Merge ~lucaskanashiro/ubuntu/+source/nss:merge-focal into ubuntu/+source/nss:debian/sid

Proposed by Lucas Kanashiro
Status: Merged
Approved by: Christian Ehrhardt
Approved revision: 3d3a453069c5b125047697ea9b9a9d48ad4d82af
Merge reported by: Christian Ehrhardt
Merged at revision: 3d3a453069c5b125047697ea9b9a9d48ad4d82af
Proposed branch: ~lucaskanashiro/ubuntu/+source/nss:merge-focal
Merge into: ubuntu/+source/nss:debian/sid
Diff against target: 361 lines (+230/-2)
6 files modified
debian/changelog (+173/-0)
debian/control (+3/-1)
debian/libnss3.links (+3/-0)
debian/patches/disable_fips_enabled_read.patch (+49/-0)
debian/patches/series (+1/-0)
debian/rules (+1/-1)
Reviewer            | Review Type | Date Requested | Status
Christian Ehrhardt  | community   |                | Approve
Canonical Server    |             |                | Pending
Review via email: mp+375115@code.launchpad.net

This proposal supersedes a proposal from 2019-10-31.

Description of the change

Merge version 2:3.47-1 from Debian. The delta from version 2:3.45-1ubuntu2 was applied on top of this new release:

* d/libnss3.links: make freebl3 available as library
* d/control: add dh-exec to Build-Depends
* d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
* Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library.

According to upstream release notes the library in this new release is compatible with the version we have in the archive, so the version bump should not be a problem.
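The fourth remaining-changes item (disabling the read of the kernel fips_enabled flag) is easiest to reason about as a decision function. The following is an added example, not code from the nss package or from this merge: it models the logic of getFIPSMode() in nss/lib/sysinit/nsssysinit.c as the preview diff shows it, with the /proc path and the environment value passed in as parameters so the two builds (unpatched, which reads the kernel flag, and patched, which never opens the file and only honours an explicit environment request) can be compared on constructed input. The function names, the parameterised path and the use of the string "1" for the environment request are assumptions of this example; the real environment variable NSS consults is not named on the page.

```c
/*
 * Added example (not part of the nss package or this merge proposal).
 * Models the FIPS-mode decision that disable_fips_enabled_read.patch
 * changes: unpatched NSS reads /proc/sys/crypto/fips_enabled and enters
 * FIPS mode when the first byte is '1'; the patched build compiles the
 * fopen() out, so f stays NULL and only the environment fallback remains.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kernel flag check. Returns 1 (FIPS requested), 0 (not requested) or
 * -1 when the file cannot be opened, which is the "no proc flag" case
 * that the hunk's comment says falls back to the environment. A file
 * that opens but yields no byte is treated as not-FIPS here (a choice
 * made for this example). */
static int read_kernel_fips_flag(const char *path)
{
    FILE *f = fopen(path, "r");
    char d;
    size_t size;

    if (!f)
        return -1;
    size = fread(&d, 1, 1, f);
    fclose(f);
    if (size != 1)
        return 0;
    return d == '1';
}

/* Explicit request. env_value stands in for the (hypothetical) variable
 * value an operator would set; "1" means FIPS mode is wanted. */
static int env_requests_fips(const char *env_value)
{
    return env_value != NULL && strcmp(env_value, "1") == 0;
}

/*
 * read_proc != 0 models the unpatched build, 0 the patched one.
 * Returns 1 when the library would enter FIPS mode, else 0.
 */
int fips_mode_decision(int read_proc, const char *proc_path, const char *env_value)
{
    if (read_proc) {
        int flag = read_kernel_fips_flag(proc_path);
        if (flag >= 0)
            return flag;            /* a readable kernel flag decides */
    }
    return env_requests_fips(env_value);
}

/* Helper for the demonstration: writes constructed fips_enabled content
 * to a file standing in for /proc/sys/crypto/fips_enabled. Returns 0 on
 * success, 1 on failure. */
int write_fake_fips_file(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return 1;
    fputs(content, f);
    fclose(f);
    return 0;
}

int main(void)
{
    const char *flag = "/tmp/fips_example_enabled";   /* constructed input */
    if (write_fake_fips_file(flag, "1\n") != 0)
        return 1;
    printf("unpatched, kernel flag 1, no env request: %d\n",
           fips_mode_decision(1, flag, NULL));
    printf("patched,   kernel flag 1, no env request: %d\n",
           fips_mode_decision(0, flag, NULL));
    printf("patched,   kernel flag 1, env requests:   %d\n",
           fips_mode_decision(0, flag, "1"));
    return 0;
}
```

The contrast the model makes visible is the one the changelog entry relies on: a host with fips_enabled=1 flips the unpatched library into FIPS mode for every process that loads it, while the patched library changes mode only when asked to through the environment.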

Lucas Kanashiro (lucaskanashiro) wrote :

The package builds fine and it was uploaded to this PPA: https://launchpad.net/~lucaskanashiro/+archive/ubuntu/focal-nss-merge/

Christian Ehrhardt  (paelzer) wrote :

Recommendation: switch on non-x86 architectures on the PPA to not hit late surprises on upload

Christian Ehrhardt  (paelzer) wrote :

build - ok
retained delta - ok (nothing upstreamable, not sure why debian dislikes freebl3)
changelog - ok

Christian Ehrhardt  (paelzer) wrote :

It has quite a long list of reverse dependencies which makes this dangerous.
I agree that we don't see a bump of the major number of the lib, so it might be working out well.

I was checking
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes

It is a bit tricky: there were significant TLS changes announced for 3.47 in the 3.46 doc, only to be listed still as future in the 3.47 release notes.

It also contains the statement you probably meant, that it should be compatible.
Yeah, it seems safe in that regard.

Christian Ehrhardt  (paelzer) wrote :

But the notes also contain:
  "The HG tag is NSS_3_47_RTM. NSS 3.47 requires NSPR 4.23 or newer."

Well at least in f-proposed that is ok:
 libnspr4 | 2:4.23-1 | focal-proposed | amd64, arm64, armhf, i386, ppc64el, s390x

Christian Ehrhardt  (paelzer) wrote :

Yeah, overall this LGTM.
Be prepared that due to the longer list of dependencies there might be more potential hiccups in tests. But that won't change, so if you are ok it can be sponsored.

review: Approve
Lucas Kanashiro (lucaskanashiro) wrote :

> Recommendation: switch on non-x86 architectures on the PPA to not hit late
> surprises on upload

Thanks for the heads up Christian. Do you usually build packages for all architectures? Or do you have a small set that is "more valuable" in general?

Lucas Kanashiro (lucaskanashiro) wrote :

> Yeah, overall this LGTM.
> Be prepared that due to the longer list of dependencies there might be more
> potential hiccups in tests. But that won't change, so if you are ok it can be
> sponsored.

I am ok with it, could you please sponsor it?

Christian Ehrhardt  (paelzer) wrote :

I usually build all that the main archive builds for: amd64, i386, armhf, arm64, ppc64el, s390x, as those are the ones that should work well on the actual upload.
No one cares about e.g. "powerpc" anymore these days.

As agreed, sponsoring ...

Christian Ehrhardt  (paelzer) wrote :

Tagged and uploaded to Focal

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/nss
 * [new tag] upload/2%3.47-1ubuntu1 -> upload/2%3.47-1ubuntu1

And I see https://launchpad.net/ubuntu/+source/nss/2:3.47-1ubuntu1 started building

Christian Ehrhardt  (paelzer) wrote :

This is in the release pocket

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 4e90a94..6acea72 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,14 @@
6+nss (2:3.47-1ubuntu1) focal; urgency=medium
7+
8+ * Merge with Debian unstable. Remaining changes:
9+ - d/libnss3.links: make freebl3 available as library (LP #1744328)
10+ - d/control: add dh-exec to Build-Depends
11+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
12+ - Disable reading fips_enabled flag in FIPS mode. libnss is
13+ not a FIPS certified library. (LP #1837734)
14+
15+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 31 Oct 2019 16:18:35 -0300
16+
17 nss (2:3.47-1) unstable; urgency=medium
18
19 * New upstream release.
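Review bot: The bug references in the remaining-changes items on lines 9 and 13 use the non-closing form "LP #1744328" and "LP #1837734", whereas the 2:3.45-1ubuntu2 entry that introduced the FIPS change used the closing form "LP: #1837734". For a merge entry that carries forward already-landed changes the non-closing form is the right one, since only "LP: #NNNN" makes Launchpad auto-close the bug; just confirm the variation is deliberate, as the two forms are mixed across the file.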
20@@ -5,6 +16,22 @@ nss (2:3.47-1) unstable; urgency=medium
21
22 -- Mike Hommey <glandium@debian.org> Wed, 23 Oct 2019 11:19:59 +0900
23
24+nss (2:3.45-1ubuntu2) eoan; urgency=medium
25+
26+ * Disable reading fips_enabled flag in FIPS mode. libnss is
27+ not a FIPS certified library. (LP: #1837734)
28+
29+ -- Vineetha Kamath <vineetha.hari.pai@canonical.com> Tue, 23 Jul 2019 20:58:12 +0000
30+
31+nss (2:3.45-1ubuntu1) eoan; urgency=low
32+
33+ * Merge from Debian unstable. Remaining changes:
34+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
35+ - d/control: add dh-exec to Build-Depends
36+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
37+
38+ -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 11 Jul 2019 11:49:44 +0200
39+
40 nss (2:3.45-1) unstable; urgency=medium
41
42 * New upstream release.
43@@ -53,6 +80,28 @@ nss (2:3.42.1-1) unstable; urgency=medium
44
45 -- Mike Hommey <glandium@debian.org> Wed, 13 Feb 2019 13:19:39 +0900
46
47+nss (2:3.42-1ubuntu2) disco; urgency=medium
48+
49+ * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
50+ - debian/patches/CVE-2018-18508-1.patch: add null checks in
51+ nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c,
52+ nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c,
53+ nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
54+ - debian/patches/CVE-2018-18508-2.patch: add null checks in
55+ nss/lib/smime/cmsmessage.c.
56+ - CVE-2018-18508
57+
58+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 Feb 2019 12:04:49 +0100
59+
60+nss (2:3.42-1ubuntu1) disco; urgency=medium
61+
62+ * Merge with Debian unstable (LP: #1813593). Remaining changes:
63+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
64+ - d/control: add dh-exec to Build-Depends
65+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
66+
67+ -- Karl Stenerud <kstenerud@gmail.com> Mon, 04 Feb 2019 11:03:32 +0100
68+
69 nss (2:3.42-1) unstable; urgency=medium
70
71 * New upstream release.
72@@ -71,6 +120,18 @@ nss (2:3.40-1) unstable; urgency=medium
73
74 -- Mike Hommey <glandium@debian.org> Fri, 02 Nov 2018 14:44:19 +0900
75
76+nss (2:3.39-1ubuntu1) disco; urgency=medium
77+
78+ * Merge with Debian unstable. Remaining changes (LP: #1803707):
79+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
80+ - d/control: add dh-exec to Build-Depends
81+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
82+ * Dropped changes:
83+ - d/rules: when building with -O3 on ppc64el this FTBFS, build with
84+ -Wno-error=maybe-uninitialized to avoid that
85+
86+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Nov 2018 14:27:39 +0100
87+
88 nss (2:3.39-1) unstable; urgency=medium
89
90 * New upstream release.
91@@ -103,6 +164,23 @@ nss (2:3.37-1) unstable; urgency=medium
92
93 -- Mike Hommey <glandium@debian.org> Mon, 14 May 2018 07:15:21 +0900
94
95+nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium
96+
97+ * Merge with Debian unstable. Remaining changes:
98+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
99+ - d/control: add dh-exec to Build-Depends
100+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
101+ - d/rules: when building with -O3 on ppc64el this FTBFS, build with
102+ -Wno-error=maybe-uninitialized to avoid that
103+ * Dropped changes:
104+ - revert switching to SQL default format (LP: 1746947) Dropping this
105+ adresses (LP: #1747411) and effectively means we now switch to the new
106+ default format after we ensured all depending packages are ready.
107+ * Added changes:
108+ - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el
109+
110+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 May 2018 17:08:46 +0200
111+
112 nss (2:3.36.1-1) unstable; urgency=medium
113
114 * New upstream release.
115@@ -116,6 +194,25 @@ nss (2:3.36-1) unstable; urgency=medium
116
117 -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900
118
119+nss (2:3.35-2ubuntu2) bionic; urgency=medium
120+
121+ * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the
122+ default is still causing too much issues in consumers of nss.
123+ So until resolved revert the switched default (LP: #1746947)
124+
125+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 05 Feb 2018 11:36:07 +0100
126+
127+nss (2:3.35-2ubuntu1) bionic; urgency=medium
128+
129+ * Merge with Debian unstable. Remaining changes:
130+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
131+ * Added Changes:
132+ - d/libnss3.links: make freebl3 available as library (LP: #1744328)
133+ + d/control: add dh-exec to Build-Depends
134+ + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
135+
136+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 30 Jan 2018 14:04:20 +0100
137+
138 nss (2:3.35-2) unstable; urgency=medium
139
140 * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.
141@@ -134,6 +231,13 @@ nss (2:3.34.1-1) unstable; urgency=medium
142
143 -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900
144
145+nss (2:3.34-1ubuntu1) bionic; urgency=medium
146+
147+ * Merge with Debian; remaining changes:
148+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
149+
150+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 14 Dec 2017 09:18:47 -0500
151+
152 nss (2:3.34-1) unstable; urgency=medium
153
154 * New upstream release:
155@@ -158,6 +262,28 @@ nss (2:3.32-2) unstable; urgency=medium
156
157 -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900
158
159+nss (2:3.32-1ubuntu3) artful; urgency=medium
160+
161+ * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes
162+ - debian/patches/CVE-2017-7805.patch: Simplify handling of
163+ CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h.
164+ - CVE-2017-7805
165+
166+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Sep 2017 12:17:39 -0400
167+
168+nss (2:3.32-1ubuntu2) artful; urgency=medium
169+
170+ * Initialise curve variable in a test file, resolves FTBFS.
171+
172+ -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 24 Aug 2017 07:21:27 -0400
173+
174+nss (2:3.32-1ubuntu1) artful; urgency=medium
175+
176+ * Merge with Debian; remaining changes:
177+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
178+
179+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 23 Aug 2017 13:09:20 -0400
180+
181 nss (2:3.32-1) unstable; urgency=medium
182
183 * New upstream release.
184@@ -217,6 +343,39 @@ nss (2:3.27.1-1) experimental; urgency=medium
185
186 -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900
187
188+nss (2:3.28.4-0ubuntu2) artful; urgency=medium
189+
190+ * SECURITY UPDATE: DoS via empty SSLv2 messages
191+ - debian/patches/CVE-2017-7502.patch: reject broken v2 records in
192+ nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h,
193+ added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc,
194+ nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn,
195+ nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
196+ - CVE-2017-7502
197+
198+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 16 Jun 2017 08:12:38 -0400
199+
200+nss (2:3.28.4-0ubuntu1) artful; urgency=medium
201+
202+ * Updated to upstream 3.28.4 to fix security issues and get a new CA
203+ certificate bundle.
204+ * SECURITY UPDATE: DES and Triple DES ciphers birthday attack
205+ - CVE-2016-2183
206+ * SECURITY UPDATE: out-of-bounds write in Base64 decoding
207+ - CVE-2017-5461
208+ * debian/patches/*.patch: refreshed for new version.
209+ * debian/control: bump libnspr4-dev to 4.13.1.
210+ * debian/libnss3.symbols: added new symbols.
211+
212+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 27 Apr 2017 13:13:44 -0400
213+
214+nss (2:3.26.2-1ubuntu1) zesty; urgency=medium
215+
216+ * Merge with Debian; remaining changes:
217+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
218+
219+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 02 Dec 2016 08:48:03 -0500
220+
221 nss (2:3.26.2-1) unstable; urgency=medium
222
223 * New upstream release.
224@@ -230,6 +389,13 @@ nss (2:3.26-2) unstable; urgency=medium
225
226 -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900
227
228+nss (2:3.26-1ubuntu1) yakkety; urgency=medium
229+
230+ * Merge with Debian; remaining changes:
231+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
232+
233+ -- Matthias Klose <doko@ubuntu.com> Tue, 06 Sep 2016 14:39:56 +0200
234+
235 nss (2:3.26-1) unstable; urgency=medium
236
237 * New upstream release.
238@@ -244,6 +410,12 @@ nss (2:3.26-1) unstable; urgency=medium
239
240 -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900
241
242+nss (2:3.25-1ubuntu1) yakkety; urgency=medium
243+
244+ * When building with -O3, build with -Wno-error=maybe-uninitialized.
245+
246+ -- Matthias Klose <doko@ubuntu.com> Thu, 04 Aug 2016 11:36:54 +0200
247+
248 nss (2:3.25-1) unstable; urgency=medium
249
250 * New upstream release.
251@@ -275,6 +447,7 @@ nss (2:3.21-1.1) unstable; urgency=medium
252 * Fix FTBFS on hppa. Closes: #808990
253
254 -- Adam Borowski <kilobyte@angband.pl> Sun, 14 Feb 2016 14:46:40 +0100
255+
256 nss (2:3.21-1) unstable; urgency=medium
257
258 * New upstream release.
259diff --git a/debian/control b/debian/control
260index 90afcdc..54c1ae6 100644
261--- a/debian/control
262+++ b/debian/control
263@@ -1,9 +1,11 @@
264 Source: nss
265 Section: libs
266 Priority: optional
267-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
268+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
269+XSBC-Original-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
270 Uploaders: Mike Hommey <glandium@debian.org>
271 Build-Depends: debhelper (>= 9.20160403),
272+ dh-exec,
273 dpkg-dev (>= 1.17.14),
274 libnspr4-dev (>= 2:4.12),
275 zlib1g-dev,
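Review bot: The libnspr4-dev lower bound on line 274 is left at (>= 2:4.12), while the 3.47 release notes quoted in the review discussion state that NSS 3.47 requires NSPR 4.23 or newer; the Build-Depends should carry that minimum (the 2:3.28.4-0ubuntu1 entry in the changelog bumped it for the same reason), or the MP should record that the line is intentionally kept as Debian ships it because it is outside the Ubuntu delta. The Maintainer / XSBC-Original-Maintainer swap and the dh-exec build-dependency on line 272 look correct.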
276diff --git a/debian/libnss3.links b/debian/libnss3.links
277new file mode 100755
278index 0000000..717ff94
279--- /dev/null
280+++ b/debian/libnss3.links
281@@ -0,0 +1,3 @@
282+#!/usr/bin/dh-exec
283+usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so
284+usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.so
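Review bot: These two links publish libfreebl3.so and libfreeblpriv3.so from the private nss/ directory into the public multiarch library path, so any package can link or dlopen them without any ABI commitment from upstream, which is the likely reason Debian does not ship them (the question raised in the review above). The new file mode 100755 is required for the "#!/usr/bin/dh-exec" line to be executed and is set. It would help future merges to record, in the changelog item or a comment in this file, which reverse dependency from LP #1744328 still needs the public path, so the delta can be dropped when it no longer does.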
285diff --git a/debian/patches/disable_fips_enabled_read.patch b/debian/patches/disable_fips_enabled_read.patch
286new file mode 100644
287index 0000000..7a87954
288--- /dev/null
289+++ b/debian/patches/disable_fips_enabled_read.patch
290@@ -0,0 +1,49 @@
291+commit 16996a9156c9ff2924bdb19ff43d40617a41c912
292+Author: Vineetha Kamath <vineetha.hari.pai@canonical.com>
293+Date: Tue Jul 23 15:32:32 2019 -0400
294+
295+From: Vineetha Kamath<vineetha.hari.pai@canonical.com>
296+Decription: Disable libgcrypt reading /proc/sys/crypto/fips_enabled
297+file and going into FIPS mode. libnss is not a FIPS
298+certified library.
299+Bug-Ubuntu: http://bugs.launchpad.net/bugs/1837734
300+Forwarded: not-needed
301+
302+diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
303+index 22f9781..8433377 100644
304+--- a/nss/lib/freebl/nsslowhash.c
305++++ b/nss/lib/freebl/nsslowhash.c
306+@@ -27,11 +27,13 @@ static int
307+ nsslow_GetFIPSEnabled(void)
308+ {
309+ #ifdef LINUX
310+- FILE *f;
311++ FILE *f = NULL;
312+ char d;
313+ size_t size;
314+
315++#if 0
316+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
317++#endif
318+ if (!f)
319+ return 0;
320+
321+diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
322+index bd0fac2..81f9b17 100644
323+--- a/nss/lib/sysinit/nsssysinit.c
324++++ b/nss/lib/sysinit/nsssysinit.c
325+@@ -168,11 +168,13 @@ getFIPSEnv(void)
326+ static PRBool
327+ getFIPSMode(void)
328+ {
329+- FILE *f;
330++ FILE *f = NULL;
331+ char d;
332+ size_t size;
333+
334++#if 0
335+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
336++#endif
337+ if (!f) {
338+ /* if we don't have a proc flag, fall back to the
339+ * environment variable */
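Review bot: The DEP-3 header has two defects: "Decription:" on line 296 should be "Description:", and the text says "Disable libgcrypt reading /proc/sys/crypto/fips_enabled" although the patched files are NSS (nss/lib/freebl/nsslowhash.c and nss/lib/sysinit/nsssysinit.c), not libgcrypt. The header also mixes a git "commit/Author/Date" block with DEP-3 fields; the commit lines should go, with "Origin:" or "Last-Update:" added if wanted. On behaviour: with the fopen() compiled out under "#if 0" and f initialised to NULL, getFIPSMode() always takes the "if (!f)" branch and falls back to the environment variable (context lines 337 to 339), so FIPS mode can still be requested explicitly; the Description should state that only the automatic kernel-flag detection is disabled, not FIPS mode as such. Keeping the dead fopen() under "#if 0" rather than deleting it is acceptable for a non-upstreamable delta as it keeps the hunks minimal.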
340diff --git a/debian/patches/series b/debian/patches/series
341index c1bd63f..3f8bf6a 100644
342--- a/debian/patches/series
343+++ b/debian/patches/series
344@@ -2,3 +2,4 @@
345 80_security_tools.patch
346 85_security_load.patch
347 38_hppa.patch
348+disable_fips_enabled_read.patch
349diff --git a/debian/rules b/debian/rules
350index ec951d3..b4c7302 100755
351--- a/debian/rules
352+++ b/debian/rules
353@@ -175,7 +175,7 @@ override_dh_strip:
354
355 ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
356 # Check FIPS mode correctly works
357- mkdir debian/tmp
358+ mkdir -p debian/tmp
359 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null
360 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null
361 endif
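Review bot: "mkdir -p debian/tmp" on line 358 tolerates the directory that dh-exec has already created, but it also tolerates a stale NSS database from an earlier build in the same tree, and "modutil -create" on a -dbdir that already holds a database will not behave like the clean-build case. Creating a fresh directory for the check (remove it first, or use a temporary directory) would make the step independent of the tree's state. Worth knowing when reading the "Check FIPS mode correctly works" comment on line 356: with disable_fips_enabled_read.patch applied this check exercises only the explicit "modutil -fips true" toggle and never the /proc/sys/crypto/fips_enabled path, which matches the intent of the patch.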
