Hello community, here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2016-06-12 18:51:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old) and /work/SRC/openSUSE:Factory/.mozilla-nss.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "mozilla-nss" Changes: -------- --- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2016-05-31 12:10:07.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.mozilla-nss.new/mozilla-nss.changes 2016-06-12 18:51:20.000000000 +0200 
@@ -1,0 +2,46 @@ +Thu May 26 05:59:03 UTC 2016 - wr@rosenauer.org + +- update to NSS 3.23 + New functionality: + * ChaCha20/Poly1305 cipher and TLS cipher suites now supported + * Experimental-only support TLS 1.3 1-RTT mode (draft-11). + This code is not ready for production use. + New functions: + * SSL_SetDowngradeCheckVersion - Set maximum version for new + ServerRandom anti-downgrade mechanism. Clients that perform a + version downgrade (which is generally a very bad idea) call this + with the highest version number that they possibly support. + This gives them access to the version downgrade protection from + TLS 1.3. + Notable changes: + * The copy of SQLite shipped with NSS has been updated to version + 3.10.2 + * The list of TLS extensions sent in the TLS handshake has been + reordered to increase compatibility of the Extended Master Secret + with with servers + * The build time environment variable NSS_ENABLE_ZLIB has been + renamed to NSS_SSL_ENABLE_ZLIB + * The build time environment variable NSS_DISABLE_CHACHAPOLY was + added, which can be used to prevent compilation of the + ChaCha20/Poly1305 code. + * The following CA certificates were Removed + - Staat der Nederlanden Root CA + - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado + - NetLock Kozjegyzoi (Class A) Tanusitvanykiado + - NetLock Uzleti (Class B) Tanusitvanykiado + - NetLock Expressz (Class C) Tanusitvanykiado + - VeriSign Class 1 Public PCA – G2 + - VeriSign Class 3 Public PCA + - VeriSign Class 3 Public PCA – G2 + - CA Disig + * The following CA certificates were Added + + SZAFIR ROOT CA2 + + Certum Trusted Network CA 2 + * The following CA certificate had the Email trust bit turned on + + Actalis Authentication Root CA + Security fixes: + * CVE-2016-2834: Memory safety bugs (boo#983639) + MFSA-2016-61 bmo#1206283 bmo#1221620 bmo#1241034 bmo#1241037 +- removed obsolete nss_gcc6_change.patch + +------------------------------------------------------------------- 
@@ -13,0 +60,5 @@ + * Fixed a heap-based buffer overflow related to the parsing of + certain ASN.1 structures. An attacker could create a specially-crafted + certificate which, when parsed by NSS, would cause a crash or + execution of arbitrary code with the permissions of the user. + (CVE-2016-1950, bmo#1245528) Old: ---- nss-3.22.3.tar.gz nss_gcc6_change.patch New: ---- nss-3.23.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ --- /var/tmp/diff_new_pack.L4xRhd/_old 2016-06-12 18:51:21.000000000 +0200 +++ /var/tmp/diff_new_pack.L4xRhd/_new 2016-06-12 18:51:21.000000000 +0200 @@ -2,7 +2,7 @@ # spec file for package mozilla-nss # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. -# Copyright (c) 2006-2015 Wolfgang Rosenauer +# Copyright (c) 2006-2016 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -25,7 +25,7 @@ BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.22.3 +Version: 3.23 Release: 0 # bug437293 %ifarch ppc64 @@ -36,8 +36,8 @@ License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ -Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_3_RTM/src/nss-%{version}.tar.gz -# hg clone https://hg.mozilla.org/projects/nss nss-3.22.3/nss ; cd nss-3.22.3/nss ; hg up NSS_3_22_3_RTM +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss nss-3.23/nss ; cd nss-3.23/nss ; hg up NSS_3_23_RTM #Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in 
@@ -57,7 +57,6 @@ Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch Patch9: nss-bmo1236011.patch -Patch10: nss_gcc6_change.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -179,7 +178,6 @@ %patch7 -p1 %patch8 -p1 %patch9 -p1 -%patch10 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt ++++++ nss-3.22.3.tar.gz -> nss-3.23.tar.gz ++++++ /work/SRC/openSUSE:Factory/mozilla-nss/nss-3.22.3.tar.gz /work/SRC/openSUSE:Factory/.mozilla-nss.new/nss-3.23.tar.gz differ: char 5, line 1 ++++++ renegotiate-transitional.patch ++++++ --- /var/tmp/diff_new_pack.L4xRhd/_old 2016-06-12 18:51:22.000000000 +0200 +++ /var/tmp/diff_new_pack.L4xRhd/_new 2016-06-12 18:51:22.000000000 +0200 @@ -1,13 +1,22 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c -index e6b2387..87fbe1d 100644 --- a/lib/ssl/sslsock.c 
+++ b/lib/ssl/sslsock.c -@@ -74,7 +74,7 @@ static sslOptions ssl_defaults = { - PR_FALSE, /* noLocks */ - PR_FALSE, /* enableSessionTickets */ - PR_FALSE, /* enableDeflate */ -- 2, /* enableRenegotiation (default: requires extension) */ -+ 3, /* enableRenegotiation (default: requires extension) */ - PR_FALSE, /* requireSafeNegotiation */ - PR_FALSE, /* enableFalseStart */ - PR_TRUE, /* cbcRandomIV */ +@@ -72,17 +72,17 @@ static sslOptions ssl_defaults = { + PR_FALSE, + /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ + PR_TRUE, /* detectRollBack */ + PR_FALSE, /* noStepDown */ + PR_FALSE, /* bypassPKCS11 */ + PR_FALSE, /* noLocks */ + PR_FALSE, /* enableSessionTickets */ + PR_FALSE, /* enableDeflate */ +- 2, /* enableRenegotiation (default: requires extension) */ ++ 3, /* enableRenegotiation (default: requires extension) */ + PR_FALSE, /* requireSafeNegotiation */ + PR_FALSE, /* enableFalseStart */ + PR_TRUE, /* cbcRandomIV */ + PR_FALSE, /* enableOCSPStapling */ + PR_TRUE, /* enableNPN */ + PR_FALSE, /* enableALPN */ + PR_TRUE, /* reuseServerECDHEKey */ + PR_FALSE, /* enableFallbackSCSV */
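
Review bot: the new 3.23 entry in mozilla-nss.changes (hunk `@@ -1,0 +2,46 @@`) has a duplicated word in the Extended Master Secret bullet, "with with servers", and the TLS 1.3 bullet reads "Experimental-only support TLS 1.3 1-RTT mode", which is missing "for". Both are worth fixing before the entry is published, since this text is what users see in the package changelog. The CA list also switches between "-" and "+" sub-bullets for the removed and added roots; a single marker would be easier to read next to diff output, where those characters already carry meaning.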
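
Review bot: the second mozilla-nss.changes hunk (`@@ -13,0 +60,5 @@`) inserts the CVE-2016-1950 text into an older, existing changelog entry, and with zero context lines the diff does not show which release that entry belongs to. Please confirm the bullet sits under the NSS version that actually shipped the fix. The line cites only bmo#1245528; the CVE-2016-2834 line in the new entry also carries a boo# reference, and adding the matching one here would let the CVE be traced to a package bug in the same way.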
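
Review bot: in renegotiate-transitional.patch, the changed initializer in ssl_defaults keeps the comment "enableRenegotiation (default: requires extension)" while the value goes from 2 to 3, so the comment now describes the setting the patch replaces. Suggest using the symbolic constant from ssl.h instead of a bare 3 (SSL_RENEGOTIATE_TRANSITIONAL, going by the patch name) and rewording the comment to state the new default. Because this changes the library-wide renegotiation default away from the upstream value shown on the "-" line, a one-line rationale in the patch header or the .changes file would help anyone auditing the package's TLS behaviour.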