- update to NSS 3.41.1

* (3.41) required by Firefox 65.0
  New functionality
  * Implemented EKU handling for IPsec IKE. (bmo#1252891)
  * Enable half-closed states for TLS. (bmo#1423043)
  * Enabled the following ciphersuites by default: (bmo#1493215)
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_256_GCM_SHA384
  Notable changes
  * The following CA certificates were added:
    CN = Certigna Root CA
    CN = GTS Root R1
    CN = GTS Root R2
    CN = GTS Root R3
    CN = GTS Root R4
    CN = UCA Global G2 Root
    CN = UCA Extended Validation Root
  * The following CA certificates were removed:
    CN = AC Raíz Certicámara S.A.
    CN = Certplus Root CA G1
    CN = Certplus Root CA G2
    CN = OpenTrust Root CA G1
    CN = OpenTrust Root CA G2
    CN = OpenTrust Root CA G3
  Bugs fixed
  * Reject empty supported_signature_algorithms in Certificate
    Request in TLS 1.2 (bmo#1412829)
  * Cache side-channel variant of the Bleichenbacher attack (bmo#1485864)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=276

mozilla-nss.changes

@@ -1,3 +1,45 @@
+-------------------------------------------------------------------
+Wed Jan 23 16:30:27 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- update to NSS 3.41.1
+  * (3.41) required by Firefox 65.0
+  New functionality
+  * Implemented EKU handling for IPsec IKE. (bmo#1252891)
+  * Enable half-closed states for TLS. (bmo#1423043)
+  * Enabled the following ciphersuites by default: (bmo#1493215)
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+    TLS_RSA_WITH_AES_256_GCM_SHA384
+  Notable changes
+  * The following CA certificates were added:
+    CN = Certigna Root CA
+    CN = GTS Root R1
+    CN = GTS Root R2
+    CN = GTS Root R3
+    CN = GTS Root R4
+    CN = UCA Global G2 Root
+    CN = UCA Extended Validation Root
+  * The following CA certificates were removed:
+    CN = AC Raíz Certicámara S.A.
+    CN = Certplus Root CA G1
+    CN = Certplus Root CA G2
+    CN = OpenTrust Root CA G1
+    CN = OpenTrust Root CA G2
+    CN = OpenTrust Root CA G3
+  Bugs fixed
+  * Reject empty supported_signature_algorithms in Certificate
+    Request in TLS 1.2 (bmo#1412829)
+  * Cache side-channel variant of the Bleichenbacher attack (bmo#1485864)
+    (CVE-2018-12404)
+  * Resend the same ticket in ClientHello after HelloRetryRequest (bmo#1481271)
+  * Set session_id for external resumption tokens (bmo#1493769)
+  * Reject CCS after handshake is complete in TLS 1.3 (bmo#1507179)
+  * Add additional null checks to several CMS functions to fix a rare
+    CMS crash. (bmo#1507135, bmo#1507174) (3.41.1)
+- removed obsolete patches
+  nss-disable-ocsp-test.patch
+
 -------------------------------------------------------------------
 Mon Dec 10 21:39:03 UTC 2018 - Wolfgang Rosenauer <wr@rosenauer.org>
 

mozilla-nss.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package mozilla-nss
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2006-2018 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
@@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.20
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.40.1
+Version:        3.41.1
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_40_1_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.40.1/nss ; cd nss-3.40.1/nss ; hg up NSS_3_40_1_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_41_1_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.41.1/nss ; cd nss-3.41.1/nss ; hg up NSS_3_41_1_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -54,9 +54,8 @@ Patch2:         system-nspr.patch
 Patch3:         nss-no-rpath.patch
 Patch4:         add-relro-linker-option.patch
 Patch5:         malloc.patch
-Patch6:         nss-disable-ocsp-test.patch
+Patch6:         bmo-1400603.patch
 Patch7:         nss-sqlitename.patch
-Patch8:         bmo-1400603.patch
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@@ -88,7 +87,7 @@ Summary:        Network (Netscape) Security Services development files
 Group:          Development/Libraries/C and C++
 Requires:       libfreebl3
 Requires:       libsoftokn3
-Requires:       mozilla-nspr-devel >= 4.19
+Requires:       mozilla-nspr-devel >= 4.20
 Requires:       mozilla-nss = %{version}-%{release}
 # bug437293
 %ifarch ppc64
@@ -177,7 +176,6 @@ cd nss
 %endif
 %patch6 -p1
 %patch7 -p1
-%patch8 -p1
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt

nss-3.40.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5e0e6bae2a79c86e506684955d736bfe875ec5a8e95ed3e4ba0852d1aec2c8f1
-size 23311074

nss-3.41.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f2f6336ce63aa1c487b7f17abd378c0c25f93750b872d4937da60e7260441830
+size 23320948

nss-disable-ocsp-test.patch

@@ -1,19 +0,0 @@
-# HG changeset patch
-# Parent  487d452261dc8de3ff4446be102ea5c41685f253
-
-diff --git a/tests/chains/scenarios/scenarios b/tests/chains/scenarios/scenarios
---- a/tests/chains/scenarios/scenarios
-+++ b/tests/chains/scenarios/scenarios
-@@ -13,12 +13,11 @@ mapping.cfg
- mapping2.cfg
- aia.cfg
- bridgewithaia.cfg
- bridgewithhalfaia.cfg
- bridgewithpolicyextensionandmapping.cfg
- realcerts.cfg
- dsa.cfg
- revoc.cfg
--ocsp.cfg
- crldp.cfg
- trustanchors.cfg
- nameconstraints.cfg