Update to NSS_3_15_3_RTM

- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws - Fix option descriptions for setup-nsssysinit manpage - Fix man page of nss-sysinit wrong path and other flaws - Document email option for certutil manpage - Remove unused patches
2013-11-26 10:36:24 -08:00 · 2013-11-26 10:36:24 -08:00 · 67a7a21b0e
parent 129e66ef0e
commit 67a7a21b0e
3 changed files with 63 additions and 6 deletions
--- a/certutil_keyOpFlagsFix.patch
+++ b/certutil_keyOpFlagsFix.patch
@ -0,0 +1,24 @@
+diff --git a/doc/certutil.xml b/doc/certutil.xml
+--- a/doc/certutil.xml
+++ b/doc/certutil.xml
+@@ -655,18 +655,18 @@ of the attribute codes:
+ 
+       <varlistentry>
+         <term>--keyAttrFlags attrflags</term>
+         <listitem><para>
+ PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>--keyFlagsOn opflags</term>
+-        <term>--keyFlagsOff opflags</term>
+        <term>--keyOpFlagsOn opflags</term>
+        <term>--keyOpFlagsOff opflags</term>
+         <listitem><para>
+ PKCS #11 key Operation Flags.
+ Comma separated list of one or more of the following:
+ {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
+           </para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
--- a/document-certutil-email-option.patch
+++ b/document-certutil-email-option.patch
@ -0,0 +1,25 @@
+diff --git a/doc/certutil.xml b/doc/certutil.xml
+--- a/doc/certutil.xml
+++ b/doc/certutil.xml
+@@ -204,16 +204,21 @@ If this option is not used, the validity
+       </varlistentry>
+ 
+       <varlistentry>
+         <term>-e </term>
+         <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+        <term>--email email-address</term>
+        <listitem><para>Specify the email address, used with the -L command option to print a single named certificate.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+         <term>-f password-file</term>
+         <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
+  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
+  unauthorized access to this file.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+         <term>-g keysize</term>
--- a/nss.spec
+++ b/nss.spec
@ -1,6 +1,6 @@
 %global nspr_version 4.10.2
 %global nss_util_version 3.15.3
-%global nss_softokn_fips_version 3.12.9
+%global nss_softokn_fips_version 3.13.5
 %global nss_softokn_version 3.15.3
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@ -79,8 +79,6 @@ Patch18:          nss-646045.patch
 # must statically link pem against the freebl in the buildroot
 # Needed only when freebl on tree has new APIS
 Patch25:          nsspem-use-system-freebl.patch
-# Prevent users from trying to enable ssl pkcs11 bypass
-# Patch39:          nss-ssl-enforce-no-pkcs11-bypass.path
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 Patch44:          0001-sync-up-with-upstream-softokn-changes.patch
@ -95,6 +93,10 @@ Patch48:          nss-versus-softoken-tests.patch
 # TODO remove when we switch to building nss without softoken
 Patch49:          nss-skip-bltest-and-fipstest.patch
 Patch50:          iquote.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001
+Patch54:          document-certutil-email-option.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=937677
+Patch57:          certutil_keyOpFlagsFix.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -178,9 +180,6 @@ low level services.
 %patch18 -p0 -b .646045
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
-# activate for stable and beta branches
-# %%patch29 -p0 -b .cbcrandomivoff
-# %%patch39 -p0 -b .nobypass
 %patch40 -p0 -b .noocsptest
 %patch44 -p1 -b .syncupwithupstream
 %patch45 -p0 -b .notrash
@ -189,6 +188,10 @@ low level services.
 %patch48 -p0 -b .crypto
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
+pushd nss
+%patch54 -p1 -b .948495
+%patch57 -p1 -b .948495
+popd

 #########################################################
 # Higher-level libraries and test tools need access to
@ -626,6 +629,8 @@ fi
 %attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
 %attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
 %{_bindir}/setup-nsssysinit.sh
+# symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
 %attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz

 %files tools
@ -744,6 +749,9 @@ fi
 - Update to NSS_3_15_3_RTM
 - Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
 - Fix option descriptions for setup-nsssysinit manpage
+- Fix man page of nss-sysinit wrong path and other flaws
+- Document email option for certutil manpage
+- Remove unused patches

 * Sun Oct 27 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-3
 - Revert one change from last commit to preserve full nss pluggable ecc supprt [1019245]