Accepting request 452363 from mozilla:Factory

- update to NSS 3.28.1
  No new functionality is introduced in this release. This is a patch release to
  update the list of root CA certificates and address a minor TLS compatibility
  issue that some applications experienced with NSS 3.28.
  * The following CA certificates were Removed
    CN = Buypass Class 2 CA 1
    CN = Root CA Generalitat Valenciana
    OU = RSA Security 2048 V3
  * The following CA certificates were Added
    OU = AC RAIZ FNMT-RCM
    CN = Amazon Root CA 1
    CN = Amazon Root CA 2
    CN = Amazon Root CA 3
    CN = Amazon Root CA 4
    CN = LuxTrust Global Root 2
    CN = Symantec Class 1 Public Primary Certification Authority - G4
    CN = Symantec Class 1 Public Primary Certification Authority - G6
    CN = Symantec Class 2 Public Primary Certification Authority - G4
    CN = Symantec Class 2 Public Primary Certification Authority - G6
  * The version number of the updated root CA list has been set to 2.11
  * A misleading assertion/alert has been removed when NSS tries to flush data
    to the peer but the connection was already reset.
- update to NSS 3.28
  New functionality:
  * NSS includes support for TLS 1.3 draft -18. This includes a number
    of improvements to TLS 1.3:
    - The signed certificate timestamp, used in certificate
      transparency, is supported in TLS 1.3.
    - Key exporters for TLS 1.3 are supported. This includes the early
      key exporter, which can be used if 0-RTT is enabled. Note that

OBS-URL: https://build.opensuse.org/request/show/452363
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=120
This commit is contained in:
Dominique Leuenberger 2017-01-29 09:29:48 +00:00 committed by Git OBS Bridge
commit be2004984d
6 changed files with 97 additions and 47 deletions

View File

@ -1,3 +1,85 @@
-------------------------------------------------------------------
Wed Jan 18 22:00:31 UTC 2017 - wr@rosenauer.org
- update to NSS 3.28.1
No new functionality is introduced in this release. This is a patch release to
update the list of root CA certificates and address a minor TLS compatibility
issue that some applications experienced with NSS 3.28.
* The following CA certificates were Removed
CN = Buypass Class 2 CA 1
CN = Root CA Generalitat Valenciana
OU = RSA Security 2048 V3
* The following CA certificates were Added
OU = AC RAIZ FNMT-RCM
CN = Amazon Root CA 1
CN = Amazon Root CA 2
CN = Amazon Root CA 3
CN = Amazon Root CA 4
CN = LuxTrust Global Root 2
CN = Symantec Class 1 Public Primary Certification Authority - G4
CN = Symantec Class 1 Public Primary Certification Authority - G6
CN = Symantec Class 2 Public Primary Certification Authority - G4
CN = Symantec Class 2 Public Primary Certification Authority - G6
* The version number of the updated root CA list has been set to 2.11
* A misleading assertion/alert has been removed when NSS tries to flush data
to the peer but the connection was already reset.
- update to NSS 3.28
New functionality:
* NSS includes support for TLS 1.3 draft -18. This includes a number
of improvements to TLS 1.3:
- The signed certificate timestamp, used in certificate
transparency, is supported in TLS 1.3.
- Key exporters for TLS 1.3 are supported. This includes the early
key exporter, which can be used if 0-RTT is enabled. Note that
there is a difference between TLS 1.3 and key exporters in older
versions of TLS. TLS 1.3 does not distinguish between an empty
context and no context.
- The TLS 1.3 (draft) protocol can be enabled, by defining
NSS_ENABLE_TLS_1_3=1 when building NSS.
- NSS includes support for the X25519 key exchange algorithm,
which is supported and enabled by default in all versions of TLS.
New Functions:
* SSL_ExportEarlyKeyingMaterial
* SSL_SendAdditionalKeyShares
* SSL_SignatureSchemePrefSet
* SSL_SignatureSchemePrefGet
Notable Changes:
* NSS can no longer be compiled with support for additional elliptic curves.
This was previously possible by replacing certain NSS source files.
* NSS will now detect the presence of tokens that support additional
elliptic curves and enable those curves for use in TLS.
Note that this detection has a one-off performance cost, which can be
avoided by using the SSL_NamedGroupConfig function to limit supported
groups to those that NSS provides.
* PKCS#11 bypass for TLS is no longer supported and has been removed.
* Support for "export" grade SSL/TLS cipher suites has been removed.
* NSS now uses the signature schemes definition in TLS 1.3.
This also affects TLS 1.2. NSS will now only generate signatures with the
combinations of hash and signature scheme that are defined in TLS 1.3,
even when negotiating TLS 1.2.
- This means that SHA-256 will only be used with P-256 ECDSA certificates,
SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates.
SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward
compatibility reasons.
- New functions to configure signature schemes are provided:
SSL_SignatureSchemePrefSet, SSL_SignatureSchemePrefGet.
The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are
now deprecated.
- NSS will now no longer assume that default signature schemes are
supported by a peer if there was no commonly supported signature scheme.
* NSS will now check if RSA-PSS signing is supported by the token that holds
the private key prior to using it for TLS.
* The certificate validation code contains checks to no longer trust
certificates that are issued by old WoSign and StartCom CAs after
October 21, 2016. This is equivalent to the behavior that Mozilla will
release with Firefox 51.
- update to NSS 3.27.2
* SSL_SetTrustAnchors leaks (bmo#1318561)
- removed upstreamed patch
* nss-uninitialized.patch
- raised the minimum softokn/freebl version to 3.28 as reported in
boo#1021636
-------------------------------------------------------------------
Mon Nov 14 12:35:55 UTC 2016 - wr@rosenauer.org

View File

@ -1,7 +1,7 @@
#
# spec file for package mozilla-nss
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2006-2016 Wolfgang Rosenauer
#
# All modifications and additions to the file contributed by third parties
@ -17,15 +17,15 @@
#
%global nss_softokn_fips_version 3.21
%global nss_softokn_fips_version 3.28
Name: mozilla-nss
BuildRequires: gcc-c++
BuildRequires: mozilla-nspr-devel >= 4.12
BuildRequires: mozilla-nspr-devel >= 4.13.1
BuildRequires: pkg-config
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
Version: 3.26.2
Version: 3.28.1
Release: 0
# bug437293
%ifarch ppc64
@ -36,8 +36,8 @@ Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
Url: http://www.mozilla.org/projects/security/pki/nss/
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_26_2_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.26.2/nss ; cd nss-3.26.2/nss ; hg up NSS_3_26_2_RTM
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_1_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.28.1/nss ; cd nss-3.28.1/nss ; hg up NSS_3_28_1_RTM
#Source: nss-%{version}.tar.gz
Source1: nss.pc.in
Source3: nss-config.in
@ -51,7 +51,6 @@ Source9: pkcs11.txt
Source99: %{name}.changes
Patch1: nss-opt.patch
Patch2: system-nspr.patch
Patch3: nss-uninitialized.patch
Patch4: nss-no-rpath.patch
Patch5: renegotiate-transitional.patch
Patch6: malloc.patch
@ -88,7 +87,7 @@ Summary: Network (Netscape) Security Services development files
Group: Development/Libraries/Other
Requires: libfreebl3
Requires: libsoftokn3
Requires: mozilla-nspr-devel >= 4.9
Requires: mozilla-nspr-devel >= 4.13.1
Requires: mozilla-nss = %{version}-%{release}
# bug437293
%ifarch ppc64
@ -170,7 +169,6 @@ Mozilla project.
cd nss
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%if %suse_version > 1110
@ -200,6 +198,7 @@ export LIBDIR=%{_libdir}
export USE_64=1
%endif
export NSS_USE_SYSTEM_SQLITE=1
export NSS_ENABLE_TLS_1_3=1
#export SQLITE_LIB_NAME=nsssqlite3
MAKE_FLAGS="BUILD_OPT=1"
make nss_build_all $MAKE_FLAGS

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:13a40a2f97edf5fab3d4c7fdd928e77df36dc539cd8354b6b5d79ab93a131a5a
size 7388390

3
nss-3.28.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:58cc0c05c0ed9523e6d820bea74f513538f48c87aac931876e3d3775de1a82ad
size 7451477

View File

@ -1,22 +0,0 @@
diff --git a/lib/jar/jarfile.c b/lib/jar/jarfile.c
--- a/lib/jar/jarfile.c
+++ b/lib/jar/jarfile.c
@@ -652,17 +652,17 @@ jar_gen_index(JAR *jar, jarArch format,
* List the physical contents of a Phil Katz
* style .ZIP file into the JAR linked list.
*
*/
static int
jar_listzip(JAR *jar, JAR_FILE fp)
{
ZZLink *ent;
- JAR_Item *it;
+ JAR_Item *it = NULL;
JAR_Physical *phy = NULL;
struct ZipLocal *Local = PORT_ZNew(struct ZipLocal);
struct ZipCentral *Central = PORT_ZNew(struct ZipCentral);
struct ZipEnd *End = PORT_ZNew(struct ZipEnd);
int err = 0;
long pos = 0L;
unsigned int compression;

View File

@ -1,22 +1,13 @@
diff --git a/Makefile b/Makefile
index c824ba2..a5abe7b 100644
--- a/Makefile
+++ b/Makefile
@@ -39,17 +39,17 @@ include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
#######################################################################
@@ -46,7 +46,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
-nss_build_all: build_nspr all
+nss_build_all: all
-nss_build_all: build_nspr all latest
+nss_build_all: all latest
nss_clean_all: clobber_nspr clobber
NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure
#
# Translate coreconf build options to NSPR configure options.