From 0af1776a67ba12c1c0f0f82d922672f890970ba7 Mon Sep 17 00:00:00 2001
From: Bob Relyea
Date: Fri, 22 Jan 2021 16:45:23 +0000
Subject: [PATCH] Update to NSS 3.60.1
---
 .gitignore | 1 +
 nss-turn-off-expired-ocsp-cert.patch | 19 +++++++++++++++++++
 nss.spec | 8 ++++++--
 sources | 2 +-
 4 files changed, 27 insertions(+), 3 deletions(-)
 create mode 100644 nss-turn-off-expired-ocsp-cert.patch
diff --git a/.gitignore b/.gitignore
index cf54e0d..d08b965 100644
--- a/.gitignore
+++ b/.gitignore
@@ -56,3 +56,4 @@ TestUser51.cert
 /nss-3.57.tar.gz
 /nss-3.58.tar.gz
 /nss-3.59.tar.gz
+/nss-3.60.1.tar.gz
diff --git a/nss-turn-off-expired-ocsp-cert.patch b/nss-turn-off-expired-ocsp-cert.patch
new file mode 100644
index 0000000..dfbbb50
--- /dev/null
+++ b/nss-turn-off-expired-ocsp-cert.patch
@@ -0,0 +1,19 @@
+diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
+--- a/tests/chains/scenarios/nameconstraints.cfg
++++ b/tests/chains/scenarios/nameconstraints.cfg
+@@ -159,12 +159,12 @@ verify NameConstraints.dcissblocked:x
+ verify NameConstraints.dcissallowed:x
+ result pass
+
+ # Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
+ #
+ # This tests that a non server certificate (i.e. id-kp-serverAuth
+ # not present in EKU) does *NOT* have CN treated as dnsName for
+ # purposes of Name Constraints validation
+-verify NameConstraints.ocsp1:x
+- usage 10
+- result pass
++#verify NameConstraints.ocsp1:x
++# usage 10
++# result pass
+
diff --git a/nss.spec b/nss.spec
index 90afceb..1d3523c 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,5 +1,5 @@
 %global nspr_version 4.29.0
-%global nss_version 3.59.0
+%global nss_version 3.60.1
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
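Review bot: In nss-turn-off-expired-ocsp-cert.patch the three lines `verify NameConstraints.ocsp1:x`, `usage 10` and `result pass` are commented out with no marker, while the comment block above them still describes the check (a certificate without id-kp-serverAuth must not have its CN treated as a dnsName for Name Constraints). That behaviour is therefore no longer exercised by the package's chain tests, and the scenario file does not say so. Judging by the patch name the test certificate has expired; record that next to the disabled lines, for example `# Disabled downstream: the ocsp1 test certificate has expired; re-enable once upstream regenerates it`. The patch file also has no header; a short description with the upstream bug reference (`<UPSTREAM-BUG-ID>`, not shown on this page) would let the next rebase decide whether it can be dropped.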
@@ -44,7 +44,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary: Network Security Services
 Name: nss
 Version: %{nss_version}
-Release: 3%{?dist}
+Release: 1%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Requires: nspr >= %{nspr_version}
@@ -107,6 +107,7 @@ Patch2: nss-539183.patch
 # but it doesn't hurt to keep it.
 Patch4: iquote.patch
 Patch12: nss-signtool-format.patch
+Patch13: nss-turn-off-expired-ocsp-cert.patch
 %if 0%{?fedora} < 34
 %if 0%{?rhel} < 9
 Patch20: nss-gcm-param-default-pkcs11v2.patch
@@ -907,6 +908,9 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Thu Jan 21 2021 Bob Relyea - 3.60.1-1
+- Update to NSS 3.60.1
+
 * Tue Dec 15 2020 Bob Relyea - 3.59.0-3
 - Back out strict SHA-1 signature control because firefox Addon system is still using sha-1 signatures
diff --git a/sources b/sources
index da88737..f801005 100644
--- a/sources
+++ b/sources
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.59.tar.gz) = 8963e846f2ff7222457ae59f042672cf4e44f7752807226f46c215a772fd1cbd65d0ce634da4afb698eabd4eb1c1e78146cc2a089339ada11da03d259c609a38
+SHA512 (nss-3.60.1.tar.gz) = ba398ddad6f90f3562a041b7fd5fc7b72eb20961cc5c1f4890c3b0d95d438404b26ae6feb54cb8c650707134479a915e1f522f0e9257bc2ede053dd0811156d5
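Review bot: `Patch13: nss-turn-off-expired-ocsp-cert.patch` is declared in the `-107,6 +107,7` hunk, but none of the four nss.spec hunks adds a matching `%patch13` line. The patch therefore takes effect only if %prep applies patches automatically (`%autosetup` or `%autopatch`); %prep lies outside these hunks, so that should be confirmed. The declaration also carries no comment, unlike Patch4 just above it. A line such as `# Skips the NameConstraints.ocsp1 chain test (expired test certificate); drop when fixed upstream` would record why the patch exists and when it can go.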