Accepting request 452363 from mozilla:Factory
- update to NSS 3.28.1 No new functionality is introduced in this release. This is a patch release to update the list of root CA certificates and address a minor TLS compatibility issue that some applications experienced with NSS 3.28. * The following CA certificates were Removed CN = Buypass Class 2 CA 1 CN = Root CA Generalitat Valenciana OU = RSA Security 2048 V3 * The following CA certificates were Added OU = AC RAIZ FNMT-RCM CN = Amazon Root CA 1 CN = Amazon Root CA 2 CN = Amazon Root CA 3 CN = Amazon Root CA 4 CN = LuxTrust Global Root 2 CN = Symantec Class 1 Public Primary Certification Authority - G4 CN = Symantec Class 1 Public Primary Certification Authority - G6 CN = Symantec Class 2 Public Primary Certification Authority - G4 CN = Symantec Class 2 Public Primary Certification Authority - G6 * The version number of the updated root CA list has been set to 2.11 * A misleading assertion/alert has been removed when NSS tries to flush data to the peer but the connection was already reset. - update to NSS 3.28 New functionality: * NSS includes support for TLS 1.3 draft -18. This includes a number of improvements to TLS 1.3: - The signed certificate timestamp, used in certificate transparency, is supported in TLS 1.3. - Key exporters for TLS 1.3 are supported. This includes the early key exporter, which can be used if 0-RTT is enabled. Note that OBS-URL: https://build.opensuse.org/request/show/452363 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=120
This commit is contained in:
commit
be2004984d
@ -1,3 +1,85 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 18 22:00:31 UTC 2017 - wr@rosenauer.org
|
||||
|
||||
- update to NSS 3.28.1
|
||||
No new functionality is introduced in this release. This is a patch release to
|
||||
update the list of root CA certificates and address a minor TLS compatibility
|
||||
issue that some applications experienced with NSS 3.28.
|
||||
* The following CA certificates were Removed
|
||||
CN = Buypass Class 2 CA 1
|
||||
CN = Root CA Generalitat Valenciana
|
||||
OU = RSA Security 2048 V3
|
||||
* The following CA certificates were Added
|
||||
OU = AC RAIZ FNMT-RCM
|
||||
CN = Amazon Root CA 1
|
||||
CN = Amazon Root CA 2
|
||||
CN = Amazon Root CA 3
|
||||
CN = Amazon Root CA 4
|
||||
CN = LuxTrust Global Root 2
|
||||
CN = Symantec Class 1 Public Primary Certification Authority - G4
|
||||
CN = Symantec Class 1 Public Primary Certification Authority - G6
|
||||
CN = Symantec Class 2 Public Primary Certification Authority - G4
|
||||
CN = Symantec Class 2 Public Primary Certification Authority - G6
|
||||
* The version number of the updated root CA list has been set to 2.11
|
||||
* A misleading assertion/alert has been removed when NSS tries to flush data
|
||||
to the peer but the connection was already reset.
|
||||
- update to NSS 3.28
|
||||
New functionality:
|
||||
* NSS includes support for TLS 1.3 draft -18. This includes a number
|
||||
of improvements to TLS 1.3:
|
||||
- The signed certificate timestamp, used in certificate
|
||||
transparency, is supported in TLS 1.3.
|
||||
- Key exporters for TLS 1.3 are supported. This includes the early
|
||||
key exporter, which can be used if 0-RTT is enabled. Note that
|
||||
there is a difference between TLS 1.3 and key exporters in older
|
||||
versions of TLS. TLS 1.3 does not distinguish between an empty
|
||||
context and no context.
|
||||
- The TLS 1.3 (draft) protocol can be enabled, by defining
|
||||
NSS_ENABLE_TLS_1_3=1 when building NSS.
|
||||
- NSS includes support for the X25519 key exchange algorithm,
|
||||
which is supported and enabled by default in all versions of TLS.
|
||||
New Functions:
|
||||
* SSL_ExportEarlyKeyingMaterial
|
||||
* SSL_SendAdditionalKeyShares
|
||||
* SSL_SignatureSchemePrefSet
|
||||
* SSL_SignatureSchemePrefGet
|
||||
Notable Changes:
|
||||
* NSS can no longer be compiled with support for additional elliptic curves.
|
||||
This was previously possible by replacing certain NSS source files.
|
||||
* NSS will now detect the presence of tokens that support additional
|
||||
elliptic curves and enable those curves for use in TLS.
|
||||
Note that this detection has a one-off performance cost, which can be
|
||||
avoided by using the SSL_NamedGroupConfig function to limit supported
|
||||
groups to those that NSS provides.
|
||||
* PKCS#11 bypass for TLS is no longer supported and has been removed.
|
||||
* Support for "export" grade SSL/TLS cipher suites has been removed.
|
||||
* NSS now uses the signature schemes definition in TLS 1.3.
|
||||
This also affects TLS 1.2. NSS will now only generate signatures with the
|
||||
combinations of hash and signature scheme that are defined in TLS 1.3,
|
||||
even when negotiating TLS 1.2.
|
||||
- This means that SHA-256 will only be used with P-256 ECDSA certificates,
|
||||
SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates.
|
||||
SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward
|
||||
compatibility reasons.
|
||||
- New functions to configure signature schemes are provided:
|
||||
SSL_SignatureSchemePrefSet, SSL_SignatureSchemePrefGet.
|
||||
The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are
|
||||
now deprecated.
|
||||
- NSS will now no longer assume that default signature schemes are
|
||||
supported by a peer if there was no commonly supported signature scheme.
|
||||
* NSS will now check if RSA-PSS signing is supported by the token that holds
|
||||
the private key prior to using it for TLS.
|
||||
* The certificate validation code contains checks to no longer trust
|
||||
certificates that are issued by old WoSign and StartCom CAs after
|
||||
October 21, 2016. This is equivalent to the behavior that Mozilla will
|
||||
release with Firefox 51.
|
||||
- update to NSS 3.27.2
|
||||
* SSL_SetTrustAnchors leaks (bmo#1318561)
|
||||
- removed upstreamed patch
|
||||
* nss-uninitialized.patch
|
||||
- raised the minimum softokn/freebl version to 3.28 as reported in
|
||||
boo#1021636
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 14 12:35:55 UTC 2016 - wr@rosenauer.org
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package mozilla-nss
|
||||
#
|
||||
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2006-2016 Wolfgang Rosenauer
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
@ -17,15 +17,15 @@
|
||||
#
|
||||
|
||||
|
||||
%global nss_softokn_fips_version 3.21
|
||||
%global nss_softokn_fips_version 3.28
|
||||
|
||||
Name: mozilla-nss
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: mozilla-nspr-devel >= 4.12
|
||||
BuildRequires: mozilla-nspr-devel >= 4.13.1
|
||||
BuildRequires: pkg-config
|
||||
BuildRequires: sqlite-devel
|
||||
BuildRequires: zlib-devel
|
||||
Version: 3.26.2
|
||||
Version: 3.28.1
|
||||
Release: 0
|
||||
# bug437293
|
||||
%ifarch ppc64
|
||||
@ -36,8 +36,8 @@ Summary: Network Security Services
|
||||
License: MPL-2.0
|
||||
Group: System/Libraries
|
||||
Url: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_26_2_RTM/src/nss-%{version}.tar.gz
|
||||
# hg clone https://hg.mozilla.org/projects/nss nss-3.26.2/nss ; cd nss-3.26.2/nss ; hg up NSS_3_26_2_RTM
|
||||
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_1_RTM/src/nss-%{version}.tar.gz
|
||||
# hg clone https://hg.mozilla.org/projects/nss nss-3.28.1/nss ; cd nss-3.28.1/nss ; hg up NSS_3_28_1_RTM
|
||||
#Source: nss-%{version}.tar.gz
|
||||
Source1: nss.pc.in
|
||||
Source3: nss-config.in
|
||||
@ -51,7 +51,6 @@ Source9: pkcs11.txt
|
||||
Source99: %{name}.changes
|
||||
Patch1: nss-opt.patch
|
||||
Patch2: system-nspr.patch
|
||||
Patch3: nss-uninitialized.patch
|
||||
Patch4: nss-no-rpath.patch
|
||||
Patch5: renegotiate-transitional.patch
|
||||
Patch6: malloc.patch
|
||||
@ -88,7 +87,7 @@ Summary: Network (Netscape) Security Services development files
|
||||
Group: Development/Libraries/Other
|
||||
Requires: libfreebl3
|
||||
Requires: libsoftokn3
|
||||
Requires: mozilla-nspr-devel >= 4.9
|
||||
Requires: mozilla-nspr-devel >= 4.13.1
|
||||
Requires: mozilla-nss = %{version}-%{release}
|
||||
# bug437293
|
||||
%ifarch ppc64
|
||||
@ -170,7 +169,6 @@ Mozilla project.
|
||||
cd nss
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%if %suse_version > 1110
|
||||
@ -200,6 +198,7 @@ export LIBDIR=%{_libdir}
|
||||
export USE_64=1
|
||||
%endif
|
||||
export NSS_USE_SYSTEM_SQLITE=1
|
||||
export NSS_ENABLE_TLS_1_3=1
|
||||
#export SQLITE_LIB_NAME=nsssqlite3
|
||||
MAKE_FLAGS="BUILD_OPT=1"
|
||||
make nss_build_all $MAKE_FLAGS
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:13a40a2f97edf5fab3d4c7fdd928e77df36dc539cd8354b6b5d79ab93a131a5a
|
||||
size 7388390
|
3
nss-3.28.1.tar.gz
Normal file
3
nss-3.28.1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:58cc0c05c0ed9523e6d820bea74f513538f48c87aac931876e3d3775de1a82ad
|
||||
size 7451477
|
@ -1,22 +0,0 @@
|
||||
diff --git a/lib/jar/jarfile.c b/lib/jar/jarfile.c
|
||||
--- a/lib/jar/jarfile.c
|
||||
+++ b/lib/jar/jarfile.c
|
||||
@@ -652,17 +652,17 @@ jar_gen_index(JAR *jar, jarArch format,
|
||||
* List the physical contents of a Phil Katz
|
||||
* style .ZIP file into the JAR linked list.
|
||||
*
|
||||
*/
|
||||
static int
|
||||
jar_listzip(JAR *jar, JAR_FILE fp)
|
||||
{
|
||||
ZZLink *ent;
|
||||
- JAR_Item *it;
|
||||
+ JAR_Item *it = NULL;
|
||||
JAR_Physical *phy = NULL;
|
||||
struct ZipLocal *Local = PORT_ZNew(struct ZipLocal);
|
||||
struct ZipCentral *Central = PORT_ZNew(struct ZipCentral);
|
||||
struct ZipEnd *End = PORT_ZNew(struct ZipEnd);
|
||||
|
||||
int err = 0;
|
||||
long pos = 0L;
|
||||
unsigned int compression;
|
@ -1,22 +1,13 @@
|
||||
diff --git a/Makefile b/Makefile
|
||||
index c824ba2..a5abe7b 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -39,17 +39,17 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
#######################################################################
|
||||
|
||||
|
||||
|
||||
#######################################################################
|
||||
@@ -46,7 +46,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
#######################################################################
|
||||
|
||||
-nss_build_all: build_nspr all
|
||||
+nss_build_all: all
|
||||
-nss_build_all: build_nspr all latest
|
||||
+nss_build_all: all latest
|
||||
|
||||
nss_clean_all: clobber_nspr clobber
|
||||
|
||||
NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
|
||||
NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure
|
||||
|
||||
#
|
||||
# Translate coreconf build options to NSPR configure options.
|
||||
|
Loading…
Reference in New Issue
Block a user