Accepting request 567964 from mozilla:Factory

NSS update as prerequisite for Firefox 58 to be released coming week (to TW).

- update to NSS 3.34.1
  Changes in 3.34:
  Notable changes
  * The following CA certificates were Added:
    GDCA TrustAUTH R5 ROOT
    SSL.com Root Certification Authority RSA
    SSL.com Root Certification Authority ECC
    SSL.com EV Root Certification Authority RSA R2
    SSL.com EV Root Certification Authority ECC
    TrustCor RootCert CA-1
    TrustCor RootCert CA-2
    TrustCor ECA-1
  * The following CA certificates were Removed:
    Certum CA, O=Unizeto Sp. z o.o.
    StartCom Certification Authority
    StartCom Certification Authority G2
    TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
    ACEDICOM Root
    Certinomis - Autorité Racine
    TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
    PSCProcert
    CA 沃通根证书, O=WoSign CA Limited
    Certification Authority of WoSign
    Certification Authority of WoSign G2
    CA WoSign ECC Root
  * libfreebl no longer requires SSE2 instructions
  New functionality
  * When listing an NSS database using certutil -L, but the database
    hasn't yet been initialized with any non-empty or empty password,
    the text "Database needs user init" will be included in the listing.
  * When using certutil to set an inacceptable password in FIPS mode,
    a correct explanation of acceptable passwords will be printed.
  * SSLKEYLOGFILE is now supported with TLS 1.3, see bmo#1287711 for details.
  * SSLChannelInfo has two new fields (bmo#1396525):
    SSLNamedGroup originalKeaGroup holds the key exchange group of
    the original handshake when the session was resumed.
    PRBool resumed is PR_TRUE when the session is resumed and PR_FALSE
    otherwise.
  * RSA-PSS signatures are now supported on certificates. Certificates
    with RSA-PSS or RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS
    signature on a certificate using the --pss-sign argument to certutil.
  Changes in 3.34.1:
  * The following CA certificate was Re-Added. It was removed in NSS
    3.34, but has been re-added with only the Email trust bit set.
    (bmo#1418678):
    libfreebl no longer requires SSE2 instructionsCN = Certum CA, O=Unizeto Sp. z o.o.
  * Removed entries from certdata.txt for actively distrusted
    certificates that have expired (bmo#1409872)
  * The version of the CA list was set to 2.20.

OBS-URL: https://build.opensuse.org/request/show/567964
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=132

mozilla-nss.changes

@@ -1,3 +1,56 @@
+-------------------------------------------------------------------
+Tue Jan  9 12:50:19 UTC 2018 - wr@rosenauer.org
+
+- update to NSS 3.34.1
+  Changes in 3.34:
+  Notable changes
+  * The following CA certificates were Added:
+    GDCA TrustAUTH R5 ROOT
+    SSL.com Root Certification Authority RSA
+    SSL.com Root Certification Authority ECC
+    SSL.com EV Root Certification Authority RSA R2
+    SSL.com EV Root Certification Authority ECC
+    TrustCor RootCert CA-1
+    TrustCor RootCert CA-2
+    TrustCor ECA-1
+  * The following CA certificates were Removed:
+    Certum CA, O=Unizeto Sp. z o.o.
+    StartCom Certification Authority
+    StartCom Certification Authority G2
+    TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
+    ACEDICOM Root
+    Certinomis - Autorité Racine
+    TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+    PSCProcert
+    CA 沃通根证书, O=WoSign CA Limited
+    Certification Authority of WoSign
+    Certification Authority of WoSign G2
+    CA WoSign ECC Root
+  * libfreebl no longer requires SSE2 instructions
+  New functionality
+  * When listing an NSS database using certutil -L, but the database
+    hasn't yet been initialized with any non-empty or empty password,
+    the text "Database needs user init" will be included in the listing.
+  * When using certutil to set an inacceptable password in FIPS mode,
+    a correct explanation of acceptable passwords will be printed.
+  * SSLKEYLOGFILE is now supported with TLS 1.3, see bmo#1287711 for details.
+  * SSLChannelInfo has two new fields (bmo#1396525):
+    SSLNamedGroup originalKeaGroup holds the key exchange group of
+    the original handshake when the session was resumed.
+    PRBool resumed is PR_TRUE when the session is resumed and PR_FALSE
+    otherwise.
+  * RSA-PSS signatures are now supported on certificates. Certificates
+    with RSA-PSS or RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS
+    signature on a certificate using the --pss-sign argument to certutil.
+  Changes in 3.34.1:
+  * The following CA certificate was Re-Added. It was removed in NSS
+    3.34, but has been re-added with only the Email trust bit set.
+    (bmo#1418678):
+    libfreebl no longer requires SSE2 instructionsCN = Certum CA, O=Unizeto Sp. z o.o.
+  * Removed entries from certdata.txt for actively distrusted
+    certificates that have expired (bmo#1409872)
+  * The version of the CA list was set to 2.20.
+
 -------------------------------------------------------------------
 Thu Dec  7 11:13:11 UTC 2017 - dimstar@opensuse.org
 

mozilla-nss.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package mozilla-nss
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2006-2017 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
@@ -17,7 +17,7 @@
 #
 
 
-%global nss_softokn_fips_version 3.28
+%global nss_softokn_fips_version 3.34.1
 
 Name:           mozilla-nss
 BuildRequires:  gcc-c++
@@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.17
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.33
+Version:        3.34.1
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_33_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.33/nss ; cd nss-3.33/nss ; hg up NSS_3_33_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_34_1_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.34.1/nss ; cd nss-3.34.1/nss ; hg up NSS_3_34_1_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -88,7 +88,7 @@ Summary:        Network (Netscape) Security Services development files
 Group:          Development/Libraries/C and C++
 Requires:       libfreebl3
 Requires:       libsoftokn3
-Requires:       mozilla-nspr-devel >= 4.14
+Requires:       mozilla-nspr-devel >= 4.17
 Requires:       mozilla-nss = %{version}-%{release}
 # bug437293
 %ifarch ppc64
@@ -190,6 +190,7 @@ DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
 TIME="\"$(date -d "${modified}" "+%%R")\""
 find . -name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} +
 
+export NSS_NO_PKCS11_BYPASS=1
 export FREEBL_NO_DEPEND=1
 export FREEBL_LOWHASH=1
 export NSPR_INCLUDE_DIR=`nspr-config --includedir`

nss-3.33.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:98f0dabd36408e83dd3a11727336cc3cdfee4cbdd9aede2b2831eb2389c284e4
-size 9578033

nss-3.34.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a3c15d367caf784f33d96dbafbdffc16a8e42fb8c8aedfce97bf92a9f918dda0
+size 9562876