On 2016-12-21 21:29:35, Antoine Beaupré wrote: > Hi, > > I finally got around to finishing the work I started back in november: > updating the nss package in wheezy, again. > > Packages are available here, only for armel unfortunately, but source is > there so it can be recompiled properly. As usual: > > https://people.debian.org/~anarcat/debian/wheezy-lts/
The binary packages in the above URL are correct, but the source package wasn't properly rebuilt and, obviously, the debdiff was also incorrect. Here's a more up to date debdiff:
diff -Nru nss-3.26/debian/changelog nss-3.26.2/debian/changelog --- nss-3.26/debian/changelog 2016-11-30 15:25:52.000000000 -0500 +++ nss-3.26.2/debian/changelog 2016-11-30 15:09:36.000000000 -0500 @@ -1,3 +1,25 @@ +nss (2:3.26.2-1+deb7u1) UNRELEASED; urgency=high + + [ Antoine Beaupré ] + * Non-maintainer upload by the LTS Security Team. + * New upstream release to fix CVE-2016-9074 + * CVE-2016-9074: existing mitigation of timing side-channel attacks + insufficient + * also includes a fix for aborted client connexions with MD5 algorithm + selection + * remove weird debian/changelog.n file from previous upload + + [ Raphaël Hertzog ] + * Run upstream test suite (cf #806639). + * Add autopkgtest (cf #806207). + * Force use of gcc-4.7 and g++-4.7 to fix FTBFS on arm*. + * Update nss/tests/libpkix/certs/PayPal*.cert to work-around + the fact that the former certificates have expired. Also + update the expected OID through + debian/patches/replace_expired_paypal_cert.patch. + + -- Antoine Beaupré <[email protected]> Wed, 30 Nov 2016 15:09:36 -0500 + nss (2:3.26-1+debu7u1) wheezy-security; urgency=medium * New upstream release. Closes: #583651. diff -Nru nss-3.26/debian/changelog.n nss-3.26.2/debian/changelog.n --- nss-3.26/debian/changelog.n 2016-11-30 15:26:06.000000000 -0500 +++ nss-3.26.2/debian/changelog.n 1969-12-31 19:00:00.000000000 -0500 @@ -1,839 +0,0 @@ -nss (2:3.26-1+debu8u1) jessie-security; urgency=medium - - * New upstream release. Closes: #583651. - * Remove SPI CA certificate. - * Remove transitional compatibility kludge for renegotiation handling. - * Update watch file and Vcs URLs, and the symbols file from unstable. - - -- Florian Weimer <[email protected]> Mon, 03 Oct 2016 21:17:21 +0200 - -nss (2:3.17.2-1.1+deb8u2) jessie; urgency=medium - - [ Andrew Ayer ] - * Apply upstream patch (99_prefer_stronger_cert_chains.patch) to fix - certificate chain generation to prefer stronger/newer certificates - over weaker/older certs. Closes: #774195. - - -- Christoph Egger <[email protected]> Sat, 15 Aug 2015 12:40:31 +0200 - -nss (2:3.17.2-1.1+deb8u1) jessie-security; urgency=high - - * Non-maintainer upload by the Security Team. - * Add 99_CVE-2015-2721.patch patch. - CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange. - * Add 100_CVE-2015-2730.patch patch. - CVE-2015-2730: ECDSA signature validation fails to handle some - signatures correctly. - - -- Salvatore Bonaccorso <[email protected]> Tue, 11 Aug 2015 19:37:12 +0200 - -nss (2:3.17.2-1.1) unstable; urgency=medium - - * Non-maintainer upload. - * Fix CVE-2014-1569. Closes: #773625. - - -- Matt Kraai <[email protected]> Sun, 21 Dec 2014 19:46:52 -0800 - -nss (2:3.17.2-1) unstable; urgency=medium - - * New upstream release. - - -- Mike Hommey <[email protected]> Sat, 18 Oct 2014 13:22:04 +0900 - -nss (2:3.17.1-1) unstable; urgency=high - - * New upstream release. - - Fixes CVE-2014-1568. - - Add support for ppc64el, with a non-broken patch. Closes: #745757. - * debian/libnss3.symbols: Add NSSUTIL_3.17.1 symbol versions. - - -- Mike Hommey <[email protected]> Wed, 24 Sep 2014 22:16:32 +0900 - -nss (2:3.17-1) unstable; urgency=medium - - * New upstream release. - * nss/coreconf/Linux.mk: Actually add support for ppc64el. Closes: #745757. - - -- Mike Hommey <[email protected]> Sun, 24 Aug 2014 08:41:37 +0900 - -nss (2:3.16.3-1.1) unstable; urgency=low - - * Non-maintainer upload to delayed. - * Add support for ppc64el. Closes: #745757 - - -- Andreas Barth <[email protected]> Mon, 18 Aug 2014 20:01:00 +0000 - -nss (2:3.16.3-1) unstable; urgency=medium - - * New upstream release. - * debian/libnss3.symbols: Add NSS_3.16.2 symbol versions. - - -- Mike Hommey <[email protected]> Sun, 13 Jul 2014 09:24:12 +0900 - -nss (2:3.16.1-1) unstable; urgency=medium - - * New upstream release. - * debian/libnss3.symbols: Add NSS_3.16.1 symbol versions. - - -- Mike Hommey <[email protected]> Sat, 07 Jun 2014 17:24:57 +0900 - -nss (2:3.16-1) unstable; urgency=medium - - * New upstream release. - * debian/libnss3.symbols: Add NSS_3.16 symbol versions. - * nss/lib/ckfw/builtins/certdata.txt: Remove CACert root certificates. - - -- Mike Hommey <[email protected]> Fri, 21 Mar 2014 08:10:24 +0900 - -nss (2:3.15.4-2) unstable; urgency=high - - * Upstream release 3.15.4 fixed MFSA-2014-12, also known as CVE-2014-1490 - and CVE-2014-1491. Bumping urgency as such. - * debian/control, debian/libnss3-nssdb.*, debian/pkcs11.txt, debian/rules: - Revert changes from 2:3.15.4-1. Reopens: #537866, Closes: #735329, #736061. - - -- Mike Hommey <[email protected]> Wed, 05 Feb 2014 16:26:06 +0900 - -nss (2:3.15.4-1) unstable; urgency=low - - * New upstream release. - * Acknowledge NMU. - * debian/rules: Avoid long one-liner with semi-colons. - * debian/patches/*: Refresh patches. - * debian/copyright: Update. Closes: #730428. - * debian/control, debian/libnss3-nssdb.*, debian/pkcs11.txt, debian/rules: - Add shared cert and key databases. Thanks Timo Aaltonen. Closes: #537866. - * debian/rules: Use DEB_HOST_ARCH instead of DEB_BUILD_ARCH. - * debian/control: Mark libnss3-dev as Multi-Arch: same. Thanks Shawn - Landden. Closes: #682925. - * debian/libnss3.symbols: Add NSS_3.15.4 symbol versions. - - -- Mike Hommey <[email protected]> Mon, 13 Jan 2014 10:46:04 +0900 - -nss (2:3.15.3.1-1.1) unstable; urgency=low - - * Non-Maintainer Upload - - ship extra NSS utilities (Closes: #701141) - - -- Daniel Kahn Gillmor <[email protected]> Sat, 04 Jan 2014 11:34:41 -0500 - -nss (2:3.15.3.1-1) unstable; urgency=high - - * New upstream release. - - Distrusts AC DG Tresor SSL CA. - - -- Mike Hommey <[email protected]> Sun, 15 Dec 2013 10:09:48 +0900 - -nss (2:3.15.3-1) unstable; urgency=high - - * New upstream release. - - Fixes CVE-2013-1741, CVE-2013-5605, CVE-2013-5606. - - -- Mike Hommey <[email protected]> Sat, 16 Nov 2013 08:50:45 +0900 - -nss (2:3.15.2-1) unstable; urgency=low - - * New upstream release. - - Fixes CVE-2013-1739. Closes: #726473. - - -- Mike Hommey <[email protected]> Mon, 21 Oct 2013 08:05:24 +0900 - -nss (2:3.15.1-1) unstable; urgency=low - - * New upstream release. - * debian/patches/*: Refresh patches. - * debian/patches/lower-dhe-priority.patch: Removed, as it was only necessary - for Iceweasel 3.5, which is long gone. - - -- Mike Hommey <[email protected]> Mon, 05 Aug 2013 14:41:14 +0900 - -nss (2:3.15-1) unstable; urgency=low - - * New upstream release. - * debian/patches/*: Refresh patches and removed unused ones. - * debian/rules: Adjusted to the new source layout. - * debian/libnss3.symbols: Add NSS*_3.15 symbol versions. - * debian/control: Bump nspr build dependency. - - -- Mike Hommey <[email protected]> Sat, 15 Jun 2013 19:23:12 +0900 - -nss (2:3.14.3-1) unstable; urgency=high - - * New upstream release. - - Fixes TLS timing attack (luck 13). Closes: #699888. - * debian/libnss3.symbols: Add NSS_3.14.3 symbol version. - * debian/control: Unbump sqlite3 build dependency, 3.14.3 lifted the need - for sqlite 3.7.15. - - -- Mike Hommey <[email protected]> Sun, 17 Mar 2013 15:01:06 +0100 - -nss (2:3.14.2-1) unstable; urgency=low - - * New upstream release. - * debian/control: Bump sqlite3 build dependency. - * debian/rules: Avoid installing freebl, softokn, nssckbi and nssdbm in two - places. - * debian/libnss3-1d.lintian-overrides.in: Stop preprocessing, it has nothing - to preprocess anymore. - * debian/libnss3.lintian-overrides.in: Fix not to contain a reference to the - libnss3-1d package. - - -- Mike Hommey <[email protected]> Fri, 15 Feb 2013 10:06:59 +0100 - -nss (2:3.14.1.with.ckbi.1.93-1) unstable; urgency=low - - * New upstream release. - - Explicitly distrust two intermediate CA certificates mis-issued by - TURKTRUST. - * debian/patches/95_add_spi+cacert_ca_certs.patch: Refreshed. - - -- Mike Hommey <[email protected]> Fri, 04 Jan 2013 11:16:33 +0100 - -nss (2:3.14.1-1) unstable; urgency=low - - * New upstream release. - * debian/patches: Removed patches applied upstream, and refreshed - the others. - * debian/libnss3.symbols: Updated for new symbols. - - -- Mike Hommey <[email protected]> Sun, 23 Dec 2012 17:40:21 +0100 - -nss (2:3.14-2) unstable; urgency=low - - * debian/nss-config.in: Fix nss-config when version is in the x.y form - instead of x.y.z. - - -- Mike Hommey <[email protected]> Fri, 07 Dec 2012 17:07:05 +0100 - -nss (2:3.14-1) unstable; urgency=low - - * New upstream release. - * debian/patches: Removed patches applied upstream, and refreshed - the others. - * debian/libnss3.symbols: Updated for new symbols. - - -- Mike Hommey <[email protected]> Thu, 01 Nov 2012 10:37:39 +0100 - -nss (2:3.13.6-1) unstable; urgency=low - - * New upstream release. - * debian/rules: Use xz compression for binary packages. - Thanks Ansgar Burchardt. Closes: #683835. - - -- Mike Hommey <[email protected]> Fri, 31 Aug 2012 09:56:53 +0200 - -nss (2:3.13.5-1) unstable; urgency=low - - * New upstream release. - - -- Mike Hommey <[email protected]> Fri, 15 Jun 2012 09:40:00 +0200 - -nss (2:3.13.4-3) unstable; urgency=low - - * debian/rules: Skip epoch when getting upstream version number. - - -- Mike Hommey <[email protected]> Sun, 20 May 2012 07:36:11 +0200 - -nss (2:3.13.4-2) unstable; urgency=low - - * debian/control, debian/libnss3*, debian/rules, - mozilla/security/coreconf/*, mozilla/security/nss/lib/*/manifest.mn: - Move to unversioned library. ABI compatibility is ensured upstream, and - the SO version, if it needed a change at any time, would be a change in - the library name. There is no reason to keep making compatibility more - difficult with other distros and upstream binary releases. While previous - versions were one-way compatible (binaries built against other distros or - upstream nspr could work on Debian), this approach works both ways. - * debian/control: - - Bump Standards-Version to 3.9.3.0. No changes required. - - Force to build against libnspr4-dev >= 2:4.9 - * Removed unapplied patches. - * Adding an epoch to match the old libnss3 package that used to be in - the Debian archive. - - -- Mike Hommey <[email protected]> Thu, 17 May 2012 09:45:36 +0200 - -nss (3.13.4-1) unstable; urgency=low - - * New upstream release. - - Changed __GNUC_MINOR__ use in pkcs11n.h. Closes: #650319. - * mozilla/security/nss/cmd/certcgi/certcgi.c, - mozilla/security/nss/cmd/digest/digest.c, - mozilla/security/nss/cmd/signver/pk7print.c: Import patch from Moritz - Muehlenhoff for hardened format strings. - * debian/make.mk, debian/rules, debian/control: Enable hardening. - Closes: #657325. - * debian/libnss3-1d.lintian-overrides.in, debian/rules: Use wildcards in - lintian override. Closes: #670013. - * debian/compat, debian/control: Bump debian/compat to 9. This has the - effect of using build-id for debug files, thus Closes: #670015. - * debian/libnss3-1d.symbols: Add symbols for /usr/lib/nss/ libraries. - - -- Mike Hommey <[email protected]> Sun, 29 Apr 2012 09:48:58 +0200 - -nss (3.13.3-1) unstable; urgency=low - - * New upstream release. - * debian/libnss3-1d.symbols: Updated to fit new upstream. - - -- Mike Hommey <[email protected]> Fri, 24 Feb 2012 09:56:10 +0100 - -nss (3.13.2~beta1-3) experimental; urgency=low - - * debian/libnss3-1d.symbols: Fix symbol version for the symbol added in - -2. - - -- Mike Hommey <[email protected]> Fri, 23 Dec 2011 19:20:23 +0100 - -nss (3.13.2~beta1-2) experimental; urgency=low - - * mozilla/security/nss/lib/ssl/*, - mozilla/security/nss/cmd/tstclnt/tstclnt.c, - mozilla/security/nss/tests/ssl/ssl.sh: Apply patches from bz#542832, - required for Iceweasel 11. - * debian/libnss3-1d.symbols: Add corresponding symbol. - - -- Mike Hommey <[email protected]> Fri, 23 Dec 2011 17:54:03 +0100 - -nss (3.13.2~beta1-1) experimental; urgency=low - - * New upstream snapshot, picked from NSS_3_13_2_BETA1 cvs tag. - * debian/libnss3-1d.symbols: Add NSS 3.13.2 symbols. - - -- Mike Hommey <[email protected]> Fri, 23 Dec 2011 16:22:05 +0100 - -nss (3.13.1.with.ckbi.1.88-1) unstable; urgency=low - - * New upstream release. - - Distrusts malaysian Digicert Sdn. Bhd CA certificate. - - Addresses CVE-2011-3640 (Untrusted search path vulnerability). - Closes: #647614. - * debian/patches/*: Refreshed patches. - * debian/libnss3-1d.symbols: Add NSS 3.13 symbols. - - -- Mike Hommey <[email protected]> Sat, 05 Nov 2011 17:05:26 +0100 - -nss (3.12.11-3) unstable; urgency=high - - * mozilla/security/nss/lib/ckfw/builtins/certdata.*: - Explicitely distrust various DigiNotar CAs: - - DigiNotar Root CA - - DigiNotar Services 1024 CA - - DigiNotar Cyber CA - - DigiNotar Cyber CA 2nd - - DigiNotar PKIoverheid - - DigiNotar PKIoverheid G2 - - -- Mike Hommey <[email protected]> Sat, 03 Sep 2011 09:33:28 +0200 - -nss (3.12.11-2) unstable; urgency=high - - * mozilla/security/nss/lib/ckfw/builtins/certdata.*: - Remove DigiNotar Root CA. - - -- Mike Hommey <[email protected]> Wed, 31 Aug 2011 08:49:00 +0200 - -nss (3.12.11-1) unstable; urgency=low - - * New upstream release. - * mozilla/security/nss/lib/ckfw/builtins/certdata.*, - * mozilla/security/coreconf/{config,Linux}.mk: Refreshed. - * debian/copyright: Update dbm license according to that in the source. - Closes: #624310 - - -- Mike Hommey <[email protected]> Fri, 12 Aug 2011 12:45:08 +0200 - -nss (3.12.10-3) unstable; urgency=low - - * debian/nss-config.in, debian/nss.pc.in, debian/rules: Return the multiarch - path in nss-config and nss.pc. - - -- Mike Hommey <[email protected]> Thu, 21 Jul 2011 18:08:48 +0200 - -nss (3.12.10-2) unstable; urgency=low - - * debian/control, debian/libnss3-1d.dirs, - debian/libnss3-1d.lintian-overrides.in, debian/libnss3-dev.dirs, - debian/libnss3-1d.links.in, debian/libnss3-dev.links.in, - debian/rules: Switch to multi-arch while keeping backports easy. - Closes: #497088. - - -- Mike Hommey <[email protected]> Mon, 04 Jul 2011 11:24:18 +0200 - -nss (3.12.10-1) unstable; urgency=low - - * New upstream release. - * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed. - * debian/control: Build depend on libnspr4-dev >= 4.8.8. - * debian/libnss3-1d.symbols: Add new symbol version. - - -- Mike Hommey <[email protected]> Wed, 25 May 2011 10:20:59 +0200 - -nss (3.12.9.with.ckbi.1.82-1) unstable; urgency=low - - * New upstream release. - - Marks fraudulent Comodo certificates as untrusted. - * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed. - - -- Mike Hommey <[email protected]> Thu, 24 Mar 2011 16:37:46 +0100 - -nss (3.12.9-2) unstable; urgency=low - - * Upload to unstable. - * debian/rules: Fallback to DEB_BUILD_ARCH when dpkg-architecture does't - support DEB_BUILD_ARCH_BITS. - * debian/control: Lower build depends on dpkg-dev to (>= 1.13.19), which - was the previous value. - * mozilla/security/nss/lib/freebl/unix_rand.c: We don't need to prevent - using netstat for entropy seeding. The seeding will stop before netstat - if it could get data from /dev/urandom. - * mozilla/security/coreconf/Linux.mk: We shouldn't need to special case - mips64 anymore. - * mozilla/security/nss/cmd/shlibsign/Makefile, debian/rules: Don't rely - on patching the source to not create .chk files during build. - - -- Mike Hommey <[email protected]> Sun, 06 Mar 2011 09:58:41 +0100 - -nss (3.12.9-1) experimental; urgency=low - - * New upstream release. - - -- Mike Hommey <[email protected]> Sat, 15 Jan 2011 11:33:35 +0100 - -nss (3.12.9~beta2-1) experimental; urgency=low - - * New upstream snapshot, picked from NSS_3_12_9_BETA2 cvs tag. - * debian/patches/*: Refresh patches. - * debian/libnss3-1d.symbols: Add new symbol versions. - * debian/rules: Bump shlibs. - - -- Mike Hommey <[email protected]> Fri, 17 Dec 2010 15:01:31 +0100 - -nss (3.12.8-1) unstable; urgency=low - - * New upstream release. - * debian/patches/*: Refresh patches. - * debian/patches/series: - + lower-dhe-priority.patch: Upstream patch from bz#583337 to lower DHE - priority. Closes: #592315. - - -- Mike Hommey <[email protected]> Thu, 07 Oct 2010 08:50:48 +0200 - -nss (3.12.8~b2-1) experimental; urgency=low - - * New upstream snapshot, picked from NSS_3_12_8_BETA2 cvs tag. - * debian/patches/*: Refresh patches. - - -- Mike Hommey <[email protected]> Mon, 23 Aug 2010 18:11:12 +0200 - -nss (3.12.7-1) unstable; urgency=low - - * New upstream release. - * debian/patches/*: Refresh patches. - * debian/control: - - Bump Standards-Version to 3.9.1.0. - - Build depend on libnspr4-dev >= 4.8.6. - * debian/libnss3-1d.symbols: Simplify symbols file and add new symbols. - * debian/rules: Bump shlibs. - - -- Mike Hommey <[email protected]> Fri, 06 Aug 2010 13:55:14 +0200 - -nss (3.12.6-3) unstable; urgency=low - - * debian/rules: - + Sign libnssdbm3.so. Closes: #588806. - + Test that the FIPS mode can be properly enabled during build. - * debian/control: - + Remove conflicts with very old packages. - + Bump Standards-Version to 3.9.0.0. - - -- Mike Hommey <[email protected]> Mon, 12 Jul 2010 15:12:24 +0200 - -nss (3.12.6-2) unstable; urgency=low - - * debian/patches/series: - + 00_ckbi_1.79.patch: New patch to update CKBI to 1.79. - + 95_add_spi+cacert_ca_certs.patch: Refreshed against CKBI 1.79. - - -- Mike Hommey <[email protected]> Fri, 09 Apr 2010 10:45:01 +0200 - -nss (3.12.6-1) unstable; urgency=low - - * New upstream release. - * debian/patches/*: Refresh patches. - * debian/libnss3-1d.symbols, debian/rules: Update symbols file with new - symbols and bump shlibs. - * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch, - debian/patches/series: Enable transitional scheme for ssl renegotiation. - Closes: #561918. - * debian/control: - + Bump Standards-Version to 3.8.4.0. - + Drop libnss3-1d dependency on dpkg. The versions it didn't really like - were between oldstable and stable. - + Don't allow different versions of libnss3-1d, libnss3-1d-dbg and - libnss3-tools to be installed at the same time. - + Add ${misc:Depends} to libnss3-1d-dbg dependencies. - * debian/rules: Revert workaround for gcc 4.4 bug on powerpc with -Os. - * debian/rules, debian/control, debian/compat: Simplify debian/rules by - using dh. - - -- Mike Hommey <[email protected]> Wed, 17 Mar 2010 20:33:32 +0100 - -nss (3.12.5-2) unstable; urgency=low - - * debian/control: - + Remove build dependency on autotools-dev, we don't use it. - + libnss3-dev depends on libnspr4-dev >= 4.6.6-1. 4.6.6-1 was the first - version where the pkg-config file was nspr.pc instead of - xulrunner-nspr.pc. Closes: #567134. - * debian/patches/96_NSS_VersionCheck.patch, debian/patches/series: - Remove runtime check of NSPR version in NSS_VersionCheck, which seems to - be pointless. Closes: #567136. - - -- Mike Hommey <[email protected]> Thu, 28 Jan 2010 12:12:35 +0100 - -nss (3.12.5-1) unstable; urgency=low - - * New upstream release. - * debian/copyright: Modify with new location for the embedded copy of zlib. - * debian/patches/*: - + Adapt patches to new upstream. - + Switch to quilt format - * debian/source/format: Switch to 3.0 (quilt) format. - * debian/rules, debian/control: Stop using dpatch. - * debian/patches/38_intel_aes_executable_stack.patch: Removed. An upstream - change in version 3.12.4 obsoleted it. - * debian/rules: - + Remove DEB_{BUILD,HOST}_* variables, they are not used. - + Use DEB_BUILD_ARCH_BITS to determine whether to build with USE_64 or not. - + Ship more tools in libnss3-tools. Closes: #526267. - + Work around gcc 4.4 bug on powerpc with -Os. - + Force non parallel build. There are too many race conditions in the - build system to support parallel builds. Closes: #536248. - + Bump shlibs. - * debian/control: - + Bump Standards-Version to 3.8.3.0. - + Build-depend on dpkg-dev (>= 1.15.4) for DEB_BUILD_ARCH_BITS. - + Stricter dependency between libnss3-dev and libnss3-1d. - * debian/libnss3-1d.symbols: - + Add new symbols. - + Remove debian revision for symbols added in 3.12.4. - * debian/patches/38_hurd.patch: Fix FTBFS on Hurd due to PATH_MAX usage in - unix_rand.c. Closes: #550995. - - -- Mike Hommey <[email protected]> Fri, 18 Dec 2009 11:48:14 +0100 - -nss (3.12.4-1) unstable; urgency=low - - * New upstream release. - * debian/patches/38_kbsd.dpatch: - + Use CHECK_FORK_PTHREAD on kfreebsd and hurd. Closes: #547301. - + Adapt to upstream changes. - * debian/patches/95_add_spi+cacert_ca_certs.dpatch, - * debian/patches/81_sonames.dpatch: Adapt to upstream changes. - * debian/libnss3-1d.symbols: Update symbols file with new symbols. - * debian/rules: Bumped shlibs. - - -- Mike Hommey <[email protected]> Sun, 11 Oct 2009 01:26:14 +0200 - -nss (3.12.3.1-1) unstable; urgency=low - - * New upstream release. - * debian/patches/95_add_spi+cacert_ca_certs.dpatch, Adapted to upstream - changes. - - -- Mike Hommey <[email protected]> Fri, 21 Aug 2009 23:47:24 +0200 - -nss (3.12.3-1) unstable; urgency=low - - * New upstream release. - * debian/watch: Updated to catch new upstream .bz2 tarballs. - * debian/copyright: Add information about - mozilla/security/corecond/mkdepend. - * debian/patches/38_hurd.dpatch, debian/patches/38_kbsd.dpatch: Adapted - to upstream changes. - * debian/patches/85_security_load.dpatch: Load libsoftokn3.so from - /usr/lib/nss when unable to load it from standard ld.so paths in - shlibsign. - * debian/rules: - + Add debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH when running - shlibsign during build. - + Bumped shlibs. - * debian/libnss3-1d.symbols: Update symbols file with new symbols. - * debian/control: - + Bumped Standards-Version to 3.8.1.0. No changes needed. - + Put the libnss3-1d-dbg package in the "debug" section. - + Correct libnss3-1d-dbg short description. - + Remove redundant section on libnss3-1d. - + Build-depend on proper version of debhelper for dh_lintian. - * debian/*.lintian-overrides, debian/rules: Install some Lintian - overrides with dh_lintian. - * debian/patches/38_intel_aes_executable_stack.dpatch: Indicate that - we don't need executable stack in intel-aes.s. - * debian/patches/00list: Updated accordingly. - - -- Mike Hommey <[email protected]> Sat, 18 Apr 2009 09:37:31 +0200 - -nss (3.12.2.with.ckbi.1.73-2) unstable; urgency=low - - * mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.h: - Apply patch from upstream to fix alignment issues on sparc and ia64. - Closes: #509930. - - -- Mike Hommey <[email protected]> Mon, 06 Apr 2009 20:24:01 +0200 - -nss (3.12.2.with.ckbi.1.73-1) unstable; urgency=low - - * debian/patches/38_kbsd.dpatch: Brown paper bag fix for regression - in previous release that led to FTBFS on i386 only. Closes: #513101. - Thanks Steffen Joeris, Sebastian Andrzej Siewior and Petr Salinger. - * debian/patches/95_add_spi+cacert_ca_certs.dpatch, - debian/patches/80_security_tools.dpatch: Adapted to upstream changes. - * debian/libnss3-1d.symbols: Update symbols file with new symbols. - * debian/rules: Bumped shlibs. - - -- Mike Hommey <[email protected]> Sat, 31 Jan 2009 16:41:26 +0100 - -nss (3.12.1-1) unstable; urgency=low - - * New upstream release. - * debian/patches/95_add_spi+cacert_ca_certs.dpatch, - debian/patches/38_mips64_build.dpatch, - debian/patches/38_kbsd.dpatch: Adapted to upstream changes. - * debian/libnss3-1d.symbols: Update symbols file with new symbols. - * debian/rules: Bumped shlibs. - - -- Mike Hommey <[email protected]> Sat, 20 Dec 2008 12:11:28 +0100 - -nss (3.12.0-5) unstable; urgency=low - - * debian/control: - + Conflict with libnss3-0d >= 3.11.5, that has conflicting files in - /usr/lib/nss. Older versions (those from etch) don't conflict. - This makes updates from old testing smoother. Closes: #492332. - + Build-depend on libsqlite3-dev >= 3.3.9, since API introduced in this - version is used. Closes: #493191. - - -- Mike Hommey <[email protected]> Sun, 03 Aug 2008 09:42:03 +0200 - -nss (3.12.0-4) unstable; urgency=low - - * debian/control: Remove conflict with libnss3-0d, it was only useful when - libnss3-0d was a transitional package. Closes: #490995. - - -- Mike Hommey <[email protected]> Wed, 16 Jul 2008 21:29:19 +0200 - -nss (3.12.0-3) unstable; urgency=low - - * debian/rules: - + Enable ECC cypher suite. Closes: #490826. - + Build with the same optimization level as upstream. - - -- Mike Hommey <[email protected]> Mon, 14 Jul 2008 17:35:25 +0200 - -nss (3.12.0-2) unstable; urgency=low - - * debian/patches/95_add_spi+cacert_ca_certs.dpatch: - + Add CAcert root and class 3 certificates to nssckbi module. - + Add SPI Inc. certificate to nssckbi module. - Thanks to Martin F Krafft for these. Closes: #309564. - * debian/patches/00list: Updated accordingly. - - -- Mike Hommey <[email protected]> Sat, 12 Jul 2008 18:26:09 +0200 - -nss (3.12.0-1) unstable; urgency=low - - * New upstream release. - * debian/patches/92_ocsp.dpatch: Removed, as applied upstream. - * debian/patches/00list: Updated accordingly. - * debian/control: - + Bumped Standards-Version to 3.8.0.1. No changes needed. - + Added Vcs-Browser and Vcs-Git fields. - + libnss3-dev don't need explicit version dependency on libnss3-1d. - + libnss3-dev depends on libnspr4-dev. Closes: #488402. - + Make the -dbg package less a hassle for manual installations with dpkg. - + libnss3-1d depends on version of dpkg that either don't support symbols - files or has fix for #474079. - * debian/patches/85_security_load.dpatch: Load files from /usr/lib/nss if - given reference path is only a filename, which happens when freebl is - statically linked in a binary executable, such as signtool, and the - executable is run from $PATH. When the executable is run using a full - path, we must replace /bin/ in the path with /lib/ to find the libraries. - Closes: #483774. - * debian/libnss3-1d.symbols: Re-enable symbols file. - - -- Mike Hommey <[email protected]> Sat, 05 Jul 2008 10:19:53 +0200 - -nss (3.12.0~rc3-3) unstable; urgency=low - - * debian/control: Make libnss3-0d conflict with old libnss3, which can - still be installed on some systems, though it hasn't been in the archive - since sarge. Closes: #485080. - - -- Mike Hommey <[email protected]> Sun, 08 Jun 2008 14:11:13 +0200 - -nss (3.12.0~rc3-2) unstable; urgency=low - - * debian/patches/92_ocsp.dpatch: Apply patches from bz433594 and bz#433386, - which are applied in upstream RC4 (and are the only changes), to fix - crashes under some conditions with OCSP checks. - * debian/patches/00list: Updated accordingly. - * debian/libnss3-dev.links, debian/libnss3-1d.links: Don't install so - files in the -dev package but in the library package. It will allow - external applications linked against upstream nss to work on Debian with - system nss libraries, and will avoid all browsers to have to implement - symlinks themselves to allow some external plugins to work properly. - * debian/control: Make libnss3-1d conflict with older versions of - libnss3-dev and libnss3-dev need newer libnss3-1d accordingly. - - -- Mike Hommey <[email protected]> Sat, 07 Jun 2008 11:57:55 +0200 - -nss (3.12.0~rc3-1) unstable; urgency=low - - * New upstream snapshot, picked from NSS_3_12_RC3 cvs tag. - - -- Mike Hommey <[email protected]> Sun, 11 May 2008 16:58:17 +0200 - -nss (3.12.0~beta3-1) unstable; urgency=low - - * New upstream snapshot, picked from NSS_3_12_BETA3 cvs tag. - * debian/control: Turn Homepage indications in descriptions into a - control field. - * debian/patches/91_build_pwdecrypt.dpatch: Enable building and installing - pwdecrypt. Thanks Paul Wise. Closes: #472303. - * debian/patches/00list: Updated accordingly. - * debian/libnss3-1d.symbols: Update symbols file with new symbols and rename - the file, so that it isn't used, as a workaround to #474079. - Closes: #474007. - * debian/rules: Bumped shlibs. - - -- Mike Hommey <[email protected]> Tue, 08 Apr 2008 21:23:53 +0200 - -nss (3.12.0~beta2-1) unstable; urgency=low - - * New upstream snapshot, picked from NSS_3_12_BETA2 cvs tag. - * debian/patches/10_3.11.7_symbol_fix.dpatch: Removed, as applied upstream. - * debian/patches/38_kbsd.dpatch: Adapted to upstream changes. - * debian/patches/81_sonames.dpatch: Add SO_VERSION to libnssutil3. - * debian/libnss3-dev.links: Add link for libnssutil3. - * debian/libnss3-1d.symbols: Update symbols file with new symbols. Note that - SEC_StringToOID disappeared (well, was moved to nssutil), compared to - version 3.12.0~1.9b1, but it was a new symbol, and isn't used anywhere. - * debian/nss.pc.in, debian/nss-config.in: Add libnssutil3 support. - * debian/rules: - + Bumped shlibs. - + Don't generate libsoftokn3.so.0d. - * debian/control: - + Remove transitional libnss3-0d package. - + Bumped Standards-Version to 3.7.3.0. No changes needed. - + Build depend on libnspr4-dev >= 4.7.0 (we *do* need the RTM version, and - not the preceding betas) - * debian/libnss3-0d.*: Removed. - * debian/patches/85_security_load.dpatch: Load files from $ORIGIN/nss before - those of $ORIGIN. Closes: #469079. - * debian/patches/38_hurd.dpatch: Fix FTBFS on Hurd because of MAXPATHLEN. - Closes: #419529. - * debian/patches/00list: Updated accordingly. - - -- Mike Hommey <[email protected]> Fri, 07 Mar 2008 21:27:54 +0100 - -nss (3.12.0~1.9b1-2) unstable; urgency=low - - * debian/control: libnss3-1-dbg needs to conflict with older libnss3-0d-dbg, - as it overwrites so of its files. Closes: #455875. - * debian/patches/90_realpath.dpatch: Use realpath() in - loader_GetOriginalPathname, so that symlinks are properly followed when - determining where the current library lives. - * debian/patches/00list: Updated accordingly. - * debian/patches/85_security_load.dpatch: When the module given by the - caller contains a directory name, remove it so that the module can be - properly loaded. Closes: #456296. - - -- Mike Hommey <[email protected]> Sun, 16 Dec 2007 11:06:03 +0100 - -nss (3.12.0~1.9b1-1) unstable; urgency=low - - * New upstream snapshot, picked from FIREFOX_3_0b1_RELEASE cvs tag. - * debian/copyright: Add licensing information about the recently added - sqlite copy in the source tree. - * debian/control: - + Build depend on libsqlite3-dev. - + Rename all -0d packages to -1d, but keep a transitional -0d package, - since all libraries are compatible (except for the removed one). - + Make libnss3-1d conflict with older libnss3-0d. - * debian/patches/38_kbsd.dpatch, debian/patches/81_sonames.dpatch: - Adapted to upstream changes. - * debian/patches/81_sonames.dpatch: - + Remove SO version from libsoftokn3, now it is not linked against - anymore, but dlloaded. - + Remove the hacks to have shlibsign and the signature verification code - handle the SO version in the file name. - + Bump SO version to 1d. - * debian/rules: - + Add NSS_USE_SYSTEM_SQLITE=1 to the make options. - + Install libsoftokn3 and the new libnssdbm3 in /usr/lib/nss. - + Run shlibsign on libsoftokn3 in /usr/lib/nss, without a SO version. - + For some reason, build-stamp was missing in install-stamp dependencies. - + Bumped shlibs because of new symbols, and pass -c4 to dpkg-gensymbols, - so that it fails in all cases where the symbols file is not up to date. - + Adapt upstream version pattern matching so that the ~1.9b1 part is - removed. - + Install .1d libraries in -1d packages. - + Create a dummy libsoftokn3.so.0d library, installed in the libnss3-0d - package. - * debian/libnss3-0d.links: - + Remove links in /usr/lib/xulrunner. The workaround they were - implementing is going to be done another way. - + Add .0d links to .1d libraries. - * debian/libnss3-dev.links: - + Don't put a symlink for libsoftokn3. - + .so files now link to .1d libraries. - * debian/patches/80_security_build.dpatch: Remove the hack to load libfreebl - from /usr/lib/nss. - * debian/patches/85_security_load.dpatch: Load modules from $ORIGIN/nss. - * debian/patches/10_3.11.7_symbol_fix.dpatch: Fix a symbol version. Stolen - from bz#325672. - * debian/patches/00list: Updated accordingly. - * debian/libnss3-0d.dirs: Renamed to libnss3-1d.dirs. - - -- Mike Hommey <[email protected]> Sat, 08 Dec 2007 10:53:02 +0100 - -nss (3.11.7-1) unstable; urgency=low - - * New upstream release, picked from NSS_3_11_7_RTM cvs tag. - * debian/patches/38_kbsd.dpatch: Also add support for the Hurd. - Closes: #419529. - * debian/rules: - + Don't fail on clean with unpatched ruleset. Closes: #421542. - + Bumped shlibs because of new symbols. - * debian/patches/81_sonames.dpatch: Adapted to upstream changes. - - -- Mike Hommey <[email protected]> Sun, 01 Jul 2007 11:29:06 +0200 - -nss (3.11.5-3) unstable; urgency=low - - * Upload to unstable. - - -- Mike Hommey <[email protected]> Mon, 09 Apr 2007 20:37:25 +0200 - -nss (3.11.5-2) experimental; urgency=low - - * debian/rules: - + Cleaner way to set the NSPR location. - + Install libcrmf.a files in libnss3-dev. - + binary-indep now does nothing. - * debian/control: Make libnss3-dev an Arch: any package. - * debian/nss.pc.in: - + Remove libsoftokn3 from ld libraries. - + Improvement in directories setting. - * debian/libnss3-dev.dirs: Create /usr/bin. - * debian/nss-config.in, debian/rules: Install a nss-config script into - libnss3-dev. - - -- Mike Hommey <[email protected]> Tue, 27 Mar 2007 20:41:11 +0200 - -nss (3.11.5-1) experimental; urgency=low - - * Initial release. (Closes: #416151) - - -- Mike Hommey <[email protected]> Sun, 25 Mar 2007 23:56:17 +0200 diff -Nru nss-3.26/debian/control nss-3.26.2/debian/control --- nss-3.26/debian/control 2016-10-03 15:18:55.000000000 -0400 +++ nss-3.26.2/debian/control 2016-12-22 15:00:11.000000000 -0500 @@ -7,7 +7,9 @@ dpkg-dev (>= 1.16.1.1~), libnspr4-dev (>= 2:4.12), zlib1g-dev, - libsqlite3-dev (>= 3.3.9) + libsqlite3-dev (>= 3.3.9), + gcc-4.7, + g++-4.7 Standards-Version: 3.9.3.0 Homepage: http://www.mozilla.org/projects/security/pki/nss/ Vcs-Git: https://anonscm.debian.org/git/pkg-mozilla/nss.git diff -Nru nss-3.26/debian/patches/customize-gcc.patch nss-3.26.2/debian/patches/customize-gcc.patch --- nss-3.26/debian/patches/customize-gcc.patch 1969-12-31 19:00:00.000000000 -0500 +++ nss-3.26.2/debian/patches/customize-gcc.patch 2016-12-22 15:00:41.000000000 -0500 @@ -0,0 +1,30 @@ +Description: allow environment to override linux compiler +Author: Antoine Beaupré <[email protected]> + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: debian +Forwarded: no +Last-Update: 2016-12-21 + +--- nss-3.26.2.orig/nss/coreconf/Linux.mk ++++ nss-3.26.2/nss/coreconf/Linux.mk +@@ -16,11 +16,11 @@ ifeq ($(USE_PTHREADS),1) + IMPL_STRATEGY = _PTH + endif + +-CC = gcc +-CCC = g++ +-RANLIB = ranlib ++CC ?= gcc ++CCC ?= g++ ++RANLIB ?= ranlib + +-DEFAULT_COMPILER = gcc ++DEFAULT_COMPILER = $(CC) + + ifeq ($(OS_TARGET),Android) + ifndef ANDROID_NDK diff -Nru nss-3.26/debian/patches/replace_expired_paypal_cert.patch nss-3.26.2/debian/patches/replace_expired_paypal_cert.patch --- nss-3.26/debian/patches/replace_expired_paypal_cert.patch 1969-12-31 19:00:00.000000000 -0500 +++ nss-3.26.2/debian/patches/replace_expired_paypal_cert.patch 2016-12-22 15:00:42.000000000 -0500 @@ -0,0 +1,29 @@ +Description: Two tests are failing due to PayPalEE.cert having expired + $ nss-pp -t c -i tests/libpkix/certs/PayPalEE.cert|grep After + Not After : Fri Dec 16 12:00:00 2016 + We update the associated meta-data and will replace the binary + certificates separately through debian/source/include-binaries. + . + This problem is the same than two years ago: + https://bugzilla.mozilla.org/show_bug.cgi?id=1151037 +Author: Raphaël Hertzog <[email protected]> + +--- a/nss/tests/chains/scenarios/realcerts.cfg ++++ b/nss/tests/chains/scenarios/realcerts.cfg +@@ -21,7 +21,7 @@ verify TestUser51:x + result pass + + verify PayPalEE:x +- policy OID.2.16.840.1.114412.1.1 ++ policy OID.2.16.840.1.113733.1.7.23.6 + result pass + + verify BrAirWaysBadSig:x +--- a/nss/tests/libpkix/vfychain_test.lst ++++ b/nss/tests/libpkix/vfychain_test.lst +@@ -1,4 +1,4 @@ + # Status | Leaf Cert | Policies | Others(undef) + 0 TestUser50 undef + 0 TestUser51 undef +-0 PayPalEE OID.2.16.840.1.114412.1.1 ++0 PayPalEE OID.2.16.840.1.113733.1.7.23.6 diff -Nru nss-3.26/debian/patches/series nss-3.26.2/debian/patches/series --- nss-3.26/debian/patches/series 2016-10-03 15:27:18.000000000 -0400 +++ nss-3.26.2/debian/patches/series 2016-12-22 15:00:42.000000000 -0500 @@ -2,3 +2,5 @@ 38_kbsd.patch 80_security_tools.patch 85_security_load.patch +replace_expired_paypal_cert.patch +customize-gcc.patch diff -Nru nss-3.26/debian/rules nss-3.26.2/debian/rules --- nss-3.26/debian/rules 2016-10-03 15:42:41.000000000 -0400 +++ nss-3.26.2/debian/rules 2016-12-22 15:00:29.000000000 -0500 @@ -6,6 +6,10 @@ $(call lazy,CPPFLAGS,$$(shell dpkg-buildflags --get CPPFLAGS)) $(call lazy,LDFLAGS,$$(shell dpkg-buildflags --get LDFLAGS)) +export CC=gcc-4.7 +export CXX=g++-4.7 +export CCC=g++-4.7 + PREPROCESS_FILES := $(wildcard debian/*.in) $(PREPROCESS_FILES:.in=): %: %.in @@ -50,7 +54,6 @@ SOURCE_MD_DIR=$(DISTDIR) \ DIST=$(DISTDIR) \ BUILD_OPT=1 \ - NS_USE_GCC=1 \ OPTIMIZER="$(CFLAGS) $(CPPFLAGS)" \ LDFLAGS='$(LDFLAGS) $$(ARCHFLAG) $$(ZDEFS_FLAG)' \ DSO_LDOPTS='-shared $$(LDFLAGS)' \ @@ -155,6 +158,20 @@ dh_gencontrol -- -Vmisc:Multi-Arch=same endif +override_dh_auto_test: + # Create .chk files for FIPS mode tests + $(foreach lib,libsoftokn3.so libfreebl3.so libfreeblpriv3.so libnssdbm3.so, \ + $(call cmd,cd $(DISTDIR)/lib; LD_LIBRARY_PATH=$(DISTDIR)/lib $(DISTDIR)/bin/shlibsign -v -i $(lib))) + # Run tests + export DIST=$(CURDIR) &&\ + export OBJDIR=dist &&\ + export IP_ADDRESS=127.0.0.1 &&\ + export USE_IP=TRUE &&\ + export NSS_CYCLES=standard &&\ + cd $(CURDIR)/nss/tests && ./all.sh + # Cleanup + rm -f dist/lib/*.chk + override_dh_builddeb: dh_builddeb -- -Zxz diff -Nru nss-3.26/debian/source/include-binaries nss-3.26.2/debian/source/include-binaries --- nss-3.26/debian/source/include-binaries 1969-12-31 19:00:00.000000000 -0500 +++ nss-3.26.2/debian/source/include-binaries 2016-11-30 15:09:36.000000000 -0500 @@ -0,0 +1,3 @@ +nss/tests/libpkix/certs/PayPalEE.cert +nss/tests/libpkix/certs/PayPalICA.cert +nss/tests/libpkix/certs/PayPalRootCA.cert diff -Nru nss-3.26/debian/tests/control nss-3.26.2/debian/tests/control --- nss-3.26/debian/tests/control 1969-12-31 19:00:00.000000000 -0500 +++ nss-3.26.2/debian/tests/control 2016-11-30 15:09:36.000000000 -0500 @@ -0,0 +1,5 @@ +Tests: test-cert.sh test-fips.sh +Depends: libnss3-tools + +Tests: test-link.make +Depends: libnss3-dev, pkg-config, g++ diff -Nru nss-3.26/debian/tests/test-cert.sh nss-3.26.2/debian/tests/test-cert.sh --- nss-3.26/debian/tests/test-cert.sh 1969-12-31 19:00:00.000000000 -0500 +++ nss-3.26.2/debian/tests/test-cert.sh 2016-11-30 15:09:36.000000000 -0500 @@ -0,0 +1,42 @@ +#!/bin/bash +# +# Check some basic CA operations + +set -e + +cleanup() { + [ -z "$DIR" ] || rm -rf "$DIR" +} + + +run_certutil() { + CMD="certutil -z $DIR/random -f $DIR/passwd -d sql:$DIR $@" + echo "Running: $CMD" + $CMD +} + +DIR=`mktemp -p . -d` +trap cleanup EXIT ERR + +dd bs=20 count=1 if=/dev/urandom of=$DIR/random 2>/dev/null +echo "password" > $DIR/passwd + +# Create the database +run_certutil -N +# Create a self signed certificate +run_certutil -S -k rsa -n test-ca -s CN=testca -t c -x 2>/dev/null +# Create a certificate request +run_certutil -R -k rsa -g 2048 -n test-cert -s "CN=testcert" -o $DIR/cert.req -a 2>/dev/null +# Sign with ca +run_certutil -C -m 10000 -c test-ca -i $DIR/cert.req -o $DIR/cert.cer -a +run_certutil -A -n test-cert -i $DIR/cert.cer -t c -a + +echo -n "Checking if ca is present..." +run_certutil -L -n test-ca >/dev/null +echo "OK." + +echo -n "Checking if cert present..." +run_certutil -L -n test-cert >/dev/null +echo "OK." + +exit 0 diff -Nru nss-3.26/debian/tests/test-fips.sh nss-3.26.2/debian/tests/test-fips.sh --- nss-3.26/debian/tests/test-fips.sh 1969-12-31 19:00:00.000000000 -0500 +++ nss-3.26.2/debian/tests/test-fips.sh 2016-11-30 15:09:36.000000000 -0500 @@ -0,0 +1,22 @@ +#!/bin/bash +# +# Enable fips mode + +set -e + +cleanup() { + [ -z "$DIR" ] || rm -rf "$DIR" +} + + +run_certutil() { + CMD="certutil -z $DIR/random -f $DIR/passwd -d sql:$DIR $@" + echo "Running: $CMD" + $CMD +} + +DIR=`mktemp -p . -d` +trap cleanup EXIT ERR + +modutil -create -dbdir $DIR < /dev/null +modutil -fips true -dbdir $DIR < /dev/null diff -Nru nss-3.26/debian/tests/test-link.cpp nss-3.26.2/debian/tests/test-link.cpp --- nss-3.26/debian/tests/test-link.cpp 1969-12-31 19:00:00.000000000 -0500 +++ nss-3.26.2/debian/tests/test-link.cpp 2016-11-30 15:09:36.000000000 -0500 @@ -0,0 +1,25 @@ +#include <stdio.h> +#include <stdlib.h> +#include <errno.h> + +#include <nss.h> + +int main() +{ + int ret = 0; + SECStatus s; + char *t = strdup("/tmp/nss.XXXXXX"); + char *tmpdir = mkdtemp(t); + + if (tmpdir == NULL) + fprintf(stderr, "Failed to create temp directory: %s", strerror(errno)); + + s = NSS_InitReadWrite(tmpdir); + if (s != SECSuccess) + ret = 2; + + NSS_Shutdown(); + free(t); + + return ret; +} diff -Nru nss-3.26/debian/tests/test-link.make nss-3.26.2/debian/tests/test-link.make --- nss-3.26/debian/tests/test-link.make 1969-12-31 19:00:00.000000000 -0500 +++ nss-3.26.2/debian/tests/test-link.make 2016-11-30 15:09:36.000000000 -0500 @@ -0,0 +1,10 @@ +#!/usr/bin/make -f + +all: a.out + ./a.out + rm -f a.out + +a.out: debian/tests/test-link.cpp + g++ -Wall -Werror $< $(shell pkg-config --cflags nss) $(shell pkg-config --libs nss) + +.PHONY: all diff -Nru nss-3.26/nss/external_tests/ssl_gtest/ssl_auth_unittest.cc nss-3.26.2/nss/external_tests/ssl_gtest/ssl_auth_unittest.cc --- nss-3.26/nss/external_tests/ssl_gtest/ssl_auth_unittest.cc 2016-08-05 11:43:39.000000000 -0400 +++ nss-3.26.2/nss/external_tests/ssl_gtest/ssl_auth_unittest.cc 2016-10-10 10:54:09.000000000 -0400 @@ -22,6 +22,38 @@ namespace nss_test { +class TlsInspectorCertificateRequestSigAlgSetter : public TlsHandshakeFilter { + public: + TlsInspectorCertificateRequestSigAlgSetter(SSLSignatureAndHashAlg sig_alg) + : sig_alg_(sig_alg) {} + + virtual PacketFilter::Action FilterHandshake( + const HandshakeHeader& header, + const DataBuffer& input, DataBuffer* output) { + if (header.handshake_type() != kTlsHandshakeCertificateRequest) { + return KEEP; + } + + TlsParser parser(input); + *output = input; + + // Skip certificate types. + parser.SkipVariable(1); + + // Skip sig algs length. + parser.Skip(2); + + // Write signature algorithm. + output->Write(parser.consumed(), sig_alg_.hashAlg, 1); + output->Write(parser.consumed() + 1, sig_alg_.sigAlg, 1); + + return CHANGE; + } + + private: + SSLSignatureAndHashAlg sig_alg_; +}; + TEST_P(TlsConnectGeneric, ClientAuth) { client_->SetupClientAuth(); server_->RequestClientAuth(true); @@ -337,4 +369,41 @@ Receive(10); } +TEST_P(TlsConnectTls12, ClientAuthNoMatchingSigAlgs) { + Reset(TlsAgent::kServerEcdsa); + server_->RequestClientAuth(false); + client_->SetupClientAuth(); + + server_->EnableCiphersByAuthType(ssl_auth_ecdh_ecdsa); + server_->SetSignatureAlgorithms(SignatureEcdsaSha256, + PR_ARRAY_SIZE(SignatureEcdsaSha256)); + + Connect(); + CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa); + EXPECT_TRUE(!SSL_PeerCertificate(server_->ssl_fd())); +} + +TEST_P(TlsConnectTls12, CertificateRequestMd5) { + const SSLSignatureAndHashAlg md5_sig_alg = {ssl_hash_md5, ssl_sign_rsa}; + + const SSLSignatureAndHashAlg serverAlgorithms[] = { + {ssl_hash_sha1, ssl_sign_rsa}, + {ssl_hash_sha256, ssl_sign_rsa} + }; + + client_->SetupClientAuth(); + server_->RequestClientAuth(true); + server_->SetPacketFilter(new TlsInspectorCertificateRequestSigAlgSetter + (md5_sig_alg)); + server_->SetSignatureAlgorithms(serverAlgorithms, + PR_ARRAY_SIZE(serverAlgorithms)); + + client_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384); + server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384); + + ConnectExpectFail(); + ASSERT_EQ(SEC_ERROR_BAD_SIGNATURE, server_->error_code()); + ASSERT_EQ(SSL_ERROR_DECRYPT_ERROR_ALERT, client_->error_code()); +} + } diff -Nru nss-3.26/nss/external_tests/ssl_gtest/tls_parser.h nss-3.26.2/nss/external_tests/ssl_gtest/tls_parser.h --- nss-3.26/nss/external_tests/ssl_gtest/tls_parser.h 2016-08-05 11:43:39.000000000 -0400 +++ nss-3.26.2/nss/external_tests/ssl_gtest/tls_parser.h 2016-10-10 10:54:09.000000000 -0400 @@ -29,6 +29,7 @@ const uint8_t kTlsHandshakeEncryptedExtensions = 8; const uint8_t kTlsHandshakeCertificate = 11; const uint8_t kTlsHandshakeServerKeyExchange = 12; +const uint8_t kTlsHandshakeCertificateRequest = 13; const uint8_t kTlsHandshakeCertificateVerify = 15; const uint8_t kTlsHandshakeClientKeyExchange = 16; const uint8_t kTlsHandshakeFinished = 20; diff -Nru nss-3.26/nss/.hg_archival.txt nss-3.26.2/nss/.hg_archival.txt --- nss-3.26/nss/.hg_archival.txt 2016-08-05 11:43:39.000000000 -0400 +++ nss-3.26.2/nss/.hg_archival.txt 2016-10-10 10:54:09.000000000 -0400 @@ -1,4 +1,4 @@ repo: 9949429068caa6bb8827a8ceeaa7c605d722f47f -node: f118cfd3948a9198bff6db23a300073897fb59c0 +node: 5bb734f18d10e207cdfb222dbdb8be56dfdd0f64 branch: NSS_3_26_BRANCH -tag: NSS_3_26_RTM +tag: NSS_3_26_2_RTM diff -Nru nss-3.26/nss/lib/nss/nss.h nss-3.26.2/nss/lib/nss/nss.h --- nss-3.26/nss/lib/nss/nss.h 2016-08-05 11:43:39.000000000 -0400 +++ nss-3.26.2/nss/lib/nss/nss.h 2016-10-10 10:54:09.000000000 -0400 @@ -22,10 +22,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define NSS_VERSION "3.26" _NSS_CUSTOMIZED +#define NSS_VERSION "3.26.2" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 26 -#define NSS_VPATCH 0 +#define NSS_VPATCH 2 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE diff -Nru nss-3.26/nss/lib/softoken/softkver.h nss-3.26.2/nss/lib/softoken/softkver.h --- nss-3.26/nss/lib/softoken/softkver.h 2016-08-05 11:43:39.000000000 -0400 +++ nss-3.26.2/nss/lib/softoken/softkver.h 2016-10-10 10:54:09.000000000 -0400 @@ -25,10 +25,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define SOFTOKEN_VERSION "3.26" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.26.2" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 26 -#define SOFTOKEN_VPATCH 0 +#define SOFTOKEN_VPATCH 2 #define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_FALSE diff -Nru nss-3.26/nss/lib/ssl/ssl3con.c nss-3.26.2/nss/lib/ssl/ssl3con.c --- nss-3.26/nss/lib/ssl/ssl3con.c 2016-08-05 11:43:39.000000000 -0400 +++ nss-3.26.2/nss/lib/ssl/ssl3con.c 2016-10-10 10:54:09.000000000 -0400 @@ -7881,7 +7881,7 @@ return rv; } -static void +static SECStatus ssl3_DecideTls12CertVerifyHash(sslSocket *ss, const SECItem *algorithms); typedef struct dnameNode { @@ -8112,7 +8112,10 @@ } if (ss->ssl3.hs.hashType == handshake_hash_record || ss->ssl3.hs.hashType == handshake_hash_single) { - ssl3_DecideTls12CertVerifyHash(ss, algorithms); + rv = ssl3_DecideTls12CertVerifyHash(ss, algorithms); + if (rv != SECSuccess) { + goto send_no_certificate; + } } break; /* not an error */ @@ -10187,7 +10190,7 @@ return SECFailure; } -static void +static SECStatus ssl3_DecideTls12CertVerifyHash(sslSocket *ss, const SECItem *algorithms) { SECStatus rv; @@ -10201,7 +10204,7 @@ /* Determine the key's signature algorithm and whether it prefers SHA-1. */ rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1); if (rv != SECSuccess) { - return; + return SECFailure; } /* Determine the server's hash support for that signature algorithm. */ @@ -10210,6 +10213,9 @@ SSLHashType hashAlg = algorithms->data[i]; SECOidTag hashOID; PRUint32 policy; + if (hashAlg == ssl_hash_md5) { + continue; /* No MD5 signature support. */ + } if (hashAlg == ssl_hash_sha1 && ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_3) { /* TLS 1.3 explicitly forbids using SHA-1 with certificate_verify. */ @@ -10239,6 +10245,13 @@ } else { ss->ssl3.hs.tls12CertVerifyHash = otherHashAlg; } + + /* We didn't find a sigAlg matching the client cert's key type. */ + if (ss->ssl3.hs.tls12CertVerifyHash == ssl_hash_none) { + return SECFailure; + } + + return SECSuccess; } static SECStatus @@ -12983,6 +12996,13 @@ return DUPLICATE_MSB_TO_ALL_8(c); } +/* ssl_constantTimeSelect return a if mask is 0xFF and b if mask is 0x00 */ +static unsigned char +ssl_constantTimeSelect(unsigned char mask, unsigned char a, unsigned char b) +{ + return (mask & a) | (~mask & b); +} + static SECStatus ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext, unsigned int blockSize, @@ -13086,22 +13106,54 @@ /* scanStart contains the number of bytes that we can ignore because * the MAC's position can only vary by 255 bytes. */ unsigned scanStart = 0; - unsigned i, j, divSpoiler; + unsigned i, j; unsigned char rotateOffset; - if (originalLength > macSize + 255 + 1) + if (originalLength > macSize + 255 + 1) { scanStart = originalLength - (macSize + 255 + 1); + } - /* divSpoiler contains a multiple of macSize that is used to cause the - * modulo operation to be constant time. Without this, the time varies - * based on the amount of padding when running on Intel chips at least. - * - * The aim of right-shifting macSize is so that the compiler doesn't - * figure out that it can remove divSpoiler as that would require it - * to prove that macSize is always even, which I hope is beyond it. */ - divSpoiler = macSize >> 1; - divSpoiler <<= (sizeof(divSpoiler) - 1) * 8; - rotateOffset = (divSpoiler + macStart - scanStart) % macSize; + /* We want to compute + * rotateOffset = (macStart - scanStart) % macSize + * But the time to compute this varies based on the amount of padding. Thus + * we explicitely handle all mac sizes with (hopefully) constant time modulo + * using Barrett reduction: + * q := (rotateOffset * m) >> k + * rotateOffset -= q * n + * if (n <= rotateOffset) rotateOffset -= n + */ + rotateOffset = macStart - scanStart; + /* rotateOffset < 255 + 1 + 48 = 304 */ + if (macSize == 16) { + rotateOffset &= 15; + } else if (macSize == 20) { + /* + * Correctness: rotateOffset * ( 1/20 - 25/2^9 ) < 1 + * with rotateOffset <= 853 + */ + unsigned q = (rotateOffset * 25) >> 9; /* m = 25, k = 9 */ + rotateOffset -= q * 20; + rotateOffset -= ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, 20), + 20, 0); + } else if (macSize == 32) { + rotateOffset &= 31; + } else if (macSize == 48) { + /* + * Correctness: rotateOffset * ( 1/48 - 10/2^9 ) < 1 + * with rotateOffset < 768 + */ + unsigned q = (rotateOffset * 10) >> 9; /* m = 25, k = 9 */ + rotateOffset -= q * 48; + rotateOffset -= ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, 48), + 48, 0); + } else { + /* + * SHA384 (macSize == 48) is the largest we support. We should never + * get here. + */ + PORT_Assert(0); + rotateOffset = rotateOffset % macSize; + } memset(rotatedMac, 0, macSize); for (i = scanStart; i < originalLength;) { @@ -13117,12 +13169,16 @@ /* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line * we could line-align |rotatedMac| and rotate in place. */ memset(out, 0, macSize); + rotateOffset = macSize - rotateOffset; + rotateOffset = ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, macSize), + 0, rotateOffset); for (i = 0; i < macSize; i++) { - unsigned char offset = - (divSpoiler + macSize - rotateOffset + i) % macSize; for (j = 0; j < macSize; j++) { - out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, offset); + out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, rotateOffset); } + rotateOffset++; + rotateOffset = ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, macSize), + 0, rotateOffset); } } diff -Nru nss-3.26/nss/lib/util/nssutil.h nss-3.26.2/nss/lib/util/nssutil.h --- nss-3.26/nss/lib/util/nssutil.h 2016-08-05 11:43:39.000000000 -0400 +++ nss-3.26.2/nss/lib/util/nssutil.h 2016-10-10 10:54:09.000000000 -0400 @@ -19,10 +19,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]" */ -#define NSSUTIL_VERSION "3.26" +#define NSSUTIL_VERSION "3.26.2" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 26 -#define NSSUTIL_VPATCH 0 +#define NSSUTIL_VPATCH 2 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE Les fichiers binaires /tmp/KBRYTjaHxN/nss-3.26/nss/tests/libpkix/certs/PayPalEE.cert et /tmp/Ua8lsn8jAs/nss-3.26.2/nss/tests/libpkix/certs/PayPalEE.cert sont différents Les fichiers binaires /tmp/KBRYTjaHxN/nss-3.26/nss/tests/libpkix/certs/PayPalICA.cert et /tmp/Ua8lsn8jAs/nss-3.26.2/nss/tests/libpkix/certs/PayPalICA.cert sont différents Les fichiers binaires /tmp/KBRYTjaHxN/nss-3.26/nss/tests/libpkix/certs/PayPalRootCA.cert et /tmp/Ua8lsn8jAs/nss-3.26.2/nss/tests/libpkix/certs/PayPalRootCA.cert sont différents
I have uploaded a new package, built on AMD64, here: https://people.debian.org/~anarcat/debian/wheezy-lts/ ... which should have the proper patches. Make sure that `customize-gcc.patch` is present in order for arm builds to work. Cheers, A.
