Bug 650197 - Update an expired test certificate

- Fix invalid %postun scriptlet (#639248)

.gitignore

@@ -1,4 +1,4 @@
-nss-3.12.7-stripped.tar.bz2
+nss-3.12.8-stripped.tar.bz2
 nss-pem-20100809.tar.bz2
 blank-cert8.db
 blank-key3.db

nss.spec

@@ -1,13 +1,11 @@
 %global nspr_version 4.8.6
-%global nss_util_version 3.12.7
-%global nss_util_build_version 3.12.6
-%global nss_softokn_version 3.12.6
-%global nss_softokn_build_version 3.12.6
+%global nss_util_version 3.12.8
+%global nss_softokn_version 3.12.8
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.12.7
+Version:          3.12.8
 Release:          3%{?dist}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
@@ -18,8 +16,8 @@ Requires:         nss-softokn%{_isa} >= %{nss_softokn_version}
 Requires:         nss-system-init
 BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:    nspr-devel >= %{nspr_version}
-BuildRequires:    nss-softokn-devel >= %{nss_softokn_build_version}                                                  
-BuildRequires:    nss-util-devel >= %{nss_util_build_version}
+BuildRequires:    nss-softokn-devel >= %{nss_softokn_version}
+BuildRequires:    nss-util-devel >= %{nss_util_version}
 BuildRequires:    sqlite-devel
 BuildRequires:    zlib-devel
 BuildRequires:    pkgconfig
@@ -102,6 +100,7 @@ Header and Library files for doing development with Network Security Services.
 %package pkcs11-devel
 Summary:          Development libraries for PKCS #11 (Cryptoki) using NSS
 Group:            Development/Libraries
+Provides:         nss-pkcs11-devel-static = %{version}-%{release}
 Requires:         nss-devel = %{version}-%{release}
 
 %description pkcs11-devel
@@ -369,15 +368,15 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 %clean
 %{__rm} -rf $RPM_BUILD_ROOT
 
+%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
+# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
+# from previous versions of nss.spec
+/usr/bin/setup-nsssysinit.sh on
+
 %post -p /sbin/ldconfig
 
 %postun -p /sbin/ldconfig
 
-%post sysinit
-%{_bindir}/setup-nsssysinit.sh on
-
-%preun sysinit
-%{_bindir}/setup-nsssysinit.sh off
 
 %files
 %defattr(-,root,root)
@@ -491,13 +490,44 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 %{_libdir}/libnssckfw.a
 
 %changelog
+* Fri Nov 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-3
+- Update test certificate which had expired (#650197)
+
+* Wed Oct 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-2
+- Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248)
+
+* Tue Oct 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-1
+- Update to 3.12.8
+- Fix invalid %postun scriptlet (#639248)
+
+* Thu Sep 30 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-9
+- Fix version on triggerpostun scriplet (#636787)
+
+* Wed Sep 29 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-8
+- Replace posttrans sysinit scriptlet with a triggerpostun one (#636787)
+- Fix and cleanup the setup-nsssysinit.sh script (#636792, #636801)
+
+* Tue Sep 28 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-7
+- Prevent of nss-sysinit disabling on package upgrade (#636787)
+- Create pkcs11.txt with correct permissions regardless of umask (#636792) 
+- Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801)
+- Add provides nss-pkcs11-devel-static to comply with packaging guidelines (#609612)
+
+* Sun Sep 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-6
+- Remove {nss_util|nss_softokn}_build_version, BuildRequires must match Requires
+
+* Sat Sep 11 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-5
+- Bump nss_util_build_version and nss_softokn_build_version to 3.12.7
+
+* Mon Sep 07 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-4
+- Fix unclosed comment in renegotiate-transitional.patch
+
 * Sat Aug 28 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-3
 - Change BuildRequries to available version of nss-util-devel
 
-%changelog
 * Sat Aug 28 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-2
 - Define NSS_USE_SYSTEM_SQLITE and remove unneeded patch
-- Add comments regarding an unverioned provides which triggers rpmlint warning
+- Add comments regarding an unversioned provides which triggers rpmlint warning
 - Build requires nss-softokn-devel >= 3.12.7
 
 * Mon Aug 16 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-1
@@ -520,8 +550,6 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 
 * Tue Jun 08 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-7
 - Require nss-softoken 3.12.6
-
-* Sun Jun 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-6
 - Fix SIGSEGV within CreateObject (#596674)
 
 * Sat Apr 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-5
@@ -537,77 +565,64 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 - Add sed to sysinit requires as setup-nsssysinit.sh requires it (#576071)
 - Update PayPalEE test cert with unexpired one (#580207)
 
-* Thu Mar 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-2
-- Fix ns.spec to not require nss-softokn (#575001)
+* Fri Mar 19 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-2
+- Fix nss.pc to not require nss-softokn (#575001)
 
 * Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1.2
-- rebuilt with all tests enabled
+- Rebuilt with all tests enabled
 
 * Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1.1
-- Using SSL_RENEGOTIATE_TRANSITIONAL as default while on transition period
-- Disabling ssl tests suites until bug 539183 is resolved
-
-* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1
 - Update to 3.12.6
-- Reactivate all tests
+- Using SSL_RENEGOTIATE_TRANSITIONAL as default while on transition period
 - Patch tools to validate command line options arguments
 
 * Mon Jan 25 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-8
 - Fix curl related regression and general patch code clean up
 
-* Wed Jan 13 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-5
--  retagging
+* Wed Jan 13 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-7
+- Retagged
 
-* Tue Jan 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-1.1
+* Wed Jan 13 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-6
+- retagging
+
+* Tue Jan 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-2.1
 - Fix SIGSEGV on call of NSS_Initialize (#553638)
 
-* Wed Jan 06 2010 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13.2
-- New version of patch to allow root to modify ystem database (#547860)
+* Wed Jan 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-2
+- bump release number and rebuild
 
-* Thu Dec 31 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13.1
-- Temporarily disabling the ssl tests
-
-* Sat Dec 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13
+* Wed Jan 06 2010 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.14
 - Fix nsssysinit to allow root to modify the nss system database (#547860)
 
-* Fri Dec 25 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.11
-- Fix an error introduced when adapting the patch for rhbz #546211
+* Wed Jan 06 2010 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.12.1
+- Temporarily disabling the ssl tests until Bug 539183 is resolved
 
-* Sat Dec 19 2009 Elio maldonado<emaldona@redhat.com> - 3.12.5-1.9
-- Remove left over trace statements from nsssysinit patching
+* Sat Dec 25 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.11
+- Fix an error introduced when adapting the patch for 546211
 
-* Fri Dec 18 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-2.7
-- Fix a misconstructed patch
+* Sat Dec 19 2009 Elio maldonado<emaldona@redhat.com> - 3.12.5-1.10
+- Remove some left over trace statements from nsssysinit patching
 
-* Thu Dec 17 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.6
-- Fix nsssysinit to enable apps to use system cert store, patch contributed by David Woodhouse (#546221)
-- Fix spec so sysinit requires coreutils for post install scriplet (#547067)
-- Fix segmentation fault when listing keys or certs in the database, patch contributed by Kamil Dudka (#540387)
-
-* Thu Dec 10 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.5
+* Thu Dec 17 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.8
 - Fix nsssysinit to set the default flags on the crypto module (#545779)
+- Fix nsssysinit to enable apps to use the system cert store, patch contributed by David Woodhouse (#546221)
+- Fix segmentation fault when listing keys or certs in the database, patch contributed by Kamil Dudka (#540387)
+- Sysinit requires coreutils for post install scriplet (#547067)
 - Remove redundant header from the pem module
 
-* Wed Dec 09 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.1
+* Wed Dec 09 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-2.1
 - Remove unneeded patch
 
-* Thu Dec 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.1
-- Retagging to include missing patch
-
-* Thu Dec 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1
+* Thu Dec 04 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.2
 - Update to 3.12.5
-- Patch to allow ssl/tls clients to interoperate with servers that require renogiation
+- CVE-2009-3555 TLS: MITM attacks via session renegotiation
 
-* Fri Nov 20 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-14.1
-- Retagging
+* Mon Oct 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-15
+- Require nss-softoken of same arch as nss (#527867)
 
-* Tue Oct 20 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-13.1
-- Require nss-softoken of same architecture as nss (#527867)
-- Merge setup-nsssysinit.sh improvements from F-12 (#527051)
-
-* Mon Oct 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-13
-- User no longer prompted for a password when listing keys an empty system db (#527048)
-- Fix setup-nsssysinit to handle more general formats (#527051)
+* Mon Oct 06 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-14
+- Fix bug where user was prompted for a password when listing keys on an empty system database (#527048)
+- Fix setup-nsssysinit to handle more general flags formats (#527051)
 
 * Sun Sep 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-12
 - Fix syntax error in setup-nsssysinit.sh

renegotiate-transitional.patch

@@ -1,16 +1,12 @@
-Index: ./mozilla/security/nss/lib/ssl/sslsock.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
-retrieving revision 1.66
-diff -u -p -r1.66 sslsock.c
---- ./mozilla/security/nss/lib/ssl/sslsock.c	26 Feb 2010 20:44:54 -0000	1.66
-+++ ./mozilla/security/nss/lib/ssl/sslsock.c	1 Mar 2010 18:05:10 -0000
+diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.transitional ./mozilla/security/nss/lib/ssl/sslsock.c
+--- ./mozilla/security/nss/lib/ssl/sslsock.c.transitional	2010-09-04 09:46:50.331327676 -0700
++++ ./mozilla/security/nss/lib/ssl/sslsock.c	2010-09-04 09:50:02.814325605 -0700
 @@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
      PR_FALSE,   /* noLocks            */
      PR_FALSE,   /* enableSessionTickets */
      PR_FALSE,   /* enableDeflate      */
 -    2,          /* enableRenegotiation (default: requires extension) */
-+    3,          /* enableRenegotiation (default: transitional)
++    3,          /* enableRenegotiation (default: transitional) */
      PR_FALSE,   /* requireSafeNegotiation */
+     PR_FALSE,   /* enableFalseStart   */
  };
- 

setup-nsssysinit.sh

@@ -1,24 +1,24 @@
 #!/bin/sh
 #
 # Turns on or off the nss-sysinit module db by editing the
-# global PKCS #11 congiguration file.
+# global PKCS #11 congiguration file. Displays the status.
 #
 # This script can be invoked by the user as super user.
-# It is invoked at nss-sysinit post install time with argument on
-# and at nss-sysinit pre uninstall with argument off. 
+# It is invoked at nss-sysinit post install time with argument on.
 #
 usage()
 {
   cat <<EOF
 Usage: setup-nsssysinit [on|off]
-  on  - turns on nsssysinit
-  off - turns off nsssysinit
+  on     - turns on nsssysinit
+  off    - turns off nsssysinit
+  status - reports whether nsssysinit is turned on or off
 EOF
   exit $1
 }
 
 # validate
-if test $# -eq 0; then
+if [ $# -eq 0 ]; then
   usage 1 1>&2
 fi
 
@@ -30,17 +30,26 @@ if [ ! -f $p11conf ]; then
   exit 1
 fi
 
-on="1"
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+  grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
 case "$1" in
   on | ON )
+    if sysinit_enabled; then 
+      exit 0 
+    fi
     cat ${p11conf} | \
-     sed -e 's/^library=$/library=libnsssysinit.so/' \
-         -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
-    ${p11conf}.on
+    sed -e 's/^library=$/library=libnsssysinit.so/' \
+        -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+        ${p11conf}.on
     mv ${p11conf}.on ${p11conf}
     ;;
   off | OFF )
-    if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then
+    if ! sysinit_enabled; then
       exit 0
     fi
     cat ${p11conf} | \
@@ -49,6 +58,10 @@ case "$1" in
         ${p11conf}.off
     mv ${p11conf}.off ${p11conf}
     ;;
+  status )
+    echo -n 'NSS sysinit is '
+    sysinit_enabled && echo 'enabled' || echo 'disabled'
+    ;;
   * )
     usage 1 1>&2
     ;;

sources

@@ -1,8 +1,8 @@
-8a44cbd25ca6705a08559c2bf4228eef  nss-3.12.7-stripped.tar.bz2
+248bc97cb3fd613b23d66fd1d9d8d60a  nss-3.12.8-stripped.tar.bz2
 765fa031d5affa91ab824dd981777ddf  nss-pem-20100809.tar.bz2
 a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 9315689bbd9f28ceebd47894f99fccbd  blank-key3.db
 73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-9bbc62615e6b2b22547375b5d39ddfe7  PayPalEE.cert
+f3eaeb308918aeb0748707d8780f321c  PayPalEE.cert

system-pkcs11.txt

@@ -1,5 +1,5 @@
-library=
+library=libnsssysinit.so
 name=NSS Internal PKCS #11 Module
 parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})