Merge ~sergiodj/ubuntu/+source/nss:nss-merge-3.53.1-1ubuntu1 into ubuntu/+source/nss:debian/sid
| Field | Value |
|---|---|
| Status | Merged |
| Approved by | Lucas Kanashiro |
| Approved revision | 0f1c2b55f48b2155948956eb15eced9e168ce3b0 |
| Merge reported by | Sergio Durigan Junior |
| Merged at revision | 0f1c2b55f48b2155948956eb15eced9e168ce3b0 |
| Proposed branch | ~sergiodj/ubuntu/+source/nss:nss-merge-3.53.1-1ubuntu1 |
| Merge into | ubuntu/+source/nss:debian/sid |
| Diff against target | 494 lines (+332/-2), 7 files modified |
| Related bugs | |

Files modified:
- debian/changelog (+255/-0)
- debian/control (+3/-1)
- debian/libnss3.links (+5/-0)
- debian/patches/disable_fips_enabled_read.patch (+49/-0)
- debian/patches/series (+2/-0)
- debian/patches/set-tls1.2-as-minimum.patch (+17/-0)
- debian/rules (+1/-1)

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Lucas Kanashiro (community) | | | Approve |
| Canonical Server Core Reviewers | | | Pending |

Review via email: mp+387608@code.launchpad.net
Commit message
Description of the change
This is the merge of nss 2:3.53.1-1 from Debian.
It is relatively trivial; only two changes were dropped (the two patches to address CVEs, which were fixed upstream), and the patch to disable reading the fips_enabled flag in FIPS mode had to be updated.
Other than that, the merge went smoothly. The package doesn't have dep8 tests, but I tested the new build by installing it inside a container, and then installing some reversing dependency of it, like openjdk-
The Debian package seems a bit abandoned; it still uses compat level 9, and contains many lintian warnings. I will see about submitting an MR to address some of them.
There is a PPA with the new package here:
Sergio Durigan Junior (sergiodj) wrote:
On Monday, July 20 2020, Lucas Kanashiro wrote:
> Review: Needs Fixing
>
> * Changelog:
> - [√] old content and logical tag match as expected
> - [√] changelog entry correct version and targeted codename
> - [x] changelog entries correct
> - [√] update-maintainer has been run
>
> * Actual changes:
> - [√] no upstream changes to consider
> - [√] no further upstream version to consider
> - [√] debian changes look safe
>
> * Old Delta:
> - [√] dropped changes are ok to be dropped
> - [√] nothing else to drop
> - [-] changes forwarded upstream/debian (if appropriate)
>
> * New Delta:
> - [√] no new patches added
> - [-] patches match what was proposed upstream
> - [-] patches correctly included in debian/
> - [-] patches have correct DEP3 metadata
>
> * Build/Test:
> - [√] build is ok
> - [√] verified PPA package installs/uninstalls
> - [-] autopkgtest against the PPA package passes
> - [√] sanity checks test fine
>
> There is just a minor thing I noticed in your changelog and also on
> your commit messages, to avoid pinging the bugs fixed in previous
> releases let's remove the ":" from "LP: #NNNN". I can see one
> occurrence of that in the changelog: "Symlink chk files to fix
> self-verification in FIPS mode (LP: #1885562)"; and two on the commit
> messages: "Set TLSv1.2 as minimum TLS version. LP: #1856428" and
> "Symlink chk files to fix self-verification in FIPS mode (LP:
> #1885562)".
>
> Other than that LGTM. When you get it fixed let me know and I can sponsor this upload for you.
Thanks for the review, Lucas.
Heh, coincidentally I was thinking about the ":" thing when I was
writing the commit messages, and I did a quick investigation to see if
other merges were dropping the colon, but I remember finding one that
didn't, so I decided to leave it on mine as well. But it obviously
makes sense to drop it: the bugs have all been fixed, and we wouldn't
want the merge to pollute them with more info.
I have addressed your request and dropped the colon from both the
changelog entry and the commit messages.
Thanks,
--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
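The colon convention discussed in this exchange can be checked mechanically before an upload. The following Python sketch is an added example, not part of this merge proposal or of any Ubuntu tool; it assumes that only the "LP: #NNNN" form (with the colon) is treated as a bug-closing reference, and the changelog text embedded in it is constructed from the entries quoted on this page.

```python
import re

# Assumption: a reference pings/closes a Launchpad bug only when written with
# the colon, "LP: #N" or "LP: #N, #M" (case-insensitive); "LP #N" is inert.
CLOSING_REF = re.compile(r"\bLP:\s*#\d+(?:\s*,\s*#\d+)*", re.IGNORECASE)
ENTRY_HEADER = re.compile(r"^\S+ \((?P<version>[^)]+)\) [^;]+;")
CARRIED_SECTION = re.compile(r"(remaining|dropped) changes", re.IGNORECASE)

# Constructed sample: the new stanza as it looked before the review fix,
# followed by the older entry that originally closed the bug.
SAMPLE_CHANGELOG = """\
nss (2:3.53.1-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - Disable reading fips_enabled flag in FIPS mode. libnss is
      not a FIPS certified library. (LP #1837734)
    - Set TLSv1.2 as minimum TLS version. LP #1856428
    - Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)
  * Dropped changes:
    - SECURITY UPDATE: Timing attack during DSA key generation
      [ Incorporated by upstream. ]

 -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 17 Jul 2020 10:51:23 -0400

nss (2:3.49.1-1ubuntu4) groovy; urgency=medium

  * Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)

 -- Dariusz Gadomski <dgadomski@ubuntu.com>  Wed, 01 Jul 2020 14:48:13 +0200
"""


def top_stanza(changelog_text):
    """Return (version, body lines) of the newest changelog entry."""
    version, body = None, []
    for line in changelog_text.splitlines():
        if version is None:
            match = ENTRY_HEADER.match(line)
            if match:
                version = match.group("version")
            continue
        if line.startswith(" -- "):  # maintainer trailer ends the entry
            break
        body.append(line)
    if version is None:
        raise ValueError("no changelog entry header found")
    return version, body


def carried_closing_refs(changelog_text):
    """List (bug, line) pairs where carried delta still uses closing syntax.

    Only sub-items under a "Remaining changes" or "Dropped changes" bullet of
    the newest entry are inspected; other top-level bullets describe new work
    and may legitimately close bugs.
    """
    _, body = top_stanza(changelog_text)
    in_carried, findings = False, []
    for line in body:
        if line.startswith("  * "):
            # Each top-level bullet opens or closes a carried-delta section.
            in_carried = bool(CARRIED_SECTION.search(line))
            continue
        if not in_carried:
            continue
        for ref in CLOSING_REF.finditer(line):
            for bug in re.findall(r"#(\d+)", ref.group(0)):
                findings.append((bug, line.strip()))
    return findings


if __name__ == "__main__":
    version, _ = top_stanza(SAMPLE_CHANGELOG)
    for bug, line in carried_closing_refs(SAMPLE_CHANGELOG):
        print(f"{version}: carried entry would ping bug {bug}: {line}")
```

Older stanzas are deliberately ignored, so the original "LP: #1885562" entry from 2:3.49.1-1ubuntu4 does not raise a finding.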
Lucas Kanashiro (lucaskanashiro) wrote:
Thanks Sergio, I already sponsored the upload for you, please follow its migration.
$ git push pkg upload/
Enumerating objects: 50, done.
Counting objects: 100% (50/50), done.
Delta compression using up to 8 threads
Compressing objects: 100% (31/31), done.
Writing objects: 100% (43/43), 8.30 KiB | 1.04 MiB/s, done.
Total 43 (delta 19), reused 26 (delta 12)
remote: Checking connectivity: 43, done.
To ssh://git.
* [new tag] upload/
$ dput ubuntu ../nss_
Checking signature on .changes
gpg: ../nss_
Checking signature on .dsc
gpg: ../nss_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading nss_3.53.
Uploading nss_3.53.
Uploading nss_3.53.
Successfully uploaded packages.
Sergio Durigan Junior (sergiodj) wrote:
This has migrated.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog |
2 | index 28834da..d02577d 100644 |
3 | --- a/debian/changelog |
4 | +++ b/debian/changelog |
5 | @@ -1,3 +1,26 @@ |
6 | +nss (2:3.53.1-1ubuntu1) groovy; urgency=medium |
7 | + |
8 | + * Merge with Debian unstable. Remaining changes: |
9 | + - d/libnss3.links: make freebl3 available as library (LP #1744328) |
10 | + - d/control: add dh-exec to Build-Depends |
11 | + - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) |
12 | + - Disable reading fips_enabled flag in FIPS mode. libnss is |
13 | + not a FIPS certified library. (LP #1837734) |
14 | + - Set TLSv1.2 as minimum TLS version. LP #1856428 |
15 | + - Symlink chk files to fix self-verification in FIPS mode (LP #1885562) |
16 | + * Dropped changes: |
17 | + - SECURITY UPDATE: Timing attack during DSA key generation |
18 | + + debian/patches/CVE-2020-12399.patch: force a fixed length for DSA |
19 | + exponentiation in nss/lib/freebl/dsa.c. |
20 | + [ Incorporated by upstream. ] |
21 | + - SECURITY UPDATE: Side channel vulnerabilities during RSA key generation |
22 | + + debian/patches/CVE-2020-12402.patch: use constant-time GCD and |
23 | + modular inversion in nss/lib/freebl/mpi/mpi.c, |
24 | + nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c. |
25 | + [ Incorporated by upstream. ] |
26 | + |
27 | + -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 17 Jul 2020 10:51:23 -0400 |
28 | + |
29 | nss (2:3.53.1-1) unstable; urgency=medium |
30 | |
31 | * New upstream release. |
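Review bot: In the new 2:3.53.1-1ubuntu1 stanza, the entry "- Set TLSv1.2 as minimum TLS version. LP #1856428" gives its bug reference bare, while the neighbouring remaining-change entries wrap theirs in parentheses, e.g. "(LP #1744328)". Suggest "(LP #1856428)" for consistency. Under "Dropped changes", each CVE patch is marked "[ Incorporated by upstream. ]"; naming the upstream release that first carries each fix would let a later merger confirm that from the changelog alone.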
32 | @@ -36,6 +59,43 @@ nss (2:3.50-1) unstable; urgency=medium |
33 | |
34 | -- Mike Hommey <glandium@debian.org> Wed, 12 Feb 2020 09:06:51 +0900 |
35 | |
36 | +nss (2:3.49.1-1ubuntu4) groovy; urgency=medium |
37 | + |
38 | + * Symlink chk files to fix self-verification in FIPS mode (LP: #1885562) |
39 | + |
40 | + -- Dariusz Gadomski <dgadomski@ubuntu.com> Wed, 01 Jul 2020 14:48:13 +0200 |
41 | + |
42 | +nss (2:3.49.1-1ubuntu3) groovy; urgency=medium |
43 | + |
44 | + * SECURITY UPDATE: Side channel vulnerabilities during RSA key generation |
45 | + - debian/patches/CVE-2020-12402.patch: use constant-time GCD and |
46 | + modular inversion in nss/lib/freebl/mpi/mpi.c, |
47 | + nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c. |
48 | + - CVE-2020-12402 |
49 | + |
50 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 30 Jun 2020 10:41:20 -0400 |
51 | + |
52 | +nss (2:3.49.1-1ubuntu2) groovy; urgency=medium |
53 | + |
54 | + * SECURITY UPDATE: Timing attack during DSA key generation |
55 | + - debian/patches/CVE-2020-12399.patch: force a fixed length for DSA |
56 | + exponentiation in nss/lib/freebl/dsa.c. |
57 | + - CVE-2020-12399 |
58 | + |
59 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Jun 2020 12:54:12 -0400 |
60 | + |
61 | +nss (2:3.49.1-1ubuntu1) focal; urgency=medium |
62 | + |
63 | + * Merge with Debian unstable. Remaining changes: |
64 | + - d/libnss3.links: make freebl3 available as library (LP #1744328) |
65 | + - d/control: add dh-exec to Build-Depends |
66 | + - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) |
67 | + - Disable reading fips_enabled flag in FIPS mode. libnss is |
68 | + not a FIPS certified library. (LP #1837734) |
69 | + - Set TLSv1.2 as minimum TLS version. LP #1856428 |
70 | + |
71 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 22 Jan 2020 16:24:44 -0300 |
72 | + |
73 | nss (2:3.49.1-1) unstable; urgency=medium |
74 | |
75 | * New upstream release. |
76 | @@ -55,6 +115,18 @@ nss (2:3.49-1) unstable; urgency=medium |
77 | |
78 | -- Mike Hommey <glandium@debian.org> Thu, 09 Jan 2020 13:46:11 +0900 |
79 | |
80 | +nss (2:3.48-1ubuntu1) focal; urgency=low |
81 | + |
82 | + * Merge from Debian unstable. Remaining changes: |
83 | + - d/libnss3.links: make freebl3 available as library (LP #1744328) |
84 | + - d/control: add dh-exec to Build-Depends |
85 | + - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) |
86 | + - Disable reading fips_enabled flag in FIPS mode. libnss is |
87 | + not a FIPS certified library. (LP #1837734) |
88 | + * Set TLSv1.2 as minimum TLS version. LP: #1856428 |
89 | + |
90 | + -- Ubuntu Merge-o-Matic <mom@ubuntu.com> Sun, 29 Dec 2019 03:43:36 +0000 |
91 | + |
92 | nss (2:3.48-1) unstable; urgency=medium |
93 | |
94 | * New upstream release. Closes: #947131. |
95 | @@ -71,6 +143,26 @@ nss (2:3.47.1-1) unstable; urgency=medium |
96 | |
97 | -- Mike Hommey <glandium@debian.org> Wed, 04 Dec 2019 09:00:54 +0900 |
98 | |
99 | +nss (2:3.47-1ubuntu2) focal; urgency=medium |
100 | + |
101 | + * SECURITY UPDATE: out-of-bounds write in NSC_EncryptUpdate |
102 | + - debian/patches/CVE-2019-11745.patch: use maxout not block size in |
103 | + nss/lib/softoken/pkcs11c.c. |
104 | + - CVE-2019-11745 |
105 | + |
106 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 26 Nov 2019 08:31:39 -0500 |
107 | + |
108 | +nss (2:3.47-1ubuntu1) focal; urgency=medium |
109 | + |
110 | + * Merge with Debian unstable. Remaining changes: |
111 | + - d/libnss3.links: make freebl3 available as library (LP #1744328) |
112 | + - d/control: add dh-exec to Build-Depends |
113 | + - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) |
114 | + - Disable reading fips_enabled flag in FIPS mode. libnss is |
115 | + not a FIPS certified library. (LP #1837734) |
116 | + |
117 | + -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 31 Oct 2019 16:18:35 -0300 |
118 | + |
119 | nss (2:3.47-1) unstable; urgency=medium |
120 | |
121 | * New upstream release. |
122 | @@ -78,6 +170,22 @@ nss (2:3.47-1) unstable; urgency=medium |
123 | |
124 | -- Mike Hommey <glandium@debian.org> Wed, 23 Oct 2019 11:19:59 +0900 |
125 | |
126 | +nss (2:3.45-1ubuntu2) eoan; urgency=medium |
127 | + |
128 | + * Disable reading fips_enabled flag in FIPS mode. libnss is |
129 | + not a FIPS certified library. (LP: #1837734) |
130 | + |
131 | + -- Vineetha Kamath <vineetha.hari.pai@canonical.com> Tue, 23 Jul 2019 20:58:12 +0000 |
132 | + |
133 | +nss (2:3.45-1ubuntu1) eoan; urgency=low |
134 | + |
135 | + * Merge from Debian unstable. Remaining changes: |
136 | + - d/libnss3.links: make freebl3 available as library (LP 1744328) |
137 | + - d/control: add dh-exec to Build-Depends |
138 | + - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) |
139 | + |
140 | + -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 11 Jul 2019 11:49:44 +0200 |
141 | + |
142 | nss (2:3.45-1) unstable; urgency=medium |
143 | |
144 | * New upstream release. |
145 | @@ -126,6 +234,28 @@ nss (2:3.42.1-1) unstable; urgency=medium |
146 | |
147 | -- Mike Hommey <glandium@debian.org> Wed, 13 Feb 2019 13:19:39 +0900 |
148 | |
149 | +nss (2:3.42-1ubuntu2) disco; urgency=medium |
150 | + |
151 | + * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions |
152 | + - debian/patches/CVE-2018-18508-1.patch: add null checks in |
153 | + nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c, |
154 | + nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c, |
155 | + nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c. |
156 | + - debian/patches/CVE-2018-18508-2.patch: add null checks in |
157 | + nss/lib/smime/cmsmessage.c. |
158 | + - CVE-2018-18508 |
159 | + |
160 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 Feb 2019 12:04:49 +0100 |
161 | + |
162 | +nss (2:3.42-1ubuntu1) disco; urgency=medium |
163 | + |
164 | + * Merge with Debian unstable (LP: #1813593). Remaining changes: |
165 | + - d/libnss3.links: make freebl3 available as library (LP 1744328) |
166 | + - d/control: add dh-exec to Build-Depends |
167 | + - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) |
168 | + |
169 | + -- Karl Stenerud <kstenerud@gmail.com> Mon, 04 Feb 2019 11:03:32 +0100 |
170 | + |
171 | nss (2:3.42-1) unstable; urgency=medium |
172 | |
173 | * New upstream release. |
174 | @@ -144,6 +274,18 @@ nss (2:3.40-1) unstable; urgency=medium |
175 | |
176 | -- Mike Hommey <glandium@debian.org> Fri, 02 Nov 2018 14:44:19 +0900 |
177 | |
178 | +nss (2:3.39-1ubuntu1) disco; urgency=medium |
179 | + |
180 | + * Merge with Debian unstable. Remaining changes (LP: #1803707): |
181 | + - d/libnss3.links: make freebl3 available as library (LP 1744328) |
182 | + - d/control: add dh-exec to Build-Depends |
183 | + - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) |
184 | + * Dropped changes: |
185 | + - d/rules: when building with -O3 on ppc64el this FTBFS, build with |
186 | + -Wno-error=maybe-uninitialized to avoid that |
187 | + |
188 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Nov 2018 14:27:39 +0100 |
189 | + |
190 | nss (2:3.39-1) unstable; urgency=medium |
191 | |
192 | * New upstream release. |
193 | @@ -176,6 +318,23 @@ nss (2:3.37-1) unstable; urgency=medium |
194 | |
195 | -- Mike Hommey <glandium@debian.org> Mon, 14 May 2018 07:15:21 +0900 |
196 | |
197 | +nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium |
198 | + |
199 | + * Merge with Debian unstable. Remaining changes: |
200 | + - d/libnss3.links: make freebl3 available as library (LP 1744328) |
201 | + - d/control: add dh-exec to Build-Depends |
202 | + - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) |
203 | + - d/rules: when building with -O3 on ppc64el this FTBFS, build with |
204 | + -Wno-error=maybe-uninitialized to avoid that |
205 | + * Dropped changes: |
206 | + - revert switching to SQL default format (LP: 1746947) Dropping this |
207 | + adresses (LP: #1747411) and effectively means we now switch to the new |
208 | + default format after we ensured all depending packages are ready. |
209 | + * Added changes: |
210 | + - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el |
211 | + |
212 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 May 2018 17:08:46 +0200 |
213 | + |
214 | nss (2:3.36.1-1) unstable; urgency=medium |
215 | |
216 | * New upstream release. |
217 | @@ -189,6 +348,25 @@ nss (2:3.36-1) unstable; urgency=medium |
218 | |
219 | -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900 |
220 | |
221 | +nss (2:3.35-2ubuntu2) bionic; urgency=medium |
222 | + |
223 | + * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the |
224 | + default is still causing too much issues in consumers of nss. |
225 | + So until resolved revert the switched default (LP: #1746947) |
226 | + |
227 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 05 Feb 2018 11:36:07 +0100 |
228 | + |
229 | +nss (2:3.35-2ubuntu1) bionic; urgency=medium |
230 | + |
231 | + * Merge with Debian unstable. Remaining changes: |
232 | + - When building with -O3, build with -Wno-error=maybe-uninitialized. |
233 | + * Added Changes: |
234 | + - d/libnss3.links: make freebl3 available as library (LP: #1744328) |
235 | + + d/control: add dh-exec to Build-Depends |
236 | + + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) |
237 | + |
238 | + -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 30 Jan 2018 14:04:20 +0100 |
239 | + |
240 | nss (2:3.35-2) unstable; urgency=medium |
241 | |
242 | * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64. |
243 | @@ -207,6 +385,13 @@ nss (2:3.34.1-1) unstable; urgency=medium |
244 | |
245 | -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900 |
246 | |
247 | +nss (2:3.34-1ubuntu1) bionic; urgency=medium |
248 | + |
249 | + * Merge with Debian; remaining changes: |
250 | + - When building with -O3, build with -Wno-error=maybe-uninitialized. |
251 | + |
252 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 14 Dec 2017 09:18:47 -0500 |
253 | + |
254 | nss (2:3.34-1) unstable; urgency=medium |
255 | |
256 | * New upstream release: |
257 | @@ -231,6 +416,28 @@ nss (2:3.32-2) unstable; urgency=medium |
258 | |
259 | -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900 |
260 | |
261 | +nss (2:3.32-1ubuntu3) artful; urgency=medium |
262 | + |
263 | + * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes |
264 | + - debian/patches/CVE-2017-7805.patch: Simplify handling of |
265 | + CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h. |
266 | + - CVE-2017-7805 |
267 | + |
268 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Sep 2017 12:17:39 -0400 |
269 | + |
270 | +nss (2:3.32-1ubuntu2) artful; urgency=medium |
271 | + |
272 | + * Initialise curve variable in a test file, resolves FTBFS. |
273 | + |
274 | + -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 24 Aug 2017 07:21:27 -0400 |
275 | + |
276 | +nss (2:3.32-1ubuntu1) artful; urgency=medium |
277 | + |
278 | + * Merge with Debian; remaining changes: |
279 | + - When building with -O3, build with -Wno-error=maybe-uninitialized. |
280 | + |
281 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 23 Aug 2017 13:09:20 -0400 |
282 | + |
283 | nss (2:3.32-1) unstable; urgency=medium |
284 | |
285 | * New upstream release. |
286 | @@ -290,6 +497,39 @@ nss (2:3.27.1-1) experimental; urgency=medium |
287 | |
288 | -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900 |
289 | |
290 | +nss (2:3.28.4-0ubuntu2) artful; urgency=medium |
291 | + |
292 | + * SECURITY UPDATE: DoS via empty SSLv2 messages |
293 | + - debian/patches/CVE-2017-7502.patch: reject broken v2 records in |
294 | + nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h, |
295 | + added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc, |
296 | + nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn, |
297 | + nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc. |
298 | + - CVE-2017-7502 |
299 | + |
300 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 16 Jun 2017 08:12:38 -0400 |
301 | + |
302 | +nss (2:3.28.4-0ubuntu1) artful; urgency=medium |
303 | + |
304 | + * Updated to upstream 3.28.4 to fix security issues and get a new CA |
305 | + certificate bundle. |
306 | + * SECURITY UPDATE: DES and Triple DES ciphers birthday attack |
307 | + - CVE-2016-2183 |
308 | + * SECURITY UPDATE: out-of-bounds write in Base64 decoding |
309 | + - CVE-2017-5461 |
310 | + * debian/patches/*.patch: refreshed for new version. |
311 | + * debian/control: bump libnspr4-dev to 4.13.1. |
312 | + * debian/libnss3.symbols: added new symbols. |
313 | + |
314 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 27 Apr 2017 13:13:44 -0400 |
315 | + |
316 | +nss (2:3.26.2-1ubuntu1) zesty; urgency=medium |
317 | + |
318 | + * Merge with Debian; remaining changes: |
319 | + - When building with -O3, build with -Wno-error=maybe-uninitialized. |
320 | + |
321 | + -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 02 Dec 2016 08:48:03 -0500 |
322 | + |
323 | nss (2:3.26.2-1) unstable; urgency=medium |
324 | |
325 | * New upstream release. |
326 | @@ -303,6 +543,13 @@ nss (2:3.26-2) unstable; urgency=medium |
327 | |
328 | -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900 |
329 | |
330 | +nss (2:3.26-1ubuntu1) yakkety; urgency=medium |
331 | + |
332 | + * Merge with Debian; remaining changes: |
333 | + - When building with -O3, build with -Wno-error=maybe-uninitialized. |
334 | + |
335 | + -- Matthias Klose <doko@ubuntu.com> Tue, 06 Sep 2016 14:39:56 +0200 |
336 | + |
337 | nss (2:3.26-1) unstable; urgency=medium |
338 | |
339 | * New upstream release. |
340 | @@ -317,6 +564,12 @@ nss (2:3.26-1) unstable; urgency=medium |
341 | |
342 | -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900 |
343 | |
344 | +nss (2:3.25-1ubuntu1) yakkety; urgency=medium |
345 | + |
346 | + * When building with -O3, build with -Wno-error=maybe-uninitialized. |
347 | + |
348 | + -- Matthias Klose <doko@ubuntu.com> Thu, 04 Aug 2016 11:36:54 +0200 |
349 | + |
350 | nss (2:3.25-1) unstable; urgency=medium |
351 | |
352 | * New upstream release. |
353 | @@ -348,6 +601,7 @@ nss (2:3.21-1.1) unstable; urgency=medium |
354 | * Fix FTBFS on hppa. Closes: #808990 |
355 | |
356 | -- Adam Borowski <kilobyte@angband.pl> Sun, 14 Feb 2016 14:46:40 +0100 |
357 | + |
358 | nss (2:3.21-1) unstable; urgency=medium |
359 | |
360 | * New upstream release. |
361 | @@ -1263,3 +1517,4 @@ nss (3.11.5-1) experimental; urgency=low |
362 | * Initial release. (Closes: #416151) |
363 | |
364 | -- Mike Hommey <glandium@debian.org> Sun, 25 Mar 2007 23:56:17 +0200 |
365 | + |
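Review bot: The only change in this hunk is an empty line appended after the final trailer of debian/changelog. A whitespace-only edit to a historical entry is extra delta against Debian that has to be carried through every later merge; drop it unless something depends on it, and if something does, say so in the changelog.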
366 | diff --git a/debian/control b/debian/control |
367 | index a4be555..ac713a6 100644 |
368 | --- a/debian/control |
369 | +++ b/debian/control |
370 | @@ -1,9 +1,11 @@ |
371 | Source: nss |
372 | Section: libs |
373 | Priority: optional |
374 | -Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org> |
375 | +Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
376 | +XSBC-Original-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org> |
377 | Uploaders: Mike Hommey <glandium@debian.org> |
378 | Build-Depends: debhelper (>= 9.20160403), |
379 | + dh-exec, |
380 | dpkg-dev (>= 1.17.14), |
381 | libnspr4-dev (>= 2:4.24), |
382 | zlib1g-dev, |
383 | diff --git a/debian/libnss3.links b/debian/libnss3.links |
384 | new file mode 100755 |
385 | index 0000000..e62c6a0 |
386 | --- /dev/null |
387 | +++ b/debian/libnss3.links |
388 | @@ -0,0 +1,5 @@ |
389 | +#!/usr/bin/dh-exec |
390 | +usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so |
391 | +usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.chk usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.chk |
392 | +usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.so |
393 | +usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.chk usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.chk |
394 | diff --git a/debian/patches/disable_fips_enabled_read.patch b/debian/patches/disable_fips_enabled_read.patch |
395 | new file mode 100644 |
396 | index 0000000..c0e54d5 |
397 | --- /dev/null |
398 | +++ b/debian/patches/disable_fips_enabled_read.patch |
399 | @@ -0,0 +1,49 @@ |
400 | +commit 16996a9156c9ff2924bdb19ff43d40617a41c912 |
401 | +Author: Vineetha Kamath <vineetha.hari.pai@canonical.com> |
402 | +Date: Tue Jul 23 15:32:32 2019 -0400 |
403 | + |
404 | +From: Vineetha Kamath<vineetha.hari.pai@canonical.com> |
405 | +Decription: Disable libgcrypt reading /proc/sys/crypto/fips_enabled |
406 | +file and going into FIPS mode. libnss is not a FIPS |
407 | +certified library. |
408 | +Bug-Ubuntu: http://bugs.launchpad.net/bugs/1837734 |
409 | +Forwarded: not-needed |
410 | + |
411 | +Index: nss/nss/lib/freebl/nsslowhash.c |
412 | +=================================================================== |
413 | +--- nss.orig/nss/lib/freebl/nsslowhash.c 2020-07-17 10:46:37.964346182 -0400 |
414 | ++++ nss/nss/lib/freebl/nsslowhash.c 2020-07-17 10:46:37.960346213 -0400 |
415 | +@@ -27,11 +27,13 @@ |
416 | + nsslow_GetFIPSEnabled(void) |
417 | + { |
418 | + #ifdef LINUX |
419 | +- FILE *f; |
420 | ++ FILE *f = NULL; |
421 | + char d; |
422 | + size_t size; |
423 | + |
424 | ++#if 0 |
425 | + f = fopen("/proc/sys/crypto/fips_enabled", "r"); |
426 | ++#endif |
427 | + if (!f) |
428 | + return 0; |
429 | + |
430 | +Index: nss/nss/lib/sysinit/nsssysinit.c |
431 | +=================================================================== |
432 | +--- nss.orig/nss/lib/sysinit/nsssysinit.c 2020-07-17 10:46:37.964346182 -0400 |
433 | ++++ nss/nss/lib/sysinit/nsssysinit.c 2020-07-17 10:46:59.844174516 -0400 |
434 | +@@ -171,11 +171,13 @@ |
435 | + getFIPSMode(void) |
436 | + { |
437 | + #ifndef NSS_FIPS_DISABLED |
438 | +- FILE *f; |
439 | ++ FILE *f = NULL; |
440 | + char d; |
441 | + size_t size; |
442 | + |
443 | ++#if 0 |
444 | + f = fopen("/proc/sys/crypto/fips_enabled", "r"); |
445 | ++#endif |
446 | + if (!f) { |
447 | + /* if we don't have a proc flag, fall back to the |
448 | + * environment variable */ |
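Review bot: The header of disable_fips_enabled_read.patch spells its field name "Decription:", so anything that reads DEP-3 metadata will find no description, and the text says "Disable libgcrypt reading /proc/sys/crypto/fips_enabled" although both patched files are in NSS (nss/lib/freebl/nsslowhash.c and nss/lib/sysinit/nsssysinit.c). Suggest "Description: Disable NSS reading ...". On the code side, initialising f to NULL and wrapping the fopen() call in "#if 0" makes "if (!f)" always true: nsslow_GetFIPSEnabled() now always returns 0, and getFIPSMode() always takes the branch whose comment says it falls back to the environment variable, leaving the rest of both functions unreachable. The header should state that this is intended, including that the environment-variable fallback in getFIPSMode() stays active, so whoever refreshes the patch next knows what behaviour to preserve.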
449 | diff --git a/debian/patches/series b/debian/patches/series |
450 | index 2f1226f..e8cd205 100644 |
451 | --- a/debian/patches/series |
452 | +++ b/debian/patches/series |
453 | @@ -4,3 +4,5 @@ |
454 | 38_hppa.patch |
455 | seed |
456 | infinite-recursion |
457 | +disable_fips_enabled_read.patch |
458 | +set-tls1.2-as-minimum.patch |
459 | diff --git a/debian/patches/set-tls1.2-as-minimum.patch b/debian/patches/set-tls1.2-as-minimum.patch |
460 | new file mode 100644 |
461 | index 0000000..a05d4e9 |
462 | --- /dev/null |
463 | +++ b/debian/patches/set-tls1.2-as-minimum.patch |
464 | @@ -0,0 +1,17 @@ |
465 | +Description: Set TLSv1.2 as minimum TLS version. LP: #1856428 |
466 | +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1856428 |
467 | + |
468 | + |
469 | +Index: nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c |
470 | +=================================================================== |
471 | +--- nss-3.48-1ubuntu1.orig/nss/lib/ssl/sslsock.c |
472 | ++++ nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c |
473 | +@@ -96,7 +96,7 @@ static sslOptions ssl_defaults = { |
474 | + * default range of enabled SSL/TLS protocols |
475 | + */ |
476 | + static SSLVersionRange versions_defaults_stream = { |
477 | +- SSL_LIBRARY_VERSION_TLS_1_0, |
478 | ++ SSL_LIBRARY_VERSION_TLS_1_2, |
479 | + SSL_LIBRARY_VERSION_TLS_1_3 |
480 | + }; |
481 | + |
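Review bot: The header of set-tls1.2-as-minimum.patch carries only "Description" and "Bug-Ubuntu"; there is no "Author" or "Origin" and no "Forwarded" field, and the "Index:" paths still name nss-3.48-1ubuntu1. The one-line change raises the lower bound of versions_defaults_stream from SSL_LIBRARY_VERSION_TLS_1_0 to SSL_LIBRARY_VERSION_TLS_1_2, which the surrounding comment describes as the "default range of enabled SSL/TLS protocols", so it alters behaviour for every consumer that relies on the defaults. The header should record that this is a distribution policy choice and whether it was forwarded, and should note that only the stream defaults are touched by this hunk.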
482 | diff --git a/debian/rules b/debian/rules |
483 | index ec951d3..b4c7302 100755 |
484 | --- a/debian/rules |
485 | +++ b/debian/rules |
486 | @@ -175,7 +175,7 @@ override_dh_strip: |
487 | |
488 | ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH)) |
489 | # Check FIPS mode correctly works |
490 | - mkdir debian/tmp |
491 | + mkdir -p debian/tmp |
492 | LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null |
493 | LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null |
494 | endif |
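Review bot: With "mkdir -p debian/tmp" the FIPS check no longer fails when the directory already exists, but the two modutil calls that follow still pass "-dbdir debian/tmp", so the test database is now created in a directory that, per the changelog, already exists because of dh-exec. Consider a dedicated scratch directory for this check, created and removed within the block, so the database files cannot end up mixed with whatever else has been staged in debian/tmp.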
* Changelog:
- [√] old content and logical tag match as expected
- [√] changelog entry correct version and targeted codename
- [x] changelog entries correct
- [√] update-maintainer has been run
* Actual changes:
- [√] no upstream changes to consider
- [√] no further upstream version to consider
- [√] debian changes look safe
* Old Delta:
- [√] dropped changes are ok to be dropped
- [√] nothing else to drop
- [-] changes forwarded upstream/debian (if appropriate)
* New Delta: patches/ series
- [√] no new patches added
- [-] patches match what was proposed upstream
- [-] patches correctly included in debian/
- [-] patches have correct DEP3 metadata
* Build/Test:
- [√] build is ok
- [√] verified PPA package installs/uninstalls
- [-] autopkgtest against the PPA package passes
- [√] sanity checks test fine
There is just a minor thing I noticed in your changelog and also on your commit messages, to avoid pinging the bugs fixed in previous releases let's remove the ":" from "LP: #NNNN". I can see one occurrence of that in the changelog: "Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)"; and two on the commit messages: "Set TLSv1.2 as minimum TLS version. LP: #1856428" and "Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)".
Other than that LGTM. When you get it fixed let me know and I can sponsor this upload for you.