Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2018-03-11 15:25:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_nss"

Sun Mar 11 15:25:26 2018 rev:28 rq:585105 version:1.0.15

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2017-12-29 18:51:14.107286468 +0100
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes     
2018-03-11 15:25:33.850541809 +0100
@@ -1,0 +2,42 @@
+Thu Mar  8 13:15:32 UTC 2018 - vci...@suse.com
+
+- Since the update to NSS 3.35, the default NSS certificate
+  database format changed from Berkley DB to SQLite
+- use %license tag
+
+-------------------------------------------------------------------
+Wed Mar  7 16:35:56 UTC 2018 - vci...@suse.com
+
+- Update to 1.0.15
+  * Try to auto-detect the NSS database format if not specified
+  * Update nss_pcache.8 man page to drop directory and prefix
+  * When a token is configured in password file only authenticate once
+  * Return an error when NSSPassPhraseDialog is invalid
+  * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+
+  * Add -Werror=implicit-function-declaration to CFLAGS
+  * Handle group membership when testing for file permissions
+  * NSS system-wide policy now disables SSLv3, don't use it in tests
+  * Add missing error messages for libssl errors
+  * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name
+  * When including additional test config use specific extension
+  * Fix the TLS Session ID cache
+  * Make an invalid protocol setting fatal
+  * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init()
+  * Add info log message when FIPS is enabled
+      * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types
+  * Fix removal of CR from PEM certificates
+  * Add OCSP caching and timeout tuning knobs
+  * Check the NSS database directory permissions as well as the files
+    inside it for read access on startup.
+  * Add in simple aliases for ciphers to fix those that
+    don't follow the pattern (dhe_rsa_aes_128_sha256,
+    dhe_rsa_aes_256_sha256) and those with typos
+    (camelia_128_sha, camelia_256_sha)
+  * Fix semaphore leak
+  * Don't set remote user in fixup hook
+  * Drop SSLv2 tests because it is completely disabled now
+- drop 0001-Handle-group-membership-when-testing-for-file-permis.patch
+  (upstream)
+- add 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
+
+-------------------------------------------------------------------

Old:
----
  0001-Handle-group-membership-when-testing-for-file-permis.patch
  mod_nss-1.0.14.tar.gz

New:
----
  0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
  mod_nss-1.0.15.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_nss.spec ++++++
--- /var/tmp/diff_new_pack.uLN65b/_old  2018-03-11 15:25:34.650513110 +0100
+++ /var/tmp/diff_new_pack.uLN65b/_new  2018-03-11 15:25:34.658512824 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_nss
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,7 +25,7 @@
 %define    apache_mmn        %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN 
&& $MMN)
 %define    apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d
 Name:           apache2-mod_nss
-Version:        1.0.14
+Version:        1.0.15
 Release:        0
 Summary:        SSL/TLS module for the Apache HTTP server
 License:        Apache-2.0
@@ -38,8 +38,8 @@
 Source5:        vhost-nss.template
 Patch1:         mod_nss-migrate.patch
 Patch2:         mod_nss-gencert-correct-ownership.patch
-Patch3:         0001-Handle-group-membership-when-testing-for-file-permis.patch
 Patch4:         mod_nss-gencert_use_ss_instead_of_netstat.patch
+Patch5:         0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch
 BuildRequires:  apache-rpm-macros
 BuildRequires:  apache2-devel >= 2.2.12
 BuildRequires:  apr-devel
@@ -51,7 +51,6 @@
 BuildRequires:  flex
 BuildRequires:  gcc-c++
 BuildRequires:  iproute2
-BuildRequires:  iproute2
 BuildRequires:  libtool
 BuildRequires:  mozilla-nspr-devel >= 4.6.3
 BuildRequires:  mozilla-nss-devel >= 3.25
@@ -62,7 +61,6 @@
 Requires:       apache2 >= 2.2.12
 Requires:       findutils
 Requires:       iproute2
-Requires:       iproute2
 Requires:       mozilla-nss >= 3.25
 Requires(post): mozilla-nss-tools
 Provides:       mod_nss
@@ -77,8 +75,8 @@
 %setup -q -n mod_nss-%{version}
 %patch1 -p1
 %patch2 -p1
-%patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]
@@ -132,9 +130,15 @@
 install -m 755 migrate.pl %{buildroot}%{_sbindir}/mod_nss_migrate.pl
 
 #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so 
$RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/
+%if 0%{?suse_version} < 1330
 touch %{buildroot}%{apache_sysconf_nssdir}/secmod.db
 touch %{buildroot}%{apache_sysconf_nssdir}/cert8.db
 touch %{buildroot}%{apache_sysconf_nssdir}/key3.db
+%else
+touch %{buildroot}%{apache_sysconf_nssdir}/pkcs11.txt
+touch %{buildroot}%{apache_sysconf_nssdir}/cert9.db
+touch %{buildroot}%{apache_sysconf_nssdir}/key4.db
+%endif
 touch %{buildroot}%{apache_sysconf_nssdir}/install.log
 perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert
 
@@ -195,7 +199,9 @@
 
 %post
 umask 077
-if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then
+# generate a self-signed certificate if there isn't either
+# key3.db (old DBM format) or key4.db (new SQLite format)
+if [ ! -e %{apache_sysconf_nssdir}/key3.db -a ! -e 
%{apache_sysconf_nssdir}/key4.db ]; then
     %{_sbindir}/gencert %{apache_sysconf_nssdir} > 
%{apache_sysconf_nssdir}/install.log 2>&1
     echo ""
     echo "%{name} certificate database generated."
@@ -206,16 +212,23 @@
 find %{apache_sysconf_nssdir} -user root -name "*.db" ! -type l -exec 
/bin/chmod 640 {} +
 
 %files
-%doc README LICENSE docs/mod_nss.html README-SUSE.txt
+%license LICENSE
+%doc README docs/mod_nss.html README-SUSE.txt
 %config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf
 %config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template
 %config(noreplace) %{apache_sysconfdir}/listen_nss.conf
 %dir %{apache_libexecdir}
 %{apache_libexecdir}/mod_nss.so
 %dir %{apache_sysconf_nssdir}/
+%if 0%{?suse_version} < 1330
 %ghost %attr(0640,root,www) %config(noreplace) 
%{apache_sysconf_nssdir}/secmod.db
 %ghost %attr(0640,root,www) %config(noreplace) 
%{apache_sysconf_nssdir}/cert8.db
 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db
+%else
+%ghost %attr(0640,root,www) %config(noreplace) 
%{apache_sysconf_nssdir}/pkcs11.txt
+%ghost %attr(0640,root,www) %config(noreplace) 
%{apache_sysconf_nssdir}/cert9.db
+%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key4.db
+%endif
 %ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log
 %{_sbindir}/nss_pcache
 %{_sbindir}/gencert

++++++ 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch ++++++
>From 6d1f6dd0c2b2cd80559b61779254e1b3d39aa5cd Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Fri, 19 Jan 2018 15:36:40 -0500
Subject: [PATCH] Fix up some broken cipher strings from a bad merge

---
 nss_engine_cipher.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c
index b78e32c..3eda72a 100644
--- a/nss_engine_cipher.c
+++ b/nss_engine_cipher.c
@@ -59,7 +59,7 @@ cipher_properties ciphers_def[] =
     {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "FIPS-DES-CBC3-SHA", 
SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_MEDIUM, 112, 168, NULL},
     {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, "FIPS-DES-CBC-SHA", 
SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56, NULL},
 #ifdef ENABLE_SERVER_DHE
-    {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
"EDH-RSA-DES-CBC3-SHA", SSL_kDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 
112, 168, NULL},
+    {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
"DHE-RSA-DES-CBC3-SHA", SSL_kDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 
112, 168, NULL},
     {"dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 
"DHE-RSA-AES128-SHA", SSL_kDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 
128, 128, NULL},
     {"dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 
"DHE-RSA-AES256-SHA", SSL_kDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 
256, 256, NULL},
     {"dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 
"DHE-RSA-CAMELLIA128-SHA", SSL_kDHE|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLSV1, 
SSL_HIGH, 128, 128, NULL},
@@ -74,21 +74,21 @@ cipher_properties ciphers_def[] =
 #endif
 #endif /* ENABLE_SERVER_DHE */
 #ifdef NSS_ENABLE_ECC
-    {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 
"ECDH-ECDSA-NULL-SHA", SSL_kECDHe|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, 
SSL_STRONG_NONE, 0, 0, NULL},
-    {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 
"ECDH-ECDSA-RC4-SHA", SSL_kECDHe|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 
128, 128, NULL},
-    {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 
"ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHe|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, 
SSL_MEDIUM, 112, 168, NULL},
-    {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
"ECDH-ECDSA-AES128-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, 
SSL_HIGH, 128, 128, NULL},
-    {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 
"ECDH-ECDSA-AES256-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, 
SSL_HIGH, 256, 256, NULL},
+    {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, 
"ECDH-ECDSA-NULL-SHA", SSL_kECDHE|SSL_AECDH|SSL_eNULL|SSL_SHA1, TLSV1, 
SSL_STRONG_NONE, 0, 0, NULL},
+    {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, 
"ECDH-ECDSA-RC4-SHA", SSL_kECDHE|SSL_AECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 
128, 128, NULL},
+    {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, 
"ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHE|SSL_AECDH|SSL_3DES|SSL_SHA1, TLSV1, 
SSL_MEDIUM, 112, 168, NULL},
+    {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
"ECDH-ECDSA-AES128-SHA", SSL_kECDHE|SSL_AECDH|SSL_AES128|SSL_SHA1, TLSV1, 
SSL_HIGH, 128, 128, NULL},
+    {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 
"ECDH-ECDSA-AES256-SHA", SSL_kECDHE|SSL_AECDH|SSL_AES256|SSL_SHA1, TLSV1, 
SSL_HIGH, 256, 256, NULL},
     {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, 
"ECDHE-ECDSA-NULL-SHA", SSL_kEECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLSV1, 
SSL_STRONG_NONE, 0, 0, NULL},
     {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 
"ECDHE-ECDSA-RC4-SHA", SSL_kEECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLSV1, 
SSL_MEDIUM, 128, 128, NULL},
     {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, 
"ECDHE-ECDSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLSV1, 
SSL_MEDIUM, 112, 168, NULL},
     {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 
"ECDHE-ECDSA-AES128-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLSV1, 
SSL_HIGH, 128, 128, NULL},
     {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 
"ECDHE-ECDSA-AES256-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLSV1, 
SSL_HIGH, 256, 256, NULL},
-    {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", 
SSL_kECDHr|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
-    {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", 
SSL_kECDHr|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
-    {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 
"ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, 
SSL_MEDIUM, 112, 168, NULL},
-    {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 
"ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, 
SSL_HIGH, 128, 128, NULL},
-    {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 
"ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, 
SSL_HIGH, 256, 256, NULL},
+    {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", 
SSL_kECDHr|SSL_AECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
+    {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", 
SSL_kECDHr|SSL_AECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL},
+    {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, 
"ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_AECDH|SSL_3DES|SSL_SHA1, TLSV1, 
SSL_MEDIUM, 112, 168, NULL},
+    {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 
"ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_AECDH|SSL_AES128|SSL_SHA1, TLSV1, 
SSL_HIGH, 128, 128, NULL},
+    {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 
"ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_AECDH|SSL_AES256|SSL_SHA1, TLSV1, 
SSL_HIGH, 256, 256, NULL},
     {"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, "ECDHE-RSA-NULL-SHA", 
SSL_kEECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL},
     {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, 
"ECDHE-RSA-RC4-SHA", SSL_kEECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 
128, 128, NULL},
     {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 
"ECDHE-RSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, 
SSL_MEDIUM, 112, 168, NULL},
-- 
2.16.2

++++++ mod_nss-1.0.14.tar.gz -> mod_nss-1.0.15.tar.gz ++++++
++++ 2056 lines of diff (skipped)

++++++ vhost-nss.template ++++++
--- /var/tmp/diff_new_pack.uLN65b/_old  2018-03-11 15:25:34.902504071 +0100
+++ /var/tmp/diff_new_pack.uLN65b/_new  2018-03-11 15:25:34.906503927 +0100
@@ -49,7 +49,7 @@
 
 #   Server Certificate Database:
 #   The NSS security database directory that holds the certificates and
-#   keys. The database consists of 3 files: cert8.db, key3.db and secmod.db.
+#   keys. The database consists of 3 files: cert9.db, key4.db and secmod.db.
 #   Provide the directory that these files exist.
 NSSCertificateDatabase /etc/apache2/mod_nss.d
 


Reply via email to