From 67a7a21b0e9405986d0eb56883bc333153156761 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Tue, 26 Nov 2013 10:36:24 -0800
Subject: [PATCH] Update to NSS_3_15_3_RTM
- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
- Fix option descriptions for setup-nsssysinit manpage
- Fix man page of nss-sysinit wrong path and other flaws
- Document email option for certutil manpage
- Remove unused patches
---
 certutil_keyOpFlagsFix.patch | 24 ++++++++++++++++++++++++
 document-certutil-email-option.patch | 25 +++++++++++++++++++++++++
 nss.spec | 20 ++++++++++++++------
 3 files changed, 63 insertions(+), 6 deletions(-)
 create mode 100644 certutil_keyOpFlagsFix.patch
 create mode 100644 document-certutil-email-option.patch
diff --git a/certutil_keyOpFlagsFix.patch b/certutil_keyOpFlagsFix.patch
new file mode 100644
index 0000000..94724ff
--- /dev/null
+++ b/certutil_keyOpFlagsFix.patch
@@ -0,0 +1,24 @@
+diff --git a/doc/certutil.xml b/doc/certutil.xml
+--- a/doc/certutil.xml
++++ b/doc/certutil.xml
+@@ -655,18 +655,18 @@ of the attribute codes:
+ 
+ 
+ --keyAttrFlags attrflags
+ 
+ PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
+ 
+ 
+ 
+- --keyFlagsOn opflags
+- --keyFlagsOff opflags
++ --keyOpFlagsOn opflags
++ --keyOpFlagsOff opflags
+ 
+ PKCS #11 key Operation Flags.
+ Comma separated list of one or more of the following:
+ {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
+ 
+ 
+ 
+ 
diff --git a/document-certutil-email-option.patch b/document-certutil-email-option.patch
new file mode 100644
index 0000000..b9ca7e1
--- /dev/null
+++ b/document-certutil-email-option.patch
@@ -0,0 +1,25 @@
+diff --git a/doc/certutil.xml b/doc/certutil.xml
+--- a/doc/certutil.xml
++++ b/doc/certutil.xml
+@@ -204,16 +204,21 @@ If this option is not used, the validity
+ 
+ 
+ 
+ -e
+ Check a certificate's signature during the process of validating a certificate.
+ 
+ 
+ 
++ --email email-address
++ Specify the email address, used with the -L command option to print a single named certificate.
++ 
++ 
++ 
+ -f password-file
+ Specify a file that will automatically supply the password to include in a certificate
+ or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
+ unauthorized access to this file.
+ 
+ 
+ 
+ -g keysize
diff --git a/nss.spec b/nss.spec
index 36eddea..f213ae4 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,6 +1,6 @@
 %global nspr_version 4.10.2
 %global nss_util_version 3.15.3
-%global nss_softokn_fips_version 3.12.9
+%global nss_softokn_fips_version 3.13.5
 %global nss_softokn_version 3.15.3
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -79,8 +79,6 @@ Patch18: nss-646045.patch
 # must statically link pem against the freebl in the buildroot
 # Needed only when freebl on tree has new APIS
 Patch25: nsspem-use-system-freebl.patch
-# Prevent users from trying to enable ssl pkcs11 bypass
-# Patch39: nss-ssl-enforce-no-pkcs11-bypass.path
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40: nss-3.14.0.0-disble-ocsp-test.patch
 Patch44: 0001-sync-up-with-upstream-softokn-changes.patch
@@ -95,6 +93,10 @@ Patch48: nss-versus-softoken-tests.patch
 # TODO remove when we switch to building nss without softoken
 Patch49: nss-skip-bltest-and-fipstest.patch
 Patch50: iquote.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001
+Patch54: document-certutil-email-option.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=937677
+Patch57: certutil_keyOpFlagsFix.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -178,9 +180,6 @@ low level services.
 %patch18 -p0 -b .646045
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
-# activate for stable and beta branches
-# %%patch29 -p0 -b .cbcrandomivoff
-# %%patch39 -p0 -b .nobypass
 %patch40 -p0 -b .noocsptest
 %patch44 -p1 -b .syncupwithupstream
 %patch45 -p0 -b .notrash
@@ -189,6 +188,10 @@ low level services.
 %patch48 -p0 -b .crypto
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
+pushd nss
+%patch54 -p1 -b .948495
+%patch57 -p1 -b .948495
+popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -626,6 +629,8 @@ fi
 %attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
 %attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
 %{_bindir}/setup-nsssysinit.sh
+# symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
 %attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz
 
 %files tools
@@ -744,6 +749,9 @@ fi
 - Update to NSS_3_15_3_RTM
 - Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
 - Fix option descriptions for setup-nsssysinit manpage
+- Fix man page of nss-sysinit wrong path and other flaws
+- Document email option for certutil manpage
+- Remove unused patches
 
 * Sun Oct 27 2013 Elio Maldonado - 3.15.2-3
 - Revert one change from last commit to preserve full nss pluggable ecc supprt [1019245]
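Review bot: In the `@@ -189,6 +188,10 @@` hunk both new `%patch` lines use the same backup suffix `.948495`, so the backup copies left by document-certutil-email-option.patch and certutil_keyOpFlagsFix.patch cannot be told apart, and the number does not match the upstream bug ids (932001, 937677) cited beside the Patch54/Patch57 declarations in the `@@ -95,6 +93,10 @@` hunk. The neighbouring lines use descriptive suffixes (`.iquote`, `.skipthem`, `.systemfreebl`), so for example `%patch54 -p1 -b .emailoption` and `%patch57 -p1 -b .keyopflags` would follow the file's convention. The `pushd nss` / `-p1` pairing also departs from the `-p0` used by every other `%patch` line in view; a one-line comment such as `# these two upstream patches are rooted at nss/, hence pushd and -p1` would save the next maintainer from guessing why.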
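Review bot: The `@@ -626,6 +629,8 @@` hunk adds `%{_bindir}/setup-nsssysinit` to the `%files` list, but nothing in this diff creates that symlink, so unless the `%install` section (outside these hunks) already does something like `ln -s setup-nsssysinit.sh %{buildroot}%{_bindir}/setup-nsssysinit`, the build will fail on a file that is listed but not present in the buildroot. Worth confirming before merging, and the new comment could say where the link is made, e.g. `# symbolic link to setup-nsssysinit.sh, created in %install`, so the two halves of the change are tied together.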