From 16cafcfa6d3f96bbb8eedecae0d4acd6e7ba0baa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Mon, 7 Oct 2024 09:29:01 +0200 Subject: [PATCH] Adding patchinfo patchinfo.20240821152252846955.269002615871826 --- .../_patchinfo | 346 ++++++++++++++++++ 1 file changed, 346 insertions(+) create mode 100644 patchinfo.20240821152252846955.269002615871826/_patchinfo diff --git a/patchinfo.20240821152252846955.269002615871826/_patchinfo b/patchinfo.20240821152252846955.269002615871826/_patchinfo new file mode 100644 index 0000000..2c62191 --- /dev/null +++ b/patchinfo.20240821152252846955.269002615871826/_patchinfo 
@@ -0,0 +1,346 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + mozilla-nss: FTBFS because expired certificate since 2023-09-04 + VUL-0: CVE-2023-5388: mozilla-nss: timing attack against RSA decryption + [FIPS 140-3][NSS] Disable DSA + [FIPS 140-3][NSS] Remove unsafe prime group + [FIPS 140-3][NSS] RNG checks + [FIPS 140-3][NSS] TLS 1.2 KDF + [FIPS 140-3][NSS] using only allowed primitived IKE KDF/HMAC combinations + [FIPS 140-3][NSS] Only use approved hash functions + [FIPS 140-3][NSS] Use long enough key material + [FIPS 140-3][NSS] KDF compliance + [FIPS 140-3][NSS] Powerup selftest not in compliance + [FIPS 140-3][NSS] GCM Usage not in compliance + [FIPS 140-3][NSS] block non approved KDFs + [FIPS 140-3][NSS] RSA 1024 considerations + [SECURITY][FIPS] Firefox won't start on 15-SP4 and 15-SP5 if master password is set + [FIPS 140-3] [NSS] Consider adding the CKM_ECDH1_COFACTOR_DERIVE to the approved mechanisms list. + [FIPS 140-3] [NSS] Consider adding CKM_NSS_AES_KEY_WRAP and CKM_NSS_AES_KEY_WRAP_PAD + [FIPS 140-3] [NSS] NSC_GenerateKey Mechanism + [FIPS 140-3] [NSS] Block ECDH+ANS X9.63 + [security][fips] openjdk crash in FIPS mode + + + MSirringhaus + critical + security + Security update for mozilla-nss + This update for mozilla-nss fixes the following issues: + +- update to NSS 3.101.2 + - ChaChaXor to return after the function + +- update to NSS 3.101.1 + - missing sqlite header. + - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. + +- update to NSS 3.101 + - add diagnostic assertions for SFTKObject refcount. + - freeing the slot in DeleteCertAndKey if authentication failed + - fix formatting issues. + - Add Firmaprofesional CA Root-A Web to NSS. + - remove invalid acvp fuzz test vectors. 
+ - pad short P-384 and P-521 signatures gtests. + - remove unused FreeBL ECC code. + - pad short P-384 and P-521 signatures. + - be less strict about ECDSA private key length. + - Integrate HACL* P-521. + - Integrate HACL* P-384. + - memory leak in create_objects_from_handles. + - ensure all input is consumed in a few places in mozilla::pkix + - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy + - clean up escape handling + - Use lib::pkix as default validator instead of the old-one + - Need to add high level support for PQ signing. + - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation + - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy + - Allow for non-full length ecdsa signature when using softoken + - Modification of .taskcluster.yml due to mozlint indent defects + - Implement support for PBMAC1 in PKCS#12 + - disable VLA warnings for fuzz builds. + - remove redundant AllocItem implementation. + - add PK11_ReadDistrustAfterAttribute. + - Clang-formatting of SEC_GetMgfTypeByOidTag update + - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure + - sftk_getParameters(): Fix fallback to default variable after error with configfile. + - Switch to the mozillareleases/image_builder image + +- update to NSS 3.100 + - merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations. + - remove ckcapi. + - avoid a potential PK11GenericObject memory leak. + - Remove incomplete ESDH code. + - Decrypt RSA OAEP encrypted messages. + - Fix certutil CRLDP URI code. + - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys. + - Add ability to encrypt and decrypt CMS messages using ECDH. + - Correct Templates for key agreement in smime/cmsasn.c. + - Moving the decodedCert allocation to NSS. + - Allow developers to speed up repeated local execution of NSS tests that depend on certificates. + +- update to NSS 3.99 + - Removing check for message len in ed25519 + - add ed25519 to SECU_ecName2params. 
+ - add EdDSA wycheproof tests. + - nss/lib layer code for EDDSA. + - Adding EdDSA implementation. + - Exporting Certificate Compression types + - Updating ACVP docker to rust 1.74 + - Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 + - Add NSS_CMSRecipient_IsSupported. + +- update to NSS 3.98 + - CVE-2023-5388: Timing attack against RSA decryption in TLS + - Certificate Compression: enabling the check that the compression was advertised + - Move Windows workers to nss-1/b-win2022-alpha + - Remove Email trust bit from OISTE WISeKey Global Root GC CA + - Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss` + - Certificate Compression: Updating nss_bogo_shim to support Certificate compression + - TLS Certificate Compression (RFC 8879) Implementation + - Add valgrind annotations to freebl kyber operations for constant-time execution tests + - Set nssckbi version number to 2.66 + - Add Telekom Security roots + - Add D-Trust 2022 S/MIME roots + - Remove expired Security Communication RootCA1 root + - move keys to a slot that supports concatenation in PK11_ConcatSymKeys + - remove unmaintained tls-interop tests + - bogo: add support for the -ipv6 and -shim-id shim flags + - bogo: add support for the -curves shim flag and update Kyber expectations + - bogo: adjust expectation for a key usage bit test + - mozpkix: add option to ignore invalid subject alternative names + - Fix selfserv not stripping `publicname:` from -X value + - take ownership of ecckilla shims + - add valgrind annotations to freebl/ec.c + - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip + - Update zlib to 1.3.1 + +- update to NSS 3.97 + - make Xyber768d00 opt-in by policy + - add libssl support for xyber768d00 + - add PK11_ConcatSymKeys + - add Kyber and a PKCS#11 KEM interface to softoken + - add a FreeBL API for Kyber + - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff + - part 1: add a script for vendoring kyber from pq-crystals repo + 
- Removing the calls to RSA Blind from loader.* + - fix worker type for level3 mac tasks + - RSA Blind implementation + - Remove DSA selftests + - read KWP testvectors from JSON + - Backed out changeset dcb174139e4f + - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation + - Wrap CC shell commands in gyp expansions + +- update to NSS 3.96.1 + - Use pypi dependencies for MacOS worker in ./build_gyp.sh + - p7sign: add -a hash and -u certusage (also p7verify cleanups) + - add a defensive check for large ssl_DefSend return values + - Add dependency to the taskcluster script for Darwin + - Upgrade version of the MacOS worker for the CI + +- update to NSS 3.95 + - Bump builtins version number. + - Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert. + - Remove 4 DigiCert (Symantec/Verisign) Root Certificates + - Remove 3 TrustCor Root Certificates from NSS. + - Remove Camerfirma root certificates from NSS. + - Remove old Autoridad de Certificacion Firmaprofesional Certificate. + - Add four Commscope root certificates to NSS. + - Add TrustAsia Global Root CA G3 and G4 root certificates. + - Include P-384 and P-521 Scalar Validation from HACL* + - Include P-256 Scalar Validation from HACL*. + - After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level + - Add means to provide library parameters to C_Initialize + - clang format + - add OSXSAVE and XCR0 tests to AVX2 detection. 
+ - Typo in ssl3_AppendHandshakeNumber + - Introducing input check of ssl3_AppendHandshakeNumber + - Fix Invalid casts in instance.c + +- update to NSS 3.94 + - Updated code and commit ID for HACL* + - update ACVP fuzzed test vector: refuzzed with current NSS + - Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants + - NSS needs a database tool that can dump the low level representation of the database + - declare string literals using char in pkixnames_tests.cpp + - avoid implicit conversion for ByteString + - update rust version for acvp docker + - Moving the init function of the mpi_ints before clean-up in ec.c + - P-256 ECDH and ECDSA from HACL* + - Add ACVP test vectors to the repository + - Stop relying on std::basic_string<uint8_t> + - Transpose the PPC_ABI check from Makefile to gyp + +- Update to NSS 3.93: + - Update zlib in NSS to 1.3. + - softoken: iterate hashUpdate calls for long inputs. + - regenerate NameConstraints test certificates (bsc#1214980). + +- update to NSS 3.92 + - Set nssckbi version number to 2.62 + - Add 4 Atos TrustedRoot Root CA certificates to NSS + - Add 4 SSL.com Root CA certificates + - Add Sectigo E46 and R46 Root CA certificates + - Add LAWtrust Root CA2 (4096) + - Remove E-Tugra Certification Authority root + - Remove Camerfirma Chambers of Commerce Root. 
+ - Remove Hongkong Post Root CA 1 + - Remove E-Tugra Global Root CA ECC v3 and RSA v3 + - Avoid redefining BYTE_ORDER on hppa Linux + +- update to NSS 3.91 + - Implementation of the HW support check for ADX instruction + - Removing the support of Curve25519 + - Fix comment about the addition of ticketSupportsEarlyData + - Adding args to enable-legacy-db build + - dbtests.sh failure in "certutil dump keys with explicit default trust flags" + - Initialize flags in slot structures + - Improve the length check of RSA input to avoid heap overflow + - Followup Fixes + - avoid processing unexpected inputs by checking for m_exptmod base sign + - add a limit check on order_k to avoid infinite loop + - Update HACL* to commit 5f6051d2 + - add SHA3 to cryptohi and softoken + - HACL SHA3 + - Disabling ASM C25519 for A but X86_64 + +- update to NSS 3.90.3 + - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. + - clean up escape handling. + - remove redundant AllocItem implementation. + - Disable ASM support for Curve25519. + - Disable ASM support for Curve25519 for all but X86_64. + + mozilla-nss + +
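Review bot: the description block contains a duplicated and an ambiguous entry that should be cleaned up before this patchinfo is published as the advisory text. Under "update to NSS 3.101" the line "SMIME/CMS and PKCS #12 do not integrate with modern NSS policy" appears twice; drop one. Under "update to NSS 3.91" the line "Removing the support of Curve25519" reads as a full feature removal, while the later "update to NSS 3.90.3" entries say "Disable ASM support for Curve25519 for all but X86_64"; if the 3.91 change is likewise only the assembly path, say so, because readers of the update notice will otherwise take it as a compatibility break. Smaller points: "Update to NSS 3.93:" is the only version header with a trailing colon, the issue title "using only allowed primitived IKE KDF/HMAC combinations" carries a typo ("primitives") unless it is quoting the tracker title verbatim, and the hunk as rendered here shows only the issue titles with none of the tracker/id attributes, so please confirm that the CVE-2023-5388 entry and the bsc#1214980 reference from the description are attached to their tracker ids.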