Accepting request 1160555 from mozilla:Factory

- update to NSS 3.98
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
                  in TLS
  * bmo#1879513 - Certificate Compression: enabling the check that
                  the compression was advertised
  * bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
  * bmo#1879945 - Remove Email trust bit from OISTE WISeKey
                  Global Root GC CA
  * bmo#1877344 - Replace `distutils.spawn.find_executable` with
                  `shutil.which` within `mach` in `nss`
  * bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
                  support Certificate compression
  * bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
  * bmo#1875356 - Add valgrind annotations to freebl kyber operations
                  for constant-time execution tests
  * bmo#1870673 - Set nssckbi version number to 2.66
  * bmo#1874017 - Add Telekom Security roots
  * bmo#1873095 - Add D-Trust 2022 S/MIME roots
  * bmo#1865450 - Remove expired Security Communication RootCA1 root
  * bmo#1876179 - move keys to a slot that supports concatenation in
                  PK11_ConcatSymKeys
  * bmo#1876800 - remove unmaintained tls-interop tests
  * bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
                  flags
  * bmo#1874937 - bogo: add support for the -curves shim flag and
                  update Kyber expectations
  * bmo#1874937 - bogo: adjust expectation for a key usage bit test
  * bmo#1757758 - mozpkix: add option to ignore invalid subject
                  alternative names
  * bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value

OBS-URL: https://build.opensuse.org/request/show/1160555
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=215

mozilla-nss.changes

@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Sat Mar 16 21:39:31 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- update to NSS 3.98
+  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
+                  in TLS
+  * bmo#1879513 - Certificate Compression: enabling the check that
+                  the compression was advertised
+  * bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
+  * bmo#1879945 - Remove Email trust bit from OISTE WISeKey
+                  Global Root GC CA
+  * bmo#1877344 - Replace `distutils.spawn.find_executable` with
+                  `shutil.which` within `mach` in `nss`
+  * bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
+                  support Certificate compression
+  * bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
+  * bmo#1875356 - Add valgrind annotations to freebl kyber operations
+                  for constant-time execution tests
+  * bmo#1870673 - Set nssckbi version number to 2.66
+  * bmo#1874017 - Add Telekom Security roots
+  * bmo#1873095 - Add D-Trust 2022 S/MIME roots
+  * bmo#1865450 - Remove expired Security Communication RootCA1 root
+  * bmo#1876179 - move keys to a slot that supports concatenation in
+                  PK11_ConcatSymKeys
+  * bmo#1876800 - remove unmaintained tls-interop tests
+  * bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
+                  flags
+  * bmo#1874937 - bogo: add support for the -curves shim flag and
+                  update Kyber expectations
+  * bmo#1874937 - bogo: adjust expectation for a key usage bit test
+  * bmo#1757758 - mozpkix: add option to ignore invalid subject
+                  alternative names
+  * bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
+  * bmo#1876390 - take ownership of ecckilla shims
+  * bmo#1874458 - add valgrind annotations to freebl/ec.c
+  * bmo#864039  - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
+  * bmo#1875965 - Update zlib to 1.3.1
+
+-------------------------------------------------------------------
+Thu Feb 29 10:07:57 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Add crypto-policies support [bsc#1211301]
+  deactivated for now
+
 -------------------------------------------------------------------
 Fri Feb 23 11:55:45 UTC 2024 - pgajdos@suse.com
 

mozilla-nss.spec

@@ -2,7 +2,7 @@
 # spec file for package mozilla-nss
 #
 # Copyright (c) 2024 SUSE LLC
-# Copyright (c) 2006-2023 Wolfgang Rosenauer
+# Copyright (c) 2006-2024 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,14 +17,15 @@
 #
 
 
-%global nss_softokn_fips_version 3.97
+%global nss_softokn_fips_version 3.98
 %define NSPR_min_version 4.35
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
+%global crypto_policies_version 20210118
 Name:           mozilla-nss
-Version:        3.97
+Version:        3.98
 Release:        0
-%define underscore_version 3_97
+%define underscore_version 3_98
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
@@ -95,6 +96,9 @@ BuildRequires:  jitterentropy-devel
 Requires(pre):  libjitterentropy3
 Requires:       libjitterentropy3
 %endif
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+Requires:       crypto-policies >= %{crypto_policies_version}
+%endif
 Requires:       libfreebl3 >= %{nss_softokn_fips_version}
 Requires:       libsoftokn3 >= %{nss_softokn_fips_version}
 Requires:       mozilla-nspr >= %{NSPR_min_version}
@@ -277,6 +281,13 @@ export NSS_ENABLE_FIPS_INDICATORS=1
 export NSS_FIPS_MODULE_ID="\"SUSE Linux Enterprise NSS %{version}-%{release}\""
 #export SQLITE_LIB_NAME=nsssqlite3
 export MAKE_FLAGS="BUILD_OPT=1"
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+#export POLICY_FILE="nss.config"
+# location of the policy file
+#export POLICY_PATH="/etc/crypto-policies/back-ends"
+%endif
 EOF
 
 source ../obsenv.sh
@@ -298,6 +309,11 @@ export HOST="localhost"
 export DOMSUF="localdomain"
 export USE_IP=TRUE
 export IP_ADDRESS="127.0.0.1"
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+# This is necessary because the test suite tests algorithms that are
+# disabled by the system policy.
+export NSS_IGNORE_SYSTEM_POLICY=1
+%endif
 EOF
 source ../obsenv.sh
 source ../obstestenv.sh
@@ -462,6 +478,11 @@ fi
 
 %postun sysinit -p /sbin/ldconfig
 
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+%posttrans
+update-crypto-policies &> /dev/null || :
+%endif
+
 %files
 %{_libdir}/libnss3.so
 %{_libdir}/libnssutil3.so

nss-3.97.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:078efb8393f32e40b1fb4bf6930fff7f1aabed01287fcc5fe58aba736765fa0a
-size 76664827

nss-3.98.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f549cc33d35c0601674bfacf7c6ad683c187595eb4125b423238d3e9aa4209ce
+size 76685475