Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/nss.git#4d0b92b33350fc4f84936b3fe001ddec026b5d3a

.gitignore

@@ -57,3 +57,4 @@ TestUser51.cert
 /nss-3.58.tar.gz
 /nspr-4.29.tar.gz
 /nss-3.59.tar.gz
+/nss-3.60.1.tar.gz

nss-turn-off-expired-ocsp-cert.patch

@@ -0,0 +1,19 @@
+diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
+--- a/tests/chains/scenarios/nameconstraints.cfg
++++ b/tests/chains/scenarios/nameconstraints.cfg
+@@ -159,12 +159,12 @@ verify NameConstraints.dcissblocked:x
+ verify NameConstraints.dcissallowed:x
+   result pass
+ 
+ # Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
+ #
+ # This tests that a non server certificate (i.e. id-kp-serverAuth
+ # not present in EKU) does *NOT* have CN treated as dnsName for
+ # purposes of Name Constraints validation
+-verify NameConstraints.ocsp1:x
+-  usage 10
+-  result pass
++#verify NameConstraints.ocsp1:x
++#  usage 10
++#  result pass
+ 

nss.spec

@@ -2,8 +2,8 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global nspr_release 9
+%global nspr_release 10
-%global nss_version 3.59.0
+%global nss_version 3.60.1
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -53,7 +53,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
+Release:          1%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -64,6 +64,7 @@ Requires:         nss-system-init
 Requires:         p11-kit-trust
 Requires:         /usr/bin/update-crypto-policies
 # for shlibsign
+BuildRequires: make
 BuildRequires:    nss-softokn
 BuildRequires:    sqlite-devel
 BuildRequires:    zlib-devel
@@ -117,6 +118,7 @@ Patch2:           nss-539183.patch
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
 Patch12:          nss-signtool-format.patch
+Patch13:          nss-turn-off-expired-ocsp-cert.patch
 %if 0%{?fedora} < 34
 %if 0%{?rhel} < 9
 Patch20:          nss-gcm-param-default-pkcs11v2.patch
@@ -124,8 +126,6 @@ Patch20:          nss-gcm-param-default-pkcs11v2.patch
 %endif
 # can drop this patch when the underlying btrfs/sqlite issue is solved
 Patch30:          nss-fedora-btrf-sql-hack.patch
-# can drop this patch once crypto-policies has been updated
-Patch31:          nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -347,13 +347,13 @@ popd
 # This package fails its testsuite with LTO.  Disable LTO for now
 %global _lto_cflags %{nil}
 
-export FREEBL_NO_DEPEND=1
+#export FREEBL_NO_DEPEND=1
 
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
 # copied to dist and the rpm install phase can find it
 # This due of the upstream changes to fix
 # https://bugzilla.mozilla.org/show_bug.cgi?id=717906
-export FREEBL_LOWHASH=1
+# export FREEBL_LOWHASH=1
 
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
@@ -392,6 +392,8 @@ export NSS_USE_SYSTEM_SQLITE=1
 
 export NSS_ALLOW_SSLKEYLOGFILE=1
 
+export NSS_SEED_ONLY_DEV_URANDOM=1
+
 %if %{with dbm}
 %else
 export NSS_DISABLE_DBM=1
@@ -1047,6 +1049,10 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Thu Jan 21 2021 Bob Relyea <rrelyea@redhat.com> - 3.60.1-1
+- Update to NSS 3.60.1
+- Drop NODEPEND_FREEBL and LOWHASH
+
 * Fri Dec 11 2020 Bob Relyea <rrelyea@redhat.com> - 3.59.0-2
 - Work around btrfs/sqlite bug
 - Disable new policy entries until crypto-polices has been updated

sources

@@ -4,4 +4,4 @@ SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60b
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
 SHA512 (nspr-4.29.tar.gz) = ba5ac275fe0beb69d7a7674c9ee9e4429bd5761daed285edd975ccc829af30d062bf4a0f5e44361e3bd191f21b1905f96ab146d53b55324020f13ecb3c05609b
-SHA512 (nss-3.59.tar.gz) = 8963e846f2ff7222457ae59f042672cf4e44f7752807226f46c215a772fd1cbd65d0ce634da4afb698eabd4eb1c1e78146cc2a089339ada11da03d259c609a38
+SHA512 (nss-3.60.1.tar.gz) = ba398ddad6f90f3562a041b7fd5fc7b72eb20961cc5c1f4890c3b0d95d438404b26ae6feb54cb8c650707134479a915e1f522f0e9257bc2ede053dd0811156d5