Hello community,

here is the log from the commit of package mozilla-nss for openSUSE:Factory 
checked in at 2017-04-18 13:47:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old)
 and      /work/SRC/openSUSE:Factory/.mozilla-nss.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mozilla-nss"

Tue Apr 18 13:47:28 2017 rev:125 rq:487715 version:3.29.5

Changes:
--------
--- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes  2017-03-31 
15:02:08.466699226 +0200
+++ /work/SRC/openSUSE:Factory/.mozilla-nss.new/mozilla-nss.changes     
2017-04-18 13:47:29.879100604 +0200
@@ -1,0 +2,10 @@
+Wed Apr 12 21:21:38 UTC 2017 - [email protected]
+
+- update to NSS 3.29.5
+  * Rare crashes in the base 64 decoder and encoder were fixed.
+    (bmo#1344380)
+  * A carry over bug in the RNG was fixed. (bmo#1345089)
+- Allow use of session tickets when there is no ticket wrapping key
+  (boo#1015499, bmo#1320695) (nss-bmo1320695.patch)
+
+-------------------------------------------------------------------

Old:
----
  nss-3.29.3.tar.gz

New:
----
  nss-3.29.5.tar.gz
  nss-bmo1320695.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mozilla-nss.spec ++++++
--- /var/tmp/diff_new_pack.gte7Bd/_old  2017-04-18 13:47:31.714840777 +0200
+++ /var/tmp/diff_new_pack.gte7Bd/_new  2017-04-18 13:47:31.718840210 +0200
@@ -25,7 +25,7 @@
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.29.3
+Version:        3.29.5
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_3_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.29.3/nss ; cd 
nss-3.29.3/nss ; hg up NSS_3_29_3_RTM
+Source:         
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_5_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.29.5/nss ; cd 
nss-3.29.5/nss ; hg up NSS_3_29_5_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -51,12 +51,13 @@
 Source99:       %{name}.changes
 Patch1:         nss-opt.patch
 Patch2:         system-nspr.patch
-Patch4:         nss-no-rpath.patch
-Patch5:         renegotiate-transitional.patch
-Patch6:         malloc.patch
-Patch7:         nss-disable-ocsp-test.patch
-Patch8:         nss-sqlitename.patch
-Patch9:         nss-fix-hash.patch
+Patch3:         nss-no-rpath.patch
+Patch4:         renegotiate-transitional.patch
+Patch5:         malloc.patch
+Patch6:         nss-disable-ocsp-test.patch
+Patch7:         nss-sqlitename.patch
+Patch8:         nss-fix-hash.patch
+Patch9:         nss-bmo1320695.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@@ -170,11 +171,12 @@
 cd nss
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %patch4 -p1
-%patch5 -p1
 %if %suse_version > 1110
-%patch6 -p1
+%patch5 -p1
 %endif
+%patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1



++++++ nss-3.29.3.tar.gz -> nss-3.29.5.tar.gz ++++++
/work/SRC/openSUSE:Factory/mozilla-nss/nss-3.29.3.tar.gz 
/work/SRC/openSUSE:Factory/.mozilla-nss.new/nss-3.29.5.tar.gz differ: char 5, 
line 1

++++++ nss-bmo1320695.patch ++++++
# HG changeset patch
# User Daiki Ueno <[email protected]>
# Date 1481108447 -3600
#      Wed Dec 07 12:00:47 2016 +0100
# Branch wip/dueno/ec-session-ticket
# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73
# Parent  5796201e791e6cbffc3615cb0c894cf1b0fc09a1
Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA 
ciphersuite renders selfserv unusable

When a session ticket is used and the wrapping key pair (for caching
generated keys on the server side) is not available, disable caching
instead of returning an error.

diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat
     sslSocket *ss = (sslSocket *)data;
     sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
     const sslServerCert *sc;
-    SECKEYPrivateKey *svrPrivKey;
-    SECKEYPublicKey *svrPubKey;
+    SECKEYPrivateKey *svrPrivKey = NULL;
+    SECKEYPublicKey *svrPubKey = NULL;
 
     sc = ssl_FindServerCert(ss, &certType);
     if (!sc || !sc->serverKeyPair) {
         SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
                  SSL_GETPID(), ss->fd));
-        goto loser;
-    }
-    svrPrivKey = sc->serverKeyPair->privKey;
-    svrPubKey = sc->serverKeyPair->pubKey;
-    if (svrPrivKey == NULL || svrPubKey == NULL) {
-        SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
-                 SSL_GETPID(), ss->fd));
-        goto loser;
+    } else {
+        svrPrivKey = sc->serverKeyPair->privKey;
+        svrPubKey = sc->serverKeyPair->pubKey;
+        if (svrPrivKey == NULL || svrPubKey == NULL) {
+            SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+                     SSL_GETPID(), ss->fd));
+            svrPrivKey = NULL;
+            svrPubKey = NULL;
+        }
     }
 
     /* Get a copy of the session keys from shared memory. */
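Review bot: The missing-key case in ssl3_GenerateSessionTicketKeys is now reported only through SSL_DBG, so a server without an ssl_auth_rsa_decrypt key pair falls back to uncached ticket keys with no trace in a normal build. Assuming the call after this hunk passes svrPrivKey/svrPubKey on to ssl_GetSessionTicketKeys, each server process would presumably generate its own ticket keys, and a ticket issued by one worker would not be accepted by another. I would state that intent at the new `else` branch, e.g. `/* No usable RSA wrapping pair: leave both keys NULL so the ticket keys are generated without being cached. */`. The inner reset should also say why both pointers are cleared when only one is NULL, e.g. `/* Treat a half-populated pair as absent. */`. The function body continues outside the hunk.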
diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
--- a/lib/ssl/sslsnce.c
+++ b/lib/ssl/sslsnce.c
@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe
     PRBool keysGenerated = PR_FALSE;
     cacheDesc *cache = &globalCache;
 
-    if (!cache->cacheMem) {
-        /* cache is uninitialized. Generate keys and return them
-         * without caching. */
+    if (!cache->cacheMem || !svrPrivKey || !svrPubKey) {
+        /* Generated keys cannot be cached, because:
+         * - the cache is not initialized, or
+         * - key pairs to wrap them are not available
+         * Generate keys and return them without caching. */
         return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
     }
 
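Review bot: ssl_GetSessionTicketKeys now accepts NULL for svrPrivKey and svrPubKey, but this contract change is recorded only in the in-body comment at the new `if`. Callers read the function's header comment, which lies outside this hunk, so the new meaning should be stated there as well, e.g. `/* svrPrivKey and svrPubKey may be NULL; the ticket keys are then generated and returned without being stored in the server cache. */`. Because the two conditions are merged into one test, nothing at this point distinguishes "cache not initialized" from "no wrapping key pair". A debug message naming the reason would make a misconfigured server easier to diagnose.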
