Merge ~sergiodj/ubuntu/+source/nss:nss-merge-3.53.1-1ubuntu1 into ubuntu/+source/nss:debian/sid

Proposed by Sergio Durigan Junior
Status: Merged
Approved by: Lucas Kanashiro
Approved revision: 0f1c2b55f48b2155948956eb15eced9e168ce3b0
Merge reported by: Sergio Durigan Junior
Merged at revision: 0f1c2b55f48b2155948956eb15eced9e168ce3b0
Proposed branch: ~sergiodj/ubuntu/+source/nss:nss-merge-3.53.1-1ubuntu1
Merge into: ubuntu/+source/nss:debian/sid
Diff against target: 494 lines (+332/-2)
7 files modified
debian/changelog (+255/-0)
debian/control (+3/-1)
debian/libnss3.links (+5/-0)
debian/patches/disable_fips_enabled_read.patch (+49/-0)
debian/patches/series (+2/-0)
debian/patches/set-tls1.2-as-minimum.patch (+17/-0)
debian/rules (+1/-1)
Reviewers:
  Lucas Kanashiro (community): Approve
  Canonical Server Core Reviewers: Pending
Review via email: mp+387608@code.launchpad.net

Description of the change

This is the merge of nss 2:3.53.1-1 from Debian.

It is relatively trivial; only two changes were dropped (the two patches to address CVEs, which were fixed upstream), and the patch to disable reading the fips_enabled flag in FIPS mode had to be updated.

Other than that, the merge went smoothly. The package doesn't have dep8 tests, but I tested the new build by installing it inside a container, and then installing a reverse dependency of it, like openjdk-15-jre-headless.

The Debian package seems a bit abandoned; it still uses compat level 9, and contains many lintian warnings. I will see about submitting an MR to address some of them.

There is a PPA with the new package here:

https://launchpad.net/~sergiodj/+archive/ubuntu/nss-merge

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

* Changelog:
  - [√] old content and logical tag match as expected
  - [√] changelog entry correct version and targeted codename
  - [x] changelog entries correct
  - [√] update-maintainer has been run

* Actual changes:
  - [√] no upstream changes to consider
  - [√] no further upstream version to consider
  - [√] debian changes look safe

* Old Delta:
  - [√] dropped changes are ok to be dropped
  - [√] nothing else to drop
  - [-] changes forwarded upstream/debian (if appropriate)

* New Delta:
  - [√] no new patches added
  - [-] patches match what was proposed upstream
  - [-] patches correctly included in debian/patches/series
  - [-] patches have correct DEP3 metadata

* Build/Test:
  - [√] build is ok
  - [√] verified PPA package installs/uninstalls
  - [-] autopkgtest against the PPA package passes
  - [√] sanity checks test fine

There is just a minor thing I noticed in your changelog and also in your commit messages: to avoid pinging the bugs fixed in previous releases, let's remove the ":" from "LP: #NNNN". I can see one occurrence of that in the changelog: "Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)"; and two in the commit messages: "Set TLSv1.2 as minimum TLS version. LP: #1856428" and "Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)".

Other than that LGTM. When you get it fixed let me know and I can sponsor this upload for you.

review: Needs Fixing
Sergio Durigan Junior (sergiodj) wrote :

On Monday, July 20 2020, Lucas Kanashiro wrote:

> Review: Needs Fixing
>
> * Changelog:
> - [√] old content and logical tag match as expected
> - [√] changelog entry correct version and targeted codename
> - [x] changelog entries correct
> - [√] update-maintainer has been run
>
> * Actual changes:
> - [√] no upstream changes to consider
> - [√] no further upstream version to consider
> - [√] debian changes look safe
>
> * Old Delta:
> - [√] dropped changes are ok to be dropped
> - [√] nothing else to drop
> - [-] changes forwarded upstream/debian (if appropriate)
>
> * New Delta:
> - [√] no new patches added
> - [-] patches match what was proposed upstream
> - [-] patches correctly included in debian/patches/series
> - [-] patches have correct DEP3 metadata
>
> * Build/Test:
> - [√] build is ok
> - [√] verified PPA package installs/uninstalls
> - [-] autopkgtest against the PPA package passes
> - [√] sanity checks test fine
>
> There is just a minor thing I noticed in your changelog and also on
> your commit messages, to avoid pinging the bugs fixed in previous
> releases let's remove the ":" from "LP: #NNNN". I can see one
> occurrence of that in the changelog: "Symlink chk files to fix
> self-verification in FIPS mode (LP: #1885562)"; and two on the commit
> messages: "Set TLSv1.2 as minimum TLS version. LP: #1856428" and
> "Symlink chk files to fix self-verification in FIPS mode (LP:
> #1885562)".
>
> Other than that LGTM. When you get it fixed let me know and I can sponsor this upload for you.

Thanks for the review, Lucas.

Heh, coincidentally I was thinking about the ":" thing when I was
writing the commit messages, and I did a quick investigation to see if
other merges were dropping the colon, but I remember finding one that
didn't, so I decided to leave it on mine as well. But it obviously
makes sense to drop it: the bugs have all been fixed, and we wouldn't
want the merge to pollute them with more info.

I have addressed your request and dropped the colon from both the
changelog entry and the commit messages.

Thanks,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Lucas Kanashiro (lucaskanashiro) wrote :

Thanks Sergio, I already sponsored the upload for you, please follow its migration.

$ git push pkg upload/2%3.53.1-1ubuntu1
Enumerating objects: 50, done.
Counting objects: 100% (50/50), done.
Delta compression using up to 8 threads
Compressing objects: 100% (31/31), done.
Writing objects: 100% (43/43), 8.30 KiB | 1.04 MiB/s, done.
Total 43 (delta 19), reused 26 (delta 12)
remote: Checking connectivity: 43, done.
To ssh://git.launchpad.net/ubuntu/+source/nss
 * [new tag] upload/2%3.53.1-1ubuntu1 -> upload/2%3.53.1-1ubuntu1

$ dput ubuntu ../nss_3.53.1-1ubuntu1_source.changes
Checking signature on .changes
gpg: ../nss_3.53.1-1ubuntu1_source.changes: Valid signature from F823A2729883C97C
Checking signature on .dsc
gpg: ../nss_3.53.1-1ubuntu1.dsc: Valid signature from F823A2729883C97C
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading nss_3.53.1-1ubuntu1.dsc: done.
  Uploading nss_3.53.1-1ubuntu1.debian.tar.xz: done.
  Uploading nss_3.53.1-1ubuntu1_source.changes: done.
Successfully uploaded packages.

review: Approve
Sergio Durigan Junior (sergiodj) wrote :

This has migrated.

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index 28834da..d02577d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,26 @@
1nss (2:3.53.1-1ubuntu1) groovy; urgency=medium
2
3 * Merge with Debian unstable. Remaining changes:
4 - d/libnss3.links: make freebl3 available as library (LP #1744328)
5 - d/control: add dh-exec to Build-Depends
6 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
7 - Disable reading fips_enabled flag in FIPS mode. libnss is
8 not a FIPS certified library. (LP #1837734)
9 - Set TLSv1.2 as minimum TLS version. LP #1856428
10 - Symlink chk files to fix self-verification in FIPS mode (LP #1885562)
11 * Dropped changes:
12 - SECURITY UPDATE: Timing attack during DSA key generation
13 + debian/patches/CVE-2020-12399.patch: force a fixed length for DSA
14 exponentiation in nss/lib/freebl/dsa.c.
15 [ Incorporated by upstream. ]
16 - SECURITY UPDATE: Side channel vulnerabilities during RSA key generation
17 + debian/patches/CVE-2020-12402.patch: use constant-time GCD and
18 modular inversion in nss/lib/freebl/mpi/mpi.c,
19 nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c.
20 [ Incorporated by upstream. ]
21
22 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 17 Jul 2020 10:51:23 -0400
23
1nss (2:3.53.1-1) unstable; urgency=medium24nss (2:3.53.1-1) unstable; urgency=medium
225
3 * New upstream release.26 * New upstream release.
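Review bot: the two "Dropped changes" items in the new 2:3.53.1-1ubuntu1 entry justify removing debian/patches/CVE-2020-12399.patch and debian/patches/CVE-2020-12402.patch with "[ Incorporated by upstream. ]" but cite no upstream release note or bug, so someone auditing the security delta of this merge cannot confirm from the changelog alone that 3.53.1 carries both fixes; naming the upstream reference in each item would make that check self-contained. The "LP #NNNN" form without the colon is used consistently throughout the new entry, as requested in review, so the upload will not re-ping bugs that earlier releases already closed.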
@@ -36,6 +59,43 @@ nss (2:3.50-1) unstable; urgency=medium
3659
37 -- Mike Hommey <glandium@debian.org> Wed, 12 Feb 2020 09:06:51 +090060 -- Mike Hommey <glandium@debian.org> Wed, 12 Feb 2020 09:06:51 +0900
3861
62nss (2:3.49.1-1ubuntu4) groovy; urgency=medium
63
64 * Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)
65
66 -- Dariusz Gadomski <dgadomski@ubuntu.com> Wed, 01 Jul 2020 14:48:13 +0200
67
68nss (2:3.49.1-1ubuntu3) groovy; urgency=medium
69
70 * SECURITY UPDATE: Side channel vulnerabilities during RSA key generation
71 - debian/patches/CVE-2020-12402.patch: use constant-time GCD and
72 modular inversion in nss/lib/freebl/mpi/mpi.c,
73 nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c.
74 - CVE-2020-12402
75
76 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 30 Jun 2020 10:41:20 -0400
77
78nss (2:3.49.1-1ubuntu2) groovy; urgency=medium
79
80 * SECURITY UPDATE: Timing attack during DSA key generation
81 - debian/patches/CVE-2020-12399.patch: force a fixed length for DSA
82 exponentiation in nss/lib/freebl/dsa.c.
83 - CVE-2020-12399
84
85 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Jun 2020 12:54:12 -0400
86
87nss (2:3.49.1-1ubuntu1) focal; urgency=medium
88
89 * Merge with Debian unstable. Remaining changes:
90 - d/libnss3.links: make freebl3 available as library (LP #1744328)
91 - d/control: add dh-exec to Build-Depends
92 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
93 - Disable reading fips_enabled flag in FIPS mode. libnss is
94 not a FIPS certified library. (LP #1837734)
95 - Set TLSv1.2 as minimum TLS version. LP #1856428
96
97 -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 22 Jan 2020 16:24:44 -0300
98
39nss (2:3.49.1-1) unstable; urgency=medium99nss (2:3.49.1-1) unstable; urgency=medium
40100
41 * New upstream release.101 * New upstream release.
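Review bot: the 2:3.49.1-1ubuntu1 through -1ubuntu4 entries re-added in this hunk are archive history and must match the previous Ubuntu upload byte for byte, including the "LP: #1885562" colon in the -1ubuntu4 entry, which is right to keep in a historical entry even though the new top entry drops it. Worth confirming with a diff against the previous Ubuntu changelog rather than by eye, since the two SECURITY UPDATE entries here (CVE-2020-12402 and CVE-2020-12399) are exactly what the new entry's "Dropped changes" section refers back to.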
@@ -55,6 +115,18 @@ nss (2:3.49-1) unstable; urgency=medium
55115
56 -- Mike Hommey <glandium@debian.org> Thu, 09 Jan 2020 13:46:11 +0900116 -- Mike Hommey <glandium@debian.org> Thu, 09 Jan 2020 13:46:11 +0900
57117
118nss (2:3.48-1ubuntu1) focal; urgency=low
119
120 * Merge from Debian unstable. Remaining changes:
121 - d/libnss3.links: make freebl3 available as library (LP #1744328)
122 - d/control: add dh-exec to Build-Depends
123 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
124 - Disable reading fips_enabled flag in FIPS mode. libnss is
125 not a FIPS certified library. (LP #1837734)
126 * Set TLSv1.2 as minimum TLS version. LP: #1856428
127
128 -- Ubuntu Merge-o-Matic <mom@ubuntu.com> Sun, 29 Dec 2019 03:43:36 +0000
129
58nss (2:3.48-1) unstable; urgency=medium130nss (2:3.48-1) unstable; urgency=medium
59131
60 * New upstream release. Closes: #947131.132 * New upstream release. Closes: #947131.
@@ -71,6 +143,26 @@ nss (2:3.47.1-1) unstable; urgency=medium
71143
72 -- Mike Hommey <glandium@debian.org> Wed, 04 Dec 2019 09:00:54 +0900144 -- Mike Hommey <glandium@debian.org> Wed, 04 Dec 2019 09:00:54 +0900
73145
146nss (2:3.47-1ubuntu2) focal; urgency=medium
147
148 * SECURITY UPDATE: out-of-bounds write in NSC_EncryptUpdate
149 - debian/patches/CVE-2019-11745.patch: use maxout not block size in
150 nss/lib/softoken/pkcs11c.c.
151 - CVE-2019-11745
152
153 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 26 Nov 2019 08:31:39 -0500
154
155nss (2:3.47-1ubuntu1) focal; urgency=medium
156
157 * Merge with Debian unstable. Remaining changes:
158 - d/libnss3.links: make freebl3 available as library (LP #1744328)
159 - d/control: add dh-exec to Build-Depends
160 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
161 - Disable reading fips_enabled flag in FIPS mode. libnss is
162 not a FIPS certified library. (LP #1837734)
163
164 -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 31 Oct 2019 16:18:35 -0300
165
74nss (2:3.47-1) unstable; urgency=medium166nss (2:3.47-1) unstable; urgency=medium
75167
76 * New upstream release.168 * New upstream release.
@@ -78,6 +170,22 @@ nss (2:3.47-1) unstable; urgency=medium
78170
79 -- Mike Hommey <glandium@debian.org> Wed, 23 Oct 2019 11:19:59 +0900171 -- Mike Hommey <glandium@debian.org> Wed, 23 Oct 2019 11:19:59 +0900
80172
173nss (2:3.45-1ubuntu2) eoan; urgency=medium
174
175 * Disable reading fips_enabled flag in FIPS mode. libnss is
176 not a FIPS certified library. (LP: #1837734)
177
178 -- Vineetha Kamath <vineetha.hari.pai@canonical.com> Tue, 23 Jul 2019 20:58:12 +0000
179
180nss (2:3.45-1ubuntu1) eoan; urgency=low
181
182 * Merge from Debian unstable. Remaining changes:
183 - d/libnss3.links: make freebl3 available as library (LP 1744328)
184 - d/control: add dh-exec to Build-Depends
185 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
186
187 -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 11 Jul 2019 11:49:44 +0200
188
81nss (2:3.45-1) unstable; urgency=medium189nss (2:3.45-1) unstable; urgency=medium
82190
83 * New upstream release.191 * New upstream release.
@@ -126,6 +234,28 @@ nss (2:3.42.1-1) unstable; urgency=medium
126234
127 -- Mike Hommey <glandium@debian.org> Wed, 13 Feb 2019 13:19:39 +0900235 -- Mike Hommey <glandium@debian.org> Wed, 13 Feb 2019 13:19:39 +0900
128236
237nss (2:3.42-1ubuntu2) disco; urgency=medium
238
239 * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
240 - debian/patches/CVE-2018-18508-1.patch: add null checks in
241 nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c,
242 nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c,
243 nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
244 - debian/patches/CVE-2018-18508-2.patch: add null checks in
245 nss/lib/smime/cmsmessage.c.
246 - CVE-2018-18508
247
248 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 Feb 2019 12:04:49 +0100
249
250nss (2:3.42-1ubuntu1) disco; urgency=medium
251
252 * Merge with Debian unstable (LP: #1813593). Remaining changes:
253 - d/libnss3.links: make freebl3 available as library (LP 1744328)
254 - d/control: add dh-exec to Build-Depends
255 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
256
257 -- Karl Stenerud <kstenerud@gmail.com> Mon, 04 Feb 2019 11:03:32 +0100
258
129nss (2:3.42-1) unstable; urgency=medium259nss (2:3.42-1) unstable; urgency=medium
130260
131 * New upstream release.261 * New upstream release.
@@ -144,6 +274,18 @@ nss (2:3.40-1) unstable; urgency=medium
144274
145 -- Mike Hommey <glandium@debian.org> Fri, 02 Nov 2018 14:44:19 +0900275 -- Mike Hommey <glandium@debian.org> Fri, 02 Nov 2018 14:44:19 +0900
146276
277nss (2:3.39-1ubuntu1) disco; urgency=medium
278
279 * Merge with Debian unstable. Remaining changes (LP: #1803707):
280 - d/libnss3.links: make freebl3 available as library (LP 1744328)
281 - d/control: add dh-exec to Build-Depends
282 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
283 * Dropped changes:
284 - d/rules: when building with -O3 on ppc64el this FTBFS, build with
285 -Wno-error=maybe-uninitialized to avoid that
286
287 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Nov 2018 14:27:39 +0100
288
147nss (2:3.39-1) unstable; urgency=medium289nss (2:3.39-1) unstable; urgency=medium
148290
149 * New upstream release.291 * New upstream release.
@@ -176,6 +318,23 @@ nss (2:3.37-1) unstable; urgency=medium
176318
177 -- Mike Hommey <glandium@debian.org> Mon, 14 May 2018 07:15:21 +0900319 -- Mike Hommey <glandium@debian.org> Mon, 14 May 2018 07:15:21 +0900
178320
321nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium
322
323 * Merge with Debian unstable. Remaining changes:
324 - d/libnss3.links: make freebl3 available as library (LP 1744328)
325 - d/control: add dh-exec to Build-Depends
326 - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
327 - d/rules: when building with -O3 on ppc64el this FTBFS, build with
328 -Wno-error=maybe-uninitialized to avoid that
329 * Dropped changes:
330 - revert switching to SQL default format (LP: 1746947) Dropping this
331 adresses (LP: #1747411) and effectively means we now switch to the new
332 default format after we ensured all depending packages are ready.
333 * Added changes:
334 - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el
335
336 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 May 2018 17:08:46 +0200
337
179nss (2:3.36.1-1) unstable; urgency=medium338nss (2:3.36.1-1) unstable; urgency=medium
180339
181 * New upstream release.340 * New upstream release.
@@ -189,6 +348,25 @@ nss (2:3.36-1) unstable; urgency=medium
189348
190 -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900349 -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900
191350
351nss (2:3.35-2ubuntu2) bionic; urgency=medium
352
353 * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the
354 default is still causing too much issues in consumers of nss.
355 So until resolved revert the switched default (LP: #1746947)
356
357 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 05 Feb 2018 11:36:07 +0100
358
359nss (2:3.35-2ubuntu1) bionic; urgency=medium
360
361 * Merge with Debian unstable. Remaining changes:
362 - When building with -O3, build with -Wno-error=maybe-uninitialized.
363 * Added Changes:
364 - d/libnss3.links: make freebl3 available as library (LP: #1744328)
365 + d/control: add dh-exec to Build-Depends
366 + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
367
368 -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 30 Jan 2018 14:04:20 +0100
369
192nss (2:3.35-2) unstable; urgency=medium370nss (2:3.35-2) unstable; urgency=medium
193371
194 * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.372 * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.
@@ -207,6 +385,13 @@ nss (2:3.34.1-1) unstable; urgency=medium
207385
208 -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900386 -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900
209387
388nss (2:3.34-1ubuntu1) bionic; urgency=medium
389
390 * Merge with Debian; remaining changes:
391 - When building with -O3, build with -Wno-error=maybe-uninitialized.
392
393 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 14 Dec 2017 09:18:47 -0500
394
210nss (2:3.34-1) unstable; urgency=medium395nss (2:3.34-1) unstable; urgency=medium
211396
212 * New upstream release:397 * New upstream release:
@@ -231,6 +416,28 @@ nss (2:3.32-2) unstable; urgency=medium
231416
232 -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900417 -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900
233418
419nss (2:3.32-1ubuntu3) artful; urgency=medium
420
421 * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes
422 - debian/patches/CVE-2017-7805.patch: Simplify handling of
423 CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h.
424 - CVE-2017-7805
425
426 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Sep 2017 12:17:39 -0400
427
428nss (2:3.32-1ubuntu2) artful; urgency=medium
429
430 * Initialise curve variable in a test file, resolves FTBFS.
431
432 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 24 Aug 2017 07:21:27 -0400
433
434nss (2:3.32-1ubuntu1) artful; urgency=medium
435
436 * Merge with Debian; remaining changes:
437 - When building with -O3, build with -Wno-error=maybe-uninitialized.
438
439 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 23 Aug 2017 13:09:20 -0400
440
234nss (2:3.32-1) unstable; urgency=medium441nss (2:3.32-1) unstable; urgency=medium
235442
236 * New upstream release.443 * New upstream release.
@@ -290,6 +497,39 @@ nss (2:3.27.1-1) experimental; urgency=medium
290497
291 -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900498 -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900
292499
500nss (2:3.28.4-0ubuntu2) artful; urgency=medium
501
502 * SECURITY UPDATE: DoS via empty SSLv2 messages
503 - debian/patches/CVE-2017-7502.patch: reject broken v2 records in
504 nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h,
505 added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc,
506 nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn,
507 nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
508 - CVE-2017-7502
509
510 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 16 Jun 2017 08:12:38 -0400
511
512nss (2:3.28.4-0ubuntu1) artful; urgency=medium
513
514 * Updated to upstream 3.28.4 to fix security issues and get a new CA
515 certificate bundle.
516 * SECURITY UPDATE: DES and Triple DES ciphers birthday attack
517 - CVE-2016-2183
518 * SECURITY UPDATE: out-of-bounds write in Base64 decoding
519 - CVE-2017-5461
520 * debian/patches/*.patch: refreshed for new version.
521 * debian/control: bump libnspr4-dev to 4.13.1.
522 * debian/libnss3.symbols: added new symbols.
523
524 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 27 Apr 2017 13:13:44 -0400
525
526nss (2:3.26.2-1ubuntu1) zesty; urgency=medium
527
528 * Merge with Debian; remaining changes:
529 - When building with -O3, build with -Wno-error=maybe-uninitialized.
530
531 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 02 Dec 2016 08:48:03 -0500
532
293nss (2:3.26.2-1) unstable; urgency=medium533nss (2:3.26.2-1) unstable; urgency=medium
294534
295 * New upstream release.535 * New upstream release.
@@ -303,6 +543,13 @@ nss (2:3.26-2) unstable; urgency=medium
303543
304 -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900544 -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900
305545
546nss (2:3.26-1ubuntu1) yakkety; urgency=medium
547
548 * Merge with Debian; remaining changes:
549 - When building with -O3, build with -Wno-error=maybe-uninitialized.
550
551 -- Matthias Klose <doko@ubuntu.com> Tue, 06 Sep 2016 14:39:56 +0200
552
306nss (2:3.26-1) unstable; urgency=medium553nss (2:3.26-1) unstable; urgency=medium
307554
308 * New upstream release.555 * New upstream release.
@@ -317,6 +564,12 @@ nss (2:3.26-1) unstable; urgency=medium
317564
318 -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900565 -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900
319566
567nss (2:3.25-1ubuntu1) yakkety; urgency=medium
568
569 * When building with -O3, build with -Wno-error=maybe-uninitialized.
570
571 -- Matthias Klose <doko@ubuntu.com> Thu, 04 Aug 2016 11:36:54 +0200
572
320nss (2:3.25-1) unstable; urgency=medium573nss (2:3.25-1) unstable; urgency=medium
321574
322 * New upstream release.575 * New upstream release.
@@ -348,6 +601,7 @@ nss (2:3.21-1.1) unstable; urgency=medium
348 * Fix FTBFS on hppa. Closes: #808990601 * Fix FTBFS on hppa. Closes: #808990
349602
350 -- Adam Borowski <kilobyte@angband.pl> Sun, 14 Feb 2016 14:46:40 +0100603 -- Adam Borowski <kilobyte@angband.pl> Sun, 14 Feb 2016 14:46:40 +0100
604
351nss (2:3.21-1) unstable; urgency=medium605nss (2:3.21-1) unstable; urgency=medium
352606
353 * New upstream release.607 * New upstream release.
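Review bot: the only addition in this hunk is the blank line (new line 604) separating Adam Borowski's 2:3.21-1.1 entry from the 2:3.21-1 entry, a separator the Debian changelog lacks; harmless, but it is unrelated to the merge and will show up as delta on every future merge unless it either goes to Debian or is noted in the changelog entry.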
@@ -1263,3 +1517,4 @@ nss (3.11.5-1) experimental; urgency=low
1263 * Initial release. (Closes: #416151)1517 * Initial release. (Closes: #416151)
12641518
1265 -- Mike Hommey <glandium@debian.org> Sun, 25 Mar 2007 23:56:17 +02001519 -- Mike Hommey <glandium@debian.org> Sun, 25 Mar 2007 23:56:17 +0200
1520
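Review bot: the trailing empty line added after the final 3.11.5-1 entry (new line 1520) is noise in the Ubuntu delta and should be dropped, unless the previous Ubuntu changelog already ended that way, in which case carrying it over keeps the history byte-identical and is fine.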
diff --git a/debian/control b/debian/control
index a4be555..ac713a6 100644
--- a/debian/control
+++ b/debian/control
@@ -1,9 +1,11 @@
1Source: nss1Source: nss
2Section: libs2Section: libs
3Priority: optional3Priority: optional
4Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>
5Uploaders: Mike Hommey <glandium@debian.org>6Uploaders: Mike Hommey <glandium@debian.org>
6Build-Depends: debhelper (>= 9.20160403),7Build-Depends: debhelper (>= 9.20160403),
8 dh-exec,
7 dpkg-dev (>= 1.17.14),9 dpkg-dev (>= 1.17.14),
8 libnspr4-dev (>= 2:4.24),10 libnspr4-dev (>= 2:4.24),
9 zlib1g-dev,11 zlib1g-dev,
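Review bot: dh-exec is added to Build-Depends unversioned, which is adequate for the ${DEB_HOST_MULTIARCH} substitution that d/libnss3.links relies on in current Ubuntu releases, and Build-Depends (rather than an -Indep split) is the right place since the links file is consumed while building the arch-dependent libnss3 package. The Maintainer/XSBC-Original-Maintainer swap is the standard update-maintainer output and matches the checklist item. The debhelper (>= 9.20160403) pin left untouched here is consistent with the compat level 9 the proposer flags as stale; that is a Debian-side cleanup, not something for this merge.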
diff --git a/debian/libnss3.links b/debian/libnss3.links
10new file mode 10075512new file mode 100755
index 0000000..e62c6a0
--- /dev/null
+++ b/debian/libnss3.links
@@ -0,0 +1,5 @@
1#!/usr/bin/dh-exec
2usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so
3usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.chk usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.chk
4usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.so
5usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.chk usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.chk
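Review bot: linking the .chk files next to the .so links, not just the libraries, is the part that matters for LP #1885562: the FIPS self-verification looks for the checksum file beside the library it actually loaded, so exposing libfreebl3.so and libfreeblpriv3.so under usr/lib/${DEB_HOST_MULTIARCH} without their .chk would make the integrity check fail there. The file is mode 100755 with a #!/usr/bin/dh-exec shebang, which dh_link needs in order to expand ${DEB_HOST_MULTIARCH}; if the mode is ever lost (for example by a tool that rewrites debian/ files), the substitution silently stops and the links break, so the executable bit is worth a comment in the changelog or in the file itself.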
diff --git a/debian/patches/disable_fips_enabled_read.patch b/debian/patches/disable_fips_enabled_read.patch
0new file mode 1006446new file mode 100644
index 0000000..c0e54d5
--- /dev/null
+++ b/debian/patches/disable_fips_enabled_read.patch
@@ -0,0 +1,49 @@
1commit 16996a9156c9ff2924bdb19ff43d40617a41c912
2Author: Vineetha Kamath <vineetha.hari.pai@canonical.com>
3Date: Tue Jul 23 15:32:32 2019 -0400
4
5From: Vineetha Kamath<vineetha.hari.pai@canonical.com>
6Decription: Disable libgcrypt reading /proc/sys/crypto/fips_enabled
7file and going into FIPS mode. libnss is not a FIPS
8certified library.
9Bug-Ubuntu: http://bugs.launchpad.net/bugs/1837734
10Forwarded: not-needed
11
12Index: nss/nss/lib/freebl/nsslowhash.c
13===================================================================
14--- nss.orig/nss/lib/freebl/nsslowhash.c 2020-07-17 10:46:37.964346182 -0400
15+++ nss/nss/lib/freebl/nsslowhash.c 2020-07-17 10:46:37.960346213 -0400
16@@ -27,11 +27,13 @@
17 nsslow_GetFIPSEnabled(void)
18 {
19 #ifdef LINUX
20- FILE *f;
21+ FILE *f = NULL;
22 char d;
23 size_t size;
24
25+#if 0
26 f = fopen("/proc/sys/crypto/fips_enabled", "r");
27+#endif
28 if (!f)
29 return 0;
30
31Index: nss/nss/lib/sysinit/nsssysinit.c
32===================================================================
33--- nss.orig/nss/lib/sysinit/nsssysinit.c 2020-07-17 10:46:37.964346182 -0400
34+++ nss/nss/lib/sysinit/nsssysinit.c 2020-07-17 10:46:59.844174516 -0400
35@@ -171,11 +171,13 @@
36 getFIPSMode(void)
37 {
38 #ifndef NSS_FIPS_DISABLED
39- FILE *f;
40+ FILE *f = NULL;
41 char d;
42 size_t size;
43
44+#if 0
45 f = fopen("/proc/sys/crypto/fips_enabled", "r");
46+#endif
47 if (!f) {
48 /* if we don't have a proc flag, fall back to the
49 * environment variable */
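Review bot: the DEP3 header is not parseable as written: the field is spelled "Decription:" rather than "Description:", the text says "libgcrypt" where it means NSS, and the git commit/Author/Date block duplicates the separate "From:" line; the checklist item "patches have correct DEP3 metadata" was left at "-", and this is the file to fix it in. Functionally, initialising f to NULL and wrapping the fopen in "#if 0" means both nsslow_GetFIPSEnabled and getFIPSMode always take their "no proc flag" path; the visible context in nsssysinit.c shows that path then falls back to the environment variable, so the patch removes only the kernel fips_enabled trigger, not the environment one, which matches the changelog intent of not auto-entering a FIPS mode the library is not certified for. Deleting the fopen line outright rather than "#if 0"-ing it would read more clearly and avoid a dead-code block that a future refresh has to carry.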
diff --git a/debian/patches/series b/debian/patches/series
index 2f1226f..e8cd205 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,5 @@
438_hppa.patch438_hppa.patch
5seed5seed
6infinite-recursion6infinite-recursion
7disable_fips_enabled_read.patch
8set-tls1.2-as-minimum.patch
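Review bot: both Ubuntu patches are appended after the Debian entries, which is the right position for a distro delta; the naming is inconsistent (underscores in disable_fips_enabled_read.patch, hyphens in set-tls1.2-as-minimum.patch, and the Debian entries seed and infinite-recursion carry no extension), but renaming would only churn the delta, so this is a nit to leave alone.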
diff --git a/debian/patches/set-tls1.2-as-minimum.patch b/debian/patches/set-tls1.2-as-minimum.patch
7new file mode 1006449new file mode 100644
index 0000000..a05d4e9
--- /dev/null
+++ b/debian/patches/set-tls1.2-as-minimum.patch
@@ -0,0 +1,17 @@
1Description: Set TLSv1.2 as minimum TLS version. LP: #1856428
2Bug-Ubuntu: https://bugs.launchpad.net/bugs/1856428
3
4
5Index: nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c
6===================================================================
7--- nss-3.48-1ubuntu1.orig/nss/lib/ssl/sslsock.c
8+++ nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c
9@@ -96,7 +96,7 @@ static sslOptions ssl_defaults = {
10 * default range of enabled SSL/TLS protocols
11 */
12 static SSLVersionRange versions_defaults_stream = {
13- SSL_LIBRARY_VERSION_TLS_1_0,
14+ SSL_LIBRARY_VERSION_TLS_1_2,
15 SSL_LIBRARY_VERSION_TLS_1_3
16 };
17
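Review bot: the DEP3 header has only Description and Bug-Ubuntu, with no Author/Origin and no Forwarded: field, so it is not recorded whether raising the default floor was ever proposed to Mozilla (both "patches match what was proposed upstream" and "correct DEP3 metadata" are marked "-" in the checklist). The Description also keeps "LP: #1856428" with the colon; patch headers are not parsed for bug closure the way changelog entries and commit messages are, but "LP #1856428" would keep the tree consistent with the review request. The Index paths still say nss-3.48-1ubuntu1, which quilt ignores at -p1 but which dates the patch; a refresh would fix that. On scope: the change touches versions_defaults_stream only, raising the default minimum for TLS over stream sockets to SSL_LIBRARY_VERSION_TLS_1_2 while keeping the maximum at TLS 1.3, and an application that sets an explicit version range still overrides this default; that is the expected behaviour of a default, and it is worth stating in the Description so nobody reads the patch as a hard floor.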
diff --git a/debian/rules b/debian/rules
index ec951d3..b4c7302 100755
--- a/debian/rules
+++ b/debian/rules
@@ -175,7 +175,7 @@ override_dh_strip:
175175
176ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))176ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
177 # Check FIPS mode correctly works177 # Check FIPS mode correctly works
178 mkdir debian/tmp178 mkdir -p debian/tmp
179 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null179 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null
180 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null180 LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null
181endif181endif
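Review bot: mkdir -p is the right fix for debian/tmp already existing when the dh-exec-generated links are processed, as the changelog entry says, and the surrounding "Check FIPS mode correctly works" comment already explains the intent. Note that the guarded check (modutil -create, then modutil -fips true against the freshly built debian/libnss3 and debian/libnss3-tools) only runs when DEB_HOST_ARCH equals DEB_BUILD_ARCH, so cross builds skip exactly the self-verification that LP #1885562 is about; acceptable, but keep it in mind when judging test coverage from a cross-built PPA.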
