From 5de44ac988c63e5457908f1a0b728f01f1135e091e1387dc8e6fe9cfcf2b0e21 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Wed, 24 Feb 2021 08:07:17 +0000 Subject: [PATCH 1/2] - Mozilla Thunderbird 78.8.0 * various bugfixes MFSA 2021-09 (bsc#1182614) * CVE-2021-23969 (bmo#1542194) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23968 (bmo#1687342) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23973 (bmo#1690976) MediaError message property could have leaked information about cross-origin resources * CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391, bmo#1687597) Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=352 --- mozilla-nss.changes | 13 +++++++++++++ mozilla-nss.spec | 8 +++++--- nss-3.60.1.tar.gz | 3 --- nss-3.61.tar.gz | 3 +++ 4 files changed, 21 insertions(+), 6 deletions(-) delete mode 100644 nss-3.60.1.tar.gz create mode 100644 nss-3.61.tar.gz diff --git a/mozilla-nss.changes b/mozilla-nss.changes index fa9329e..689506b 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Sun Feb 21 14:46:47 UTC 2021 - Wolfgang Rosenauer + +- update to NSS 3.61 + * required for Firefox 86 + * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key + values under certain conditions. + * bmo#1684300 - Fix default PBE iteration count when NSS is compiled + with NSS_DISABLE_DBM. + * bmo#1651411 - Improve constant-timeness in RSA operations. + * bmo#1677207 - Upgrade Google Test version to latest release. + * bmo#1654332 - Add aarch64-make target to nss-try. + ------------------------------------------------------------------- Sun Jan 24 09:55:03 UTC 2021 - Wolfgang Rosenauer diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 6a353b2..a12bb6a 100644 
--- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -17,14 +17,14 @@ # -%global nss_softokn_fips_version 3.60 +%global nss_softokn_fips_version 3.61 %define NSPR_min_version 4.29 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.60.1 +Version: 3.61 Release: 0 -%define underscore_version 3_60_1 +%define underscore_version 3_61 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries @@ -259,6 +259,7 @@ export LIBDIR=%{_libdir} %ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64 riscv64 export USE_64=1 %endif +export NSS_DISABLE_GTESTS=1 export NSS_USE_SYSTEM_SQLITE=1 #export SQLITE_LIB_NAME=nsssqlite3 MAKE_FLAGS="BUILD_OPT=1" @@ -396,6 +397,7 @@ install -m 644 %{SOURCE9} %{buildroot}%{nssdbdir} %postun -n libfreebl3 -p /sbin/ldconfig %post -n libsoftokn3 -p /sbin/ldconfig %postun -n libsoftokn3 -p /sbin/ldconfig + %post sysinit /sbin/ldconfig # make sure the current config is enabled diff --git a/nss-3.60.1.tar.gz b/nss-3.60.1.tar.gz deleted file mode 100644 index 7938e5f..0000000 --- a/nss-3.60.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2051c20b61112df24bad533ac37f6c66c1bc0d6ea70bb9d9cad102d20324279d -size 82036869 diff --git a/nss-3.61.tar.gz b/nss-3.61.tar.gz new file mode 100644 index 0000000..075bf77 --- /dev/null +++ b/nss-3.61.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:312e2d804b34ccf0fec70b57cf8cd6ac853f8ced60df53e30ebb0a7bcd0e1370 +size 82034245 From bac7e766cb2d2e162a97ed98e678cb0c8898c76d12de7725f6bcf25dc16d6097 Mon Sep 17 00:00:00 2001 
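Review bot: `export NSS_DISABLE_GTESTS=1` in the `@@ -259,6 +259,7 @@` hunk of mozilla-nss.spec switches off the GTest build with no comment in the spec and no line in the 3.61 `.changes` entry, so a later packager cannot tell whether it is a temporary workaround or a standing policy. For a crypto library update whose changelog lists RSA constant-time and IKE key-derivation fixes, the reason the upstream unit tests are skipped should be recorded next to the switch, e.g. `# gtests disabled: <reason> - re-enable when <condition>`. It presumably relates to bmo#1677207 (the Google Test upgrade) from the same changelog, but the page does not say so. The build section this line sits in starts and ends outside the hunk.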
From: Wolfgang Rosenauer Date: Sun, 28 Feb 2021 12:47:39 +0000 Subject: [PATCH 2/2] Accepting request 875772 from home:hellcp:branches:security:idm - Add nss-btrfs-sqlite.patch to address bmo#1690232 OBS-URL: https://build.opensuse.org/request/show/875772 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=353 --- mozilla-nss.changes | 5 +++++ mozilla-nss.spec | 2 ++ nss-btrfs-sqlite.patch | 18 ++++++++++++++++++ 3 files changed, 25 insertions(+) create mode 100644 nss-btrfs-sqlite.patch diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 689506b..59d91ca 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sun Feb 28 12:01:32 UTC 2021 - Sasi Olin + +- Add nss-btrfs-sqlite.patch to address bmo#1690232 + ------------------------------------------------------------------- Sun Feb 21 14:46:47 UTC 2021 - Wolfgang Rosenauer diff --git a/mozilla-nss.spec b/mozilla-nss.spec index a12bb6a..acb9f55 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -68,6 +68,7 @@ Patch24: nss-fips-use-strong-random-pool.patch Patch25: nss-fips-detect-fips-mode-fixes.patch Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch Patch27: nss-fips-aes-keywrap-post.patch +Patch28: nss-btrfs-sqlite.patch %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references BuildRequires: gcc9-c++ @@ -223,6 +224,7 @@ cd nss %patch25 -p1 %patch26 -p1 %patch27 -p1 +%patch28 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins diff --git a/nss-btrfs-sqlite.patch b/nss-btrfs-sqlite.patch new file mode 100644 index 0000000..a8f5163 --- /dev/null +++ b/nss-btrfs-sqlite.patch 
@@ -0,0 +1,18 @@
+diff -up ./lib/softoken/sdb.c.orig ./lib/softoken/sdb.c
+--- ./lib/softoken/sdb.c.orig 2020-12-11 22:49:26.961726193 -0500
++++ ./lib/softoken/sdb.c 2020-12-11 23:01:30.739122494 -0500
+@@ -690,8 +690,14 @@ sdb_openDB(const char *name, sqlite3 **s
+ openFlags = SQLITE_OPEN_READONLY;
+ } else {
+ openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
++ /* btrfs and sqlite seem to incorrectly open readwrite.
++ * when the file is readonly explicitly reject that issue here */
++ if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {
++ return SQLITE_READONLY;
++ }
+ }
+
++
+ /* Requires SQLite 3.5.0 or newer. */
+ sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL);
+ if (sqlerr != SQLITE_OK) {
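Review bot: The added guard in `sdb_openDB` decides writability with two `_NSSUTIL_Access` calls on the path and only then opens the same path by name, so its result is advisory: the file's mode can change between the check and `sqlite3_open_v2`, and if `_NSSUTIL_Access` resolves to access(2) on this platform it tests the real UID rather than the effective one. Later writes therefore still have to handle `SQLITE_READONLY` coming from SQLite itself, and the comment should say so in place of the current two garbled sentences, e.g. `/* Pre-check only: on btrfs sqlite3_open_v2() appears to open a read-only file read-write, so reject an existing, non-writable file here; writes must still handle SQLITE_READONLY. */`. The over-long `if` line would read better split at the `&&`, and the extra blank line added before the "Requires SQLite 3.5.0" comment looks unintentional. The body of `sdb_openDB` starts and ends outside this hunk, so how callers treat the early `return SQLITE_READONLY` is not visible here.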