Hello community, here is the log from the commit of package apache2-mod_nss for openSUSE:Factory checked in at 2018-03-11 15:25:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2-mod_nss" Sun Mar 11 15:25:26 2018 rev:28 rq:585105 version:1.0.15 Changes: -------- --- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes 2017-12-29 18:51:14.107286468 +0100 +++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes 2018-03-11 15:25:33.850541809 +0100 @@ -1,0 +2,42 @@ +Thu Mar 8 13:15:32 UTC 2018 - [email protected] + +- Since the update to NSS 3.35, the default NSS certificate + database format changed from Berkley DB to SQLite +- use %license tag + +------------------------------------------------------------------- +Wed Mar 7 16:35:56 UTC 2018 - [email protected] + +- Update to 1.0.15 + * Try to auto-detect the NSS database format if not specified + * Update nss_pcache.8 man page to drop directory and prefix + * When a token is configured in password file only authenticate once + * Return an error when NSSPassPhraseDialog is invalid + * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+ + * Add -Werror=implicit-function-declaration to CFLAGS + * Handle group membership when testing for file permissions + * NSS system-wide policy now disables SSLv3, don't use it in tests + * Add missing error messages for libssl errors + * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name + * When including additional test config use specific extension + * Fix the TLS Session ID cache + * Make an invalid protocol setting fatal + * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init() + * Add info log message when FIPS is enabled + * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types + * Fix removal of CR from PEM certificates + * Add OCSP caching and timeout tuning knobs + * Check the NSS database directory permissions as well as the files + inside it for read access on startup. + * Add in simple aliases for ciphers to fix those that + don't follow the pattern (dhe_rsa_aes_128_sha256, + dhe_rsa_aes_256_sha256) and those with typos + (camelia_128_sha, camelia_256_sha) + * Fix semaphore leak + * Don't set remote user in fixup hook + * Drop SSLv2 tests because it is completely disabled now +- drop 0001-Handle-group-membership-when-testing-for-file-permis.patch + (upstream) +- add 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch + +------------------------------------------------------------------- Old: ---- 0001-Handle-group-membership-when-testing-for-file-permis.patch mod_nss-1.0.14.tar.gz New: ---- 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch mod_nss-1.0.15.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_nss.spec ++++++ --- /var/tmp/diff_new_pack.uLN65b/_old 2018-03-11 15:25:34.650513110 +0100 +++ /var/tmp/diff_new_pack.uLN65b/_new 2018-03-11 15:25:34.658512824 +0100 @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_nss # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,7 +25,7 @@ %define apache_mmn %(MMN=$(%{apxs} -q LIBEXECDIR)_MMN; test -x $MMN && $MMN) %define apache_sysconf_nssdir %{apache_sysconfdir}/mod_nss.d Name: apache2-mod_nss -Version: 1.0.14 +Version: 1.0.15 Release: 0 Summary: SSL/TLS module for the Apache HTTP server License: Apache-2.0 @@ -38,8 +38,8 @@ Source5: vhost-nss.template Patch1: mod_nss-migrate.patch Patch2: mod_nss-gencert-correct-ownership.patch -Patch3: 0001-Handle-group-membership-when-testing-for-file-permis.patch Patch4: mod_nss-gencert_use_ss_instead_of_netstat.patch +Patch5: 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch BuildRequires: apache-rpm-macros BuildRequires: apache2-devel >= 2.2.12 BuildRequires: apr-devel @@ -51,7 +51,6 @@ BuildRequires: flex BuildRequires: gcc-c++ BuildRequires: iproute2 -BuildRequires: iproute2 BuildRequires: libtool BuildRequires: mozilla-nspr-devel >= 4.6.3 BuildRequires: mozilla-nss-devel >= 3.25 @@ -62,7 +61,6 @@ Requires: apache2 >= 2.2.12 Requires: findutils Requires: iproute2 -Requires: iproute2 Requires: mozilla-nss >= 3.25 Requires(post): mozilla-nss-tools Provides: mod_nss @@ -77,8 +75,8 @@ %setup -q -n mod_nss-%{version} %patch1 -p1 %patch2 -p1 -%patch3 -p1 %patch4 -p1 +%patch5 -p1 # Touch expression parser sources to prevent regenerating it touch nss_expr_*.[chyl] @@ -132,9 +130,15 @@ install -m 755 migrate.pl %{buildroot}%{_sbindir}/mod_nss_migrate.pl #ln -s $RPM_BUILD_ROOT/%%{apache_libexecdir}/libnssckbi.so $RPM_BUILD_ROOT%%{apache_sysconf_nssdir}/ +%if 0%{?suse_version} < 1330 touch %{buildroot}%{apache_sysconf_nssdir}/secmod.db touch %{buildroot}%{apache_sysconf_nssdir}/cert8.db touch %{buildroot}%{apache_sysconf_nssdir}/key3.db +%else +touch %{buildroot}%{apache_sysconf_nssdir}/pkcs11.txt +touch %{buildroot}%{apache_sysconf_nssdir}/cert9.db +touch %{buildroot}%{apache_sysconf_nssdir}/key4.db +%endif touch %{buildroot}%{apache_sysconf_nssdir}/install.log perl -pi -e "s:$NSS_LIB_DIR:$NSS_BIN:" %{buildroot}%{_sbindir}/gencert @@ -195,7 +199,9 @@ %post umask 077 -if [ ! -e %{apache_sysconf_nssdir}/key3.db ]; then +# generate a self-signed certificate if there isn't either +# key3.db (old DBM format) or key4.db (new SQLite format) +if [ ! -e %{apache_sysconf_nssdir}/key3.db -a ! -e %{apache_sysconf_nssdir}/key4.db ]; then %{_sbindir}/gencert %{apache_sysconf_nssdir} > %{apache_sysconf_nssdir}/install.log 2>&1 echo "" echo "%{name} certificate database generated." @@ -206,16 +212,23 @@ find %{apache_sysconf_nssdir} -user root -name "*.db" ! -type l -exec /bin/chmod 640 {} + %files -%doc README LICENSE docs/mod_nss.html README-SUSE.txt +%license LICENSE +%doc README docs/mod_nss.html README-SUSE.txt %config(noreplace) %{apache_sysconfdir}/conf.d/mod_nss.conf %config(noreplace) %{apache_sysconfdir}/vhosts.d/vhost-nss.template %config(noreplace) %{apache_sysconfdir}/listen_nss.conf %dir %{apache_libexecdir} %{apache_libexecdir}/mod_nss.so %dir %{apache_sysconf_nssdir}/ +%if 0%{?suse_version} < 1330 %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/secmod.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert8.db %ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key3.db +%else +%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/pkcs11.txt +%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/cert9.db +%ghost %attr(0640,root,www) %config(noreplace) %{apache_sysconf_nssdir}/key4.db +%endif %ghost %config(noreplace) %{apache_sysconf_nssdir}/install.log %{_sbindir}/nss_pcache %{_sbindir}/gencert ++++++ 0001-Fix-up-some-broken-cipher-strings-from-a-bad-merge.patch ++++++ >From 6d1f6dd0c2b2cd80559b61779254e1b3d39aa5cd Mon Sep 17 00:00:00 2001 From: Rob Crittenden <[email protected]> Date: Fri, 19 Jan 2018 15:36:40 -0500 Subject: [PATCH] Fix up some broken cipher strings from a bad merge --- nss_engine_cipher.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/nss_engine_cipher.c b/nss_engine_cipher.c index b78e32c..3eda72a 100644 --- a/nss_engine_cipher.c +++ b/nss_engine_cipher.c @@ -59,7 +59,7 @@ cipher_properties ciphers_def[] = {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "FIPS-DES-CBC3-SHA", SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSLV3, SSL_MEDIUM, 112, 168, NULL}, {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, "FIPS-DES-CBC-SHA", SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSLV3, SSL_LOW, 56, 56, NULL}, #ifdef ENABLE_SERVER_DHE - {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "EDH-RSA-DES-CBC3-SHA", SSL_kDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL}, + {"dhe_rsa_3des_sha", TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "DHE-RSA-DES-CBC3-SHA", SSL_kDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL}, {"dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "DHE-RSA-AES128-SHA", SSL_kDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL}, {"dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, "DHE-RSA-AES256-SHA", SSL_kDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL}, {"dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, "DHE-RSA-CAMELLIA128-SHA", SSL_kDHE|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL}, @@ -74,21 +74,21 @@ cipher_properties ciphers_def[] = #endif #endif /* ENABLE_SERVER_DHE */ #ifdef NSS_ENABLE_ECC - {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, "ECDH-ECDSA-NULL-SHA", SSL_kECDHe|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL}, - {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "ECDH-ECDSA-RC4-SHA", SSL_kECDHe|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL}, - {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHe|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL}, - {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "ECDH-ECDSA-AES128-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL}, - {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "ECDH-ECDSA-AES256-SHA", SSL_kECDHe|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL}, + {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, "ECDH-ECDSA-NULL-SHA", SSL_kECDHE|SSL_AECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL}, + {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, "ECDH-ECDSA-RC4-SHA", SSL_kECDHE|SSL_AECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL}, + {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDH-ECDSA-DES-CBC3-SHA", SSL_kECDHE|SSL_AECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL}, + {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "ECDH-ECDSA-AES128-SHA", SSL_kECDHE|SSL_AECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL}, + {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "ECDH-ECDSA-AES256-SHA", SSL_kECDHE|SSL_AECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL}, {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, "ECDHE-ECDSA-NULL-SHA", SSL_kEECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL}, {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "ECDHE-ECDSA-RC4-SHA", SSL_kEECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL}, {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, "ECDHE-ECDSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL}, {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "ECDHE-ECDSA-AES128-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL}, {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "ECDHE-ECDSA-AES256-SHA", SSL_kEECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL}, - {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", SSL_kECDHr|SSL_aECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL}, - {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", SSL_kECDHr|SSL_aECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL}, - {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_aECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL}, - {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL}, - {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_aECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL}, + {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, "ECDH-RSA-NULL-SHA", SSL_kECDHr|SSL_AECDH|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL}, + {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, "ECDH-RSA-RC4-SHA", SSL_kECDHr|SSL_AECDH|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL}, + {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, "ECDH-RSA-DES-CBC3-SHA", SSL_kECDHr|SSL_AECDH|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL}, + {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "ECDH-RSA-AES128-SHA", SSL_kECDHr|SSL_AECDH|SSL_AES128|SSL_SHA1, TLSV1, SSL_HIGH, 128, 128, NULL}, + {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "ECDH-RSA-AES256-SHA", SSL_kECDHr|SSL_AECDH|SSL_AES256|SSL_SHA1, TLSV1, SSL_HIGH, 256, 256, NULL}, {"ecdhe_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, "ECDHE-RSA-NULL-SHA", SSL_kEECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLSV1, SSL_STRONG_NONE, 0, 0, NULL}, {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, "ECDHE-RSA-RC4-SHA", SSL_kEECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLSV1, SSL_MEDIUM, 128, 128, NULL}, {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "ECDHE-RSA-DES-CBC3-SHA", SSL_kEECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLSV1, SSL_MEDIUM, 112, 168, NULL}, -- 2.16.2 ++++++ mod_nss-1.0.14.tar.gz -> mod_nss-1.0.15.tar.gz ++++++ ++++ 2056 lines of diff (skipped) ++++++ vhost-nss.template ++++++ --- /var/tmp/diff_new_pack.uLN65b/_old 2018-03-11 15:25:34.902504071 +0100 +++ /var/tmp/diff_new_pack.uLN65b/_new 2018-03-11 15:25:34.906503927 +0100 @@ -49,7 +49,7 @@ # Server Certificate Database: # The NSS security database directory that holds the certificates and -# keys. The database consists of 3 files: cert8.db, key3.db and secmod.db. +# keys. The database consists of 3 files: cert9.db, key4.db and secmod.db. # Provide the directory that these files exist. NSSCertificateDatabase /etc/apache2/mod_nss.d
