Hello community,

here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2016-08-12 15:33:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old)
 and      /work/SRC/openSUSE:Factory/.mozilla-nss.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss" Changes: -------- --- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2016-06-12 18:51:20.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.mozilla-nss.new/mozilla-nss.changes 2016-08-12 15:33:39.000000000 +0200 
@@ -1,0 +2,93 @@ +Thu Aug 4 20:28:32 UTC 2016 - w...@rosenauer.org + +- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236) + +------------------------------------------------------------------- +Sat Jul 30 08:53:02 UTC 2016 - w...@rosenauer.org + +- update to NSS 3.24 + New functionality: + * NSS softoken has been updated with the latest National Institute + of Standards and Technology (NIST) guidance (as of 2015): + - Software integrity checks and POST functions are executed on + shared library load. These checks have been disabled by default, + as they can cause a performance regression. To enable these + checks, you must define symbol NSS_FORCE_FIPS when building NSS. + - Counter mode and Galois/Counter Mode (GCM) have checks to + prevent counter overflow. + - Additional CSPs are zeroed in the code. + - NSS softoken uses new guidance for how many Rabin-Miller tests + are needed to verify a prime based on prime size. + * NSS softoken has also been updated to allow NSS to run in FIPS + Level 1 (no password). This mode is triggered by setting the + database password to the empty string. In FIPS mode, you may move + from Level 1 to Level 2 (by setting an appropriate password), + but not the reverse. + * A SSL_ConfigServerCert function has been added for configuring + SSL/TLS server sockets with a certificate and private key. Use + this new function in place of SSL_ConfigSecureServer, + SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, + and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically + determines the certificate type from the certificate and private key. + The caller is no longer required to use SSLKEAType explicitly to + select a "slot" into which the certificate is configured (which + incorrectly identifies a key agreement type rather than a certificate). 
+ Separate functions for configuring Online Certificate Status Protocol + (OCSP) responses or Signed Certificate Timestamps are not needed, + since these can be added to the optional SSLExtraServerCertData struct + provided to SSL_ConfigServerCert. Also, partial support for RSA + Probabilistic Signature Scheme (RSA-PSS) certificates has been added. + Although these certificates can be configured, they will not be + used by NSS in this version. + New functions + * SSL_ConfigServerCert - Configures an SSL/TLS socket with a + certificate, private key, and other information. + * PORT_InitCheapArena - Initializes an arena that was created on + the stack. (See PORTCheapArenaPool.= + * PORT_DestroyCheapArena - Destroys an arena that was created on + the stack. (See PORTCheapArenaPool.) + New types + * SSLExtraServerCertData - Optionally passed as an argument to + SSL_ConfigServerCert. This struct contains supplementary information + about a certificate, such as the intended type of the certificate, + stapled OCSP responses, or Signed Certificate Timestamps (used for + certificate transparency). + * PORTCheapArenaPool - A stack-allocated arena pool, to be used for + temporary arena allocations. + New macros + * CKM_TLS12_MAC + * SEC_OID_TLS_ECDHE_PSK - This OID governs the use of the + TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is used + only for session resumption in TLS 1.3. + Notable changes: + * Deprecate the following functions. (Applications should instead use the new + SSL_ConfigServerCert function.): + - SSL_SetStapledOCSPResponses + - SSL_SetSignedCertTimestamps + - SSL_ConfigSecureServer + - SSL_ConfigSecureServerWithCertChain + * Deprecate the NSS_FindCertKEAType function, as it reports a misleading + value for certificates that might be used for signing rather than + key exchange. + * Update SSLAuthType to define a larger number of authentication key types. + * Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo. 
+ Instead, applications should use the newly added attribute authType. + * Rename ssl_auth_rsa to ssl_auth_rsa_decrypt. + * Add a shared library (libfreeblpriv3) on Linux platforms that + define FREEBL_LOWHASH. + * Remove most code related to SSL v2, including the ability to actively + send a SSLv2-compatible client hello. However, the server-side + implementation of the SSL/TLS protocol still supports processing + of received v2-compatible client hello messages. + * Disable (by default) NSS support in optimized builds for logging SSL/TLS + key material to a logfile if the SSLKEYLOGFILE environment variable + is set. To enable the functionality in optimized builds, you must define + the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS. + * Update NSS to protect it against the Cachebleed attack. + * Disable support for DTLS compression. + * Improve support for TLS 1.3. This includes support for DTLS 1.3. + Note that TLS 1.3 support is experimental and not suitable for + production use. +- removed obsolete nss-bmo1236011.patch + +------------------------------------------------------------------- Old: ---- nss-3.23.tar.gz nss-bmo1236011.patch New: ---- nss-3.24.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ --- /var/tmp/diff_new_pack.e3yRHg/_old 2016-08-12 15:33:40.000000000 +0200 +++ /var/tmp/diff_new_pack.e3yRHg/_new 2016-08-12 15:33:40.000000000 +0200 @@ -25,7 +25,7 @@ BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.23 +Version: 3.24 Release: 0 # bug437293 %ifarch ppc64 
@@ -36,8 +36,8 @@ License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ -Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/nss-%{version}.tar.gz -# hg clone https://hg.mozilla.org/projects/nss nss-3.23/nss ; cd nss-3.23/nss ; hg up NSS_3_23_RTM +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss nss-3.24/nss ; cd nss-3.24/nss ; hg up NSS_3_24_RTM #Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in @@ -56,7 +56,6 @@ Patch6: malloc.patch Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch -Patch9: nss-bmo1236011.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -177,7 +176,6 @@ %endif %patch7 -p1 %patch8 -p1 -%patch9 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt @@ -249,6 +247,8 @@ $RPM_BUILD_ROOT%{_libdir} cp -L lib/libfreebl3.so \ lib/libfreebl3.chk \ + lib/libfreeblpriv3.so \ + lib/libfreeblpriv3.chk \ $RPM_BUILD_ROOT/%{_lib} #cp -L lib/libnsssqlite3.so \ # $RPM_BUILD_ROOT%{_libdir} @@ -325,6 +325,7 @@ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \ + LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreeblpriv3.so \ %{nil} %post -p /sbin/ldconfig 
@@ -388,6 +389,8 @@ %defattr(-, root, root) /%{_lib}/libfreebl3.so /%{_lib}/libfreebl3.chk +/%{_lib}/libfreeblpriv3.so +/%{_lib}/libfreeblpriv3.chk %files -n libsoftokn3 %defattr(-, root, root) ++++++ nss-3.23.tar.gz -> nss-3.24.tar.gz ++++++ /work/SRC/openSUSE:Factory/mozilla-nss/nss-3.23.tar.gz /work/SRC/openSUSE:Factory/.mozilla-nss.new/nss-3.24.tar.gz differ: char 5, line 1
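Review bot: The mozilla-nss.changes hunk leaves the FIPS build configuration undocumented. The Aug 4 entry signs libfreeblpriv3.so "to allow FIPS mode again", while the 3.24 entry says the integrity checks and POST functions run on library load only when NSS_FORCE_FIPS is defined at build time. None of the visible mozilla-nss.spec hunks touches a build define, so the entry should say whether this package builds with NSS_FORCE_FIPS and which check the missing signature was breaking. In the same hunk, the PORT_InitCheapArena line ends with "(See PORTCheapArenaPool.=" where the PORT_DestroyCheapArena line has "(See PORTCheapArenaPool.)"; the "=" should be ")".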
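Review bot: In the mozilla-nss.spec hunks at -249, -325 and -388, libfreeblpriv3 has to be added by hand in three separate places (the cp -L list, the shlibsign -i chain and the libfreebl3 file list). This is the same hand-maintained set that boo#992236 shows drifting when upstream added a library. Consider driving the copy and the signing from one list of FIPS-checked libraries, so that a library that is shipped but not signed cannot pass the build. The -325 hunk also regenerates the .chk for the installed libfreeblpriv3.so after lib/libfreeblpriv3.chk was already copied from the build tree, and nothing visible verifies that the shipped .chk matches the final binary. A verification step over each signed library in the build would catch a stale or missing signature before release.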
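Review bot: The removal of Patch9 and %patch9 in the mozilla-nss.spec hunks at -56 and -177 is justified in the changelog only by "removed obsolete nss-bmo1236011.patch", which does not say why the patch is obsolete. State whether the fix is contained in NSS 3.24 or was dropped for another reason, so that a later reader can tell that the behaviour the patch provided is still present. The file is also listed under "Old:", so the statement is the only remaining record of it in the package.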