- update to 3.15.5

* required for Firefox 28
  * export FREEBL_LOWHASH to get the correct default headers
    (bnc#865539)
  New functionality
  * Added support for the TLS application layer protocol negotiation
    (ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and
    SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both)
    should be used for application layer protocol negotiation.
  * Added the TLS padding extension. The extension type value is 35655,
    which may change when an official extension type value is assigned
    by IANA. NSS automatically adds the padding extension to ClientHello
    when necessary.
  * Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting
    the tail of a CERTCertList.
  Notable Changes
  * bmo#950129: Improve the OCSP fetching policy when verifying OCSP
    responses
  * bmo#949060: Validate the iov input argument (an array of PRIOVec
    structures) of ssl_WriteV (called via PR_Writev). Applications should
    still take care when converting struct iov to PRIOVec because the
    iov_len members of the two structures have different types
    (size_t vs. int). size_t is unsigned and may be larger than int.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=153

mozilla-nss.changes

@@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Tue Feb 25 11:31:18 UTC 2014 - wr@rosenauer.org
+
+- update to 3.15.5
+  * required for Firefox 28
+  * export FREEBL_LOWHASH to get the correct default headers
+    (bnc#865539)
+  New functionality
+  * Added support for the TLS application layer protocol negotiation
+    (ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and
+    SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both)
+    should be used for application layer protocol negotiation.
+  * Added the TLS padding extension. The extension type value is 35655,
+    which may change when an official extension type value is assigned
+    by IANA. NSS automatically adds the padding extension to ClientHello
+    when necessary.
+  * Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting
+    the tail of a CERTCertList.
+  Notable Changes
+  * bmo#950129: Improve the OCSP fetching policy when verifying OCSP
+    responses
+  * bmo#949060: Validate the iov input argument (an array of PRIOVec
+    structures) of ssl_WriteV (called via PR_Writev). Applications should
+    still take care when converting struct iov to PRIOVec because the
+    iov_len members of the two structures have different types
+    (size_t vs. int). size_t is unsigned and may be larger than int.
+
 -------------------------------------------------------------------
 Thu Feb 20 10:55:30 UTC 2014 - aj@ajaissle.de
 

mozilla-nss.spec

@@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.9
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.15.4
+Version:        3.15.5
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_4_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.15.4/nss ; cd nss-3.15.4/nss ; hg up NSS_3_15_4_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_5_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.15.5/nss ; cd nss-3.15.5/nss ; hg up NSS_3_15_5_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -185,6 +185,7 @@ TIME="\"$(date -d "${modified}" "+%%R")\""
 find . -name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} +
 
 export FREEBL_NO_DEPEND=1
+export FREEBL_LOWHASH=1
 export NSPR_INCLUDE_DIR=`nspr-config --includedir`
 export NSPR_LIB_DIR=`nspr-config --libdir`
 export OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"

nss-3.15.4.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:14d69a0735c5af6b3cc12591f7ebf272203e889f09104182148091d0af682d7c
-size 6366271

nss-3.15.5.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1442c85624b7de74c7745132a65aa0de47d280c4f01f293d111bc0b6d8271f43
+size 6367893

renegotiate-transitional.patch

@@ -1,12 +1,8 @@
 diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+index e6b2387..87fbe1d 100644
 --- a/lib/ssl/sslsock.c
 +++ b/lib/ssl/sslsock.c
-@@ -144,17 +144,17 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,	/* fdx                */
-     PR_FALSE,	/* v2CompatibleHello  */ /* now defaults to off in NSS 3.13 */
-     PR_TRUE,	/* detectRollBack     */
-     PR_FALSE,   /* noStepDown         */
-     PR_FALSE,   /* bypassPKCS11       */
+@@ -74,7 +74,7 @@ static sslOptions ssl_defaults = {
      PR_FALSE,   /* noLocks            */
      PR_FALSE,   /* enableSessionTickets */
      PR_FALSE,   /* enableDeflate      */
@@ -15,8 +11,3 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
      PR_FALSE,   /* requireSafeNegotiation */
      PR_FALSE,   /* enableFalseStart   */
      PR_TRUE,    /* cbcRandomIV        */
-     PR_FALSE    /* enableOCSPStapling */
- };
- 
- /*
-  * default range of enabled SSL/TLS protocols