Merge ~lucaskanashiro/ubuntu/+source/nss:focal-merge-3.49.1-1 into ubuntu/+source/nss:debian/sid

Proposed by Lucas Kanashiro
Status: Merged
Approved by: Andreas Hasenack
Approved revision: a9ecbd25eac7c9cc2eaec18d4cd7ea68b9a21f88
Merge reported by: Andreas Hasenack
Merged at revision: a9ecbd25eac7c9cc2eaec18d4cd7ea68b9a21f88
Proposed branch: ~lucaskanashiro/ubuntu/+source/nss:focal-merge-3.49.1-1
Merge into: ubuntu/+source/nss:debian/sid
Diff against target: 437 lines (+282/-2)
7 files modified
debian/changelog (+207/-0)
debian/control (+3/-1)
debian/libnss3.links (+3/-0)
debian/patches/disable_fips_enabled_read.patch (+49/-0)
debian/patches/series (+2/-0)
debian/patches/set-tls1.2-as-minimum.patch (+17/-0)
debian/rules (+1/-1)
Reviewers (Reviewer / Review Type / Date Requested / Status):
  Canonical Server: Pending
  Andreas Hasenack: Pending
Review via email: mp+377965@code.launchpad.net

Description of the change

Merge version 2:3.49.1-1 from Debian. This version fixes an FTBFS on armhf. Here are the changes:

  * New upstream release.
  * nss/lib/freebl/Makefile: Revert change from 2:3.48-1.
  * nss/coreconf/config.gypi, nss/lib/freebl/Makefile,
    nss/lib/freebl/aes-armv8.c, nss/lib/freebl/freebl.gyp,
    nss/lib/freebl/gcm-arm32-neon.c, nss/lib/freebl/gcm.c,
    nss/lib/freebl/rijndael.c: Fix freebl arm NEON code use, fixing FTBFS
    on armhf, and enabling runtime detection of NEON on armel. bz#1608327
  * Fixes CVE-2019-17023.

Our delta stays the same:

    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is
      not a FIPS certified library. (LP #1837734)
    - Set TLSv1.2 as minimum TLS version. LP #1856428

The package builds fine on all architectures, as you can see in my PPA:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/focal-nss-merge-3.49.1-1

Andreas Hasenack (ahasenack) wrote :

+1

Andreas Hasenack (ahasenack) wrote :

Tagging and uploading a9ecbd25eac7c9cc2eaec18d4cd7ea68b9a21f88:

$ git push pkg upload/2%3.49.1-1ubuntu1
Enumerating objects: 44, done.
Counting objects: 100% (44/44), done.
Delta compression using up to 4 threads
Compressing objects: 100% (25/25), done.
Writing objects: 100% (37/37), 6.71 KiB | 312.00 KiB/s, done.
Total 37 (delta 16), reused 30 (delta 12)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/nss
 * [new tag] upload/2%3.49.1-1ubuntu1 -> upload/2%3.49.1-1ubuntu1

$ dput ubuntu ../nss_3.49.1-1ubuntu1_source.changes
Checking signature on .changes
gpg: ../nss_3.49.1-1ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../nss_3.49.1-1ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Package includes an .orig.tar.gz file although the debian revision suggests
that it might not be required. Multiple uploads of the .orig.tar.gz may be
rejected by the upload queue management software.
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading nss_3.49.1-1ubuntu1.dsc: done.
  Uploading nss_3.49.1.orig.tar.gz: done.
  Uploading nss_3.49.1-1ubuntu1.debian.tar.xz: done.
  Uploading nss_3.49.1-1ubuntu1_source.buildinfo: done.
  Uploading nss_3.49.1-1ubuntu1_source.changes: done.
Successfully uploaded packages.

Please check its migration, thanks.

Andreas Hasenack (ahasenack) wrote :

This migrated into focal.

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index b1db982..a004ef9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
1nss (2:3.49.1-1ubuntu1) focal; urgency=medium
2
3 * Merge with Debian unstable. Remaining changes:
4 - d/libnss3.links: make freebl3 available as library (LP #1744328)
5 - d/control: add dh-exec to Build-Depends
6 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
7 - Disable reading fips_enabled flag in FIPS mode. libnss is
8 not a FIPS certified library. (LP #1837734)
9 - Set TLSv1.2 as minimum TLS version. LP #1856428
10
11 -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 22 Jan 2020 16:24:44 -0300
12
1nss (2:3.49.1-1) unstable; urgency=medium13nss (2:3.49.1-1) unstable; urgency=medium
214
3 * New upstream release.15 * New upstream release.
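Review bot: The last two remaining-changes items in the new 2:3.49.1-1ubuntu1 entry ("Disable reading fips_enabled flag in FIPS mode" and "Set TLSv1.2 as minimum TLS version") do not name the file that carries them, unlike the three d/... items above them. Prefix them with d/p/disable_fips_enabled_read.patch: and d/p/set-tls1.2-as-minimum.patch: so each item of the delta can be matched against debian/patches/series on the next merge. The entry also mixes bug-reference styles, "(LP #1837734)" in parentheses and a bare "LP #1856428"; pick one.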
@@ -17,6 +29,18 @@ nss (2:3.49-1) unstable; urgency=medium
1729
18 -- Mike Hommey <glandium@debian.org> Thu, 09 Jan 2020 13:46:11 +090030 -- Mike Hommey <glandium@debian.org> Thu, 09 Jan 2020 13:46:11 +0900
1931
32nss (2:3.48-1ubuntu1) focal; urgency=low
33
34 * Merge from Debian unstable. Remaining changes:
35 - d/libnss3.links: make freebl3 available as library (LP #1744328)
36 - d/control: add dh-exec to Build-Depends
37 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
38 - Disable reading fips_enabled flag in FIPS mode. libnss is
39 not a FIPS certified library. (LP #1837734)
40 * Set TLSv1.2 as minimum TLS version. LP: #1856428
41
42 -- Ubuntu Merge-o-Matic <mom@ubuntu.com> Sun, 29 Dec 2019 03:43:36 +0000
43
20nss (2:3.48-1) unstable; urgency=medium44nss (2:3.48-1) unstable; urgency=medium
2145
22 * New upstream release. Closes: #947131.46 * New upstream release. Closes: #947131.
@@ -33,6 +57,26 @@ nss (2:3.47.1-1) unstable; urgency=medium
3357
34 -- Mike Hommey <glandium@debian.org> Wed, 04 Dec 2019 09:00:54 +090058 -- Mike Hommey <glandium@debian.org> Wed, 04 Dec 2019 09:00:54 +0900
3559
60nss (2:3.47-1ubuntu2) focal; urgency=medium
61
62 * SECURITY UPDATE: out-of-bounds write in NSC_EncryptUpdate
63 - debian/patches/CVE-2019-11745.patch: use maxout not block size in
64 nss/lib/softoken/pkcs11c.c.
65 - CVE-2019-11745
66
67 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 26 Nov 2019 08:31:39 -0500
68
69nss (2:3.47-1ubuntu1) focal; urgency=medium
70
71 * Merge with Debian unstable. Remaining changes:
72 - d/libnss3.links: make freebl3 available as library (LP #1744328)
73 - d/control: add dh-exec to Build-Depends
74 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
75 - Disable reading fips_enabled flag in FIPS mode. libnss is
76 not a FIPS certified library. (LP #1837734)
77
78 -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 31 Oct 2019 16:18:35 -0300
79
36nss (2:3.47-1) unstable; urgency=medium80nss (2:3.47-1) unstable; urgency=medium
3781
38 * New upstream release.82 * New upstream release.
@@ -40,6 +84,22 @@ nss (2:3.47-1) unstable; urgency=medium
4084
41 -- Mike Hommey <glandium@debian.org> Wed, 23 Oct 2019 11:19:59 +090085 -- Mike Hommey <glandium@debian.org> Wed, 23 Oct 2019 11:19:59 +0900
4286
87nss (2:3.45-1ubuntu2) eoan; urgency=medium
88
89 * Disable reading fips_enabled flag in FIPS mode. libnss is
90 not a FIPS certified library. (LP: #1837734)
91
92 -- Vineetha Kamath <vineetha.hari.pai@canonical.com> Tue, 23 Jul 2019 20:58:12 +0000
93
94nss (2:3.45-1ubuntu1) eoan; urgency=low
95
96 * Merge from Debian unstable. Remaining changes:
97 - d/libnss3.links: make freebl3 available as library (LP 1744328)
98 - d/control: add dh-exec to Build-Depends
99 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
100
101 -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 11 Jul 2019 11:49:44 +0200
102
43nss (2:3.45-1) unstable; urgency=medium103nss (2:3.45-1) unstable; urgency=medium
44104
45 * New upstream release.105 * New upstream release.
@@ -88,6 +148,28 @@ nss (2:3.42.1-1) unstable; urgency=medium
88148
89 -- Mike Hommey <glandium@debian.org> Wed, 13 Feb 2019 13:19:39 +0900149 -- Mike Hommey <glandium@debian.org> Wed, 13 Feb 2019 13:19:39 +0900
90150
151nss (2:3.42-1ubuntu2) disco; urgency=medium
152
153 * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
154 - debian/patches/CVE-2018-18508-1.patch: add null checks in
155 nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c,
156 nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c,
157 nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
158 - debian/patches/CVE-2018-18508-2.patch: add null checks in
159 nss/lib/smime/cmsmessage.c.
160 - CVE-2018-18508
161
162 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 Feb 2019 12:04:49 +0100
163
164nss (2:3.42-1ubuntu1) disco; urgency=medium
165
166 * Merge with Debian unstable (LP: #1813593). Remaining changes:
167 - d/libnss3.links: make freebl3 available as library (LP 1744328)
168 - d/control: add dh-exec to Build-Depends
169 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
170
171 -- Karl Stenerud <kstenerud@gmail.com> Mon, 04 Feb 2019 11:03:32 +0100
172
91nss (2:3.42-1) unstable; urgency=medium173nss (2:3.42-1) unstable; urgency=medium
92174
93 * New upstream release.175 * New upstream release.
@@ -106,6 +188,18 @@ nss (2:3.40-1) unstable; urgency=medium
106188
107 -- Mike Hommey <glandium@debian.org> Fri, 02 Nov 2018 14:44:19 +0900189 -- Mike Hommey <glandium@debian.org> Fri, 02 Nov 2018 14:44:19 +0900
108190
191nss (2:3.39-1ubuntu1) disco; urgency=medium
192
193 * Merge with Debian unstable. Remaining changes (LP: #1803707):
194 - d/libnss3.links: make freebl3 available as library (LP 1744328)
195 - d/control: add dh-exec to Build-Depends
196 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
197 * Dropped changes:
198 - d/rules: when building with -O3 on ppc64el this FTBFS, build with
199 -Wno-error=maybe-uninitialized to avoid that
200
201 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Nov 2018 14:27:39 +0100
202
109nss (2:3.39-1) unstable; urgency=medium203nss (2:3.39-1) unstable; urgency=medium
110204
111 * New upstream release.205 * New upstream release.
@@ -138,6 +232,23 @@ nss (2:3.37-1) unstable; urgency=medium
138232
139 -- Mike Hommey <glandium@debian.org> Mon, 14 May 2018 07:15:21 +0900233 -- Mike Hommey <glandium@debian.org> Mon, 14 May 2018 07:15:21 +0900
140234
235nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium
236
237 * Merge with Debian unstable. Remaining changes:
238 - d/libnss3.links: make freebl3 available as library (LP 1744328)
239 - d/control: add dh-exec to Build-Depends
240 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
241 - d/rules: when building with -O3 on ppc64el this FTBFS, build with
242 -Wno-error=maybe-uninitialized to avoid that
243 * Dropped changes:
244 - revert switching to SQL default format (LP: 1746947) Dropping this
245 adresses (LP: #1747411) and effectively means we now switch to the new
246 default format after we ensured all depending packages are ready.
247 * Added changes:
248 - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el
249
250 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 May 2018 17:08:46 +0200
251
141nss (2:3.36.1-1) unstable; urgency=medium252nss (2:3.36.1-1) unstable; urgency=medium
142253
143 * New upstream release.254 * New upstream release.
@@ -151,6 +262,25 @@ nss (2:3.36-1) unstable; urgency=medium
151262
152 -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900263 -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900
153264
265nss (2:3.35-2ubuntu2) bionic; urgency=medium
266
267 * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the
268 default is still causing too much issues in consumers of nss.
269 So until resolved revert the switched default (LP: #1746947)
270
271 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 05 Feb 2018 11:36:07 +0100
272
273nss (2:3.35-2ubuntu1) bionic; urgency=medium
274
275 * Merge with Debian unstable. Remaining changes:
276 - When building with -O3, build with -Wno-error=maybe-uninitialized.
277 * Added Changes:
278 - d/libnss3.links: make freebl3 available as library (LP: #1744328)
279 + d/control: add dh-exec to Build-Depends
280 + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
281
282 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 30 Jan 2018 14:04:20 +0100
283
154nss (2:3.35-2) unstable; urgency=medium284nss (2:3.35-2) unstable; urgency=medium
155285
156 * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.286 * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.
@@ -169,6 +299,13 @@ nss (2:3.34.1-1) unstable; urgency=medium
169299
170 -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900300 -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900
171301
302nss (2:3.34-1ubuntu1) bionic; urgency=medium
303
304 * Merge with Debian; remaining changes:
305 - When building with -O3, build with -Wno-error=maybe-uninitialized.
306
307 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 14 Dec 2017 09:18:47 -0500
308
172nss (2:3.34-1) unstable; urgency=medium309nss (2:3.34-1) unstable; urgency=medium
173310
174 * New upstream release:311 * New upstream release:
@@ -193,6 +330,28 @@ nss (2:3.32-2) unstable; urgency=medium
193330
194 -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900331 -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900
195332
333nss (2:3.32-1ubuntu3) artful; urgency=medium
334
335 * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes
336 - debian/patches/CVE-2017-7805.patch: Simplify handling of
337 CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h.
338 - CVE-2017-7805
339
340 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Sep 2017 12:17:39 -0400
341
342nss (2:3.32-1ubuntu2) artful; urgency=medium
343
344 * Initialise curve variable in a test file, resolves FTBFS.
345
346 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 24 Aug 2017 07:21:27 -0400
347
348nss (2:3.32-1ubuntu1) artful; urgency=medium
349
350 * Merge with Debian; remaining changes:
351 - When building with -O3, build with -Wno-error=maybe-uninitialized.
352
353 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 23 Aug 2017 13:09:20 -0400
354
196nss (2:3.32-1) unstable; urgency=medium355nss (2:3.32-1) unstable; urgency=medium
197356
198 * New upstream release.357 * New upstream release.
@@ -252,6 +411,39 @@ nss (2:3.27.1-1) experimental; urgency=medium
252411
253 -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900412 -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900
254413
414nss (2:3.28.4-0ubuntu2) artful; urgency=medium
415
416 * SECURITY UPDATE: DoS via empty SSLv2 messages
417 - debian/patches/CVE-2017-7502.patch: reject broken v2 records in
418 nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h,
419 added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc,
420 nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn,
421 nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
422 - CVE-2017-7502
423
424 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 16 Jun 2017 08:12:38 -0400
425
426nss (2:3.28.4-0ubuntu1) artful; urgency=medium
427
428 * Updated to upstream 3.28.4 to fix security issues and get a new CA
429 certificate bundle.
430 * SECURITY UPDATE: DES and Triple DES ciphers birthday attack
431 - CVE-2016-2183
432 * SECURITY UPDATE: out-of-bounds write in Base64 decoding
433 - CVE-2017-5461
434 * debian/patches/*.patch: refreshed for new version.
435 * debian/control: bump libnspr4-dev to 4.13.1.
436 * debian/libnss3.symbols: added new symbols.
437
438 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 27 Apr 2017 13:13:44 -0400
439
440nss (2:3.26.2-1ubuntu1) zesty; urgency=medium
441
442 * Merge with Debian; remaining changes:
443 - When building with -O3, build with -Wno-error=maybe-uninitialized.
444
445 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 02 Dec 2016 08:48:03 -0500
446
255nss (2:3.26.2-1) unstable; urgency=medium447nss (2:3.26.2-1) unstable; urgency=medium
256448
257 * New upstream release.449 * New upstream release.
@@ -265,6 +457,13 @@ nss (2:3.26-2) unstable; urgency=medium
265457
266 -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900458 -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900
267459
460nss (2:3.26-1ubuntu1) yakkety; urgency=medium
461
462 * Merge with Debian; remaining changes:
463 - When building with -O3, build with -Wno-error=maybe-uninitialized.
464
465 -- Matthias Klose <doko@ubuntu.com> Tue, 06 Sep 2016 14:39:56 +0200
466
268nss (2:3.26-1) unstable; urgency=medium467nss (2:3.26-1) unstable; urgency=medium
269468
270 * New upstream release.469 * New upstream release.
@@ -279,6 +478,12 @@ nss (2:3.26-1) unstable; urgency=medium
279478
280 -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900479 -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900
281480
481nss (2:3.25-1ubuntu1) yakkety; urgency=medium
482
483 * When building with -O3, build with -Wno-error=maybe-uninitialized.
484
485 -- Matthias Klose <doko@ubuntu.com> Thu, 04 Aug 2016 11:36:54 +0200
486
282nss (2:3.25-1) unstable; urgency=medium487nss (2:3.25-1) unstable; urgency=medium
283488
284 * New upstream release.489 * New upstream release.
@@ -310,6 +515,7 @@ nss (2:3.21-1.1) unstable; urgency=medium
310 * Fix FTBFS on hppa. Closes: #808990515 * Fix FTBFS on hppa. Closes: #808990
311516
312 -- Adam Borowski <kilobyte@angband.pl> Sun, 14 Feb 2016 14:46:40 +0100517 -- Adam Borowski <kilobyte@angband.pl> Sun, 14 Feb 2016 14:46:40 +0100
518
313nss (2:3.21-1) unstable; urgency=medium519nss (2:3.21-1) unstable; urgency=medium
314520
315 * New upstream release.521 * New upstream release.
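Review bot: The only change in this hunk is an added blank line (new line 518) between the 2:3.21-1.1 trailer and the "nss (2:3.21-1)" header, inside entries that are not part of the Ubuntu delta. Either forward the fix to Debian or drop it here, so that debian/changelog differs from the Debian file only by the added Ubuntu entries and this whitespace does not reappear in every merge diff.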
@@ -1225,3 +1431,4 @@ nss (3.11.5-1) experimental; urgency=low
1225 * Initial release. (Closes: #416151)1431 * Initial release. (Closes: #416151)
12261432
1227 -- Mike Hommey <glandium@debian.org> Sun, 25 Mar 2007 23:56:17 +02001433 -- Mike Hommey <glandium@debian.org> Sun, 25 Mar 2007 23:56:17 +0200
1434
diff --git a/debian/control b/debian/control
index a4be555..ac713a6 100644
--- a/debian/control
+++ b/debian/control
@@ -1,9 +1,11 @@
1Source: nss1Source: nss
2Section: libs2Section: libs
3Priority: optional3Priority: optional
4Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
5Uploaders: Mike Hommey <glandium@debian.org>6Uploaders: Mike Hommey <glandium@debian.org>
6Build-Depends: debhelper (>= 9.20160403),7Build-Depends: debhelper (>= 9.20160403),
8 dh-exec,
7 dpkg-dev (>= 1.17.14),9 dpkg-dev (>= 1.17.14),
8 libnspr4-dev (>= 2:4.24),10 libnspr4-dev (>= 2:4.24),
9 zlib1g-dev,11 zlib1g-dev,
diff --git a/debian/libnss3.links b/debian/libnss3.links
10new file mode 10075512new file mode 100755
index 0000000..717ff94
--- /dev/null
+++ b/debian/libnss3.links
@@ -0,0 +1,3 @@
1#!/usr/bin/dh-exec
2usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so
3usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.so
diff --git a/debian/patches/disable_fips_enabled_read.patch b/debian/patches/disable_fips_enabled_read.patch
0new file mode 1006444new file mode 100644
index 0000000..7a87954
--- /dev/null
+++ b/debian/patches/disable_fips_enabled_read.patch
@@ -0,0 +1,49 @@
1commit 16996a9156c9ff2924bdb19ff43d40617a41c912
2Author: Vineetha Kamath <vineetha.hari.pai@canonical.com>
3Date: Tue Jul 23 15:32:32 2019 -0400
4
5From: Vineetha Kamath<vineetha.hari.pai@canonical.com>
6Decription: Disable libgcrypt reading /proc/sys/crypto/fips_enabled
7file and going into FIPS mode. libnss is not a FIPS
8certified library.
9Bug-Ubuntu: http://bugs.launchpad.net/bugs/1837734
10Forwarded: not-needed
11
12diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
13index 22f9781..8433377 100644
14--- a/nss/lib/freebl/nsslowhash.c
15+++ b/nss/lib/freebl/nsslowhash.c
16@@ -27,11 +27,13 @@ static int
17 nsslow_GetFIPSEnabled(void)
18 {
19 #ifdef LINUX
20- FILE *f;
21+ FILE *f = NULL;
22 char d;
23 size_t size;
24
25+#if 0
26 f = fopen("/proc/sys/crypto/fips_enabled", "r");
27+#endif
28 if (!f)
29 return 0;
30
31diff --git a/nss/lib/sysinit/nsssysinit.c b/nss/lib/sysinit/nsssysinit.c
32index bd0fac2..81f9b17 100644
33--- a/nss/lib/sysinit/nsssysinit.c
34+++ b/nss/lib/sysinit/nsssysinit.c
35@@ -168,11 +168,13 @@ getFIPSEnv(void)
36 static PRBool
37 getFIPSMode(void)
38 {
39- FILE *f;
40+ FILE *f = NULL;
41 char d;
42 size_t size;
43
44+#if 0
45 f = fopen("/proc/sys/crypto/fips_enabled", "r");
46+#endif
47 if (!f) {
48 /* if we don't have a proc flag, fall back to the
49 * environment variable */
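Review bot: The DEP-3 header of this patch misspells the field name as "Decription:" and its text says "Disable libgcrypt reading", although the diff below it changes nss/lib/freebl/nsslowhash.c and nss/lib/sysinit/nsssysinit.c. Correct both, so that tooling parsing the header finds the description and the text names NSS. In the code, putting the fopen() under #if 0 with f initialised to NULL makes everything after the "if (!f)" check in nsslow_GetFIPSEnabled() unreachable; an early return with a comment would make that explicit. In getFIPSMode() the visible comment says the !f branch falls back to the environment variable, so FIPS mode stays selectable that way; the description should say whether that fallback is intended.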
diff --git a/debian/patches/series b/debian/patches/series
index 9e1133d..e076305 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,5 @@
385_security_load.patch385_security_load.patch
438_hppa.patch438_hppa.patch
5bz1608327-freebl-arm5bz1608327-freebl-arm
6disable_fips_enabled_read.patch
7set-tls1.2-as-minimum.patch
diff --git a/debian/patches/set-tls1.2-as-minimum.patch b/debian/patches/set-tls1.2-as-minimum.patch
6new file mode 1006448new file mode 100644
index 0000000..a05d4e9
--- /dev/null
+++ b/debian/patches/set-tls1.2-as-minimum.patch
@@ -0,0 +1,17 @@
1Description: Set TLSv1.2 as minimum TLS version. LP: #1856428
2Bug-Ubuntu: https://bugs.launchpad.net/bugs/1856428
3
4
5Index: nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c
6===================================================================
7--- nss-3.48-1ubuntu1.orig/nss/lib/ssl/sslsock.c
8+++ nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c
9@@ -96,7 +96,7 @@ static sslOptions ssl_defaults = {
10 * default range of enabled SSL/TLS protocols
11 */
12 static SSLVersionRange versions_defaults_stream = {
13- SSL_LIBRARY_VERSION_TLS_1_0,
14+ SSL_LIBRARY_VERSION_TLS_1_2,
15 SSL_LIBRARY_VERSION_TLS_1_3
16 };
17
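Review bot: The header of this patch carries only Description and Bug-Ubuntu, and the Index: and ---/+++ lines still name nss-3.48-1ubuntu1 although the package is now 3.49.1. Add Author and Forwarded fields (the neighbouring disable_fips_enabled_read.patch has "Forwarded: not-needed") and refresh the patch against the current tree. The hunk raises the lower bound of versions_defaults_stream only; state in the Description whether any other default version range is meant to stay as it is.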
diff --git a/debian/rules b/debian/rules
index ec951d3..b4c7302 100755
--- a/debian/rules
+++ b/debian/rules
@@ -175,7 +175,7 @@ override_dh_strip:
175175
176ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))176ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
177 # Check FIPS mode correctly works177 # Check FIPS mode correctly works
178 mkdir debian/tmp178 mkdir -p debian/tmp
179 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null179 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null
180 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null180 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null
181endif181endif
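Review bot: With "mkdir -p debian/tmp" on line 178, the "modutil -create -dbdir debian/tmp" call on the next line writes its test database into a directory that may already exist and hold other files (the changelog attributes the pre-existing directory to dh-exec). Consider a dedicated scratch directory for this FIPS check, so that it always starts from an empty directory and its database files cannot mix with the contents of debian/tmp.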
