Merge ~lucaskanashiro/ubuntu/+source/nss:focal-merge-3.49.1-1 into ubuntu/+source/nss:debian/sid

Proposed by Lucas Kanashiro
Status: Merged
Approved by: Andreas Hasenack
Approved revision: a9ecbd25eac7c9cc2eaec18d4cd7ea68b9a21f88
Merge reported by: Andreas Hasenack
Merged at revision: a9ecbd25eac7c9cc2eaec18d4cd7ea68b9a21f88
Proposed branch: ~lucaskanashiro/ubuntu/+source/nss:focal-merge-3.49.1-1
Merge into: ubuntu/+source/nss:debian/sid
Diff against target: 437 lines (+282/-2)
7 files modified
debian/changelog (+207/-0)
debian/control (+3/-1)
debian/libnss3.links (+3/-0)
debian/patches/disable_fips_enabled_read.patch (+49/-0)
debian/patches/series (+2/-0)
debian/patches/set-tls1.2-as-minimum.patch (+17/-0)
debian/rules (+1/-1)
Reviewer            Review Type   Date Requested   Status
Canonical Server                                   Pending
Andreas Hasenack                                   Pending
Review via email: mp+377965@code.launchpad.net

Description of the change

Merge version 2:3.49.1-1 from Debian. This version fixes a FTBFS on armhf. Here are the changes:

  * New upstream release.
  * nss/lib/freebl/Makefile: Revert change from 2:3.48-1.
  * nss/coreconf/config.gypi, nss/lib/freebl/Makefile,
    nss/lib/freebl/aes-armv8.c, nss/lib/freebl/freebl.gyp,
    nss/lib/freebl/gcm-arm32-neon.c, nss/lib/freebl/gcm.c,
    nss/lib/freebl/rijndael.c: Fix freebl arm NEON code use, fixing FTBFS
    on armhf, and enabling runtime detection of NEON on armel. bz#1608327
  * Fixes CVE-2019-17023.

Our delta is kept the same:

    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is
      not a FIPS certified library. (LP #1837734)
    - Set TLSv1.2 as minimum TLS version. LP #1856428

The package builds fine on all architectures, as you can see in my PPA:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/focal-nss-merge-3.49.1-1

Andreas Hasenack (ahasenack) wrote :

+1

Andreas Hasenack (ahasenack) wrote :

Tagging and uploading a9ecbd25eac7c9cc2eaec18d4cd7ea68b9a21f88:

$ git push pkg upload/2%3.49.1-1ubuntu1
Enumerating objects: 44, done.
Counting objects: 100% (44/44), done.
Delta compression using up to 4 threads
Compressing objects: 100% (25/25), done.
Writing objects: 100% (37/37), 6.71 KiB | 312.00 KiB/s, done.
Total 37 (delta 16), reused 30 (delta 12)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/nss
 * [new tag] upload/2%3.49.1-1ubuntu1 -> upload/2%3.49.1-1ubuntu1

$ dput ubuntu ../nss_3.49.1-1ubuntu1_source.changes
Checking signature on .changes
gpg: ../nss_3.49.1-1ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../nss_3.49.1-1ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading nss_3.49.1-1ubuntu1.dsc: done.
  Uploading nss_3.49.1.orig.tar.gz: done.
  Uploading nss_3.49.1-1ubuntu1.debian.tar.xz: done.
  Uploading nss_3.49.1-1ubuntu1_source.buildinfo: done.
  Uploading nss_3.49.1-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Please check its migration, thanks.

Andreas Hasenack (ahasenack) wrote :

This migrated into focal.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index b1db982..a004ef9 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,15 @@
6+nss (2:3.49.1-1ubuntu1) focal; urgency=medium
7+
8+ * Merge with Debian unstable. Remaining changes:
9+ - d/libnss3.links: make freebl3 available as library (LP #1744328)
10+ - d/control: add dh-exec to Build-Depends
11+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
12+ - Disable reading fips_enabled flag in FIPS mode. libnss is
13+ not a FIPS certified library. (LP #1837734)
14+ - Set TLSv1.2 as minimum TLS version. LP #1856428
15+
16+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 22 Jan 2020 16:24:44 -0300
17+
18 nss (2:3.49.1-1) unstable; urgency=medium
19
20 * New upstream release.
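Review bot: In the new 2:3.49.1-1ubuntu1 entry, the two patch-carrying items ("Disable reading fips_enabled flag in FIPS mode" and "Set TLSv1.2 as minimum TLS version") do not name the files that implement them, unlike the d/libnss3.links, d/control and d/rules items. Suggest prefixing them with d/p/disable_fips_enabled_read.patch and d/p/set-tls1.2-as-minimum.patch so the next merger can map each remaining change to a file. The last item also writes its bug reference as a bare "LP #1856428" while the other items put it in parentheses; pick one form.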
21@@ -17,6 +29,18 @@ nss (2:3.49-1) unstable; urgency=medium
22
23 -- Mike Hommey <glandium@debian.org> Thu, 09 Jan 2020 13:46:11 +0900
24
25+nss (2:3.48-1ubuntu1) focal; urgency=low
26+
27+ * Merge from Debian unstable. Remaining changes:
28+ - d/libnss3.links: make freebl3 available as library (LP #1744328)
29+ - d/control: add dh-exec to Build-Depends
30+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
31+ - Disable reading fips_enabled flag in FIPS mode. libnss is
32+ not a FIPS certified library. (LP #1837734)
33+ * Set TLSv1.2 as minimum TLS version. LP: #1856428
34+
35+ -- Ubuntu Merge-o-Matic <mom@ubuntu.com> Sun, 29 Dec 2019 03:43:36 +0000
36+
37 nss (2:3.48-1) unstable; urgency=medium
38
39 * New upstream release. Closes: #947131.
40@@ -33,6 +57,26 @@ nss (2:3.47.1-1) unstable; urgency=medium
41
42 -- Mike Hommey <glandium@debian.org> Wed, 04 Dec 2019 09:00:54 +0900
43
44+nss (2:3.47-1ubuntu2) focal; urgency=medium
45+
46+ * SECURITY UPDATE: out-of-bounds write in NSC_EncryptUpdate
47+ - debian/patches/CVE-2019-11745.patch: use maxout not block size in
48+ nss/lib/softoken/pkcs11c.c.
49+ - CVE-2019-11745
50+
51+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 26 Nov 2019 08:31:39 -0500
52+
53+nss (2:3.47-1ubuntu1) focal; urgency=medium
54+
55+ * Merge with Debian unstable. Remaining changes:
56+ - d/libnss3.links: make freebl3 available as library (LP #1744328)
57+ - d/control: add dh-exec to Build-Depends
58+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
59+ - Disable reading fips_enabled flag in FIPS mode. libnss is
60+ not a FIPS certified library. (LP #1837734)
61+
62+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 31 Oct 2019 16:18:35 -0300
63+
64 nss (2:3.47-1) unstable; urgency=medium
65
66 * New upstream release.
67@@ -40,6 +84,22 @@ nss (2:3.47-1) unstable; urgency=medium
68
69 -- Mike Hommey <glandium@debian.org> Wed, 23 Oct 2019 11:19:59 +0900
70
71+nss (2:3.45-1ubuntu2) eoan; urgency=medium
72+
73+ * Disable reading fips_enabled flag in FIPS mode. libnss is
74+ not a FIPS certified library. (LP: #1837734)
75+
76+ -- Vineetha Kamath <vineetha.hari.pai@canonical.com> Tue, 23 Jul 2019 20:58:12 +0000
77+
78+nss (2:3.45-1ubuntu1) eoan; urgency=low
79+
80+ * Merge from Debian unstable. Remaining changes:
81+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
82+ - d/control: add dh-exec to Build-Depends
83+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
84+
85+ -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 11 Jul 2019 11:49:44 +0200
86+
87 nss (2:3.45-1) unstable; urgency=medium
88
89 * New upstream release.
90@@ -88,6 +148,28 @@ nss (2:3.42.1-1) unstable; urgency=medium
91
92 -- Mike Hommey <glandium@debian.org> Wed, 13 Feb 2019 13:19:39 +0900
93
94+nss (2:3.42-1ubuntu2) disco; urgency=medium
95+
96+ * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
97+ - debian/patches/CVE-2018-18508-1.patch: add null checks in
98+ nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c,
99+ nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c,
100+ nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
101+ - debian/patches/CVE-2018-18508-2.patch: add null checks in
102+ nss/lib/smime/cmsmessage.c.
103+ - CVE-2018-18508
104+
105+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 Feb 2019 12:04:49 +0100
106+
107+nss (2:3.42-1ubuntu1) disco; urgency=medium
108+
109+ * Merge with Debian unstable (LP: #1813593). Remaining changes:
110+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
111+ - d/control: add dh-exec to Build-Depends
112+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
113+
114+ -- Karl Stenerud <kstenerud@gmail.com> Mon, 04 Feb 2019 11:03:32 +0100
115+
116 nss (2:3.42-1) unstable; urgency=medium
117
118 * New upstream release.
119@@ -106,6 +188,18 @@ nss (2:3.40-1) unstable; urgency=medium
120
121 -- Mike Hommey <glandium@debian.org> Fri, 02 Nov 2018 14:44:19 +0900
122
123+nss (2:3.39-1ubuntu1) disco; urgency=medium
124+
125+ * Merge with Debian unstable. Remaining changes (LP: #1803707):
126+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
127+ - d/control: add dh-exec to Build-Depends
128+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
129+ * Dropped changes:
130+ - d/rules: when building with -O3 on ppc64el this FTBFS, build with
131+ -Wno-error=maybe-uninitialized to avoid that
132+
133+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Nov 2018 14:27:39 +0100
134+
135 nss (2:3.39-1) unstable; urgency=medium
136
137 * New upstream release.
138@@ -138,6 +232,23 @@ nss (2:3.37-1) unstable; urgency=medium
139
140 -- Mike Hommey <glandium@debian.org> Mon, 14 May 2018 07:15:21 +0900
141
142+nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium
143+
144+ * Merge with Debian unstable. Remaining changes:
145+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
146+ - d/control: add dh-exec to Build-Depends
147+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
148+ - d/rules: when building with -O3 on ppc64el this FTBFS, build with
149+ -Wno-error=maybe-uninitialized to avoid that
150+ * Dropped changes:
151+ - revert switching to SQL default format (LP: 1746947) Dropping this
152+ adresses (LP: #1747411) and effectively means we now switch to the new
153+ default format after we ensured all depending packages are ready.
154+ * Added changes:
155+ - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el
156+
157+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 May 2018 17:08:46 +0200
158+
159 nss (2:3.36.1-1) unstable; urgency=medium
160
161 * New upstream release.
162@@ -151,6 +262,25 @@ nss (2:3.36-1) unstable; urgency=medium
163
164 -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900
165
166+nss (2:3.35-2ubuntu2) bionic; urgency=medium
167+
168+ * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the
169+ default is still causing too much issues in consumers of nss.
170+ So until resolved revert the switched default (LP: #1746947)
171+
172+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 05 Feb 2018 11:36:07 +0100
173+
174+nss (2:3.35-2ubuntu1) bionic; urgency=medium
175+
176+ * Merge with Debian unstable. Remaining changes:
177+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
178+ * Added Changes:
179+ - d/libnss3.links: make freebl3 available as library (LP: #1744328)
180+ + d/control: add dh-exec to Build-Depends
181+ + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
182+
183+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 30 Jan 2018 14:04:20 +0100
184+
185 nss (2:3.35-2) unstable; urgency=medium
186
187 * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.
188@@ -169,6 +299,13 @@ nss (2:3.34.1-1) unstable; urgency=medium
189
190 -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900
191
192+nss (2:3.34-1ubuntu1) bionic; urgency=medium
193+
194+ * Merge with Debian; remaining changes:
195+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
196+
197+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 14 Dec 2017 09:18:47 -0500
198+
199 nss (2:3.34-1) unstable; urgency=medium
200
201 * New upstream release:
202@@ -193,6 +330,28 @@ nss (2:3.32-2) unstable; urgency=medium
203
204 -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900
205
206+nss (2:3.32-1ubuntu3) artful; urgency=medium
207+
208+ * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes
209+ - debian/patches/CVE-2017-7805.patch: Simplify handling of
210+ CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h.
211+ - CVE-2017-7805
212+
213+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Sep 2017 12:17:39 -0400
214+
215+nss (2:3.32-1ubuntu2) artful; urgency=medium
216+
217+ * Initialise curve variable in a test file, resolves FTBFS.
218+
219+ -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 24 Aug 2017 07:21:27 -0400
220+
221+nss (2:3.32-1ubuntu1) artful; urgency=medium
222+
223+ * Merge with Debian; remaining changes:
224+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
225+
226+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 23 Aug 2017 13:09:20 -0400
227+
228 nss (2:3.32-1) unstable; urgency=medium
229
230 * New upstream release.
231@@ -252,6 +411,39 @@ nss (2:3.27.1-1) experimental; urgency=medium
232
233 -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900
234
235+nss (2:3.28.4-0ubuntu2) artful; urgency=medium
236+
237+ * SECURITY UPDATE: DoS via empty SSLv2 messages
238+ - debian/patches/CVE-2017-7502.patch: reject broken v2 records in
239+ nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h,
240+ added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc,
241+ nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn,
242+ nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
243+ - CVE-2017-7502
244+
245+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 16 Jun 2017 08:12:38 -0400
246+
247+nss (2:3.28.4-0ubuntu1) artful; urgency=medium
248+
249+ * Updated to upstream 3.28.4 to fix security issues and get a new CA
250+ certificate bundle.
251+ * SECURITY UPDATE: DES and Triple DES ciphers birthday attack
252+ - CVE-2016-2183
253+ * SECURITY UPDATE: out-of-bounds write in Base64 decoding
254+ - CVE-2017-5461
255+ * debian/patches/*.patch: refreshed for new version.
256+ * debian/control: bump libnspr4-dev to 4.13.1.
257+ * debian/libnss3.symbols: added new symbols.
258+
259+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 27 Apr 2017 13:13:44 -0400
260+
261+nss (2:3.26.2-1ubuntu1) zesty; urgency=medium
262+
263+ * Merge with Debian; remaining changes:
264+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
265+
266+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 02 Dec 2016 08:48:03 -0500
267+
268 nss (2:3.26.2-1) unstable; urgency=medium
269
270 * New upstream release.
271@@ -265,6 +457,13 @@ nss (2:3.26-2) unstable; urgency=medium
272
273 -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900
274
275+nss (2:3.26-1ubuntu1) yakkety; urgency=medium
276+
277+ * Merge with Debian; remaining changes:
278+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
279+
280+ -- Matthias Klose <doko@ubuntu.com> Tue, 06 Sep 2016 14:39:56 +0200
281+
282 nss (2:3.26-1) unstable; urgency=medium
283
284 * New upstream release.
285@@ -279,6 +478,12 @@ nss (2:3.26-1) unstable; urgency=medium
286
287 -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900
288
289+nss (2:3.25-1ubuntu1) yakkety; urgency=medium
290+
291+ * When building with -O3, build with -Wno-error=maybe-uninitialized.
292+
293+ -- Matthias Klose <doko@ubuntu.com> Thu, 04 Aug 2016 11:36:54 +0200
294+
295 nss (2:3.25-1) unstable; urgency=medium
296
297 * New upstream release.
298@@ -310,6 +515,7 @@ nss (2:3.21-1.1) unstable; urgency=medium
299 * Fix FTBFS on hppa. Closes: #808990
300
301 -- Adam Borowski <kilobyte@angband.pl> Sun, 14 Feb 2016 14:46:40 +0100
302+
303 nss (2:3.21-1) unstable; urgency=medium
304
305 * New upstream release.
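Review bot: The only change in this hunk is a blank line added after the Adam Borowski trailer of the 2:3.21-1.1 entry, which is whitespace-only delta in a historic Debian changelog entry. It will have to be carried through every future merge; suggest dropping it from the Ubuntu delta, or sending the fix to Debian if the blank line is wanted.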
306@@ -1225,3 +1431,4 @@ nss (3.11.5-1) experimental; urgency=low
307 * Initial release. (Closes: #416151)
308
309 -- Mike Hommey <glandium@debian.org> Sun, 25 Mar 2007 23:56:17 +0200
310+
311diff --git a/debian/control b/debian/control
312index a4be555..ac713a6 100644
313--- a/debian/control
314+++ b/debian/control
315@@ -1,9 +1,11 @@
316 Source: nss
317 Section: libs
318 Priority: optional
319-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
320+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
321+XSBC-Original-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
322 Uploaders: Mike Hommey <glandium@debian.org>
323 Build-Depends: debhelper (>= 9.20160403),
324+ dh-exec,
325 dpkg-dev (>= 1.17.14),
326 libnspr4-dev (>= 2:4.24),
327 zlib1g-dev,
328diff --git a/debian/libnss3.links b/debian/libnss3.links
329new file mode 100755
330index 0000000..717ff94
331--- /dev/null
332+++ b/debian/libnss3.links
333@@ -0,0 +1,3 @@
334+#!/usr/bin/dh-exec
335+usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so
336+usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.so
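Review bot: The second link line exposes libfreeblpriv3.so in usr/lib/${DEB_HOST_MULTIARCH} alongside libfreebl3.so, but the changelog item for this file only says "make freebl3 available as library". Suggest naming the priv library in the changelog item as well, with the reason it needs to sit on the default library path, so the extra exposure is a documented decision rather than an unexplained line.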
337diff --git a/debian/patches/disable_fips_enabled_read.patch b/debian/patches/disable_fips_enabled_read.patch
338new file mode 100644
339index 0000000..7a87954
340--- /dev/null
341+++ b/debian/patches/disable_fips_enabled_read.patch
342@@ -0,0 +1,49 @@
343+commit 16996a9156c9ff2924bdb19ff43d40617a41c912
344+Author: Vineetha Kamath <vineetha.hari.pai@canonical.com>
345+Date: Tue Jul 23 15:32:32 2019 -0400
346+
347+From: Vineetha Kamath<vineetha.hari.pai@canonical.com>
348+Decription: Disable libgcrypt reading /proc/sys/crypto/fips_enabled
349+file and going into FIPS mode. libnss is not a FIPS
350+certified library.
351+Bug-Ubuntu: http://bugs.launchpad.net/bugs/1837734
352+Forwarded: not-needed
353+
354+diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
355+index 22f9781..8433377 100644
356+--- a/nss/lib/freebl/nsslowhash.c
357++++ b/nss/lib/freebl/nsslowhash.c
358+@@ -27,11 +27,13 @@ static int
359+ nsslow_GetFIPSEnabled(void)
360+ {
361+ #ifdef LINUX
362+- FILE *f;
363++ FILE *f = NULL;
364+ char d;
365+ size_t size;
366+
367++#if 0
368+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
369++#endif
370+ if (!f)
371+ return 0;
372+
373+diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
374+index bd0fac2..81f9b17 100644
375+--- a/nss/lib/sysinit/nsssysinit.c
376++++ b/nss/lib/sysinit/nsssysinit.c
377+@@ -168,11 +168,13 @@ getFIPSEnv(void)
378+ static PRBool
379+ getFIPSMode(void)
380+ {
381+- FILE *f;
382++ FILE *f = NULL;
383+ char d;
384+ size_t size;
385+
386++#if 0
387+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
388++#endif
389+ if (!f) {
390+ /* if we don't have a proc flag, fall back to the
391+ * environment variable */
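Review bot: The patch header misspells the field name as "Decription:", and its text says "Disable libgcrypt reading /proc/sys/crypto/fips_enabled" although both hunks touch NSS files (nss/lib/freebl/nsslowhash.c and nss/lib/sysinit/nsssysinit.c). Suggest "Description: Disable NSS reading ..." so header tooling parses it and the text matches the code. In getFIPSMode() the "if (!f)" branch keeps the comment "fall back to the environment variable", so with f always NULL that fallback is now the only path; the header should say that FIPS mode stays selectable that way, or the fallback should be addressed too if that is not intended.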
392diff --git a/debian/patches/series b/debian/patches/series
393index 9e1133d..e076305 100644
394--- a/debian/patches/series
395+++ b/debian/patches/series
396@@ -3,3 +3,5 @@
397 85_security_load.patch
398 38_hppa.patch
399 bz1608327-freebl-arm
400+disable_fips_enabled_read.patch
401+set-tls1.2-as-minimum.patch
402diff --git a/debian/patches/set-tls1.2-as-minimum.patch b/debian/patches/set-tls1.2-as-minimum.patch
403new file mode 100644
404index 0000000..a05d4e9
405--- /dev/null
406+++ b/debian/patches/set-tls1.2-as-minimum.patch
407@@ -0,0 +1,17 @@
408+Description: Set TLSv1.2 as minimum TLS version. LP: #1856428
409+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1856428
410+
411+
412+Index: nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c
413+===================================================================
414+--- nss-3.48-1ubuntu1.orig/nss/lib/ssl/sslsock.c
415++++ nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c
416+@@ -96,7 +96,7 @@ static sslOptions ssl_defaults = {
417+ * default range of enabled SSL/TLS protocols
418+ */
419+ static SSLVersionRange versions_defaults_stream = {
420+- SSL_LIBRARY_VERSION_TLS_1_0,
421++ SSL_LIBRARY_VERSION_TLS_1_2,
422+ SSL_LIBRARY_VERSION_TLS_1_3
423+ };
424+
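Review bot: The patch header carries only Description and Bug-Ubuntu; there is no Author and no Forwarded field (disable_fips_enabled_read.patch has "Forwarded: not-needed"), so it is unclear whether this default is meant to go upstream or stay Ubuntu-only. The change raises the minimum in versions_defaults_stream only, under the comment "default range of enabled SSL/TLS protocols"; suggest the Description say that this is the default range for stream sockets, so readers do not take it for a hard floor or assume it covers other socket types. The Index path still names nss-3.48-1ubuntu1 and is worth refreshing against 3.49.1.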
425diff --git a/debian/rules b/debian/rules
426index ec951d3..b4c7302 100755
427--- a/debian/rules
428+++ b/debian/rules
429@@ -175,7 +175,7 @@ override_dh_strip:
430
431 ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
432 # Check FIPS mode correctly works
433- mkdir debian/tmp
434+ mkdir -p debian/tmp
435 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null
436 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null
437 endif
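Review bot: The FIPS check after "mkdir -p debian/tmp" writes its modutil test database into debian/tmp, which per the changelog can already exist because of dh-exec, so test artefacts may now share a directory with whatever else is in there. Suggest pointing both "modutil ... -dbdir" calls at a dedicated scratch directory that is created before the check and removed after it.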
