From c13e32fe803c886477e60f8755ba529058b27f21 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Fri, 13 Nov 2015 17:53:10 -0800 Subject: [PATCH 1/5] Update to NSS 3.21 - Package listsuites as part of the unsupported tools set - Resolves: Bug 1279912 - nss-3.21 is available - Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit - Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set --- dummy-sources-for-testing | 2 - nss-ssl-enforce-no-pkcs11-bypass.path | 16 --- pem-compile-with-Werror.patch | 146 ++++++++++++++++++++++++++ 3 files changed, 146 insertions(+), 18 deletions(-) delete mode 100644 dummy-sources-for-testing delete mode 100644 nss-ssl-enforce-no-pkcs11-bypass.path create mode 100644 pem-compile-with-Werror.patch diff --git a/dummy-sources-for-testing b/dummy-sources-for-testing deleted file mode 100644 index 59ba8d6..0000000 --- a/dummy-sources-for-testing +++ /dev/null @@ -1,2 +0,0 @@ -Dummy source file that we by uploading it lets us verify that nss builds -do not cause the 'fedpkg upload' or 'fedpg new-sources' commands to hang. diff --git a/nss-ssl-enforce-no-pkcs11-bypass.path b/nss-ssl-enforce-no-pkcs11-bypass.path deleted file mode 100644 index 3c99446..0000000 --- a/nss-ssl-enforce-no-pkcs11-bypass.path +++ /dev/null @@ -1,16 +0,0 @@ -diff -up nss/lib/ssl/sslsock.c.nobypass nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.nobypass 2013-05-30 22:23:37.305583715 -0700 -+++ nss/lib/ssl/sslsock.c 2013-05-30 22:23:37.311583762 -0700 -@@ -553,8 +553,10 @@ static PRStatus SSL_BypassRegisterShutdo - static PRStatus SSL_BypassSetup(void) - { - #ifdef NO_PKCS11_BYPASS -- /* Guarantee binary compatibility */ -- return PR_SUCCESS; -+ /* No need in our case to guarantee binary compatibility and -+ * we can safely return failure as we have never supported it -+ */ -+ return PR_FAILURE; - #else - return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown); - #endif diff --git a/pem-compile-with-Werror.patch b/pem-compile-with-Werror.patch new file mode 100644 index 0000000..392d74a --- /dev/null +++ b/pem-compile-with-Werror.patch @@ -0,0 +1,146 @@ +diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h +--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror 2014-01-23 06:28:18.000000000 -0800 ++++ ./nss/lib/ckfw/pem/ckpem.h 2015-11-13 12:07:29.219887390 -0800 +@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr { + }; + typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey; + ++/* NOTE: Discrepancy with the the way callers use of the return value as a count ++ * Fix this when we sync. up with the cleanup work being done at nss-pem project. ++ */ + SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly); + const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type); + void pem_PopulateModulusExponent(pemInternalObject *io); +diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c +--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 ++++ ./nss/lib/ckfw/pem/pinst.c 2015-11-13 12:07:29.219887390 -0800 +@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key + char *ivstring = NULL; + int cipher; + +- nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); ++ /* TODO: Fix discrepancy between our usage of the return value as ++ * as an int (a count) and the declaration as a SECStatus. */ ++ nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); + if (nobjs <= 0) { + nss_ZFreeIf(objs); + return CKR_GENERAL_ERROR; +@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key + if (keyfile) { /* add the private key */ + SECItem **keyobjs = NULL; + int kobjs = 0; ++ /* TODO: Fix discrepancy between our usage of the return value as ++ * as an int and the declaration as a SECStatus. */ + kobjs = +- ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher, ++ (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher, + &ivstring, PR_FALSE); + if (kobjs < 1) { + error = CKR_GENERAL_ERROR; +diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c +--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 ++++ ./nss/lib/ckfw/pem/pobject.c 2015-11-13 12:07:29.220887368 -0800 +@@ -630,6 +630,11 @@ pem_DestroyInternalObject + if (io->u.key.ivstring) + free(io->u.key.ivstring); + break; ++ case pemAll: ++ /* pemAll is not used, keep the compiler happy ++ * TODO: investigate a proper solution ++ */ ++ return; + } + + if (NULL != gobj) +@@ -1044,7 +1049,9 @@ pem_CreateObject + int nobjs = 0; + int i; + int objid; ++#if 0 + pemToken *token; ++#endif + int cipher; + char *ivstring = NULL; + pemInternalObject *listObj = NULL; +@@ -1073,7 +1080,9 @@ pem_CreateObject + } + slotID = nssCKFWSlot_GetSlotID(fwSlot); + ++#if 0 + token = (pemToken *) mdToken->etc; ++#endif + + /* + * only create keys and certs. +@@ -1114,7 +1123,11 @@ pem_CreateObject + } + + if (objClass == CKO_CERTIFICATE) { +- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); ++ /* TODO: Fix discrepancy between our usage of the return value as ++ * as an int and the declaration as a SECStatus. Typecasting as a ++ * temporary workaround. ++ */ ++ nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); + if (nobjs < 1) + goto loser; + +diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c +--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 ++++ ./nss/lib/ckfw/pem/rsawrapr.c 2015-11-13 12:07:29.220887368 -0800 +@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey + return 0; + } + ++/* unused functions */ ++#if 0 + static SHA1Context *SHA1_CloneContext(SHA1Context * original) + { + SHA1Context *clone = NULL; +@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un + + return SECSuccess; + } ++#endif /* unused functions */ + + /* + * Format one block of data for public/private key encryption using +diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c +--- ./nss/lib/ckfw/pem/util.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 ++++ ./nss/lib/ckfw/pem/util.c 2015-11-13 12:22:52.282196306 -0800 +@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds + return SECFailure; + } + +-int ++/* FIX: Returns a SECStatus yet callers take result as a count */ ++SECStatus + ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii, + int *cipher, char **ivstring, PRBool certsonly) + { +@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha + goto loser; + } + if ((certsonly && !key) || (!certsonly && key)) { ++ error = CKR_OK; + PUT_Object(der, error); ++ if (error != CKR_OK) { ++ free(der); ++ goto loser; ++ } + } else { + free(der->data); + free(der); +@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha + } + + /* NOTE: This code path has never been tested. */ ++ error = CKR_OK; + PUT_Object(der, error); ++ if (error != CKR_OK) { ++ free(der); ++ goto loser; ++ } + } + + nss_ZFreeIf(filedata.data); From 0a91ce3fe83abfeb352e1eaf6fd521f8a7e0bcd6 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Fri, 13 Nov 2015 18:03:07 -0800 Subject: [PATCH 2/5] Complete the commits to update to NSS 3.21 - Add files missed in previous commit as they weren't staged - Package listsuites as part of the unsupported tools set - Resolves: Bug 1279912 - nss-3.21 is available - Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit - Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set --- .gitignore | 2 +- iquote.patch | 12 ++++++++++++ nss-539183.patch | 26 ++++++++----------------- nss.spec | 50 ++++++++++++++++++++++++++++++++++-------------- sources | 2 +- 5 files changed, 58 insertions(+), 34 deletions(-) diff --git a/.gitignore b/.gitignore index 5b7ffac..f972d92 100644 --- a/.gitignore +++ b/.gitignore @@ -10,4 +10,4 @@ TestUser51.cert /nss-pem-20140125.tar.bz2 /PayPalRootCA.cert /PayPalICA.cert -/nss-3.20.1.tar.gz +/nss-3.21.0.tar.gz diff --git a/iquote.patch b/iquote.patch index becdd7e..0c9e4cf 100644 --- a/iquote.patch +++ b/iquote.patch @@ -173,3 +173,15 @@ diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # +diff -up nss/lib/ssl/Makefile.iquote nss/lib/ssl/Makefile +--- nss/lib/ssl/Makefile.iquote 2015-11-13 09:23:41.653738563 -0800 ++++ nss/lib/ssl/Makefile 2015-11-13 09:25:25.121415348 -0800 +@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # diff --git a/nss-539183.patch b/nss-539183.patch index 3798c35..c5cc4d8 100644 --- a/nss-539183.patch +++ b/nss-539183.patch @@ -1,11 +1,9 @@ -diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c ---- nss/cmd/httpserv/httpserv.c.539183 2013-05-28 14:43:24.000000000 -0700 -+++ nss/cmd/httpserv/httpserv.c 2013-05-30 22:16:46.685373471 -0700 -@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port - PRStatus prStatus; +diff -up ./nss/cmd/httpserv/httpserv.c.539183 ./nss/cmd/httpserv/httpserv.c +--- ./nss/cmd/httpserv/httpserv.c.539183 2015-11-08 21:12:59.000000000 -0800 ++++ ./nss/cmd/httpserv/httpserv.c 2015-11-12 13:28:01.574855325 -0800 +@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port PRNetAddr addr; PRSocketOptionData opt; -+ PRUint16 socketDomain = PR_AF_INET; - addr.inet.family = PR_AF_INET; - addr.inet.ip = PR_INADDR_ANY; @@ -15,9 +13,6 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c + } - listen_sock = PR_NewTCPSocket(); -+ if (PR_GetEnv("NSS_USE_SDP")) { -+ socketDomain = PR_AF_INET_SDP; -+ } + listen_sock = PR_OpenTCPSocket(PR_AF_INET6); if (listen_sock == NULL) { - errExit("PR_NewTCPSocket"); @@ -25,14 +20,12 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c } opt.option = PR_SockOpt_Nonblocking; -diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c ---- nss/cmd/selfserv/selfserv.c.539183 2013-05-28 14:43:24.000000000 -0700 -+++ nss/cmd/selfserv/selfserv.c 2013-05-30 22:16:46.688373495 -0700 -@@ -1687,14 +1687,18 @@ getBoundListenSocket(unsigned short port - PRStatus prStatus; +diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c +--- ./nss/cmd/selfserv/selfserv.c.539183 2015-11-08 21:12:59.000000000 -0800 ++++ ./nss/cmd/selfserv/selfserv.c 2015-11-12 13:26:40.498345875 -0800 +@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port PRNetAddr addr; PRSocketOptionData opt; -+ PRUint16 socketDomain = PR_AF_INET; - addr.inet.family = PR_AF_INET; - addr.inet.ip = PR_INADDR_ANY; @@ -42,9 +35,6 @@ diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c + } - listen_sock = PR_NewTCPSocket(); -+ if (PR_GetEnv("NSS_USE_SDP")) { -+ socketDomain = PR_AF_INET_SDP; -+ } + listen_sock = PR_OpenTCPSocket(PR_AF_INET6); if (listen_sock == NULL) { - errExit("PR_NewTCPSocket"); diff --git a/nss.spec b/nss.spec index e8b9639..56e9553 100644 --- a/nss.spec +++ b/nss.spec @@ -18,7 +18,7 @@ Summary: Network Security Services Name: nss -Version: 3.20.1 +Version: 3.21.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) Release: 2%{?dist} @@ -92,15 +92,17 @@ Patch52: disableSSL2libssl.patch Patch53: disableSSL2tests.patch Patch54: tstclnt-ssl2-off-by-default.patch Patch55: skip_stress_TLS_RC4_128_with_MD5.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089 -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429 -# See https://hg.mozilla.org/projects/nss/raw-rev/dc7bb2f8cc50 -Patch56: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1205688 -Patch57: rhbz1185708-enable-ecc-ciphers-by-default.patch # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch +# As of nss-3.21 we compile NSS with -Werror. +# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667 +# This requires a cleanup of the PEM module as we have it here. +# TODO: submit a patch to the interim nss-pem upstream project +# The submission will be very different from this patch as +# cleanup there is already in progress there. +Patch59: pem-compile-with-Werror.patch + %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and @@ -188,11 +190,8 @@ pushd nss popd %patch54 -p0 -b .ssl2_off %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5 -%patch56 -p1 -b .ocsp_sni -pushd nss -%patch57 -p1 -b .1185708 -popd %patch58 -p0 -b .1185708_3des +%patch59 -p0 -b .compile_Werror ######################################################### # Higher-level libraries and test tools need access to @@ -210,6 +209,10 @@ done %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf +# Before removing util directory we must save verref.h +# as it will be needed later during the build phase. +%{__mv} ./nss/lib/util/verref.h ./nss/verref.h + ##### Remove util/freebl/softoken and low level tools ######## Remove freebl, softoken and util %{__rm} -rf ./nss/lib/freebl @@ -285,7 +288,11 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1 NSS_USE_SYSTEM_SQLITE=1 export NSS_USE_SYSTEM_SQLITE -%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64 +# external tests are causing build problems because they access ssl internal types +# TODO: Investigate as there may be a better solution +export NSS_DISABLE_GTESTS=1 + +%if %{__isa_bits} == 64 USE_64=1 export USE_64 %endif @@ -301,6 +308,13 @@ export NSS_ECC_MORE_THAN_SUITE_B export NSS_BLTEST_NOT_AVAILABLE=1 %{__make} -C ./nss/coreconf %{__make} -C ./nss/lib/dbm + +# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c +# need nss/lib/util/verref.h which is which is exported privately, +# copy the one we saved during prep so it they can find it. +%{__mkdir_p} ./dist/private/nss +%{__mv} ./nss/verref.h ./dist/private/nss/verref.h + %{__make} -C ./nss unset NSS_BLTEST_NOT_AVAILABLE @@ -389,7 +403,7 @@ export FREEBL_NO_DEPEND BUILD_OPT=1 export BUILD_OPT -%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64 +%if %{__isa_bits} == 64 USE_64=1 export USE_64 %endif @@ -551,7 +565,7 @@ do done # Copy the binaries we ship as unsupported -for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain +for file in atob btoa derdump listsuites ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain do %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} done @@ -702,6 +716,7 @@ fi %{unsupported_tools_directory}/atob %{unsupported_tools_directory}/btoa %{unsupported_tools_directory}/derdump +%{unsupported_tools_directory}/listsuites %{unsupported_tools_directory}/ocspclnt %{unsupported_tools_directory}/pp %{unsupported_tools_directory}/selfserv @@ -806,6 +821,13 @@ fi %changelog +* Fri Nov 13 2015 Elio Maldonado Batiz - 3.21.1-2 +- Update to NSS 3.21 +- Package listsuites as part of the unsupported tools set +- Resolves: Bug 1279912 - nss-3.21 is available +- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit +- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set + * Fri Oct 30 2015 Elio Maldonado - 3.20.1-2 - Update to NSS 3.20.1 diff --git a/sources b/sources index 4c5f144..b8aa5ea 100644 --- a/sources +++ b/sources @@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db 691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db 2ec9e0606ba40fe65196545564b7cc2a blank-key4.db b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2 -c285ef92de0031cb0a8caa60d396d618 nss-3.20.1.tar.gz +f53ffa490133d29ff930fa4b29bade90 nss-3.21.0.tar.gz From 69b02be5302dc8941e502ab2c747ce23520c1d0b Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Sat, 14 Nov 2015 11:32:57 -0800 Subject: [PATCH 3/5] Change the test to %if 0%{__isa_bits} == 64 as required in fedora - As done in the patch contributed by Marcin Juszkiewicz - Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit architectures --- nss.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nss.spec b/nss.spec index 56e9553..b857947 100644 --- a/nss.spec +++ b/nss.spec @@ -292,7 +292,7 @@ export NSS_USE_SYSTEM_SQLITE # TODO: Investigate as there may be a better solution export NSS_DISABLE_GTESTS=1 -%if %{__isa_bits} == 64 +%if 0%{__isa_bits} == 64 USE_64=1 export USE_64 %endif @@ -403,7 +403,7 @@ export FREEBL_NO_DEPEND BUILD_OPT=1 export BUILD_OPT -%if %{__isa_bits} == 64 +%if 0%{__isa_bits} == 64 USE_64=1 export USE_64 %endif From 03da09b383093228d266538d2a2cb982ccbcb44e Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Sat, 14 Nov 2015 14:49:57 -0800 Subject: [PATCH 4/5] Enclose the _isa_bits check inside a %ifnarch noarch ... %endif one --- nss.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nss.spec b/nss.spec index b857947..a4961bc 100644 --- a/nss.spec +++ b/nss.spec @@ -292,10 +292,12 @@ export NSS_USE_SYSTEM_SQLITE # TODO: Investigate as there may be a better solution export NSS_DISABLE_GTESTS=1 +%ifnarch noarch %if 0%{__isa_bits} == 64 USE_64=1 export USE_64 %endif +%endif # uncomment if the iquote patch is activated export IN_TREE_FREEBL_HEADERS_FIRST=1 @@ -403,10 +405,12 @@ export FREEBL_NO_DEPEND BUILD_OPT=1 export BUILD_OPT +%ifnarch noarch %if 0%{__isa_bits} == 64 USE_64=1 export USE_64 %endif +%endif export NSS_BLTEST_NOT_AVAILABLE=1 From 66122a0ff7fbc97277fce96ac7d0216b4837afc3 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Sun, 15 Nov 2015 10:51:54 -0800 Subject: [PATCH 5/5] Add references to bugs filed upstream --- nss.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/nss.spec b/nss.spec index a4961bc..90909de 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.21.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -70,7 +70,10 @@ Source27: secmod.db.xml Patch2: add-relro-linker-option.patch Patch3: renegotiate-transitional.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=402712 Patch6: nss-enable-pem.patch +# Below reference applies to most pem module related patches +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723 Patch16: nss-539183.patch # must statically link pem against the freebl in the buildroot # Needed only when freebl on tree has new APIS @@ -825,6 +828,9 @@ fi %changelog +* Sun Nov 15 2015 Elio Maldonado - 3.21.0-3 +- Add references to bugs filed upstream + * Fri Nov 13 2015 Elio Maldonado Batiz - 3.21.1-2 - Update to NSS 3.21 - Package listsuites as part of the unsupported tools set