569db0d06bdb08...
server: Filtered packet: [94] 
1603020059020000510302f666481a7e6747c16e682f37345e569db0d06bdb08...
Alert: [2] 020a
client: Alert sent: level=2 desc=10
client: Handshake failed with error SSL_ERROR_RX_UNEXPECTED_HELLO_DONE: SSL 
received an unexpected Server Hello Done handshake message.
client: Changing state from CONNECTING to ERROR
tls_connect.cc:238: Failure
Value of: (client_->state() != TlsAgent::STATE_CONNECTING) && (server_->state() 
!= TlsAgent::STATE_CONNECTING)
  Actual: false
Expected: true
tls_connect.cc:374: Failure
Value of: server_->state()
  Actual: CONNECTING
Expected: TlsAgent::STATE_ERROR
Which is: ERROR
[  FAILED  ] SkipVariants/TlsSkipTest.SkipCertificateRsa/0, where GetParam() = 
("TLS", 770) (50449 ms)

This looks very similar to the random connect timeouts that prompted the
"increase-test-timeouts" patch, except this time it took 50s instead of
~20s:

https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00412.html

(search for '[  FAILED' in the build logs)

I am 99% sure the attached patch will do the job. What do you think?

0001-gnu-nss-Further-increase-test-timeouts-on-armhf.patch
Description: Text Data

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461]., Mark H Weaver, 2017/04/20
- Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461]., Mark H Weaver, 2017/04/21
  - Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461]., Marius Bakke <=
    - Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461]., Mark H Weaver, 2017/04/22
    - Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461]., Marius Bakke, 2017/04/23

Prev by Date: Re: We need an RFC procedure [Re: Services can now have a default value]
Next by Date: Re: Icecat 52 crashing in file dialogues
Previous by thread: Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
Next by thread: Re: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
Index(es):
- Date
- Thread