Hello community,

here is the log from the commit of package mozilla-nss for openSUSE:Factory 
checked in at 2016-06-12 18:51:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old)
 and      /work/SRC/openSUSE:Factory/.mozilla-nss.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mozilla-nss"

Changes:
--------
--- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes  2016-05-31 
12:10:07.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.mozilla-nss.new/mozilla-nss.changes     
2016-06-12 18:51:20.000000000 +0200
@@ -1,0 +2,46 @@
+Thu May 26 05:59:03 UTC 2016 - [email protected]
+
+- update to NSS 3.23
+  New functionality:
+  * ChaCha20/Poly1305 cipher and TLS cipher suites now supported
+  * Experimental-only support TLS 1.3 1-RTT mode (draft-11).
+    This code is not ready for production use.
+  New functions:
+  * SSL_SetDowngradeCheckVersion - Set maximum version for new
+    ServerRandom anti-downgrade mechanism. Clients that perform a
+    version downgrade (which is generally a very bad idea) call this
+    with the highest version number that they possibly support.
+    This gives them access to the version downgrade protection from
+    TLS 1.3.
+  Notable changes:
+  * The copy of SQLite shipped with NSS has been updated to version
+    3.10.2
+  * The list of TLS extensions sent in the TLS handshake has been
+    reordered to increase compatibility of the Extended Master Secret
+    with with servers
+  * The build time environment variable NSS_ENABLE_ZLIB has been
+    renamed to NSS_SSL_ENABLE_ZLIB
+  * The build time environment variable NSS_DISABLE_CHACHAPOLY was
+    added, which can be used to prevent compilation of the
+    ChaCha20/Poly1305 code.
+  * The following CA certificates were Removed
+    - Staat der Nederlanden Root CA
+    - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
+    - NetLock Kozjegyzoi (Class A) Tanusitvanykiado
+    - NetLock Uzleti (Class B) Tanusitvanykiado
+    - NetLock Expressz (Class C) Tanusitvanykiado
+    - VeriSign Class 1 Public PCA – G2
+    - VeriSign Class 3 Public PCA
+    - VeriSign Class 3 Public PCA – G2
+    - CA Disig
+  * The following CA certificates were Added
+    + SZAFIR ROOT CA2
+    + Certum Trusted Network CA 2
+  * The following CA certificate had the Email trust bit turned on
+    + Actalis Authentication Root CA
+  Security fixes:
+  * CVE-2016-2834: Memory safety bugs (boo#983639)
+    MFSA-2016-61 bmo#1206283 bmo#1221620 bmo#1241034 bmo#1241037
+- removed obsolete nss_gcc6_change.patch
+
+-------------------------------------------------------------------
@@ -13,0 +60,5 @@
+  * Fixed a heap-based buffer overflow related to the parsing of
+    certain ASN.1 structures. An attacker could create a specially-crafted
+    certificate which, when parsed by NSS, would cause a crash or
+    execution of arbitrary code with the permissions of the user.
+    (CVE-2016-1950, bmo#1245528)

Old:
----
  nss-3.22.3.tar.gz
  nss_gcc6_change.patch

New:
----
  nss-3.23.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mozilla-nss.spec ++++++
--- /var/tmp/diff_new_pack.L4xRhd/_old  2016-06-12 18:51:21.000000000 +0200
+++ /var/tmp/diff_new_pack.L4xRhd/_new  2016-06-12 18:51:21.000000000 +0200
@@ -2,7 +2,7 @@
 # spec file for package mozilla-nss
 #
 # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
-# Copyright (c) 2006-2015 Wolfgang Rosenauer
+# Copyright (c) 2006-2016 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,7 +25,7 @@
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.22.3
+Version:        3.23
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_3_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.22.3/nss ; cd 
nss-3.22.3/nss ; hg up NSS_3_22_3_RTM
+Source:         
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.23/nss ; cd nss-3.23/nss 
; hg up NSS_3_23_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -57,7 +57,6 @@
 Patch7:         nss-disable-ocsp-test.patch
 Patch8:         nss-sqlitename.patch
 Patch9:         nss-bmo1236011.patch
-Patch10:        nss_gcc6_change.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@@ -179,7 +178,6 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
-%patch10 -p1
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt



++++++ nss-3.22.3.tar.gz -> nss-3.23.tar.gz ++++++
/work/SRC/openSUSE:Factory/mozilla-nss/nss-3.22.3.tar.gz 
/work/SRC/openSUSE:Factory/.mozilla-nss.new/nss-3.23.tar.gz differ: char 5, 
line 1

++++++ renegotiate-transitional.patch ++++++
--- /var/tmp/diff_new_pack.L4xRhd/_old  2016-06-12 18:51:22.000000000 +0200
+++ /var/tmp/diff_new_pack.L4xRhd/_new  2016-06-12 18:51:22.000000000 +0200
@@ -1,13 +1,22 @@
 diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
-index e6b2387..87fbe1d 100644
 --- a/lib/ssl/sslsock.c
 +++ b/lib/ssl/sslsock.c
-@@ -74,7 +74,7 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,   /* noLocks            */
-     PR_FALSE,   /* enableSessionTickets */
-     PR_FALSE,   /* enableDeflate      */
--    2,          /* enableRenegotiation (default: requires extension) */
-+    3,          /* enableRenegotiation (default: requires extension) */
-     PR_FALSE,   /* requireSafeNegotiation */
-     PR_FALSE,   /* enableFalseStart   */
-     PR_TRUE,    /* cbcRandomIV        */
+@@ -72,17 +72,17 @@ static sslOptions ssl_defaults = {
+     PR_FALSE,
+     /* v2CompatibleHello  */ /* now defaults to off in NSS 3.13 */
+     PR_TRUE,                 /* detectRollBack     */
+     PR_FALSE,                /* noStepDown         */
+     PR_FALSE,                /* bypassPKCS11       */
+     PR_FALSE,                /* noLocks            */
+     PR_FALSE,                /* enableSessionTickets */
+     PR_FALSE,                /* enableDeflate      */
+-    2,                       /* enableRenegotiation (default: requires 
extension) */
++    3,                       /* enableRenegotiation (default: requires 
extension) */
+     PR_FALSE,                /* requireSafeNegotiation */
+     PR_FALSE,                /* enableFalseStart   */
+     PR_TRUE,                 /* cbcRandomIV        */
+     PR_FALSE,                /* enableOCSPStapling */
+     PR_TRUE,                 /* enableNPN          */
+     PR_FALSE,                /* enableALPN         */
+     PR_TRUE,                 /* reuseServerECDHEKey */
+     PR_FALSE,                /* enableFallbackSCSV */
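Review bot: The refreshed inner patch sets `enableRenegotiation` to `3` but keeps the upstream comment `(default: requires extension)`, which describes the value being replaced. As I read NSS's ssl.h, 2 is `SSL_RENEGOTIATE_REQUIRES_XTN` and 3 is `SSL_RENEGOTIATE_TRANSITIONAL`, which matches the patch's file name. The added line would be clearer as `SSL_RENEGOTIATE_TRANSITIONAL, /* enableRenegotiation (distro default: transitional) */`. Transitional mode lets client sockets keep renegotiating with servers that do not send the RFC 5746 extension, so this default is weaker than upstream's, and the patch header or the .changes entry should say why it is still carried. The `ssl_defaults` initializer starts and ends outside this hunk, so the positional match of the remaining fields against NSS 3.23's `sslOptions` cannot be checked from here.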

