From c4dce982fc14a9a43b9067ffdf23d0072255c695 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Tue, 24 Oct 2017 14:04:16 +0200 Subject: [PATCH] rhbz#1505487, backport upstream fixes required for rhbz#1496560 --- nss-sql-1-1403691-a.patch | 92 ++++++++++++++++++ nss-sql-1-1403691-b.patch | 31 +++++++ nss-sql-2-1382278-a.patch | 56 +++++++++++ nss-sql-2-1382278-b.patch | 142 ++++++++++++++++++++++++++++ nss-sql-3-1395495-a.patch | 191 ++++++++++++++++++++++++++++++++++++++ nss-sql-3-1395495-b.patch | 33 +++++++ nss.spec | 22 ++++- 7 files changed, 566 insertions(+), 1 deletion(-) create mode 100644 nss-sql-1-1403691-a.patch create mode 100644 nss-sql-1-1403691-b.patch create mode 100644 nss-sql-2-1382278-a.patch create mode 100644 nss-sql-2-1382278-b.patch create mode 100644 nss-sql-3-1395495-a.patch create mode 100644 nss-sql-3-1395495-b.patch diff --git a/nss-sql-1-1403691-a.patch b/nss-sql-1-1403691-a.patch new file mode 100644 index 0000000..f28f674 --- /dev/null +++ b/nss-sql-1-1403691-a.patch @@ -0,0 +1,92 @@ + +# HG changeset patch +# User Kai Engert +# Date 1507823956 -7200 +# Node ID 994e89150fc1cd0008d19a8ad8aafed565d98069 +# Parent f3766809817ba03aa8cc1da4fdf48bd011fc01e3 +Bug 1403691, Change first NSS test cycle to explicitly use dbm file format, r=rrelyea + +diff --git a/tests/all.sh b/tests/all.sh +--- a/tests/all.sh ++++ b/tests/all.sh +@@ -125,24 +125,30 @@ run_tests() + echo "Running tests for ${TEST}" + echo "TIMESTAMP ${TEST} BEGIN: `date`" + (cd ${QADIR}/${TEST}; . ./${SCRIPTNAME} 2>&1) + echo "TIMESTAMP ${TEST} END: `date`" + done + } + + ########################## run_cycle_standard ########################## +-# run test suites with defaults settings (no PKIX, no sharedb) ++# run test suites with dbm database (no PKIX, no sharedb) + ######################################################################## + run_cycle_standard() + { + TEST_MODE=STANDARD + + TESTS="${ALL_TESTS}" +- TESTS_SKIP= ++ TESTS_SKIP="cipher libpkix sdr ocsp pkits" ++ ++ NSS_DEFAULT_DB_TYPE="dbm" ++ export NSS_DEFAULT_DB_TYPE ++ ++ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` ++ NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"` + + run_tests + } + + ############################ run_cycle_pkix ############################ + # run test suites with PKIX enabled + ######################################################################## + run_cycle_pkix() +@@ -157,17 +163,22 @@ run_cycle_pkix() + mkdir -p "${HOSTDIR}" + init_directories + + NSS_ENABLE_PKIX_VERIFY="1" + export NSS_ENABLE_PKIX_VERIFY + + TESTS="${ALL_TESTS}" + TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit" ++ + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` ++ export -n NSS_SSL_RUN ++ ++ # use the default format ++ export -n NSS_DEFAULT_DB_TYPE + + run_tests + } + + ######################### run_cycle_upgrade_db ######################### + # upgrades certificate database to shareable format and run test suites + # with those databases + ######################################################################## +@@ -226,20 +237,20 @@ run_cycle_shared_db() + mkdir -p "${HOSTDIR}" + init_directories + + NSS_DEFAULT_DB_TYPE="sql" + export NSS_DEFAULT_DB_TYPE + + # run the tests for native sharedb support + TESTS="${ALL_TESTS}" +- TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits" ++ TESTS_SKIP="dbupgrade" + +- NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` +- NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"` ++ export -n NSS_SSL_TESTS ++ export -n NSS_SSL_RUN + + run_tests + } + + ############################# run_cycles ############################### + # run test cycles defined in CYCLES variable + ######################################################################## + run_cycles() + diff --git a/nss-sql-1-1403691-b.patch b/nss-sql-1-1403691-b.patch new file mode 100644 index 0000000..16137ef --- /dev/null +++ b/nss-sql-1-1403691-b.patch @@ -0,0 +1,31 @@ + +# HG changeset patch +# User Kai Engert +# Date 1508150373 -7200 +# Node ID e73fedaecd63afe28c9da46cd26906f247375d59 +# Parent 24695a55c095a1c37ed92ac2a4fa6c56595e17c0 +Bug 1403691, follow up fix to allow the pkits tests to work with sql db format + +diff --git a/tests/pkits/pkits.sh b/tests/pkits/pkits.sh +--- a/tests/pkits/pkits.sh ++++ b/tests/pkits/pkits.sh +@@ -88,17 +88,17 @@ pkits_init() + echo "PKITS_DATA" $PKITS_DATA + echo "certs" $certs + echo "crls" $crls + + echo nss > ${PKITSdb}/pw + ${BINDIR}/certutil -N -d ${PKITSdb} -f ${PKITSdb}/pw + + ${BINDIR}/certutil -A -n TrustAnchorRootCertificate -t "C,C,C" -i \ +- $certs/TrustAnchorRootCertificate.crt -d $PKITSdb ++ $certs/TrustAnchorRootCertificate.crt -d $PKITSdb -f ${PKITSdb}/pw + if [ -z "$NSS_NO_PKITS_CRLS" ]; then + ${BINDIR}/crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb} -f ${PKITSdb}/pw + else + html "

NO CRLs are being used.

" + pkits_log "NO CRLs are being used." + fi + + cp ${PKITSdb}/* ${PKITSbkp} + diff --git a/nss-sql-2-1382278-a.patch b/nss-sql-2-1382278-a.patch new file mode 100644 index 0000000..aa6f559 --- /dev/null +++ b/nss-sql-2-1382278-a.patch @@ -0,0 +1,56 @@ + +# HG changeset patch +# User Bob Relyea +# Date 1505757778 -7200 +# Node ID 18edd4ad8389d50d4231cc1a545a468dbb11185c +# Parent 70109a01ce53328b511aaa6c839593a3282cb725 +Bug 1382278, certutil -A creates uninitialised database, r=kaie + +diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c +--- a/cmd/certutil/certutil.c ++++ b/cmd/certutil/certutil.c +@@ -3005,16 +3005,43 @@ certutil_main(int argc, char **argv, PRB + certutil.options[opt_NewPasswordFile].arg); + } + if (rv != SECSuccess) { + SECU_PrintError(progName, "Could not set password for the slot"); + goto shutdown; + } + } + ++ /* if we are going to modify the cert database, ++ * make sure it's initialized */ ++ if (certutil.commands[cmd_ModifyCertTrust].activated || ++ certutil.commands[cmd_CreateAndAddCert].activated || ++ certutil.commands[cmd_AddCert].activated || ++ certutil.commands[cmd_AddEmailCert].activated) { ++ if (PK11_NeedUserInit(slot)) { ++ char *password = NULL; ++ /* fetch the password from the command line or the file ++ * if no password is supplied, initialize the password to NULL */ ++ if (pwdata.source == PW_FROMFILE) { ++ password = SECU_FilePasswd(slot, PR_FALSE, pwdata.data); ++ } else if (pwdata.source == PW_PLAINTEXT) { ++ password = PL_strdup(pwdata.data); ++ } ++ rv = PK11_InitPin(slot, (char *)NULL, password ? password : ""); ++ if (password) { ++ PORT_Memset(password, 0, PL_strlen(password)); ++ PORT_Free(password); ++ } ++ if (rv != SECSuccess) { ++ SECU_PrintError(progName, "Could not set password for the slot"); ++ goto shutdown; ++ } ++ } ++ } ++ + /* walk through the upgrade merge if necessary. + * This option is more to test what some applications will want to do + * to do an automatic upgrade. The --merge command is more useful for + * the general case where 2 database need to be merged together. + */ + if (certutil.commands[cmd_UpgradeMerge].activated) { + if (*upgradeTokenName == 0) { + upgradeTokenName = upgradeID; + diff --git a/nss-sql-2-1382278-b.patch b/nss-sql-2-1382278-b.patch new file mode 100644 index 0000000..de9ef56 --- /dev/null +++ b/nss-sql-2-1382278-b.patch @@ -0,0 +1,142 @@ + +# HG changeset patch +# User Kai Engert +# Date 1506452962 -7200 +# Node ID fe8b221d3bded99b2b21e2e62fb27cc8c659ec2f +# Parent 96a835be15192281d67a8b1046b7f159ff6deb12 +Bug 1382278, add test to confirm implicit init with certutil -A is working, r=rrelyea + +diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh +--- a/tests/cert/cert.sh ++++ b/tests/cert/cert.sh +@@ -1941,32 +1941,42 @@ cert_test_distrust() + cert_test_ocspresp() + { + echo "$SCRIPTNAME: OCSP response creation selftest" + OR_ACTION="perform selftest" + RETEXPECTED=0 + ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1 + } + ++cert_test_implicit_db_init() ++{ ++ echo "$SCRIPTNAME: test implicit database init" ++ ++ CU_ACTION="Add cert with trust flags to db with implicit init" ++ mkdir ${IMPLICIT_INIT_DIR} ++ certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert" ++} ++ + ############################## cert_cleanup ############################ + # local shell function to finish this script (no exit since it might be + # sourced) + ######################################################################## + cert_cleanup() + { + cert_log "$SCRIPTNAME: finished $SCRIPTNAME" + html "
" + cd ${QADIR} + . common/cleanup.sh + } + + ################## main ################################################# + + cert_init + cert_all_CA ++cert_test_implicit_db_init + cert_extended_ssl + cert_ssl + cert_smime_client + if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then + cert_fips + fi + cert_eccurves + cert_extensions +diff --git a/tests/common/init.sh b/tests/common/init.sh +--- a/tests/common/init.sh ++++ b/tests/common/init.sh +@@ -63,16 +63,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU + DBPASSDIR=${HOSTDIR}/dbpass + ECCURVES_DIR=${HOSTDIR}/eccurves + DISTRUSTDIR=${HOSTDIR}/distrust + + SERVER_CADIR=${HOSTDIR}/serverCA + CLIENT_CADIR=${HOSTDIR}/clientCA + EXT_SERVERDIR=${HOSTDIR}/ext_server + EXT_CLIENTDIR=${HOSTDIR}/ext_client ++ IMPLICIT_INIT_DIR=${HOSTDIR}/implicit_init + + IOPR_CADIR=${HOSTDIR}/CA_iopr + IOPR_SSL_SERVERDIR=${HOSTDIR}/server_ssl_iopr + IOPR_SSL_CLIENTDIR=${HOSTDIR}/client_ssl_iopr + IOPR_OCSP_CLIENTDIR=${HOSTDIR}/client_ocsp_iopr + + CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions + STAPLINGDIR=${HOSTDIR}/stapling +@@ -531,16 +532,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU + D_SERVER="Server.$version" + D_CLIENT="Client.$version" + D_NOLOGIN="NoLogin.$version" + D_FIPS="FIPS.$version" + D_DBPASS="DBPASS.$version" + D_ECCURVES="ECCURVES.$version" + D_EXT_SERVER="ExtendedServer.$version" + D_EXT_CLIENT="ExtendedClient.$version" ++ D_IMPLICIT_INIT="ImplicitInit.$version" + D_CERT_EXTENSTIONS="CertExtensions.$version" + D_DISTRUST="Distrust.$version" + + # we need relative pathnames of these files abd directories, since our + # tools can't handle the unix style absolut pathnames on cygnus + + R_CADIR=../CA + R_SERVERDIR=../server +@@ -550,16 +552,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU + R_IOPR_SSL_CLIENTDIR=../client_ssl_iopr + R_IOPR_OCSP_CLIENTDIR=../client_ocsp_iopr + R_ALICEDIR=../alicedir + R_BOBDIR=../bobdir + R_DAVEDIR=../dave + R_EVEDIR=../eve + R_EXT_SERVERDIR=../ext_server + R_EXT_CLIENTDIR=../ext_client ++ R_IMPLICIT_INIT_DIR=../implicit_init + R_CERT_EXT=../cert_extensions + R_STAPLINGDIR=../stapling + R_NOLOGINDIR=../nologin + R_SSLGTESTDIR=../ssl_gtests + R_GTESTDIR=../gtests + + # + # profiles are either paths or domains depending on the setting of +@@ -570,27 +573,29 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU + P_R_BOBDIR=${R_BOBDIR} + P_R_DAVEDIR=${R_DAVEDIR} + P_R_EVEDIR=${R_EVEDIR} + P_R_SERVERDIR=${R_SERVERDIR} + P_R_CLIENTDIR=${R_CLIENTDIR} + P_R_NOLOGINDIR=${R_NOLOGINDIR} + P_R_EXT_SERVERDIR=${R_EXT_SERVERDIR} + P_R_EXT_CLIENTDIR=${R_EXT_CLIENTDIR} ++ P_R_IMPLICIT_INIT_DIR=${R_IMPLICIT_INIT_DIR} + if [ -n "${MULTIACCESS_DBM}" ]; then + P_R_CADIR="multiaccess:${D_CA}" + P_R_ALICEDIR="multiaccess:${D_ALICE}" + P_R_BOBDIR="multiaccess:${D_BOB}" + P_R_DAVEDIR="multiaccess:${D_DAVE}" + P_R_EVEDIR="multiaccess:${D_EVE}" + P_R_SERVERDIR="multiaccess:${D_SERVER}" + P_R_CLIENTDIR="multiaccess:${D_CLIENT}" + P_R_NOLOGINDIR="multiaccess:${D_NOLOGIN}" + P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}" + P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}" ++ P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}" + fi + + R_PWFILE=../tests.pw + R_EMPTY_FILE=../tests_empty + R_NOISE_FILE=../tests_noise + + R_FIPSPWFILE=../tests.fipspw + R_FIPSBADPWFILE=../tests.fipsbadpw + diff --git a/nss-sql-3-1395495-a.patch b/nss-sql-3-1395495-a.patch new file mode 100644 index 0000000..3e91411 --- /dev/null +++ b/nss-sql-3-1395495-a.patch @@ -0,0 +1,191 @@ + +# HG changeset patch +# User Daiki Ueno +# Date 1505483851 -7200 +# Node ID 279b257c6433f1972d49c529247e6ed2633b979f +# Parent 88b6e9707b17c6b1ba5017cbf62e70bba58c2fcd +Bug 1395495, modutil: Initialize DB with empty password on -create, r=kaie + +diff --git a/cmd/modutil/error.h b/cmd/modutil/error.h +--- a/cmd/modutil/error.h ++++ b/cmd/modutil/error.h +@@ -52,16 +52,17 @@ typedef enum { + ENABLE_FAILED_ERR, + UPDATE_MOD_FAILED_ERR, + DEFAULT_FAILED_ERR, + UNDEFAULT_FAILED_ERR, + STDIN_READ_ERR, + UNSPECIFIED_ERR, + NOCERTDB_MISUSE_ERR, + NSS_INITIALIZE_FAILED_ERR, ++ INITPW_FAILED_ERR, + + LAST_ERR /* must be last */ + } Error; + #define SUCCESS NO_ERR + + /* !!! Should move this into its own .c and un-static it. */ + static char *errStrings[] = { + "Operation completed successfully.\n", +@@ -105,17 +106,18 @@ static char *errStrings[] = { + "ERROR: Slot \"%s\" not found.\n", + "ERROR: Failed to %s slot \"%s\".\n", + "ERROR: Failed to update module \"%s\".\n", + "ERROR: Failed to change defaults.\n", + "ERROR: Failed to change default.\n", + "ERROR: Unable to read from standard input.\n", + "ERROR: Unknown error occurred.\n", + "ERROR: -nocertdb option can only be used with the -jar command.\n", +- "ERROR: NSS_Initialize() failed.\n" ++ "ERROR: NSS_Initialize() failed.\n", ++ "ERROR: Unable to set initial password on the database.\n" + }; + + typedef enum { + FIPS_ENABLED_MSG = 0, + FIPS_DISABLED_MSG, + USING_DBDIR_MSG, + CREATING_DB_MSG, + ADD_MODULE_SUCCESS_MSG, +diff --git a/cmd/modutil/modutil.c b/cmd/modutil/modutil.c +--- a/cmd/modutil/modutil.c ++++ b/cmd/modutil/modutil.c +@@ -860,17 +860,17 @@ main(int argc, char* argv[]) + switch (command) { + case ADD_COMMAND: + errcode = AddModule(moduleName, libFile, ciphers, mechanisms, secmodString); + break; + case CHANGEPW_COMMAND: + errcode = ChangePW(tokenName, pwFile, newpwFile); + break; + case CREATE_COMMAND: +- /* The work was already done in init_crypto() */ ++ errcode = InitPW(); + break; + case DEFAULT_COMMAND: + errcode = SetDefaultModule(moduleName, slotName, mechanisms); + break; + case DELETE_COMMAND: + errcode = DeleteModule(moduleName); + break; + case DISABLE_COMMAND: +diff --git a/cmd/modutil/modutil.h b/cmd/modutil/modutil.h +--- a/cmd/modutil/modutil.h ++++ b/cmd/modutil/modutil.h +@@ -24,16 +24,17 @@ + Error LoadMechanismList(void); + Error FipsMode(char *arg); + Error ChkFipsMode(char *arg); + Error AddModule(char *moduleName, char *libFile, char *ciphers, + char *mechanisms, char *modparms); + Error DeleteModule(char *moduleName); + Error ListModule(char *moduleName); + Error ListModules(); ++Error InitPW(void); + Error ChangePW(char *tokenName, char *pwFile, char *newpwFile); + Error EnableModule(char *moduleName, char *slotName, PRBool enable); + Error RawAddModule(char *dbmodulespec, char *modulespec); + Error RawListModule(char *modulespec); + Error SetDefaultModule(char *moduleName, char *slotName, char *mechanisms); + Error UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms); + void out_of_memory(void); + +diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c +--- a/cmd/modutil/pk11.c ++++ b/cmd/modutil/pk11.c +@@ -665,16 +665,49 @@ loser: + if (module) { + SECMOD_DestroyModule(module); + } + return rv; + } + + /************************************************************************ + * ++ * I n i t P W ++ */ ++Error ++InitPW(void) ++{ ++ PK11SlotInfo *slot; ++ Error ret = UNSPECIFIED_ERR; ++ ++ slot = PK11_GetInternalKeySlot(); ++ if (!slot) { ++ PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], "internal"); ++ return NO_SUCH_TOKEN_ERR; ++ } ++ ++ /* Set the initial password to empty */ ++ if (PK11_NeedUserInit(slot)) { ++ if (PK11_InitPin(slot, NULL, "") != SECSuccess) { ++ PR_fprintf(PR_STDERR, errStrings[INITPW_FAILED_ERR]); ++ ret = INITPW_FAILED_ERR; ++ goto loser; ++ } ++ } ++ ++ ret = SUCCESS; ++ ++loser: ++ PK11_FreeSlot(slot); ++ ++ return ret; ++} ++ ++/************************************************************************ ++ * + * C h a n g e P W + */ + Error + ChangePW(char *tokenName, char *pwFile, char *newpwFile) + { + char *oldpw = NULL, *newpw = NULL, *newpw2 = NULL; + PK11SlotInfo *slot; + Error ret = UNSPECIFIED_ERR; +diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh +--- a/tests/tools/tools.sh ++++ b/tests/tools/tools.sh +@@ -492,27 +492,41 @@ SIGNSCRIPT + + echo "$SCRIPTNAME: Show who signed xpi ------------------------------" + echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}" + ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR} + html_msg $? 0 "Show who signed xpi (signtool -w)" + + } + ++tools_modutil() ++{ ++ echo "$SCRIPTNAME: Test if DB created by modutil -create is initialized" ++ mkdir -p ${R_TOOLSDIR}/moddir ++ modu -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1 ++ ret=$? ++ ${BINDIR}/certutil -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \ ++ -x -t ',,' -z "${R_NOISE_FILE}" ++ ret=$? ++ html_msg $ret 0 "Test if DB created by modutil -create is initialized" ++ check_tmpfile ++} ++ + ############################## tools_cleanup ########################### + # local shell function to finish this script (no exit since it might be + # sourced) + ######################################################################## + tools_cleanup() + { + html "
" + cd ${QADIR} + . common/cleanup.sh + } + + ################## main ################################################# + + tools_init + tools_p12 + tools_sign ++tools_modutil + tools_cleanup + + + diff --git a/nss-sql-3-1395495-b.patch b/nss-sql-3-1395495-b.patch new file mode 100644 index 0000000..9f4a1dc --- /dev/null +++ b/nss-sql-3-1395495-b.patch @@ -0,0 +1,33 @@ + +# HG changeset patch +# User Daiki Ueno +# Date 1505742679 -7200 +# Node ID 70109a01ce53328b511aaa6c839593a3282cb725 +# Parent 279b257c6433f1972d49c529247e6ed2633b979f +Bug 1395495, bustage fix, Don't use the modu function from cert.sh, r=kaie + +diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh +--- a/tests/tools/tools.sh ++++ b/tests/tools/tools.sh +@@ -496,17 +496,19 @@ SIGNSCRIPT + html_msg $? 0 "Show who signed xpi (signtool -w)" + + } + + tools_modutil() + { + echo "$SCRIPTNAME: Test if DB created by modutil -create is initialized" + mkdir -p ${R_TOOLSDIR}/moddir +- modu -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1 ++ # copied from modu function in cert.sh ++ # echo is used to press Enter expected by modutil ++ echo | ${BINDIR}/modutil -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1 + ret=$? + ${BINDIR}/certutil -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \ + -x -t ',,' -z "${R_NOISE_FILE}" + ret=$? + html_msg $ret 0 "Test if DB created by modutil -create is initialized" + check_tmpfile + } + + diff --git a/nss.spec b/nss.spec index f8d5a50..d989f22 100644 --- a/nss.spec +++ b/nss.spec @@ -9,7 +9,7 @@ Name: nss Version: 3.33.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -98,6 +98,15 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Patch59: nss-check-policy-file.patch Patch62: nss-skip-util-gtest.patch +# rhbz#1505487, backport several upstream fixes from upstream NSS 3.34 +Patch71: nss-sql-1-1403691-a.patch +Patch72: nss-sql-1-1403691-b.patch +Patch73: nss-sql-2-1382278-a.patch +Patch74: nss-sql-2-1382278-b.patch +Patch75: nss-sql-3-1395495-a.patch +Patch76: nss-sql-3-1395495-b.patch + + %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and @@ -180,6 +189,14 @@ low level services. pushd nss %patch59 -p1 -b .check_policy_file %patch62 -p1 -b .skip_util_gtest + +%patch71 -p1 -b .1403691-a +%patch72 -p1 -b .1403691-b +%patch73 -p1 -b .1382278-a +%patch74 -p1 -b .1382278-b +%patch75 -p1 -b .1395495-a +%patch76 -p1 -b .1395495-b + popd ######################################################### @@ -755,6 +772,9 @@ done %changelog +* Tue Oct 24 2017 Kai Engert - 3.33.0-3 +- rhbz#1505487, backport upstream fixes required for rhbz#1496560 + * Tue Oct 3 2017 Daiki Ueno - 3.33.0-2 - Update to NSS 3.33.0