Merge ~sergiodj/ubuntu/+source/nss:nss-merge-3.53.1-1ubuntu1 into ubuntu/+source/nss:debian/sid

Proposed by Sergio Durigan Junior
Status: Merged
Approved by: Lucas Kanashiro
Approved revision: 0f1c2b55f48b2155948956eb15eced9e168ce3b0
Merge reported by: Sergio Durigan Junior
Merged at revision: 0f1c2b55f48b2155948956eb15eced9e168ce3b0
Proposed branch: ~sergiodj/ubuntu/+source/nss:nss-merge-3.53.1-1ubuntu1
Merge into: ubuntu/+source/nss:debian/sid
Diff against target: 494 lines (+332/-2)
7 files modified
debian/changelog (+255/-0)
debian/control (+3/-1)
debian/libnss3.links (+5/-0)
debian/patches/disable_fips_enabled_read.patch (+49/-0)
debian/patches/series (+2/-0)
debian/patches/set-tls1.2-as-minimum.patch (+17/-0)
debian/rules (+1/-1)
Reviewer Review Type Date Requested Status
Lucas Kanashiro (community) Approve
Canonical Server Core Reviewers Pending
Review via email: mp+387608@code.launchpad.net

Description of the change

This is the merge of nss 2:3.53.1-1 from Debian.

It is relatively trivial; only two changes were dropped (the two patches to address CVEs, which were fixed upstream), and the patch to disable reading the fips_enabled flag in FIPS mode had to be updated.

Other than that, the merge went smoothly. The package doesn't have dep8 tests, but I tested the new build by installing it inside a container, and then installing some reverse dependency of it, like openjdk-15-jre-headless.

The Debian package seems a bit abandoned; it still uses compat level 9, and contains many lintian warnings. I will see about submitting an MR to address some of them.

There is a PPA with the new package here:

https://launchpad.net/~sergiodj/+archive/ubuntu/nss-merge
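An added sanity check, not part of this merge proposal or of the nss packaging itself, for the security-relevant piece of the Ubuntu delta: the libfreebl3/libfreeblpriv3 .chk symlinks (LP #1885562) that FIPS-mode self-verification needs to find beside the .so it actually loads. It walks a library directory and confirms every libfreebl*.so has a matching .chk, and that when the pair are symlinks they resolve into the same directory. The fixture layout, the x86_64-linux-gnu triplet and the use of GNU `readlink -f` are assumptions; the fixture files are empty placeholders, not real libraries.

```sh
#!/bin/sh
# Added example (not from the merge proposal): verify .so/.chk pairing for the
# freebl libraries, as NSS FIPS self-verification expects the .chk next to the .so.

# check_chk_pairs DIR
#   Prints one OK/FAIL line per libfreebl*.so found in DIR.
#   Returns 0 if every library has a .chk that resolves into the same directory.
check_chk_pairs() {
    dir=$1
    rc=0
    for so in "$dir"/libfreebl*.so; do
        # An unmatched glob leaves the literal pattern, which does not exist.
        [ -e "$so" ] || { echo "no libfreebl*.so found in $dir"; return 1; }
        chk="${so%.so}.chk"
        if [ ! -e "$chk" ]; then
            echo "FAIL: $so has no $chk"
            rc=1
            continue
        fi
        if [ -L "$so" ] || [ -L "$chk" ]; then
            # Both must land in the same directory, otherwise the checksum
            # would be verified against a different copy of the library.
            so_target=$(readlink -f "$so")
            chk_target=$(readlink -f "$chk")
            if [ "$(dirname "$so_target")" != "$(dirname "$chk_target")" ]; then
                echo "FAIL: $so -> $so_target but $chk -> $chk_target"
                rc=1
                continue
            fi
        fi
        echo "OK: $so / $chk"
    done
    return $rc
}

# make_fixture
#   Builds a throwaway tree mimicking what debian/libnss3.links produces
#   (assumed triplet x86_64-linux-gnu; empty placeholder files, not real libs)
#   and prints the top-level multiarch library directory.
make_fixture() {
    root=$(mktemp -d)
    libdir="$root/usr/lib/x86_64-linux-gnu"
    mkdir -p "$libdir/nss"
    for lib in libfreebl3 libfreeblpriv3; do
        : > "$libdir/nss/$lib.so"
        : > "$libdir/nss/$lib.chk"
        ln -s "nss/$lib.so"  "$libdir/$lib.so"
        ln -s "nss/$lib.chk" "$libdir/$lib.chk"
    done
    echo "$libdir"
}
```

Against a real install from the PPA, run `check_chk_pairs /usr/lib/x86_64-linux-gnu` (or the triplet for your architecture); a missing or mis-pointed .chk shows up as a FAIL line and a non-zero exit status.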

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

* Changelog:
  - [√] old content and logical tag match as expected
  - [√] changelog entry correct version and targeted codename
  - [x] changelog entries correct
  - [√] update-maintainer has been run

* Actual changes:
  - [√] no upstream changes to consider
  - [√] no further upstream version to consider
  - [√] debian changes look safe

* Old Delta:
  - [√] dropped changes are ok to be dropped
  - [√] nothing else to drop
  - [-] changes forwarded upstream/debian (if appropriate)

* New Delta:
  - [√] no new patches added
  - [-] patches match what was proposed upstream
  - [-] patches correctly included in debian/patches/series
  - [-] patches have correct DEP3 metadata

* Build/Test:
  - [√] build is ok
  - [√] verified PPA package installs/uninstalls
  - [-] autopkgtest against the PPA package passes
  - [√] sanity checks test fine

There is just a minor thing I noticed in your changelog and also on your commit messages, to avoid pinging the bugs fixed in previous releases let's remove the ":" from "LP: #NNNN". I can see one occurrence of that in the changelog: "Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)"; and two on the commit messages: "Set TLSv1.2 as minimum TLS version. LP: #1856428" and "Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)".

Other than that LGTM. When you get it fixed let me know and I can sponsor this upload for you.

review: Needs Fixing
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Monday, July 20 2020, Lucas Kanashiro wrote:

> Review: Needs Fixing
>
> * Changelog:
> - [√] old content and logical tag match as expected
> - [√] changelog entry correct version and targeted codename
> - [x] changelog entries correct
> - [√] update-maintainer has been run
>
> * Actual changes:
> - [√] no upstream changes to consider
> - [√] no further upstream version to consider
> - [√] debian changes look safe
>
> * Old Delta:
> - [√] dropped changes are ok to be dropped
> - [√] nothing else to drop
> - [-] changes forwarded upstream/debian (if appropriate)
>
> * New Delta:
> - [√] no new patches added
> - [-] patches match what was proposed upstream
> - [-] patches correctly included in debian/patches/series
> - [-] patches have correct DEP3 metadata
>
> * Build/Test:
> - [√] build is ok
> - [√] verified PPA package installs/uninstalls
> - [-] autopkgtest against the PPA package passes
> - [√] sanity checks test fine
>
> There is just a minor thing I noticed in your changelog and also on
> your commit messages, to avoid pinging the bugs fixed in previous
> releases let's remove the ":" from "LP: #NNNN". I can see one
> occurrence of that in the changelog: "Symlink chk files to fix
> self-verification in FIPS mode (LP: #1885562)"; and two on the commit
> messages: "Set TLSv1.2 as minimum TLS version. LP: #1856428" and
> "Symlink chk files to fix self-verification in FIPS mode (LP:
> #1885562)".
>
> Other than that LGTM. When you get it fixed let me know and I can sponsor this upload for you.

Thanks for the review, Lucas.

Heh, coincidentally I was thinking about the ":" thing when I was
writing the commit messages, and I did a quick investigation to see if
other merges were dropping the colon, but I remember finding one that
didn't, so I decided to leave it on mine as well. But it obviously
makes sense to drop it: the bugs have all been fixed, and we wouldn't
want the merge to pollute them with more info.

I have addressed your request and dropped the colon from both the
changelog entry and the commit messages.

Thanks,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks Sergio, I already sponsored the upload for you, please follow its migration.

$ git push pkg upload/2%3.53.1-1ubuntu1
Enumerating objects: 50, done.
Counting objects: 100% (50/50), done.
Delta compression using up to 8 threads
Compressing objects: 100% (31/31), done.
Writing objects: 100% (43/43), 8.30 KiB | 1.04 MiB/s, done.
Total 43 (delta 19), reused 26 (delta 12)
remote: Checking connectivity: 43, done.
To ssh://git.launchpad.net/ubuntu/+source/nss
 * [new tag] upload/2%3.53.1-1ubuntu1 -> upload/2%3.53.1-1ubuntu1

$ dput ubuntu ../nss_3.53.1-1ubuntu1_source.changes
Checking signature on .changes
gpg: ../nss_3.53.1-1ubuntu1_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: ../nss_3.53.1-1ubuntu1.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading nss_3.53.1-1ubuntu1.dsc: done.
  Uploading nss_3.53.1-1ubuntu1.debian.tar.xz: done.
  Uploading nss_3.53.1-1ubuntu1_source.changes: done.
Successfully uploaded packages.

review: Approve
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

This has migrated.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 28834da..d02577d 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,26 @@
6+nss (2:3.53.1-1ubuntu1) groovy; urgency=medium
7+
8+ * Merge with Debian unstable. Remaining changes:
9+ - d/libnss3.links: make freebl3 available as library (LP #1744328)
10+ - d/control: add dh-exec to Build-Depends
11+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
12+ - Disable reading fips_enabled flag in FIPS mode. libnss is
13+ not a FIPS certified library. (LP #1837734)
14+ - Set TLSv1.2 as minimum TLS version. LP #1856428
15+ - Symlink chk files to fix self-verification in FIPS mode (LP #1885562)
16+ * Dropped changes:
17+ - SECURITY UPDATE: Timing attack during DSA key generation
18+ + debian/patches/CVE-2020-12399.patch: force a fixed length for DSA
19+ exponentiation in nss/lib/freebl/dsa.c.
20+ [ Incorporated by upstream. ]
21+ - SECURITY UPDATE: Side channel vulnerabilities during RSA key generation
22+ + debian/patches/CVE-2020-12402.patch: use constant-time GCD and
23+ modular inversion in nss/lib/freebl/mpi/mpi.c,
24+ nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c.
25+ [ Incorporated by upstream. ]
26+
27+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 17 Jul 2020 10:51:23 -0400
28+
29 nss (2:3.53.1-1) unstable; urgency=medium
30
31 * New upstream release.
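Review bot: the "Dropped changes" bullets state that the CVE-2020-12399 and CVE-2020-12402 patches are incorporated upstream, but nothing in this diff shows it; since the Ubuntu patches are removed and the debian/patches/series hunk adds only the two remaining Ubuntu patches, the "no upstream changes to consider" checklist item should explicitly cover confirming the 3.53.1 tarball contains both fixes (for example by checking that the DSA fixed-length exponentiation and the constant-time GCD/modular inversion referenced in the dropped entries are present in nss/lib/freebl). Style point: the remaining-changes bullets mix "(LP #NNNN)" with a bare "LP #1856428" after a period; pick one form for the new entry.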
32@@ -36,6 +59,43 @@ nss (2:3.50-1) unstable; urgency=medium
33
34 -- Mike Hommey <glandium@debian.org> Wed, 12 Feb 2020 09:06:51 +0900
35
36+nss (2:3.49.1-1ubuntu4) groovy; urgency=medium
37+
38+ * Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)
39+
40+ -- Dariusz Gadomski <dgadomski@ubuntu.com> Wed, 01 Jul 2020 14:48:13 +0200
41+
42+nss (2:3.49.1-1ubuntu3) groovy; urgency=medium
43+
44+ * SECURITY UPDATE: Side channel vulnerabilities during RSA key generation
45+ - debian/patches/CVE-2020-12402.patch: use constant-time GCD and
46+ modular inversion in nss/lib/freebl/mpi/mpi.c,
47+ nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c.
48+ - CVE-2020-12402
49+
50+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 30 Jun 2020 10:41:20 -0400
51+
52+nss (2:3.49.1-1ubuntu2) groovy; urgency=medium
53+
54+ * SECURITY UPDATE: Timing attack during DSA key generation
55+ - debian/patches/CVE-2020-12399.patch: force a fixed length for DSA
56+ exponentiation in nss/lib/freebl/dsa.c.
57+ - CVE-2020-12399
58+
59+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Jun 2020 12:54:12 -0400
60+
61+nss (2:3.49.1-1ubuntu1) focal; urgency=medium
62+
63+ * Merge with Debian unstable. Remaining changes:
64+ - d/libnss3.links: make freebl3 available as library (LP #1744328)
65+ - d/control: add dh-exec to Build-Depends
66+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
67+ - Disable reading fips_enabled flag in FIPS mode. libnss is
68+ not a FIPS certified library. (LP #1837734)
69+ - Set TLSv1.2 as minimum TLS version. LP #1856428
70+
71+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 22 Jan 2020 16:24:44 -0300
72+
73 nss (2:3.49.1-1) unstable; urgency=medium
74
75 * New upstream release.
76@@ -55,6 +115,18 @@ nss (2:3.49-1) unstable; urgency=medium
77
78 -- Mike Hommey <glandium@debian.org> Thu, 09 Jan 2020 13:46:11 +0900
79
80+nss (2:3.48-1ubuntu1) focal; urgency=low
81+
82+ * Merge from Debian unstable. Remaining changes:
83+ - d/libnss3.links: make freebl3 available as library (LP #1744328)
84+ - d/control: add dh-exec to Build-Depends
85+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
86+ - Disable reading fips_enabled flag in FIPS mode. libnss is
87+ not a FIPS certified library. (LP #1837734)
88+ * Set TLSv1.2 as minimum TLS version. LP: #1856428
89+
90+ -- Ubuntu Merge-o-Matic <mom@ubuntu.com> Sun, 29 Dec 2019 03:43:36 +0000
91+
92 nss (2:3.48-1) unstable; urgency=medium
93
94 * New upstream release. Closes: #947131.
95@@ -71,6 +143,26 @@ nss (2:3.47.1-1) unstable; urgency=medium
96
97 -- Mike Hommey <glandium@debian.org> Wed, 04 Dec 2019 09:00:54 +0900
98
99+nss (2:3.47-1ubuntu2) focal; urgency=medium
100+
101+ * SECURITY UPDATE: out-of-bounds write in NSC_EncryptUpdate
102+ - debian/patches/CVE-2019-11745.patch: use maxout not block size in
103+ nss/lib/softoken/pkcs11c.c.
104+ - CVE-2019-11745
105+
106+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 26 Nov 2019 08:31:39 -0500
107+
108+nss (2:3.47-1ubuntu1) focal; urgency=medium
109+
110+ * Merge with Debian unstable. Remaining changes:
111+ - d/libnss3.links: make freebl3 available as library (LP #1744328)
112+ - d/control: add dh-exec to Build-Depends
113+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
114+ - Disable reading fips_enabled flag in FIPS mode. libnss is
115+ not a FIPS certified library. (LP #1837734)
116+
117+ -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 31 Oct 2019 16:18:35 -0300
118+
119 nss (2:3.47-1) unstable; urgency=medium
120
121 * New upstream release.
122@@ -78,6 +170,22 @@ nss (2:3.47-1) unstable; urgency=medium
123
124 -- Mike Hommey <glandium@debian.org> Wed, 23 Oct 2019 11:19:59 +0900
125
126+nss (2:3.45-1ubuntu2) eoan; urgency=medium
127+
128+ * Disable reading fips_enabled flag in FIPS mode. libnss is
129+ not a FIPS certified library. (LP: #1837734)
130+
131+ -- Vineetha Kamath <vineetha.hari.pai@canonical.com> Tue, 23 Jul 2019 20:58:12 +0000
132+
133+nss (2:3.45-1ubuntu1) eoan; urgency=low
134+
135+ * Merge from Debian unstable. Remaining changes:
136+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
137+ - d/control: add dh-exec to Build-Depends
138+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
139+
140+ -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 11 Jul 2019 11:49:44 +0200
141+
142 nss (2:3.45-1) unstable; urgency=medium
143
144 * New upstream release.
145@@ -126,6 +234,28 @@ nss (2:3.42.1-1) unstable; urgency=medium
146
147 -- Mike Hommey <glandium@debian.org> Wed, 13 Feb 2019 13:19:39 +0900
148
149+nss (2:3.42-1ubuntu2) disco; urgency=medium
150+
151+ * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
152+ - debian/patches/CVE-2018-18508-1.patch: add null checks in
153+ nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c,
154+ nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c,
155+ nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
156+ - debian/patches/CVE-2018-18508-2.patch: add null checks in
157+ nss/lib/smime/cmsmessage.c.
158+ - CVE-2018-18508
159+
160+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 Feb 2019 12:04:49 +0100
161+
162+nss (2:3.42-1ubuntu1) disco; urgency=medium
163+
164+ * Merge with Debian unstable (LP: #1813593). Remaining changes:
165+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
166+ - d/control: add dh-exec to Build-Depends
167+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
168+
169+ -- Karl Stenerud <kstenerud@gmail.com> Mon, 04 Feb 2019 11:03:32 +0100
170+
171 nss (2:3.42-1) unstable; urgency=medium
172
173 * New upstream release.
174@@ -144,6 +274,18 @@ nss (2:3.40-1) unstable; urgency=medium
175
176 -- Mike Hommey <glandium@debian.org> Fri, 02 Nov 2018 14:44:19 +0900
177
178+nss (2:3.39-1ubuntu1) disco; urgency=medium
179+
180+ * Merge with Debian unstable. Remaining changes (LP: #1803707):
181+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
182+ - d/control: add dh-exec to Build-Depends
183+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
184+ * Dropped changes:
185+ - d/rules: when building with -O3 on ppc64el this FTBFS, build with
186+ -Wno-error=maybe-uninitialized to avoid that
187+
188+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Nov 2018 14:27:39 +0100
189+
190 nss (2:3.39-1) unstable; urgency=medium
191
192 * New upstream release.
193@@ -176,6 +318,23 @@ nss (2:3.37-1) unstable; urgency=medium
194
195 -- Mike Hommey <glandium@debian.org> Mon, 14 May 2018 07:15:21 +0900
196
197+nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium
198+
199+ * Merge with Debian unstable. Remaining changes:
200+ - d/libnss3.links: make freebl3 available as library (LP 1744328)
201+ - d/control: add dh-exec to Build-Depends
202+ - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
203+ - d/rules: when building with -O3 on ppc64el this FTBFS, build with
204+ -Wno-error=maybe-uninitialized to avoid that
205+ * Dropped changes:
206+ - revert switching to SQL default format (LP: 1746947) Dropping this
207+ adresses (LP: #1747411) and effectively means we now switch to the new
208+ default format after we ensured all depending packages are ready.
209+ * Added changes:
210+ - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el
211+
212+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 May 2018 17:08:46 +0200
213+
214 nss (2:3.36.1-1) unstable; urgency=medium
215
216 * New upstream release.
217@@ -189,6 +348,25 @@ nss (2:3.36-1) unstable; urgency=medium
218
219 -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900
220
221+nss (2:3.35-2ubuntu2) bionic; urgency=medium
222+
223+ * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the
224+ default is still causing too much issues in consumers of nss.
225+ So until resolved revert the switched default (LP: #1746947)
226+
227+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 05 Feb 2018 11:36:07 +0100
228+
229+nss (2:3.35-2ubuntu1) bionic; urgency=medium
230+
231+ * Merge with Debian unstable. Remaining changes:
232+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
233+ * Added Changes:
234+ - d/libnss3.links: make freebl3 available as library (LP: #1744328)
235+ + d/control: add dh-exec to Build-Depends
236+ + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
237+
238+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 30 Jan 2018 14:04:20 +0100
239+
240 nss (2:3.35-2) unstable; urgency=medium
241
242 * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.
243@@ -207,6 +385,13 @@ nss (2:3.34.1-1) unstable; urgency=medium
244
245 -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900
246
247+nss (2:3.34-1ubuntu1) bionic; urgency=medium
248+
249+ * Merge with Debian; remaining changes:
250+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
251+
252+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 14 Dec 2017 09:18:47 -0500
253+
254 nss (2:3.34-1) unstable; urgency=medium
255
256 * New upstream release:
257@@ -231,6 +416,28 @@ nss (2:3.32-2) unstable; urgency=medium
258
259 -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900
260
261+nss (2:3.32-1ubuntu3) artful; urgency=medium
262+
263+ * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes
264+ - debian/patches/CVE-2017-7805.patch: Simplify handling of
265+ CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h.
266+ - CVE-2017-7805
267+
268+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Sep 2017 12:17:39 -0400
269+
270+nss (2:3.32-1ubuntu2) artful; urgency=medium
271+
272+ * Initialise curve variable in a test file, resolves FTBFS.
273+
274+ -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 24 Aug 2017 07:21:27 -0400
275+
276+nss (2:3.32-1ubuntu1) artful; urgency=medium
277+
278+ * Merge with Debian; remaining changes:
279+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
280+
281+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 23 Aug 2017 13:09:20 -0400
282+
283 nss (2:3.32-1) unstable; urgency=medium
284
285 * New upstream release.
286@@ -290,6 +497,39 @@ nss (2:3.27.1-1) experimental; urgency=medium
287
288 -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900
289
290+nss (2:3.28.4-0ubuntu2) artful; urgency=medium
291+
292+ * SECURITY UPDATE: DoS via empty SSLv2 messages
293+ - debian/patches/CVE-2017-7502.patch: reject broken v2 records in
294+ nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h,
295+ added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc,
296+ nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn,
297+ nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
298+ - CVE-2017-7502
299+
300+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 16 Jun 2017 08:12:38 -0400
301+
302+nss (2:3.28.4-0ubuntu1) artful; urgency=medium
303+
304+ * Updated to upstream 3.28.4 to fix security issues and get a new CA
305+ certificate bundle.
306+ * SECURITY UPDATE: DES and Triple DES ciphers birthday attack
307+ - CVE-2016-2183
308+ * SECURITY UPDATE: out-of-bounds write in Base64 decoding
309+ - CVE-2017-5461
310+ * debian/patches/*.patch: refreshed for new version.
311+ * debian/control: bump libnspr4-dev to 4.13.1.
312+ * debian/libnss3.symbols: added new symbols.
313+
314+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 27 Apr 2017 13:13:44 -0400
315+
316+nss (2:3.26.2-1ubuntu1) zesty; urgency=medium
317+
318+ * Merge with Debian; remaining changes:
319+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
320+
321+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 02 Dec 2016 08:48:03 -0500
322+
323 nss (2:3.26.2-1) unstable; urgency=medium
324
325 * New upstream release.
326@@ -303,6 +543,13 @@ nss (2:3.26-2) unstable; urgency=medium
327
328 -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900
329
330+nss (2:3.26-1ubuntu1) yakkety; urgency=medium
331+
332+ * Merge with Debian; remaining changes:
333+ - When building with -O3, build with -Wno-error=maybe-uninitialized.
334+
335+ -- Matthias Klose <doko@ubuntu.com> Tue, 06 Sep 2016 14:39:56 +0200
336+
337 nss (2:3.26-1) unstable; urgency=medium
338
339 * New upstream release.
340@@ -317,6 +564,12 @@ nss (2:3.26-1) unstable; urgency=medium
341
342 -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900
343
344+nss (2:3.25-1ubuntu1) yakkety; urgency=medium
345+
346+ * When building with -O3, build with -Wno-error=maybe-uninitialized.
347+
348+ -- Matthias Klose <doko@ubuntu.com> Thu, 04 Aug 2016 11:36:54 +0200
349+
350 nss (2:3.25-1) unstable; urgency=medium
351
352 * New upstream release.
353@@ -348,6 +601,7 @@ nss (2:3.21-1.1) unstable; urgency=medium
354 * Fix FTBFS on hppa. Closes: #808990
355
356 -- Adam Borowski <kilobyte@angband.pl> Sun, 14 Feb 2016 14:46:40 +0100
357+
358 nss (2:3.21-1) unstable; urgency=medium
359
360 * New upstream release.
361@@ -1263,3 +1517,4 @@ nss (3.11.5-1) experimental; urgency=low
362 * Initial release. (Closes: #416151)
363
364 -- Mike Hommey <glandium@debian.org> Sun, 25 Mar 2007 23:56:17 +0200
365+
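Review bot: the blank line appended at the very end of debian/changelog (the "+" at the tail of this hunk) is noise not required by the format, unlike the separator added between the 2:3.21-1.1 and 2:3.21-1 entries above which does fix a missing blank line; drop the trailing one to keep the delta minimal.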
366diff --git a/debian/control b/debian/control
367index a4be555..ac713a6 100644
368--- a/debian/control
369+++ b/debian/control
370@@ -1,9 +1,11 @@
371 Source: nss
372 Section: libs
373 Priority: optional
374-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
375+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
376+XSBC-Original-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
377 Uploaders: Mike Hommey <glandium@debian.org>
378 Build-Depends: debhelper (>= 9.20160403),
379+ dh-exec,
380 dpkg-dev (>= 1.17.14),
381 libnspr4-dev (>= 2:4.24),
382 zlib1g-dev,
383diff --git a/debian/libnss3.links b/debian/libnss3.links
384new file mode 100755
385index 0000000..e62c6a0
386--- /dev/null
387+++ b/debian/libnss3.links
388@@ -0,0 +1,5 @@
389+#!/usr/bin/dh-exec
390+usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so
391+usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.chk usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.chk
392+usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.so
393+usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.chk usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.chk
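Review bot: the .chk lines are the substance of LP #1885562: NSS FIPS self-verification looks for the checksum file beside the library it loaded, so a libfreebl3.so symlink in the top-level multiarch directory without a libfreebl3.chk beside it fails verification. Each pair here points into the same nss/ subdirectory, which is correct. Add a comment line above the entries stating why the .chk files are linked; a future merge could otherwise drop them as apparently redundant, silently breaking FIPS mode again.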
394diff --git a/debian/patches/disable_fips_enabled_read.patch b/debian/patches/disable_fips_enabled_read.patch
395new file mode 100644
396index 0000000..c0e54d5
397--- /dev/null
398+++ b/debian/patches/disable_fips_enabled_read.patch
399@@ -0,0 +1,49 @@
400+commit 16996a9156c9ff2924bdb19ff43d40617a41c912
401+Author: Vineetha Kamath <vineetha.hari.pai@canonical.com>
402+Date: Tue Jul 23 15:32:32 2019 -0400
403+
404+From: Vineetha Kamath<vineetha.hari.pai@canonical.com>
405+Decription: Disable libgcrypt reading /proc/sys/crypto/fips_enabled
406+file and going into FIPS mode. libnss is not a FIPS
407+certified library.
408+Bug-Ubuntu: http://bugs.launchpad.net/bugs/1837734
409+Forwarded: not-needed
410+
411+Index: nss/nss/lib/freebl/nsslowhash.c
412+===================================================================
413+--- nss.orig/nss/lib/freebl/nsslowhash.c 2020-07-17 10:46:37.964346182 -0400
414++++ nss/nss/lib/freebl/nsslowhash.c 2020-07-17 10:46:37.960346213 -0400
415+@@ -27,11 +27,13 @@
416+ nsslow_GetFIPSEnabled(void)
417+ {
418+ #ifdef LINUX
419+- FILE *f;
420++ FILE *f = NULL;
421+ char d;
422+ size_t size;
423+
424++#if 0
425+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
426++#endif
427+ if (!f)
428+ return 0;
429+
430+Index: nss/nss/lib/sysinit/nsssysinit.c
431+===================================================================
432+--- nss.orig/nss/lib/sysinit/nsssysinit.c 2020-07-17 10:46:37.964346182 -0400
433++++ nss/nss/lib/sysinit/nsssysinit.c 2020-07-17 10:46:59.844174516 -0400
434+@@ -171,11 +171,13 @@
435+ getFIPSMode(void)
436+ {
437+ #ifndef NSS_FIPS_DISABLED
438+- FILE *f;
439++ FILE *f = NULL;
440+ char d;
441+ size_t size;
442+
443++#if 0
444+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
445++#endif
446+ if (!f) {
447+ /* if we don't have a proc flag, fall back to the
448+ * environment variable */
449diff --git a/debian/patches/series b/debian/patches/series
450index 2f1226f..e8cd205 100644
451--- a/debian/patches/series
452+++ b/debian/patches/series
453@@ -4,3 +4,5 @@
454 38_hppa.patch
455 seed
456 infinite-recursion
457+disable_fips_enabled_read.patch
458+set-tls1.2-as-minimum.patch
459diff --git a/debian/patches/set-tls1.2-as-minimum.patch b/debian/patches/set-tls1.2-as-minimum.patch
460new file mode 100644
461index 0000000..a05d4e9
462--- /dev/null
463+++ b/debian/patches/set-tls1.2-as-minimum.patch
464@@ -0,0 +1,17 @@
465+Description: Set TLSv1.2 as minimum TLS version. LP: #1856428
466+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1856428
467+
468+
469+Index: nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c
470+===================================================================
471+--- nss-3.48-1ubuntu1.orig/nss/lib/ssl/sslsock.c
472++++ nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c
473+@@ -96,7 +96,7 @@ static sslOptions ssl_defaults = {
474+ * default range of enabled SSL/TLS protocols
475+ */
476+ static SSLVersionRange versions_defaults_stream = {
477+- SSL_LIBRARY_VERSION_TLS_1_0,
478++ SSL_LIBRARY_VERSION_TLS_1_2,
479+ SSL_LIBRARY_VERSION_TLS_1_3
480+ };
481+
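Review bot: the header lacks Author/Origin and a Forwarded field (Forwarded: not-needed, or a link if this was proposed upstream), and the Index path "nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c" is stale for a 3.53.1 package; refreshing the patch with quilt would correct it. Functionally, only versions_defaults_stream, the "default range of enabled SSL/TLS protocols" per the comment above the hunk, is raised to TLS 1.2; applications that set an explicit version range are unaffected, so the Description should say this changes the default rather than removing TLS 1.0/1.1 support. The hunk touches only the stream default; if sslsock.c carries a separate default range for datagram (DTLS), confirm that leaving it alone is intentional.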
482diff --git a/debian/rules b/debian/rules
483index ec951d3..b4c7302 100755
484--- a/debian/rules
485+++ b/debian/rules
486@@ -175,7 +175,7 @@ override_dh_strip:
487
488 ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
489 # Check FIPS mode correctly works
490- mkdir debian/tmp
491+ mkdir -p debian/tmp
492 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null
493 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null
494 endif
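Review bot: "mkdir -p" is needed only because dh-exec has already created debian/tmp by the time override_dh_strip runs (per the changelog), so the change is fine. Worth noting for the review record: this "Check FIPS mode correctly works" step runs modutil -fips true with the libraries resolved from debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH) and its nss/ subdirectory, which is exactly the layout debian/libnss3.links sets up, so it doubles as a build-time test of the .chk symlinks; it is gated on native builds (DEB_HOST_ARCH equal to DEB_BUILD_ARCH) and is silently skipped when cross-building.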
