From 7ee7f9bbbe8a774bc151a06e0895ff2c4a765b7c Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Fri, 22 Jan 2021 05:44:38 +0000
Subject: [PATCH] Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/nss.git#4d0b92b33350fc4f84936b3fe001ddec026b5d3a
---
 .gitignore | 1 +
 nss-turn-off-expired-ocsp-cert.patch | 19 +++++++++++++++++++
 nss.spec | 20 +++++++++++++-------
 sources | 2 +-
 4 files changed, 34 insertions(+), 8 deletions(-)
 create mode 100644 nss-turn-off-expired-ocsp-cert.patch
diff --git a/.gitignore b/.gitignore
index 859a2bb..21717ea 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,4 @@ TestUser51.cert
 /nss-3.58.tar.gz
 /nspr-4.29.tar.gz
 /nss-3.59.tar.gz
+/nss-3.60.1.tar.gz
diff --git a/nss-turn-off-expired-ocsp-cert.patch b/nss-turn-off-expired-ocsp-cert.patch
new file mode 100644
index 0000000..dfbbb50
--- /dev/null
+++ b/nss-turn-off-expired-ocsp-cert.patch
@@ -0,0 +1,19 @@
+diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
+--- a/tests/chains/scenarios/nameconstraints.cfg
++++ b/tests/chains/scenarios/nameconstraints.cfg
+@@ -159,12 +159,12 @@ verify NameConstraints.dcissblocked:x
+ verify NameConstraints.dcissallowed:x
+ result pass
+
+ # Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
+ #
+ # This tests that a non server certificate (i.e. id-kp-serverAuth
+ # not present in EKU) does *NOT* have CN treated as dnsName for
+ # purposes of Name Constraints validation
+-verify NameConstraints.ocsp1:x
+- usage 10
+- result pass
++#verify NameConstraints.ocsp1:x
++# usage 10
++# result pass
+
diff --git a/nss.spec b/nss.spec
index 3e27158..ac03dff 100644
--- a/nss.spec
+++ b/nss.spec
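Review bot: The new nss-turn-off-expired-ocsp-cert.patch comments out the whole `verify NameConstraints.ocsp1:x` case, which per the comment kept above it is the check that a certificate without id-kp-serverAuth does not have its CN treated as a dnsName for Name Constraints validation, so that behaviour is no longer exercised when the chains tests run. Neither the patch nor the `Patch13:` line in nss.spec says why the case is disabled or when it can come back; the reason (an expired test certificate) can only be inferred from the file name. Give the patch a short description header and put a comment above `Patch13:` in the style of the neighbouring entries, e.g. `# can drop this patch once upstream replaces the expired OCSP test certificate`, ideally with the upstream bug reference.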
@@ -2,8 +2,8 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global nspr_release 9
-%global nss_version 3.59.0
+%global nspr_release 10
+%global nss_version 3.60.1
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -53,7 +53,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary: Network Security Services
 Name: nss
 Version: %{nss_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Requires: nspr >= %{nspr_version}
@@ -64,6 +64,7 @@ Requires: nss-system-init
 Requires: p11-kit-trust
 Requires: /usr/bin/update-crypto-policies
 # for shlibsign
+BuildRequires: make
 BuildRequires: nss-softokn
 BuildRequires: sqlite-devel
 BuildRequires: zlib-devel
@@ -117,6 +118,7 @@ Patch2: nss-539183.patch
 # but it doesn't hurt to keep it.
 Patch4: iquote.patch
 Patch12: nss-signtool-format.patch
+Patch13: nss-turn-off-expired-ocsp-cert.patch
 %if 0%{?fedora} < 34
 %if 0%{?rhel} < 9
 Patch20: nss-gcm-param-default-pkcs11v2.patch
@@ -124,8 +126,6 @@ Patch20: nss-gcm-param-default-pkcs11v2.patch
 %endif
 # can drop this patch when the underlying btrfs/sqlite issue is solved
 Patch30: nss-fedora-btrf-sql-hack.patch
-# can drop this patch once crypto-policies has been updated
-Patch31: nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
 Patch100: nspr-config-pc.patch
 Patch101: nspr-gcc-atomics.patch
@@ -347,13 +347,13 @@ popd
 # This package fails its testsuite with LTO. Disable LTO for now
 %global _lto_cflags %{nil}
-export FREEBL_NO_DEPEND=1
+#export FREEBL_NO_DEPEND=1
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
 # copied to dist and the rpm install phase can find it
 # This due of the upstream changes to fix
 # https://bugzilla.mozilla.org/show_bug.cgi?id=717906
-export FREEBL_LOWHASH=1
+# export FREEBL_LOWHASH=1
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
@@ -392,6 +392,8 @@ export NSS_USE_SYSTEM_SQLITE=1
 export NSS_ALLOW_SSLKEYLOGFILE=1
+export NSS_SEED_ONLY_DEV_URANDOM=1
+
 %if %{with dbm}
 %else
 export NSS_DISABLE_DBM=1
@@ -1047,6 +1049,10 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Thu Jan 21 2021 Bob Relyea - 3.60.1-1
+- Update to NSS 3.60.1
+- Drop NODEPEND_FREEBL and LOWHASH
+
 * Fri Dec 11 2020 Bob Relyea - 3.59.0-2
 - Work around btrfs/sqlite bug
 - Disable new policy entries until crypto-polices has been updated
diff --git a/sources b/sources
index 62e2a42..d49f4c8 100644
--- a/sources
+++ b/sources
@@ -4,4 +4,4 @@ SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60b
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
 SHA512 (nspr-4.29.tar.gz) = ba5ac275fe0beb69d7a7674c9ee9e4429bd5761daed285edd975ccc829af30d062bf4a0f5e44361e3bd191f21b1905f96ab146d53b55324020f13ecb3c05609b
-SHA512 (nss-3.59.tar.gz) = 8963e846f2ff7222457ae59f042672cf4e44f7752807226f46c215a772fd1cbd65d0ce634da4afb698eabd4eb1c1e78146cc2a089339ada11da03d259c609a38
+SHA512 (nss-3.60.1.tar.gz) = ba398ddad6f90f3562a041b7fd5fc7b72eb20961cc5c1f4890c3b0d95d438404b26ae6feb54cb8c650707134479a915e1f522f0e9257bc2ede053dd0811156d5
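Review bot: The comment block kept in the -347 hunk still reads "Must export FREEBL_LOWHASH=1 for nsslowhash.h", which now contradicts the `# export FREEBL_LOWHASH=1` line directly beneath it, and `#export FREEBL_NO_DEPEND=1` is left as commented-out code with no reason given. Since the changelog entry says both are dropped, delete the two disabled lines together with the four-line comment, or replace the comment with a single line stating why the variables are no longer set, e.g. `# FREEBL_NO_DEPEND and FREEBL_LOWHASH are no longer exported as of 3.60.1-1`. The build script section these lines belong to starts and ends outside the hunk.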
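Review bot: `export NSS_SEED_ONLY_DEV_URANDOM=1` in the -392 hunk changes how the library's random number generator is seeded, yet it is added without a comment and the 3.60.1-1 changelog entry does not mention it. A build-time change to the entropy source is something an auditor will look for, so state the intent at the line, e.g. `# seed the RNG from /dev/urandom only, not from other system sources`, and add a matching changelog bullet such as `- Seed the RNG only from /dev/urandom`. It is also worth confirming how the library behaves where /dev/urandom is unavailable (for example a minimal chroot), since with this setting there is presumably no fallback source.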