From 245982b2c4539f085c9bac632ff6a9cb22147cf8 Mon Sep 17 00:00:00 2001
From: Bob Relyea
Date: Fri, 22 Jan 2021 00:10:22 +0000
Subject: [PATCH] Thu Jan 21 2021 Bob Relyea - 3.60.1-1 Update to NSS 3.60.1 Drop NODEPEND_FREEBL and LOWHASH bug 1919033
---
 .gitignore | 1 +
 nss-turn-off-expired-ocsp-cert.patch | 19 +++++++++++++++++++
 nss.spec | 19 ++++++++++++-------
 sources | 8 +-------
 4 files changed, 33 insertions(+), 14 deletions(-)
 create mode 100644 nss-turn-off-expired-ocsp-cert.patch
diff --git a/.gitignore b/.gitignore
index 859a2bb..21717ea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,4 @@ TestUser51.cert
 /nss-3.58.tar.gz
 /nspr-4.29.tar.gz
 /nss-3.59.tar.gz
+/nss-3.60.1.tar.gz
diff --git a/nss-turn-off-expired-ocsp-cert.patch b/nss-turn-off-expired-ocsp-cert.patch
new file mode 100644
index 0000000..dfbbb50
--- /dev/null
+++ b/nss-turn-off-expired-ocsp-cert.patch
@@ -0,0 +1,19 @@
+diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
+--- a/tests/chains/scenarios/nameconstraints.cfg
++++ b/tests/chains/scenarios/nameconstraints.cfg
+@@ -159,12 +159,12 @@ verify NameConstraints.dcissblocked:x
+ verify NameConstraints.dcissallowed:x
+ result pass
+
+ # Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
+ #
+ # This tests that a non server certificate (i.e. id-kp-serverAuth
+ # not present in EKU) does *NOT* have CN treated as dnsName for
+ # purposes of Name Constraints validation
+-verify NameConstraints.ocsp1:x
+- usage 10
+- result pass
++#verify NameConstraints.ocsp1:x
++# usage 10
++# result pass
+
diff --git a/nss.spec b/nss.spec
index cd6659d..ac03dff 100644
--- a/nss.spec
+++ b/nss.spec
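Review bot: Commenting out `verify NameConstraints.ocsp1:x` in nss-turn-off-expired-ocsp-cert.patch removes the check that a certificate without id-kp-serverAuth does not have its CN treated as a dnsName during name-constraints validation, and nothing records when that coverage comes back. The patch name suggests the test certificate has expired, which is a fixture problem rather than a behaviour change, so the gap should be temporary. I would add a short header to the patch file and a comment above the new `Patch13:` line in nss.spec, for example `# test cert expired; drop once NameConstraints.ocsp1 is regenerated upstream (<upstream-bug-id>)`. The inner hunk starts mid-file, so the other scenarios in nameconstraints.cfg are not visible here.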
@@ -2,8 +2,8 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global nspr_release 9
-%global nss_version 3.59.0
+%global nspr_release 10
+%global nss_version 3.60.1
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -53,7 +53,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary: Network Security Services
 Name: nss
 Version: %{nss_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Requires: nspr >= %{nspr_version}
@@ -118,6 +118,7 @@ Patch2: nss-539183.patch
 # but it doesn't hurt to keep it.
 Patch4: iquote.patch
 Patch12: nss-signtool-format.patch
+Patch13: nss-turn-off-expired-ocsp-cert.patch
 %if 0%{?fedora} < 34
 %if 0%{?rhel} < 9
 Patch20: nss-gcm-param-default-pkcs11v2.patch
@@ -125,8 +126,6 @@ Patch20: nss-gcm-param-default-pkcs11v2.patch
 %endif
 # can drop this patch when the underlying btrfs/sqlite issue is solved
 Patch30: nss-fedora-btrf-sql-hack.patch
-# can drop this patch once crypto-policies has been updated
-Patch31: nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
 Patch100: nspr-config-pc.patch
 Patch101: nspr-gcc-atomics.patch
@@ -348,13 +347,13 @@ popd
 # This package fails its testsuite with LTO. Disable LTO for now
 %global _lto_cflags %{nil}
-export FREEBL_NO_DEPEND=1
+#export FREEBL_NO_DEPEND=1
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
 # copied to dist and the rpm install phase can find it
 # This due of the upstream changes to fix
 # https://bugzilla.mozilla.org/show_bug.cgi?id=717906
-export FREEBL_LOWHASH=1
+# export FREEBL_LOWHASH=1
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
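Review bot: The comment block kept above `# export FREEBL_LOWHASH=1` in the hunk at -348 still says the variable must be exported so that nsslowhash.h is copied to dist for the install phase, which now contradicts the code. If %install or %files (outside this hunk) still reference nsslowhash.h, the build may fail or ship without the header; if they do not, that comment and both commented-out exports are dead text. I would delete them, or replace them with one line that gives the reason, e.g. `# FREEBL_NO_DEPEND and FREEBL_LOWHASH are no longer set, see bug 1919033`.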
@@ -393,6 +392,8 @@ export NSS_USE_SYSTEM_SQLITE=1
 export NSS_ALLOW_SSLKEYLOGFILE=1
+export NSS_SEED_ONLY_DEV_URANDOM=1
+
 %if %{with dbm}
 %else
 export NSS_DISABLE_DBM=1
@@ -1048,6 +1049,10 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Thu Jan 21 2021 Bob Relyea - 3.60.1-1
+- Update to NSS 3.60.1
+- Drop NODEPEND_FREEBL and LOWHASH
+
 * Fri Dec 11 2020 Bob Relyea - 3.59.0-2
 - Work around btrfs/sqlite bug
 - Disable new policy entries until crypto-polices has been updated
diff --git a/sources b/sources
index 62e2a42..8ef7feb 100644
--- a/sources
+++ b/sources
@@ -1,7 +1 @@
-SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
-SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
-SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
-SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
-SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nspr-4.29.tar.gz) = ba5ac275fe0beb69d7a7674c9ee9e4429bd5761daed285edd975ccc829af30d062bf4a0f5e44361e3bd191f21b1905f96ab146d53b55324020f13ecb3c05609b
-SHA512 (nss-3.59.tar.gz) = 8963e846f2ff7222457ae59f042672cf4e44f7752807226f46c215a772fd1cbd65d0ce634da4afb698eabd4eb1c1e78146cc2a089339ada11da03d259c609a38
+SHA512 (nss-3.60.1.tar.gz) = ba398ddad6f90f3562a041b7fd5fc7b72eb20961cc5c1f4890c3b0d95d438404b26ae6feb54cb8c650707134479a915e1f522f0e9257bc2ede053dd0811156d5
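Review bot: `export NSS_SEED_ONLY_DEV_URANDOM=1` in the hunk at -393 changes how the RNG is seeded, yet it is added without a comment, and the %changelog entry added at -1048 mentions neither it nor the removal of Patch31 (the policy revert) in the hunk at -125. As far as I know this build switch makes freebl take its seed only from the kernel device and skip the older file and environment sampling, which is a reasonable choice, but it is worth confirming how initialisation behaves where /dev/urandom is absent, such as a minimal chroot. I would put `# seed the RNG from the kernel only; legacy entropy gathering is not used` above the export and add `- Seed RNG only from /dev/urandom` and `- Drop nss-3.53.1-revert_rhel8_unsafe_policy_change.patch` to the changelog entry.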
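Review bot: The sources hunk drops the SHA512 pins for nspr-4.29.tar.gz and the five blank-*.db files, leaving nss-3.60.1.tar.gz as the only hash-checked input. The .gitignore context in this same patch still lists `/nspr-4.29.tar.gz`, and nss.spec still carries nspr patches (Patch100, Patch101), so the spec presumably still needs that tarball from the lookaside cache; without an entry here it would be neither fetched nor verified. If the removal was not intended, keep the six old lines that still apply and replace only the `nss-3.59.tar.gz` line with the new `nss-3.60.1.tar.gz` one.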