intrigeri wrote:
> it's getting that obvious nobody has time to manage an interim
> release, so we should put out a security advisory. The least we can do
> is to tell users what the risks are.
It sounds like only NSS (libnss) has to be updated [1].
Is it unlikely that Debian will update the NSS backport with this security
update?
Because if it was updated, the user would only need to run a simple apt or
dpkg command, right?
By the way, it seems that we are currently running an outdated vulnerable
libnss version anyway, because it is installed from backports and not
updated there. Version 3.14.4 also fixed a security issue [2], and
backports has an unpatched [3] version 3.14.3.
[1] https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
[2] https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.4_release_notes
[3] http://ftp.us.debian.org/debian-backports/pool/main/n/nss/nss_3.14.3-1~bpo60%2b1.debian.tar.gz