Hello community, here is the log from the commit of package mozilla-nss.2378 for openSUSE:13.1:Update checked in at 2013-12-13 13:32:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/mozilla-nss.2378 (Old) and /work/SRC/openSUSE:13.1:Update/.mozilla-nss.2378.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss.2378" Changes: -------- New Changes file: --- /dev/null 2013-11-25 01:44:08.036031256 +0100 +++ /work/SRC/openSUSE:13.1:Update/.mozilla-nss.2378.new/mozilla-nss.changes 2013-12-13 13:32:10.000000000 +0100 @@ -0,0 +1,798 @@ +------------------------------------------------------------------- +Thu Dec 5 18:59:27 UTC 2013 - [email protected] + +- update to 3.15.3.1 (bnc#854367) + * includes certstore update (1.95) (bmo#946351) + (explicitely distrust AC DG Tresor SSL) + +------------------------------------------------------------------- +Wed Dec 4 14:40:39 CET 2013 - [email protected] + +- adapt specfile to ppc64le + +------------------------------------------------------------------- +Mon Nov 11 22:11:57 UTC 2013 - [email protected] + +- update to 3.15.3 (bnc#850148) + * CERT_VerifyCert returns SECSuccess (saying certificate is good) + even for bad certificates, when the CERTVerifyLog log parameter + is given (bmo#910438) + * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello + (bmo#919677) + * fix CVE-2013-5605 + +------------------------------------------------------------------- +Sat Sep 28 04:20:41 UTC 2013 - [email protected] + +- update to 3.15.2 (bnc#842979) + * Support for AES-GCM ciphersuites that use the SHA-256 PRF + * MD2, MD4, and MD5 signatures are no longer accepted for OCSP + or CRLs + * Add PK11_CipherFinal macro + * sizeof() used incorrectly + * nssutil_ReadSecmodDB() leaks memory + * Allow SSL_HandshakeNegotiatedExtension to be called before + the handshake is finished. + * Deprecate the SSL cipher policy code + * Avoid uninitialized data read in the event of a decryption + failure. (CVE-2013-1739) + +------------------------------------------------------------------- +Fri Jul 5 08:08:57 UTC 2013 - [email protected] + +- fix 32bit requirement, it's without () actually + +------------------------------------------------------------------- +Wed Jul 3 11:55:58 UTC 2013 - [email protected] + +- update to 3.15.1 + * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites + (RFC 5246 and RFC 5289) are supported, allowing TLS to be used + without MD5 and SHA-1. + Note the following limitations: + The hash function used in the signature for TLS 1.2 client + authentication must be the hash function of the TLS 1.2 PRF, + which is always SHA-256 in NSS 3.15.1. + AES GCM cipher suites are not yet supported. + * some bugfixes and improvements + +------------------------------------------------------------------- +Fri Jun 28 09:27:24 UTC 2013 - [email protected] + +- require libnssckbi instead of mozilla-nss-certs so p11-kit can + conflict with the latter (fate#314991) + +------------------------------------------------------------------- +Tue Jun 11 04:58:56 UTC 2013 - [email protected] + +- update to 3.15 + * Packaging + + removed obsolete patches + * nss-disable-expired-testcerts.patch + * bug-834091.patch + * New Functionality + + Support for OCSP Stapling (RFC 6066, Certificate Status + Request) has been added for both client and server sockets. + TLS client applications may enable this via a call to + SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); + + Added function SECITEM_ReallocItemV2. It replaces function + SECITEM_ReallocItem, which is now declared as obsolete. + + Support for single-operation (eg: not multi-part) symmetric + key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. + + certutil has been updated to support creating name constraints + extensions. + * New Functions + in ssl.h + SSL_PeerStapledOCSPResponse - Returns the server's stapled + OCSP response, when used with a TLS client socket that + negotiated the status_request extension. + SSL_SetStapledOCSPResponses - Set's a stapled OCSP response + for a TLS server socket to return when clients send the + status_request extension. + in ocsp.h + CERT_PostOCSPRequest - Primarily intended for testing, permits + the sending and receiving of raw OCSP request/responses. + in secpkcs7.h + SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 + signature at a specific time other than the present time. + in xconst.h + CERT_EncodeNameConstraintsExtension - Matching function for + CERT_DecodeNameConstraintsExtension, added in NSS 3.10. + in secitem.h + SECITEM_AllocArray + SECITEM_DupArray + SECITEM_FreeArray + SECITEM_ZfreeArray - Utility functions to handle the + allocation and deallocation of SECItemArrays + SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is + now obsolete. SECITEM_ReallocItemV2 better matches caller + expectations, in that it updates item->len on allocation. + For more details of the issues with SECITEM_ReallocItem, + see Bug 298649 and Bug 298938. + in pk11pub.h + PK11_Decrypt - Performs decryption as a single PKCS#11 + operation (eg: not multi-part). This is necessary for AES-GCM. + PK11_Encrypt - Performs encryption as a single PKCS#11 + operation (eg: not multi-part). This is necessary for AES-GCM. + * New Types + in secitem.h + SECItemArray - Represents a variable-length array of SECItems. + * New Macros + in ssl.h + SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure + TLS client sockets to request the certificate_status extension + (eg: OCSP stapling) when set to PR_TRUE + * Notable changes + + SECITEM_ReallocItem is now deprecated. Please consider using + SECITEM_ReallocItemV2 in all future code. + + The list of root CA certificates in the nssckbi module has + been updated. + + The default implementation of SSL_AuthCertificate has been + updated to add certificate status responses stapled by the TLS + server to the OCSP cache. + * a lot of bugfixes + +------------------------------------------------------------------- +Tue Apr 16 10:27:04 UTC 2013 - [email protected] + +- Add Source URL, see https://en.opensuse.org/SourceUrls + +------------------------------------------------------------------- +Sun Mar 24 20:07:59 UTC 2013 - [email protected] + +- disable tests with expired certificates + (nss-disable-expired-testcerts.patch) +- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from + mozilla tree to fulfill Firefox 21 requirements + (bug-834091.patch; bmo#834091) + +------------------------------------------------------------------- +Thu Feb 28 21:55:49 UTC 2013 - [email protected] + +- update to 3.14.3 + * No new major functionality is introduced in this release. This + release is a patch release to address CVE-2013-1620 (bmo#822365) + * "certutil -a" was not correctly producing ASCII output as + requested. (bmo#840714) + * NSS 3.14.2 broke compilation with older versions of sqlite that + lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now + properly compiles when used with older versions of sqlite + (bmo#837799) - remove system-sqlite.patch +- add aarch64 support + +------------------------------------------------------------------- +Tue Feb 5 12:51:56 UTC 2013 - [email protected] + +- added system-sqlite.patch (bmo#837799) + * do not depend on latest sqlite just for a #define +- enable system sqlite usage again + +------------------------------------------------------------------- +Sat Feb 2 16:05:20 UTC 2013 - [email protected] + +- update to 3.14.2 + * required for Firefox >= 20 + * removed obsolete nssckbi update patch + * MFSA 2013-40/CVE-2013-0791 (bmo#629816) + Out-of-bounds array read in CERT_DecodeCertPackage +- disable system sqlite usage since we depend on 3.7.15 which is + not provided in any openSUSE distribution + * add nss-sqlitename.patch to avoid any name clash + +------------------------------------------------------------------- +Sun Dec 30 17:59:34 UTC 2012 - [email protected] + +- updated CA database (nssckbi-1.93.patch) + * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) + revoke mis-issued intermediate certificates from TURKTRUST + +------------------------------------------------------------------- +Tue Dec 18 13:36:09 UTC 2012 - [email protected] + +- update to 3.14.1 RTM + * minimal requirement for Gecko 20 + * several bugfixes + +------------------------------------------------------------------- +Thu Oct 25 12:02:22 UTC 2012 - [email protected] ++++ 601 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.mozilla-nss.2378.new/mozilla-nss.changes New: ---- baselibs.conf cert9.db char.patch key4.db malloc.patch mozilla-nss-rpmlintrc mozilla-nss.changes mozilla-nss.spec nss-3.15.3.1.tar.gz nss-config.in nss-disable-ocsp-test.patch nss-no-rpath.patch nss-opt.patch nss-sqlitename.patch nss.pc.in pkcs11.txt renegotiate-transitional.patch setup-nsssysinit.sh system-nspr.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ # # spec file for package mozilla-nss # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2006-2013 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %global nss_softokn_fips_version 3.12.4 Name: mozilla-nss BuildRequires: gcc-c++ BuildRequires: mozilla-nspr-devel BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel Version: 3.15.3.1 Release: 0 # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-64bit %endif # Summary: Network Security Services License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ # hg clone https://hg.mozilla.org/projects/nss nss-3.15.3.1 ; cd nss-3.15.3.1 ; hg up NSS_3_15_3_1_RTM #Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_3_1_RTM/src/nss-%{version}.tar.gz Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in Source4: %{name}-rpmlintrc Source5: baselibs.conf Source6: setup-nsssysinit.sh Source7: cert9.db Source8: key4.db Source9: pkcs11.txt #Source10: PayPalEE.cert Patch1: nss-opt.patch Patch2: system-nspr.patch Patch3: char.patch Patch4: nss-no-rpath.patch Patch5: renegotiate-transitional.patch Patch6: malloc.patch Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} PreReq: libsoftokn3 >= %{nss_softokn_fips_version} %if %{_lib} == lib64 Requires: libnssckbi.so()(64bit) %else Requires: libnssckbi.so %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build %define nssdbdir %{_sysconfdir}/pki/nssdb %ifnarch %sparc %if ! 0%{?qemu_user_space_build} %define run_testsuite 1 %endif %endif %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. %package devel Summary: Network (Netscape) Security Services development files Group: Development/Libraries/Other Requires: libfreebl3 Requires: libsoftokn3 Requires: mozilla-nspr-devel Requires: mozilla-nss = %{version}-%{release} # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-devel-64bit %endif %description devel Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. %package tools Summary: Tools for developing, debugging, and managing applications that use NSS Group: System/Management PreReq: mozilla-nss >= %{version} %description tools The NSS Security Tools allow developers to test, debug, and manage applications that use NSS. %package sysinit Summary: System NSS Initialization Group: System/Management Requires: mozilla-nss >= %{version} Requires(post): coreutils %description sysinit Default Operation System module that manages applications loading NSS globally on the system. This module loads the system defined PKCS #11 modules for NSS and chains with other NSS modules to load any system or user configured modules. %package -n libfreebl3 Summary: Freebl library for the Network Security Services Group: System/Libraries %description -n libfreebl3 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. This package installs the freebl library from NSS. %package -n libsoftokn3 Summary: Network Security Services Softoken Module Group: System/Libraries Requires: libfreebl3 = %{version}-%{release} %description -n libsoftokn3 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. Network Security Services Softoken Cryptographic Module %package certs Summary: CA certificates for NSS Group: Productivity/Networking/Security %description certs This package contains the integrated CA root certificates from the Mozilla project. %prep %setup -n nss-%{version} -q cd nss %patch1 -p1 %patch2 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %if %suse_version > 1110 %patch6 -p1 %endif %patch7 -p1 %patch8 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt #make generate %build cd nss modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")" DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\"" TIME="\"$(date -d "${modified}" "+%%R")\"" find . -name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} + export FREEBL_NO_DEPEND=1 export NSPR_INCLUDE_DIR=`nspr-config --includedir` export NSPR_LIB_DIR=`nspr-config --libdir` export OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" export LIBDIR=%{_libdir} %ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64 export USE_64=1 %endif export NSS_USE_SYSTEM_SQLITE=1 #export SQLITE_LIB_NAME=nsssqlite3 MAKE_FLAGS="BUILD_OPT=1 NSS_ENABLE_ECC=1" make nss_build_all $MAKE_FLAGS # run testsuite %if 0%{?run_testsuite} export BUILD_OPT=1 export HOST="localhost" export DOMSUF=" " export USE_IP=TRUE export IP_ADDRESS="127.0.0.1" cd tests ./all.sh if grep "FAILED" ../../../tests_results/security/localhost.1/output.log ; then echo "Testsuite FAILED" exit 1 fi %endif %install cd nss mkdir -p $RPM_BUILD_ROOT%{_libdir} mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3 mkdir -p $RPM_BUILD_ROOT%{_bindir} mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT/%{_lib} mkdir -p $RPM_BUILD_ROOT%{nssdbdir} pushd ../dist/Linux* # copy headers cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3 # copy dynamic libs cp -L lib/libnss3.so \ lib/libnssdbm3.so \ lib/libnssdbm3.chk \ lib/libnssutil3.so \ lib/libnssckbi.so \ lib/libnsssysinit.so \ lib/libsmime3.so \ lib/libsoftokn3.so \ lib/libsoftokn3.chk \ lib/libssl3.so \ $RPM_BUILD_ROOT%{_libdir} cp -L lib/libfreebl3.so \ lib/libfreebl3.chk \ $RPM_BUILD_ROOT/%{_lib} #cp -L lib/libnsssqlite3.so \ # $RPM_BUILD_ROOT%{_libdir} # copy static libs cp -L lib/libcrmf.a \ lib/libnssb.a \ lib/libnssckfw.a \ $RPM_BUILD_ROOT%{_libdir} # copy tools cp -L bin/certutil \ bin/cmsutil \ bin/crlutil \ bin/modutil \ bin/pk12util \ bin/signtool \ bin/signver \ bin/ssltap \ $RPM_BUILD_ROOT%{_bindir} # copy unsupported tools cp -L bin/atob \ bin/btoa \ bin/derdump \ bin/ocspclnt \ bin/pp \ bin/selfserv \ bin/shlibsign \ bin/strsclnt \ bin/symkeyutil \ bin/tstclnt \ bin/vfyserv \ bin/vfychain \ $RPM_BUILD_ROOT%{_libexecdir}/nss # prepare pkgconfig file mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig/ sed "s:%%LIBDIR%%:%{_libdir}:g s:%%VERSION%%:%{version}:g s:%%NSPR_VERSION%%:%{nspr_ver}:g" \ %{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc # prepare nss-config file popd NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` NSS_VMINOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` NSS_VPATCH=`cat lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ -e "s,@prefix@,%{_prefix},g" \ -e "s,@exec_prefix@,%{_prefix},g" \ -e "s,@includedir@,%{_includedir}/nss3,g" \ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ > $RPM_BUILD_ROOT/%{_bindir}/nss-config chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config # setup-nsssysinfo.sh install -m 744 %{SOURCE6} $RPM_BUILD_ROOT%{_sbindir}/ # create empty NSS database #LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/modutil -force -dbdir "sql:$RPM_BUILD_ROOT%{nssdbdir}" -create #LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/certutil -N -d "sql:$RPM_BUILD_ROOT%{nssdbdir}" -f /dev/null 2>&1 > /dev/null #chmod 644 "$RPM_BUILD_ROOT%{nssdbdir}"/* #sed "s:%{buildroot}::g #s/^library=$/library=libnsssysinit.so/ #/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \ # $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt > $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt.sed # mv $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt{.sed,} # copy empty NSS database install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{nssdbdir} install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{nssdbdir} install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir} # create shlib sigs after extracting debuginfo %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \ %{nil} %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %post -n libfreebl3 -p /sbin/ldconfig %postun -n libfreebl3 -p /sbin/ldconfig %post -n libsoftokn3 -p /sbin/ldconfig %postun -n libsoftokn3 -p /sbin/ldconfig %post sysinit /sbin/ldconfig # make sure the current config is enabled %{_sbindir}/setup-nsssysinit.sh on %preun sysinit if [ $1 = 0 ]; then %{_sbindir}/setup-nsssysinit.sh off fi %postun sysinit -p /sbin/ldconfig %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-, root, root) %{_libdir}/libnss3.so %{_libdir}/libnssutil3.so %{_libdir}/libsmime3.so %{_libdir}/libssl3.so #%{_libdir}/libnsssqlite3.so %files devel %defattr(644, root, root, 755) %{_includedir}/nss3/ %{_libdir}/*.a %{_libdir}/pkgconfig/* %attr(755,root,root) %{_bindir}/nss-config %files tools %defattr(-, root, root) %{_bindir}/* %exclude %{_sbindir}/setup-nsssysinit.sh %{_libexecdir}/nss/ %exclude %{_bindir}/nss-config %files sysinit %defattr(-, root, root) %dir %{_sysconfdir}/pki %dir %{_sysconfdir}/pki/nssdb %config(noreplace) %{_sysconfdir}/pki/nssdb/* %{_libdir}/libnsssysinit.so %{_sbindir}/setup-nsssysinit.sh %files -n libfreebl3 %defattr(-, root, root) /%{_lib}/libfreebl3.so /%{_lib}/libfreebl3.chk %files -n libsoftokn3 %defattr(-, root, root) %{_libdir}/libsoftokn3.so %{_libdir}/libsoftokn3.chk %{_libdir}/libnssdbm3.so %{_libdir}/libnssdbm3.chk %files certs %defattr(-, root, root) %{_libdir}/libnssckbi.so %changelog ++++++ baselibs.conf ++++++ mozilla-nss requires "libfreebl3-<targettype>" requires "libsoftokn3-<targettype>" requires "mozilla-nss-certs-<targettype>" libsoftokn3 requires "libfreebl3-<targettype> = <version>" +/usr/lib/libsoftokn3.chk +/usr/lib/libnssdbm3.chk libfreebl3 +/lib/libfreebl3.chk mozilla-nss-sysinit mozilla-nss-certs ++++++ char.patch ++++++ Index: security/nss/cmd/modutil/install-ds.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/cmd/modutil/install-ds.c,v retrieving revision 1.2 diff -u -p -6 -r1.2 install-ds.c --- security/nss/cmd/modutil/install-ds.c 25 Apr 2004 15:02:47 -0000 1.2 +++ nss/cmd/modutil/install-ds.c 5 Feb 2007 06:57:38 -0000 @@ -249,13 +249,13 @@ Pk11Install_File_Generate(Pk11Install_Fi if(!subval || (subval->type != STRING_VALUE)){ errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS], _this->jarPath); goto loser; } _this->permissions = (int) strtol(subval->string, &endp, 8); - if(*endp != '\0' || subval->string == "\0") { + if(*endp != '\0' || subval->string[0] == '\0') { errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS], _this->jarPath); goto loser; } gotPerms = PR_TRUE; Pk11Install_ListIter_delete(subiter); ++++++ malloc.patch ++++++ Index: security/nss/tests/ssl/ssl.sh =================================================================== RCS file: /cvsroot/mozilla/security/nss/tests/ssl/ssl.sh,v retrieving revision 1.100 diff -u -r1.100 ssl.sh --- security/nss/tests/ssl/ssl.sh 26 Mar 2009 23:14:34 -0000 1.100 +++ nss/tests/ssl/ssl.sh 6 Jun 2009 06:21:07 -0000 @@ -974,6 +974,7 @@ ################################# main ################################# +unset MALLOC_CHECK_ ssl_init ssl_run_tests ssl_cleanup ++++++ mozilla-nss-rpmlintrc ++++++ addFilter("shlib-policy-name-error") addFilter("shlib-policy-missing-lib") addFilter("shlib-policy-missing-suffix") addFilter("shlib-unversioned-lib") addFilter("shlib-fixed-dependency") ++++++ nss-config.in ++++++ #!/bin/sh prefix=@prefix@ major_version=@MOD_MAJOR_VERSION@ minor_version=@MOD_MINOR_VERSION@ patch_version=@MOD_PATCH_VERSION@ usage() { cat <<EOF Usage: nss-config [OPTIONS] [LIBRARIES] Options: [--prefix[=DIR]] [--exec-prefix[=DIR]] [--includedir[=DIR]] [--libdir[=DIR]] [--version] [--libs] [--cflags] Dynamic Libraries: nss ssl smime EOF exit $1 } if test $# -eq 0; then usage 1 1>&2 fi lib_ssl=yes lib_smime=yes lib_nss=yes lib_nssutil=yes while test $# -gt 0; do case "$1" in -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; *) optarg= ;; esac case $1 in --prefix=*) prefix=$optarg ;; --prefix) echo_prefix=yes ;; --exec-prefix=*) exec_prefix=$optarg ;; --exec-prefix) echo_exec_prefix=yes ;; --includedir=*) includedir=$optarg ;; --includedir) echo_includedir=yes ;; --libdir=*) libdir=$optarg ;; --libdir) echo_libdir=yes ;; --version) echo ${major_version}.${minor_version}.${patch_version} ;; --cflags) echo_cflags=yes ;; --libs) echo_libs=yes ;; ssl) lib_ssl=yes ;; smime) lib_smime=yes ;; nss) lib_nss=yes ;; nssutil) lib_nssutil=yes ;; *) usage 1 1>&2 ;; esac shift done # Set variables that may be dependent upon other variables if test -z "$exec_prefix"; then exec_prefix=@exec_prefix@ fi if test -z "$includedir"; then includedir=@includedir@ fi if test -z "$libdir"; then libdir=@libdir@ fi if test "$echo_prefix" = "yes"; then echo $prefix fi if test "$echo_exec_prefix" = "yes"; then echo $exec_prefix fi if test "$echo_includedir" = "yes"; then echo $includedir fi if test "$echo_libdir" = "yes"; then echo $libdir fi if test "$echo_cflags" = "yes"; then echo -I$includedir fi if test "$echo_libs" = "yes"; then libdirs="-Wl,-rpath-link,$libdir -L$libdir" if test -n "$lib_ssl"; then libdirs="$libdirs -lssl${major_version}" fi if test -n "$lib_smime"; then libdirs="$libdirs -lsmime${major_version}" fi if test -n "$lib_nss"; then libdirs="$libdirs -lnss${major_version}" fi if test -n "$lib_nssutil"; then libdirs="$libdirs -lnssutil${major_version}" fi echo $libdirs fi ++++++ nss-disable-ocsp-test.patch ++++++ diff --git a/tests/chains/scenarios/scenarios b/tests/chains/scenarios/scenarios --- a/tests/chains/scenarios/scenarios +++ b/tests/chains/scenarios/scenarios @@ -45,12 +45,11 @@ mapping.cfg mapping2.cfg aia.cfg bridgewithaia.cfg bridgewithhalfaia.cfg bridgewithpolicyextensionandmapping.cfg realcerts.cfg dsa.cfg revoc.cfg -ocsp.cfg crldp.cfg trustanchors.cfg nameconstraints.cfg ++++++ nss-no-rpath.patch ++++++ Index: security/nss/cmd/platlibs.mk =================================================================== RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v retrieving revision 1.71 diff -u -p -6 -r1.71 platlibs.mk --- security/nss/cmd/platlibs.mk 17 Jul 2012 15:22:42 -0000 1.71 +++ nss/cmd/platlibs.mk 25 Oct 2012 12:07:35 -0000 @@ -15,15 +15,15 @@ else EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps' endif endif ifeq ($(OS_ARCH), Linux) ifeq ($(USE_64), 1) -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' else -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' endif endif endif # BUILD_SUN_PKG ifdef NSS_DISABLE_DBM ++++++ nss-opt.patch ++++++ Index: security/coreconf/Linux.mk =================================================================== RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v retrieving revision 1.45.2.1 diff -u -r1.45.2.1 Linux.mk --- security/coreconf/Linux.mk 31 Jul 2010 04:23:37 -0000 1.45.2.1 +++ nss/coreconf/Linux.mk 5 Aug 2010 07:35:06 -0000 @@ -112,11 +112,7 @@ endif ifdef BUILD_OPT -ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE)) - OPTIMIZER = -Os -else - OPTIMIZER = -O2 -endif + OPTIMIZER = $(OPT_FLAGS) ifdef MOZ_DEBUG_SYMBOLS ifdef MOZ_DEBUG_FLAGS OPTIMIZER += $(MOZ_DEBUG_FLAGS) ++++++ nss-sqlitename.patch ++++++ Index: security/nss/lib/sqlite/manifest.mn =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v retrieving revision 1.5 diff -u -r1.5 manifest.mn --- security/nss/lib/sqlite/manifest.mn 25 Apr 2012 14:50:11 -0000 1.5 +++ nss/lib/sqlite/manifest.mn 28 Jan 2013 20:48:22 -0000 @@ -6,9 +6,10 @@ MODULE = nss -LIBRARY_NAME = sqlite +LIBRARY_NAME = nsssqlite LIBRARY_VERSION = 3 MAPFILE = $(OBJDIR)/sqlite.def +MAPFILE_SOURCE = sqlite.def DEFINES += -DSQLITE_THREADSAFE=1 EXPORTS = \ ++++++ nss.pc.in ++++++ prefix=/usr exec_prefix=${prefix} libdir=%LIBDIR% includedir=${prefix}/include/nss3 Name: NSS Description: Network Security Services Version: %VERSION% Requires: nspr >= %NSPR_VERSION% Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3 Cflags: -I${includedir} ++++++ pkcs11.txt ++++++ library=libnsssysinit.so name=NSS Internal PKCS #11 Module parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) ++++++ renegotiate-transitional.patch ++++++ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c --- a/lib/ssl/sslsock.c +++ b/lib/ssl/sslsock.c @@ -144,17 +144,17 @@ static sslOptions ssl_defaults = { PR_FALSE, /* fdx */ PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ PR_TRUE, /* detectRollBack */ PR_FALSE, /* noStepDown */ PR_FALSE, /* bypassPKCS11 */ PR_FALSE, /* noLocks */ PR_FALSE, /* enableSessionTickets */ PR_FALSE, /* enableDeflate */ - 2, /* enableRenegotiation (default: requires extension) */ + 3, /* enableRenegotiation (default: requires extension) */ PR_FALSE, /* requireSafeNegotiation */ PR_FALSE, /* enableFalseStart */ PR_TRUE, /* cbcRandomIV */ PR_FALSE /* enableOCSPStapling */ }; /* * default range of enabled SSL/TLS protocols ++++++ setup-nsssysinit.sh ++++++ #!/bin/sh # # Turns on or off the nss-sysinit module db by editing the # global PKCS #11 congiguration file. # # This script can be invoked by the user as super user. # It is invoked at nss-sysinit post install time with argument on # and at nss-sysinit pre uninstall with argument off. # usage() { cat <<EOF Usage: setup-nsssysinit [on|off] on - turns on nsssysinit off - turns off nsssysinit EOF exit $1 } # validate if test $# -eq 0; then usage 1 1>&2 fi # the system-wide configuration file p11conf="/etc/pki/nssdb/pkcs11.txt" # must exist, otherwise report it and exit with failure if [ ! -f $p11conf ]; then echo "Could not find ${p11conf}" exit 1 fi on="1" case "$1" in on | ON ) cat ${p11conf} | \ sed -e 's/^library=$/library=libnsssysinit.so/' \ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ ${p11conf}.on mv ${p11conf}.on ${p11conf} ;; off | OFF ) if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then exit 0 fi cat ${p11conf} | \ sed -e 's/^library=libnsssysinit.so/library=/' \ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ ${p11conf}.off mv ${p11conf}.off ${p11conf} ;; * ) usage 1 1>&2 ;; esac ++++++ system-nspr.patch ++++++ diff --git a/Makefile b/Makefile --- a/Makefile +++ b/Makefile @@ -39,17 +39,17 @@ include $(CORE_DEPTH)/coreconf/rules.mk ####################################################################### ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # ####################################################################### -nss_build_all: build_nspr all +nss_build_all: all nss_clean_all: clobber_nspr clobber NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure # # Translate coreconf build options to NSPR configure options. -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
