Merge ~sergiodj/ubuntu/+source/nss:nss-merge-3.53.1-1ubuntu1 into ubuntu/+source/nss:debian/sid
Status: Merged
Approved by: Lucas Kanashiro
Approved revision: 0f1c2b55f48b2155948956eb15eced9e168ce3b0
Merge reported by: Sergio Durigan Junior
Merged at revision: 0f1c2b55f48b2155948956eb15eced9e168ce3b0
Proposed branch: ~sergiodj/ubuntu/+source/nss:nss-merge-3.53.1-1ubuntu1
Merge into: ubuntu/+source/nss:debian/sid
Diff against target: 494 lines (+332/-2), 7 files modified
  debian/changelog (+255/-0)
  debian/control (+3/-1)
  debian/libnss3.links (+5/-0)
  debian/patches/disable_fips_enabled_read.patch (+49/-0)
  debian/patches/series (+2/-0)
  debian/patches/set-tls1.2-as-minimum.patch (+17/-0)
  debian/rules (+1/-1)
Related bugs:

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Lucas Kanashiro (community) | | | Approve |
| Canonical Server Core Reviewers | | | Pending |

Review via email: mp+387608@code.launchpad.net
Description of the change
This is the merge of nss 2:3.53.1-1 from Debian.
It is relatively trivial; only two changes were dropped (the two patches to address CVEs, which were fixed upstream), and the patch to disable reading the fips_enabled flag in FIPS mode had to be updated.
Other than that, the merge went smoothly. The package doesn't have dep8 tests, but I tested the new build by installing it inside a container, and then installing some reverse dependency of it, like openjdk-
The Debian package seems a bit abandoned; it still uses compat level 9, and contains many lintian warnings. I will see about submitting an MR to address some of them.
There is a PPA with the new package here:
Sergio Durigan Junior (sergiodj) wrote:
On Monday, July 20 2020, Lucas Kanashiro wrote:
> Review: Needs Fixing
>
> * Changelog:
> - [√] old content and logical tag match as expected
> - [√] changelog entry correct version and targeted codename
> - [x] changelog entries correct
> - [√] update-maintainer has been run
>
> * Actual changes:
> - [√] no upstream changes to consider
> - [√] no further upstream version to consider
> - [√] debian changes look safe
>
> * Old Delta:
> - [√] dropped changes are ok to be dropped
> - [√] nothing else to drop
> - [-] changes forwarded upstream/debian (if appropriate)
>
> * New Delta:
> - [√] no new patches added
> - [-] patches match what was proposed upstream
> - [-] patches correctly included in debian/
> - [-] patches have correct DEP3 metadata
>
> * Build/Test:
> - [√] build is ok
> - [√] verified PPA package installs/uninstalls
> - [-] autopkgtest against the PPA package passes
> - [√] sanity checks test fine
>
> There is just a minor thing I noticed in your changelog and also on
> your commit messages, to avoid pinging the bugs fixed in previous
> releases let's remove the ":" from "LP: #NNNN". I can see one
> occurrence of that in the changelog: "Symlink chk files to fix
> self-verification in FIPS mode (LP: #1885562)"; and two on the commit
> messages: "Set TLSv1.2 as minimum TLS version. LP: #1856428" and
> "Symlink chk files to fix self-verification in FIPS mode (LP:
> #1885562)".
>
> Other than that LGTM. When you get it fixed let me know and I can sponsor this upload for you.
Thanks for the review, Lucas.
Heh, coincidentally I was thinking about the ":" thing when I was
writing the commit messages, and I did a quick investigation to see if
other merges were dropping the colon, but I remember finding one that
didn't, so I decided to leave it on mine as well. But it obviously
makes sense to drop it: the bugs have all been fixed, and we wouldn't
want the merge to pollute them with more info.
I have addressed your request and dropped the colon from both the
changelog entry and the commit messages.
Thanks,
--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14
Lucas Kanashiro (lucaskanashiro) wrote:
Thanks Sergio, I already sponsored the upload for you, please follow its migration.
$ git push pkg upload/
Enumerating objects: 50, done.
Counting objects: 100% (50/50), done.
Delta compression using up to 8 threads
Compressing objects: 100% (31/31), done.
Writing objects: 100% (43/43), 8.30 KiB | 1.04 MiB/s, done.
Total 43 (delta 19), reused 26 (delta 12)
remote: Checking connectivity: 43, done.
To ssh://git.
* [new tag] upload/
$ dput ubuntu ../nss_
Checking signature on .changes
gpg: ../nss_
Checking signature on .dsc
gpg: ../nss_
Uploading to ubuntu (via ftp to upload.ubuntu.com):
Uploading nss_3.53.
Uploading nss_3.53.
Uploading nss_3.53.
Successfully uploaded packages.
Sergio Durigan Junior (sergiodj) wrote:
This has migrated.
Preview Diff
1 | diff --git a/debian/changelog b/debian/changelog | |||
2 | index 28834da..d02577d 100644 | |||
3 | --- a/debian/changelog | |||
4 | +++ b/debian/changelog | |||
5 | @@ -1,3 +1,26 @@ | |||
6 | 1 | nss (2:3.53.1-1ubuntu1) groovy; urgency=medium | ||
7 | 2 | |||
8 | 3 | * Merge with Debian unstable. Remaining changes: | ||
9 | 4 | - d/libnss3.links: make freebl3 available as library (LP #1744328) | ||
10 | 5 | - d/control: add dh-exec to Build-Depends | ||
11 | 6 | - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) | ||
12 | 7 | - Disable reading fips_enabled flag in FIPS mode. libnss is | ||
13 | 8 | not a FIPS certified library. (LP #1837734) | ||
14 | 9 | - Set TLSv1.2 as minimum TLS version. LP #1856428 | ||
15 | 10 | - Symlink chk files to fix self-verification in FIPS mode (LP #1885562) | ||
16 | 11 | * Dropped changes: | ||
17 | 12 | - SECURITY UPDATE: Timing attack during DSA key generation | ||
18 | 13 | + debian/patches/CVE-2020-12399.patch: force a fixed length for DSA | ||
19 | 14 | exponentiation in nss/lib/freebl/dsa.c. | ||
20 | 15 | [ Incorporated by upstream. ] | ||
21 | 16 | - SECURITY UPDATE: Side channel vulnerabilities during RSA key generation | ||
22 | 17 | + debian/patches/CVE-2020-12402.patch: use constant-time GCD and | ||
23 | 18 | modular inversion in nss/lib/freebl/mpi/mpi.c, | ||
24 | 19 | nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c. | ||
25 | 20 | [ Incorporated by upstream. ] | ||
26 | 21 | |||
27 | 22 | -- Sergio Durigan Junior <sergio.durigan@canonical.com> Fri, 17 Jul 2020 10:51:23 -0400 | ||
28 | 23 | |||
29 | 1 | nss (2:3.53.1-1) unstable; urgency=medium | 24 | nss (2:3.53.1-1) unstable; urgency=medium |
30 | 2 | 25 | ||
31 | 3 | * New upstream release. | 26 | * New upstream release. |
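Review bot: style nit in the new 2:3.53.1-1ubuntu1 entry: the remaining-changes list writes the bug reference two ways, "(LP #1744328)" and "(LP #1837734)" in parentheses but a bare "LP #1856428" on the TLSv1.2 line; use the parenthesised form throughout so the entry reads consistently. The colon-less "LP #NNNN" form itself is right here, since these bugs were closed by earlier uploads and an "LP: #NNNN" reference would get them pinged again by this upload.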
32 | @@ -36,6 +59,43 @@ nss (2:3.50-1) unstable; urgency=medium | |||
33 | 36 | 59 | ||
34 | 37 | -- Mike Hommey <glandium@debian.org> Wed, 12 Feb 2020 09:06:51 +0900 | 60 | -- Mike Hommey <glandium@debian.org> Wed, 12 Feb 2020 09:06:51 +0900 |
35 | 38 | 61 | ||
36 | 62 | nss (2:3.49.1-1ubuntu4) groovy; urgency=medium | ||
37 | 63 | |||
38 | 64 | * Symlink chk files to fix self-verification in FIPS mode (LP: #1885562) | ||
39 | 65 | |||
40 | 66 | -- Dariusz Gadomski <dgadomski@ubuntu.com> Wed, 01 Jul 2020 14:48:13 +0200 | ||
41 | 67 | |||
42 | 68 | nss (2:3.49.1-1ubuntu3) groovy; urgency=medium | ||
43 | 69 | |||
44 | 70 | * SECURITY UPDATE: Side channel vulnerabilities during RSA key generation | ||
45 | 71 | - debian/patches/CVE-2020-12402.patch: use constant-time GCD and | ||
46 | 72 | modular inversion in nss/lib/freebl/mpi/mpi.c, | ||
47 | 73 | nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c. | ||
48 | 74 | - CVE-2020-12402 | ||
49 | 75 | |||
50 | 76 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 30 Jun 2020 10:41:20 -0400 | ||
51 | 77 | |||
52 | 78 | nss (2:3.49.1-1ubuntu2) groovy; urgency=medium | ||
53 | 79 | |||
54 | 80 | * SECURITY UPDATE: Timing attack during DSA key generation | ||
55 | 81 | - debian/patches/CVE-2020-12399.patch: force a fixed length for DSA | ||
56 | 82 | exponentiation in nss/lib/freebl/dsa.c. | ||
57 | 83 | - CVE-2020-12399 | ||
58 | 84 | |||
59 | 85 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 10 Jun 2020 12:54:12 -0400 | ||
60 | 86 | |||
61 | 87 | nss (2:3.49.1-1ubuntu1) focal; urgency=medium | ||
62 | 88 | |||
63 | 89 | * Merge with Debian unstable. Remaining changes: | ||
64 | 90 | - d/libnss3.links: make freebl3 available as library (LP #1744328) | ||
65 | 91 | - d/control: add dh-exec to Build-Depends | ||
66 | 92 | - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) | ||
67 | 93 | - Disable reading fips_enabled flag in FIPS mode. libnss is | ||
68 | 94 | not a FIPS certified library. (LP #1837734) | ||
69 | 95 | - Set TLSv1.2 as minimum TLS version. LP #1856428 | ||
70 | 96 | |||
71 | 97 | -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Wed, 22 Jan 2020 16:24:44 -0300 | ||
72 | 98 | |||
73 | 39 | nss (2:3.49.1-1) unstable; urgency=medium | 99 | nss (2:3.49.1-1) unstable; urgency=medium |
74 | 40 | 100 | ||
75 | 41 | * New upstream release. | 101 | * New upstream release. |
76 | @@ -55,6 +115,18 @@ nss (2:3.49-1) unstable; urgency=medium | |||
77 | 55 | 115 | ||
78 | 56 | -- Mike Hommey <glandium@debian.org> Thu, 09 Jan 2020 13:46:11 +0900 | 116 | -- Mike Hommey <glandium@debian.org> Thu, 09 Jan 2020 13:46:11 +0900 |
79 | 57 | 117 | ||
80 | 118 | nss (2:3.48-1ubuntu1) focal; urgency=low | ||
81 | 119 | |||
82 | 120 | * Merge from Debian unstable. Remaining changes: | ||
83 | 121 | - d/libnss3.links: make freebl3 available as library (LP #1744328) | ||
84 | 122 | - d/control: add dh-exec to Build-Depends | ||
85 | 123 | - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) | ||
86 | 124 | - Disable reading fips_enabled flag in FIPS mode. libnss is | ||
87 | 125 | not a FIPS certified library. (LP #1837734) | ||
88 | 126 | * Set TLSv1.2 as minimum TLS version. LP: #1856428 | ||
89 | 127 | |||
90 | 128 | -- Ubuntu Merge-o-Matic <mom@ubuntu.com> Sun, 29 Dec 2019 03:43:36 +0000 | ||
91 | 129 | |||
92 | 58 | nss (2:3.48-1) unstable; urgency=medium | 130 | nss (2:3.48-1) unstable; urgency=medium |
93 | 59 | 131 | ||
94 | 60 | * New upstream release. Closes: #947131. | 132 | * New upstream release. Closes: #947131. |
95 | @@ -71,6 +143,26 @@ nss (2:3.47.1-1) unstable; urgency=medium | |||
96 | 71 | 143 | ||
97 | 72 | -- Mike Hommey <glandium@debian.org> Wed, 04 Dec 2019 09:00:54 +0900 | 144 | -- Mike Hommey <glandium@debian.org> Wed, 04 Dec 2019 09:00:54 +0900 |
98 | 73 | 145 | ||
99 | 146 | nss (2:3.47-1ubuntu2) focal; urgency=medium | ||
100 | 147 | |||
101 | 148 | * SECURITY UPDATE: out-of-bounds write in NSC_EncryptUpdate | ||
102 | 149 | - debian/patches/CVE-2019-11745.patch: use maxout not block size in | ||
103 | 150 | nss/lib/softoken/pkcs11c.c. | ||
104 | 151 | - CVE-2019-11745 | ||
105 | 152 | |||
106 | 153 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 26 Nov 2019 08:31:39 -0500 | ||
107 | 154 | |||
108 | 155 | nss (2:3.47-1ubuntu1) focal; urgency=medium | ||
109 | 156 | |||
110 | 157 | * Merge with Debian unstable. Remaining changes: | ||
111 | 158 | - d/libnss3.links: make freebl3 available as library (LP #1744328) | ||
112 | 159 | - d/control: add dh-exec to Build-Depends | ||
113 | 160 | - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) | ||
114 | 161 | - Disable reading fips_enabled flag in FIPS mode. libnss is | ||
115 | 162 | not a FIPS certified library. (LP #1837734) | ||
116 | 163 | |||
117 | 164 | -- Lucas Kanashiro <lucas.kanashiro@canonical.com> Thu, 31 Oct 2019 16:18:35 -0300 | ||
118 | 165 | |||
119 | 74 | nss (2:3.47-1) unstable; urgency=medium | 166 | nss (2:3.47-1) unstable; urgency=medium |
120 | 75 | 167 | ||
121 | 76 | * New upstream release. | 168 | * New upstream release. |
122 | @@ -78,6 +170,22 @@ nss (2:3.47-1) unstable; urgency=medium | |||
123 | 78 | 170 | ||
124 | 79 | -- Mike Hommey <glandium@debian.org> Wed, 23 Oct 2019 11:19:59 +0900 | 171 | -- Mike Hommey <glandium@debian.org> Wed, 23 Oct 2019 11:19:59 +0900 |
125 | 80 | 172 | ||
126 | 173 | nss (2:3.45-1ubuntu2) eoan; urgency=medium | ||
127 | 174 | |||
128 | 175 | * Disable reading fips_enabled flag in FIPS mode. libnss is | ||
129 | 176 | not a FIPS certified library. (LP: #1837734) | ||
130 | 177 | |||
131 | 178 | -- Vineetha Kamath <vineetha.hari.pai@canonical.com> Tue, 23 Jul 2019 20:58:12 +0000 | ||
132 | 179 | |||
133 | 180 | nss (2:3.45-1ubuntu1) eoan; urgency=low | ||
134 | 181 | |||
135 | 182 | * Merge from Debian unstable. Remaining changes: | ||
136 | 183 | - d/libnss3.links: make freebl3 available as library (LP 1744328) | ||
137 | 184 | - d/control: add dh-exec to Build-Depends | ||
138 | 185 | - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) | ||
139 | 186 | |||
140 | 187 | -- Gianfranco Costamagna <locutusofborg@debian.org> Thu, 11 Jul 2019 11:49:44 +0200 | ||
141 | 188 | |||
142 | 81 | nss (2:3.45-1) unstable; urgency=medium | 189 | nss (2:3.45-1) unstable; urgency=medium |
143 | 82 | 190 | ||
144 | 83 | * New upstream release. | 191 | * New upstream release. |
145 | @@ -126,6 +234,28 @@ nss (2:3.42.1-1) unstable; urgency=medium | |||
146 | 126 | 234 | ||
147 | 127 | -- Mike Hommey <glandium@debian.org> Wed, 13 Feb 2019 13:19:39 +0900 | 235 | -- Mike Hommey <glandium@debian.org> Wed, 13 Feb 2019 13:19:39 +0900 |
148 | 128 | 236 | ||
149 | 237 | nss (2:3.42-1ubuntu2) disco; urgency=medium | ||
150 | 238 | |||
151 | 239 | * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions | ||
152 | 240 | - debian/patches/CVE-2018-18508-1.patch: add null checks in | ||
153 | 241 | nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c, | ||
154 | 242 | nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c, | ||
155 | 243 | nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c. | ||
156 | 244 | - debian/patches/CVE-2018-18508-2.patch: add null checks in | ||
157 | 245 | nss/lib/smime/cmsmessage.c. | ||
158 | 246 | - CVE-2018-18508 | ||
159 | 247 | |||
160 | 248 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 19 Feb 2019 12:04:49 +0100 | ||
161 | 249 | |||
162 | 250 | nss (2:3.42-1ubuntu1) disco; urgency=medium | ||
163 | 251 | |||
164 | 252 | * Merge with Debian unstable (LP: #1813593). Remaining changes: | ||
165 | 253 | - d/libnss3.links: make freebl3 available as library (LP 1744328) | ||
166 | 254 | - d/control: add dh-exec to Build-Depends | ||
167 | 255 | - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) | ||
168 | 256 | |||
169 | 257 | -- Karl Stenerud <kstenerud@gmail.com> Mon, 04 Feb 2019 11:03:32 +0100 | ||
170 | 258 | |||
171 | 129 | nss (2:3.42-1) unstable; urgency=medium | 259 | nss (2:3.42-1) unstable; urgency=medium |
172 | 130 | 260 | ||
173 | 131 | * New upstream release. | 261 | * New upstream release. |
174 | @@ -144,6 +274,18 @@ nss (2:3.40-1) unstable; urgency=medium | |||
175 | 144 | 274 | ||
176 | 145 | -- Mike Hommey <glandium@debian.org> Fri, 02 Nov 2018 14:44:19 +0900 | 275 | -- Mike Hommey <glandium@debian.org> Fri, 02 Nov 2018 14:44:19 +0900 |
177 | 146 | 276 | ||
178 | 277 | nss (2:3.39-1ubuntu1) disco; urgency=medium | ||
179 | 278 | |||
180 | 279 | * Merge with Debian unstable. Remaining changes (LP: #1803707): | ||
181 | 280 | - d/libnss3.links: make freebl3 available as library (LP 1744328) | ||
182 | 281 | - d/control: add dh-exec to Build-Depends | ||
183 | 282 | - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) | ||
184 | 283 | * Dropped changes: | ||
185 | 284 | - d/rules: when building with -O3 on ppc64el this FTBFS, build with | ||
186 | 285 | -Wno-error=maybe-uninitialized to avoid that | ||
187 | 286 | |||
188 | 287 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Fri, 16 Nov 2018 14:27:39 +0100 | ||
189 | 288 | |||
190 | 147 | nss (2:3.39-1) unstable; urgency=medium | 289 | nss (2:3.39-1) unstable; urgency=medium |
191 | 148 | 290 | ||
192 | 149 | * New upstream release. | 291 | * New upstream release. |
193 | @@ -176,6 +318,23 @@ nss (2:3.37-1) unstable; urgency=medium | |||
194 | 176 | 318 | ||
195 | 177 | -- Mike Hommey <glandium@debian.org> Mon, 14 May 2018 07:15:21 +0900 | 319 | -- Mike Hommey <glandium@debian.org> Mon, 14 May 2018 07:15:21 +0900 |
196 | 178 | 320 | ||
197 | 321 | nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium | ||
198 | 322 | |||
199 | 323 | * Merge with Debian unstable. Remaining changes: | ||
200 | 324 | - d/libnss3.links: make freebl3 available as library (LP 1744328) | ||
201 | 325 | - d/control: add dh-exec to Build-Depends | ||
202 | 326 | - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) | ||
203 | 327 | - d/rules: when building with -O3 on ppc64el this FTBFS, build with | ||
204 | 328 | -Wno-error=maybe-uninitialized to avoid that | ||
205 | 329 | * Dropped changes: | ||
206 | 330 | - revert switching to SQL default format (LP: 1746947) Dropping this | ||
207 | 331 | adresses (LP: #1747411) and effectively means we now switch to the new | ||
208 | 332 | default format after we ensured all depending packages are ready. | ||
209 | 333 | * Added changes: | ||
210 | 334 | - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el | ||
211 | 335 | |||
212 | 336 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 07 May 2018 17:08:46 +0200 | ||
213 | 337 | |||
214 | 179 | nss (2:3.36.1-1) unstable; urgency=medium | 338 | nss (2:3.36.1-1) unstable; urgency=medium |
215 | 180 | 339 | ||
216 | 181 | * New upstream release. | 340 | * New upstream release. |
217 | @@ -189,6 +348,25 @@ nss (2:3.36-1) unstable; urgency=medium | |||
218 | 189 | 348 | ||
219 | 190 | -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900 | 349 | -- Mike Hommey <glandium@debian.org> Sun, 08 Apr 2018 06:53:15 +0900 |
220 | 191 | 350 | ||
221 | 351 | nss (2:3.35-2ubuntu2) bionic; urgency=medium | ||
222 | 352 | |||
223 | 353 | * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the | ||
224 | 354 | default is still causing too much issues in consumers of nss. | ||
225 | 355 | So until resolved revert the switched default (LP: #1746947) | ||
226 | 356 | |||
227 | 357 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 05 Feb 2018 11:36:07 +0100 | ||
228 | 358 | |||
229 | 359 | nss (2:3.35-2ubuntu1) bionic; urgency=medium | ||
230 | 360 | |||
231 | 361 | * Merge with Debian unstable. Remaining changes: | ||
232 | 362 | - When building with -O3, build with -Wno-error=maybe-uninitialized. | ||
233 | 363 | * Added Changes: | ||
234 | 364 | - d/libnss3.links: make freebl3 available as library (LP: #1744328) | ||
235 | 365 | + d/control: add dh-exec to Build-Depends | ||
236 | 366 | + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec) | ||
237 | 367 | |||
238 | 368 | -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Tue, 30 Jan 2018 14:04:20 +0100 | ||
239 | 369 | |||
240 | 192 | nss (2:3.35-2) unstable; urgency=medium | 370 | nss (2:3.35-2) unstable; urgency=medium |
241 | 193 | 371 | ||
242 | 194 | * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64. | 372 | * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64. |
243 | @@ -207,6 +385,13 @@ nss (2:3.34.1-1) unstable; urgency=medium | |||
244 | 207 | 385 | ||
245 | 208 | -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900 | 386 | -- Mike Hommey <glandium@debian.org> Fri, 05 Jan 2018 20:15:40 +0900 |
246 | 209 | 387 | ||
247 | 388 | nss (2:3.34-1ubuntu1) bionic; urgency=medium | ||
248 | 389 | |||
249 | 390 | * Merge with Debian; remaining changes: | ||
250 | 391 | - When building with -O3, build with -Wno-error=maybe-uninitialized. | ||
251 | 392 | |||
252 | 393 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 14 Dec 2017 09:18:47 -0500 | ||
253 | 394 | |||
254 | 210 | nss (2:3.34-1) unstable; urgency=medium | 395 | nss (2:3.34-1) unstable; urgency=medium |
255 | 211 | 396 | ||
256 | 212 | * New upstream release: | 397 | * New upstream release: |
257 | @@ -231,6 +416,28 @@ nss (2:3.32-2) unstable; urgency=medium | |||
258 | 231 | 416 | ||
259 | 232 | -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900 | 417 | -- Mike Hommey <glandium@debian.org> Mon, 28 Aug 2017 07:39:59 +0900 |
260 | 233 | 418 | ||
261 | 419 | nss (2:3.32-1ubuntu3) artful; urgency=medium | ||
262 | 420 | |||
263 | 421 | * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes | ||
264 | 422 | - debian/patches/CVE-2017-7805.patch: Simplify handling of | ||
265 | 423 | CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h. | ||
266 | 424 | - CVE-2017-7805 | ||
267 | 425 | |||
268 | 426 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Sep 2017 12:17:39 -0400 | ||
269 | 427 | |||
270 | 428 | nss (2:3.32-1ubuntu2) artful; urgency=medium | ||
271 | 429 | |||
272 | 430 | * Initialise curve variable in a test file, resolves FTBFS. | ||
273 | 431 | |||
274 | 432 | -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 24 Aug 2017 07:21:27 -0400 | ||
275 | 433 | |||
276 | 434 | nss (2:3.32-1ubuntu1) artful; urgency=medium | ||
277 | 435 | |||
278 | 436 | * Merge with Debian; remaining changes: | ||
279 | 437 | - When building with -O3, build with -Wno-error=maybe-uninitialized. | ||
280 | 438 | |||
281 | 439 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 23 Aug 2017 13:09:20 -0400 | ||
282 | 440 | |||
283 | 234 | nss (2:3.32-1) unstable; urgency=medium | 441 | nss (2:3.32-1) unstable; urgency=medium |
284 | 235 | 442 | ||
285 | 236 | * New upstream release. | 443 | * New upstream release. |
286 | @@ -290,6 +497,39 @@ nss (2:3.27.1-1) experimental; urgency=medium | |||
287 | 290 | 497 | ||
288 | 291 | -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900 | 498 | -- Mike Hommey <glandium@debian.org> Sat, 19 Nov 2016 08:29:17 +0900 |
289 | 292 | 499 | ||
290 | 500 | nss (2:3.28.4-0ubuntu2) artful; urgency=medium | ||
291 | 501 | |||
292 | 502 | * SECURITY UPDATE: DoS via empty SSLv2 messages | ||
293 | 503 | - debian/patches/CVE-2017-7502.patch: reject broken v2 records in | ||
294 | 504 | nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h, | ||
295 | 505 | added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc, | ||
296 | 506 | nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn, | ||
297 | 507 | nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc. | ||
298 | 508 | - CVE-2017-7502 | ||
299 | 509 | |||
300 | 510 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 16 Jun 2017 08:12:38 -0400 | ||
301 | 511 | |||
302 | 512 | nss (2:3.28.4-0ubuntu1) artful; urgency=medium | ||
303 | 513 | |||
304 | 514 | * Updated to upstream 3.28.4 to fix security issues and get a new CA | ||
305 | 515 | certificate bundle. | ||
306 | 516 | * SECURITY UPDATE: DES and Triple DES ciphers birthday attack | ||
307 | 517 | - CVE-2016-2183 | ||
308 | 518 | * SECURITY UPDATE: out-of-bounds write in Base64 decoding | ||
309 | 519 | - CVE-2017-5461 | ||
310 | 520 | * debian/patches/*.patch: refreshed for new version. | ||
311 | 521 | * debian/control: bump libnspr4-dev to 4.13.1. | ||
312 | 522 | * debian/libnss3.symbols: added new symbols. | ||
313 | 523 | |||
314 | 524 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 27 Apr 2017 13:13:44 -0400 | ||
315 | 525 | |||
316 | 526 | nss (2:3.26.2-1ubuntu1) zesty; urgency=medium | ||
317 | 527 | |||
318 | 528 | * Merge with Debian; remaining changes: | ||
319 | 529 | - When building with -O3, build with -Wno-error=maybe-uninitialized. | ||
320 | 530 | |||
321 | 531 | -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 02 Dec 2016 08:48:03 -0500 | ||
322 | 532 | |||
323 | 293 | nss (2:3.26.2-1) unstable; urgency=medium | 533 | nss (2:3.26.2-1) unstable; urgency=medium |
324 | 294 | 534 | ||
325 | 295 | * New upstream release. | 535 | * New upstream release. |
326 | @@ -303,6 +543,13 @@ nss (2:3.26-2) unstable; urgency=medium | |||
327 | 303 | 543 | ||
328 | 304 | -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900 | 544 | -- Mike Hommey <glandium@debian.org> Wed, 21 Sep 2016 10:02:23 +0900 |
329 | 305 | 545 | ||
330 | 546 | nss (2:3.26-1ubuntu1) yakkety; urgency=medium | ||
331 | 547 | |||
332 | 548 | * Merge with Debian; remaining changes: | ||
333 | 549 | - When building with -O3, build with -Wno-error=maybe-uninitialized. | ||
334 | 550 | |||
335 | 551 | -- Matthias Klose <doko@ubuntu.com> Tue, 06 Sep 2016 14:39:56 +0200 | ||
336 | 552 | |||
337 | 306 | nss (2:3.26-1) unstable; urgency=medium | 553 | nss (2:3.26-1) unstable; urgency=medium |
338 | 307 | 554 | ||
339 | 308 | * New upstream release. | 555 | * New upstream release. |
340 | @@ -317,6 +564,12 @@ nss (2:3.26-1) unstable; urgency=medium | |||
341 | 317 | 564 | ||
342 | 318 | -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900 | 565 | -- Mike Hommey <glandium@debian.org> Tue, 16 Aug 2016 16:33:15 +0900 |
343 | 319 | 566 | ||
344 | 567 | nss (2:3.25-1ubuntu1) yakkety; urgency=medium | ||
345 | 568 | |||
346 | 569 | * When building with -O3, build with -Wno-error=maybe-uninitialized. | ||
347 | 570 | |||
348 | 571 | -- Matthias Klose <doko@ubuntu.com> Thu, 04 Aug 2016 11:36:54 +0200 | ||
349 | 572 | |||
350 | 320 | nss (2:3.25-1) unstable; urgency=medium | 573 | nss (2:3.25-1) unstable; urgency=medium |
351 | 321 | 574 | ||
352 | 322 | * New upstream release. | 575 | * New upstream release. |
353 | @@ -348,6 +601,7 @@ nss (2:3.21-1.1) unstable; urgency=medium | |||
354 | 348 | * Fix FTBFS on hppa. Closes: #808990 | 601 | * Fix FTBFS on hppa. Closes: #808990 |
355 | 349 | 602 | ||
356 | 350 | -- Adam Borowski <kilobyte@angband.pl> Sun, 14 Feb 2016 14:46:40 +0100 | 603 | -- Adam Borowski <kilobyte@angband.pl> Sun, 14 Feb 2016 14:46:40 +0100 |
357 | 604 | |||
358 | 351 | nss (2:3.21-1) unstable; urgency=medium | 605 | nss (2:3.21-1) unstable; urgency=medium |
359 | 352 | 606 | ||
360 | 353 | * New upstream release. | 607 | * New upstream release. |
361 | @@ -1263,3 +1517,4 @@ nss (3.11.5-1) experimental; urgency=low | |||
362 | 1263 | * Initial release. (Closes: #416151) | 1517 | * Initial release. (Closes: #416151) |
363 | 1264 | 1518 | ||
364 | 1265 | -- Mike Hommey <glandium@debian.org> Sun, 25 Mar 2007 23:56:17 +0200 | 1519 | -- Mike Hommey <glandium@debian.org> Sun, 25 Mar 2007 23:56:17 +0200 |
365 | 1520 | |||
366 | diff --git a/debian/control b/debian/control | |||
367 | index a4be555..ac713a6 100644 | |||
368 | --- a/debian/control | |||
369 | +++ b/debian/control | |||
370 | @@ -1,9 +1,11 @@ | |||
371 | 1 | Source: nss | 1 | Source: nss |
372 | 2 | Section: libs | 2 | Section: libs |
373 | 3 | Priority: optional | 3 | Priority: optional |
375 | 4 | Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org> | 4 | Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
376 | 5 | XSBC-Original-Maintainer: Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org> | ||
377 | 5 | Uploaders: Mike Hommey <glandium@debian.org> | 6 | Uploaders: Mike Hommey <glandium@debian.org> |
378 | 6 | Build-Depends: debhelper (>= 9.20160403), | 7 | Build-Depends: debhelper (>= 9.20160403), |
379 | 8 | dh-exec, | ||
380 | 7 | dpkg-dev (>= 1.17.14), | 9 | dpkg-dev (>= 1.17.14), |
381 | 8 | libnspr4-dev (>= 2:4.24), | 10 | libnspr4-dev (>= 2:4.24), |
382 | 9 | zlib1g-dev, | 11 | zlib1g-dev, |
383 | diff --git a/debian/libnss3.links b/debian/libnss3.links | |||
384 | 10 | new file mode 100755 | 12 | new file mode 100755 |
385 | index 0000000..e62c6a0 | |||
386 | --- /dev/null | |||
387 | +++ b/debian/libnss3.links | |||
388 | @@ -0,0 +1,5 @@ | |||
389 | 1 | #!/usr/bin/dh-exec | ||
390 | 2 | usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.so | ||
391 | 3 | usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreebl3.chk usr/lib/${DEB_HOST_MULTIARCH}/libfreebl3.chk | ||
392 | 4 | usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.so usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.so | ||
393 | 5 | usr/lib/${DEB_HOST_MULTIARCH}/nss/libfreeblpriv3.chk usr/lib/${DEB_HOST_MULTIARCH}/libfreeblpriv3.chk | ||
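Review bot: the two .chk lines are the substance of the LP #1885562 fix: when a freebl library is exposed outside the nss/ directory it has to be accompanied by its .chk, because the FIPS integrity self-check looks for the checksum file next to the library it actually loads, so a .so symlink without the matching .chk reproduces the self-verification failure the changelog describes. Keep the .so/.chk pairs adjacent as they are here, and note that the 100755 mode is not accidental: dh-exec only processes a .links file that is executable and carries this shebang.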
394 | diff --git a/debian/patches/disable_fips_enabled_read.patch b/debian/patches/disable_fips_enabled_read.patch | |||
395 | 0 | new file mode 100644 | 6 | new file mode 100644 |
396 | index 0000000..c0e54d5 | |||
397 | --- /dev/null | |||
398 | +++ b/debian/patches/disable_fips_enabled_read.patch | |||
399 | @@ -0,0 +1,49 @@ | |||
400 | 1 | commit 16996a9156c9ff2924bdb19ff43d40617a41c912 | ||
401 | 2 | Author: Vineetha Kamath <vineetha.hari.pai@canonical.com> | ||
402 | 3 | Date: Tue Jul 23 15:32:32 2019 -0400 | ||
403 | 4 | |||
404 | 5 | From: Vineetha Kamath<vineetha.hari.pai@canonical.com> | ||
405 | 6 | Decription: Disable libgcrypt reading /proc/sys/crypto/fips_enabled | ||
406 | 7 | file and going into FIPS mode. libnss is not a FIPS | ||
407 | 8 | certified library. | ||
408 | 9 | Bug-Ubuntu: http://bugs.launchpad.net/bugs/1837734 | ||
409 | 10 | Forwarded: not-needed | ||
410 | 11 | |||
411 | 12 | Index: nss/nss/lib/freebl/nsslowhash.c | ||
412 | 13 | =================================================================== | ||
413 | 14 | --- nss.orig/nss/lib/freebl/nsslowhash.c 2020-07-17 10:46:37.964346182 -0400 | ||
414 | 15 | +++ nss/nss/lib/freebl/nsslowhash.c 2020-07-17 10:46:37.960346213 -0400 | ||
415 | 16 | @@ -27,11 +27,13 @@ | ||
416 | 17 | nsslow_GetFIPSEnabled(void) | ||
417 | 18 | { | ||
418 | 19 | #ifdef LINUX | ||
419 | 20 | - FILE *f; | ||
420 | 21 | + FILE *f = NULL; | ||
421 | 22 | char d; | ||
422 | 23 | size_t size; | ||
423 | 24 | |||
424 | 25 | +#if 0 | ||
425 | 26 | f = fopen("/proc/sys/crypto/fips_enabled", "r"); | ||
426 | 27 | +#endif | ||
427 | 28 | if (!f) | ||
428 | 29 | return 0; | ||
429 | 30 | |||
430 | 31 | Index: nss/nss/lib/sysinit/nsssysinit.c | ||
431 | 32 | =================================================================== | ||
432 | 33 | --- nss.orig/nss/lib/sysinit/nsssysinit.c 2020-07-17 10:46:37.964346182 -0400 | ||
433 | 34 | +++ nss/nss/lib/sysinit/nsssysinit.c 2020-07-17 10:46:59.844174516 -0400 | ||
434 | 35 | @@ -171,11 +171,13 @@ | ||
435 | 36 | getFIPSMode(void) | ||
436 | 37 | { | ||
437 | 38 | #ifndef NSS_FIPS_DISABLED | ||
438 | 39 | - FILE *f; | ||
439 | 40 | + FILE *f = NULL; | ||
440 | 41 | char d; | ||
441 | 42 | size_t size; | ||
442 | 43 | |||
443 | 44 | +#if 0 | ||
444 | 45 | f = fopen("/proc/sys/crypto/fips_enabled", "r"); | ||
445 | 46 | +#endif | ||
446 | 47 | if (!f) { | ||
447 | 48 | /* if we don't have a proc flag, fall back to the | ||
448 | 49 | * environment variable */ | ||
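Review bot: the DEP3 header of disable_fips_enabled_read.patch has two defects worth fixing while the patch is being refreshed anyway: the field name is misspelled "Decription" (DEP3 tooling looks for "Description"), and the text says it stops "libgcrypt reading /proc/sys/crypto/fips_enabled" although the patch touches nss/lib/freebl/nsslowhash.c and nss/lib/sysinit/nsssysinit.c, so "libgcrypt" should read "NSS"; the leading commit/Author/Date block is not DEP3 either and the author belongs in an "Author:" field. On behaviour: wrapping only the fopen() in "#if 0" leaves f as NULL, so nsslow_GetFIPSEnabled() always takes the "if (!f) return 0;" exit and everything after it is now unreachable (the char d and size_t size declarations are dead), while getFIPSMode() takes the branch whose retained comment says "fall back to the environment variable". The proc flag is ignored, but the environment-variable route into FIPS mode is still there; say so in the description so nobody reads this patch as "FIPS mode cannot be enabled".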
449 | diff --git a/debian/patches/series b/debian/patches/series | |||
450 | index 2f1226f..e8cd205 100644 | |||
451 | --- a/debian/patches/series | |||
452 | +++ b/debian/patches/series | |||
453 | @@ -4,3 +4,5 @@ | |||
454 | 4 | 38_hppa.patch | 4 | 38_hppa.patch |
455 | 5 | seed | 5 | seed |
456 | 6 | infinite-recursion | 6 | infinite-recursion |
457 | 7 | disable_fips_enabled_read.patch | ||
458 | 8 | set-tls1.2-as-minimum.patch | ||
459 | diff --git a/debian/patches/set-tls1.2-as-minimum.patch b/debian/patches/set-tls1.2-as-minimum.patch | |||
460 | 7 | new file mode 100644 | 9 | new file mode 100644 |
461 | index 0000000..a05d4e9 | |||
462 | --- /dev/null | |||
463 | +++ b/debian/patches/set-tls1.2-as-minimum.patch | |||
464 | @@ -0,0 +1,17 @@ | |||
465 | 1 | Description: Set TLSv1.2 as minimum TLS version. LP: #1856428 | ||
466 | 2 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1856428 | ||
467 | 3 | |||
468 | 4 | |||
469 | 5 | Index: nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c | ||
470 | 6 | =================================================================== | ||
471 | 7 | --- nss-3.48-1ubuntu1.orig/nss/lib/ssl/sslsock.c | ||
472 | 8 | +++ nss-3.48-1ubuntu1/nss/lib/ssl/sslsock.c | ||
473 | 9 | @@ -96,7 +96,7 @@ static sslOptions ssl_defaults = { | ||
474 | 10 | * default range of enabled SSL/TLS protocols | ||
475 | 11 | */ | ||
476 | 12 | static SSLVersionRange versions_defaults_stream = { | ||
477 | 13 | - SSL_LIBRARY_VERSION_TLS_1_0, | ||
478 | 14 | + SSL_LIBRARY_VERSION_TLS_1_2, | ||
479 | 15 | SSL_LIBRARY_VERSION_TLS_1_3 | ||
480 | 16 | }; | ||
481 | 17 | |||
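Review bot: set-tls1.2-as-minimum.patch is missing the DEP3 fields a later merger needs: there is no "Forwarded:" line (an Ubuntu-specific default change would normally carry "Forwarded: not-needed" plus a sentence on why the default differs from Debian's) and no "Author:", and the "Index: nss-3.48-1ubuntu1/..." paths date it to an earlier merge and could be refreshed to the current tree. On scope: the hunk raises only the lower bound of versions_defaults_stream, the "default range of enabled SSL/TLS protocols" for stream sockets; applications that set an explicit version range (SSL_VersionRangeSet) override this default, and a separate datagram default, if sslsock.c carries one, is untouched here, so the changelog wording "Set TLSv1.2 as minimum TLS version" slightly overstates what the patch enforces.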
482 | diff --git a/debian/rules b/debian/rules | |||
483 | index ec951d3..b4c7302 100755 | |||
484 | --- a/debian/rules | |||
485 | +++ b/debian/rules | |||
486 | @@ -175,7 +175,7 @@ override_dh_strip: | |||
487 | 175 | 175 | ||
488 | 176 | ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH)) | 176 | ifeq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH)) |
489 | 177 | # Check FIPS mode correctly works | 177 | # Check FIPS mode correctly works |
491 | 178 | mkdir debian/tmp | 178 | mkdir -p debian/tmp |
492 | 179 | LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null | 179 | LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null |
493 | 180 | LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null | 180 | LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null |
494 | 181 | endif | 181 | endif |