Hello community, here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2017-01-29 10:29:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old) and /work/SRC/openSUSE:Factory/.mozilla-nss.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "mozilla-nss" Changes: -------- --- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2016-11-17 12:19:23.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.mozilla-nss.new/mozilla-nss.changes 2017-02-03 17:50:45.645913849 +0100 
@@ -1,0 +2,82 @@ +Wed Jan 18 22:00:31 UTC 2017 - wr@rosenauer.org + +- update to NSS 3.28.1 + No new functionality is introduced in this release. This is a patch release to + update the list of root CA certificates and address a minor TLS compatibility + issue that some applications experienced with NSS 3.28. + * The following CA certificates were Removed + CN = Buypass Class 2 CA 1 + CN = Root CA Generalitat Valenciana + OU = RSA Security 2048 V3 + * The following CA certificates were Added + OU = AC RAIZ FNMT-RCM + CN = Amazon Root CA 1 + CN = Amazon Root CA 2 + CN = Amazon Root CA 3 + CN = Amazon Root CA 4 + CN = LuxTrust Global Root 2 + CN = Symantec Class 1 Public Primary Certification Authority - G4 + CN = Symantec Class 1 Public Primary Certification Authority - G6 + CN = Symantec Class 2 Public Primary Certification Authority - G4 + CN = Symantec Class 2 Public Primary Certification Authority - G6 + * The version number of the updated root CA list has been set to 2.11 + * A misleading assertion/alert has been removed when NSS tries to flush data + to the peer but the connection was already reset. +- update to NSS 3.28 + New functionality: + * NSS includes support for TLS 1.3 draft -18. This includes a number + of improvements to TLS 1.3: + - The signed certificate timestamp, used in certificate + transparency, is supported in TLS 1.3. + - Key exporters for TLS 1.3 are supported. This includes the early + key exporter, which can be used if 0-RTT is enabled. Note that + there is a difference between TLS 1.3 and key exporters in older + versions of TLS. TLS 1.3 does not distinguish between an empty + context and no context. + - The TLS 1.3 (draft) protocol can be enabled, by defining + NSS_ENABLE_TLS_1_3=1 when building NSS. + - NSS includes support for the X25519 key exchange algorithm, + which is supported and enabled by default in all versions of TLS. 
+ New Functions: + * SSL_ExportEarlyKeyingMaterial + * SSL_SendAdditionalKeyShares + * SSL_SignatureSchemePrefSet + * SSL_SignatureSchemePrefGet + Notable Changes: + * NSS can no longer be compiled with support for additional elliptic curves. + This was previously possible by replacing certain NSS source files. + * NSS will now detect the presence of tokens that support additional + elliptic curves and enable those curves for use in TLS. + Note that this detection has a one-off performance cost, which can be + avoided by using the SSL_NamedGroupConfig function to limit supported + groups to those that NSS provides. + * PKCS#11 bypass for TLS is no longer supported and has been removed. + * Support for "export" grade SSL/TLS cipher suites has been removed. + * NSS now uses the signature schemes definition in TLS 1.3. + This also affects TLS 1.2. NSS will now only generate signatures with the + combinations of hash and signature scheme that are defined in TLS 1.3, + even when negotiating TLS 1.2. + - This means that SHA-256 will only be used with P-256 ECDSA certificates, + SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates. + SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward + compatibility reasons. + - New functions to configure signature schemes are provided: + SSL_SignatureSchemePrefSet, SSL_SignatureSchemePrefGet. + The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are + now deprecated. + - NSS will now no longer assume that default signature schemes are + supported by a peer if there was no commonly supported signature scheme. + * NSS will now check if RSA-PSS signing is supported by the token that holds + the private key prior to using it for TLS. + * The certificate validation code contains checks to no longer trust + certificates that are issued by old WoSign and StartCom CAs after + October 21, 2016. This is equivalent to the behavior that Mozilla will + release with Firefox 51. 
+- update to NSS 3.27.2 + * SSL_SetTrustAnchors leaks (bmo#1318561) +- removed upstreamed patch + * nss-uninitialized.patch +- raised the minimum softokn/freebl version to 3.28 as reported in + boo#1021636 + +------------------------------------------------------------------- Old: ---- nss-3.26.2.tar.gz nss-uninitialized.patch New: ---- nss-3.28.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ --- /var/tmp/diff_new_pack.8ZAkk8/_old 2017-02-03 17:50:47.029718746 +0100 +++ /var/tmp/diff_new_pack.8ZAkk8/_new 2017-02-03 17:50:47.033718182 +0100 @@ -1,7 +1,7 @@ # # spec file for package mozilla-nss # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2006-2016 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties @@ -17,15 +17,15 @@ # -%global nss_softokn_fips_version 3.21 +%global nss_softokn_fips_version 3.28 Name: mozilla-nss BuildRequires: gcc-c++ -BuildRequires: mozilla-nspr-devel >= 4.12 +BuildRequires: mozilla-nspr-devel >= 4.13.1 BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.26.2 +Version: 3.28.1 Release: 0 # bug437293 %ifarch ppc64 @@ -36,8 +36,8 @@ License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ -Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_26_2_RTM/src/nss-%{version}.tar.gz -# hg clone https://hg.mozilla.org/projects/nss nss-3.26.2/nss ; cd nss-3.26.2/nss ; hg up NSS_3_26_2_RTM +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_1_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss nss-3.28.1/nss ; cd nss-3.28.1/nss ; hg up NSS_3_28_1_RTM #Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in 
@@ -51,7 +51,6 @@ Source99: %{name}.changes Patch1: nss-opt.patch Patch2: system-nspr.patch -Patch3: nss-uninitialized.patch Patch4: nss-no-rpath.patch Patch5: renegotiate-transitional.patch Patch6: malloc.patch @@ -88,7 +87,7 @@ Group: Development/Libraries/Other Requires: libfreebl3 Requires: libsoftokn3 -Requires: mozilla-nspr-devel >= 4.9 +Requires: mozilla-nspr-devel >= 4.13.1 Requires: mozilla-nss = %{version}-%{release} # bug437293 %ifarch ppc64 @@ -170,7 +169,6 @@ cd nss %patch1 -p1 %patch2 -p1 -%patch3 -p1 %patch4 -p1 %patch5 -p1 %if %suse_version > 1110 @@ -200,6 +198,7 @@ export USE_64=1 %endif export NSS_USE_SYSTEM_SQLITE=1 +export NSS_ENABLE_TLS_1_3=1 #export SQLITE_LIB_NAME=nsssqlite3 MAKE_FLAGS="BUILD_OPT=1" make nss_build_all $MAKE_FLAGS ++++++ nss-3.26.2.tar.gz -> nss-3.28.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/mozilla-nss/nss-3.26.2.tar.gz /work/SRC/openSUSE:Factory/.mozilla-nss.new/nss-3.28.1.tar.gz differ: char 5, line 1 ++++++ system-nspr.patch ++++++ --- /var/tmp/diff_new_pack.8ZAkk8/_old 2017-02-03 17:50:47.193695628 +0100 +++ /var/tmp/diff_new_pack.8ZAkk8/_new 2017-02-03 17:50:47.193695628 +0100 @@ -1,22 +1,13 @@ diff --git a/Makefile b/Makefile +index c824ba2..a5abe7b 100644 --- a/Makefile +++ b/Makefile -@@ -39,17 +39,17 @@ include $(CORE_DEPTH)/coreconf/rules.mk - ####################################################################### - - - - ####################################################################### +@@ -46,7 +46,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (7) Execute "local" rules. (OPTIONAL). # ####################################################################### --nss_build_all: build_nspr all -+nss_build_all: all +-nss_build_all: build_nspr all latest ++nss_build_all: all latest nss_clean_all: clobber_nspr clobber - NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status - NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure - - # - # Translate coreconf build options to NSPR configure options.
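Review bot: In the mozilla-nss.changes hunk, under the 3.28 "Notable Changes", the deprecation line names the same function twice: "The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are now deprecated." The replacements listed immediately before it are the pair SSL_SignatureSchemePrefSet and SSL_SignatureSchemePrefGet, so the second deprecated name was presumably meant to be SSL_SignaturePrefGet. Please correct it so that anyone searching their code for the deprecated calls finds both.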
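Review bot: The new "export NSS_ENABLE_TLS_1_3=1" in the build section of mozilla-nss.spec (hunk @@ -200,6 +198,7 @@) has no changelog entry of its own. The mozilla-nss.changes text only quotes the upstream note that the TLS 1.3 (draft) protocol "can be enabled, by defining NSS_ENABLE_TLS_1_3=1 when building NSS"; it never states that this package now does so. Because this compiles in support for draft -18 of a protocol that is still a draft, please add an explicit packaging line to the changes entry and a short comment next to the export in the spec, so the decision is visible to anyone auditing the distribution's TLS configuration.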
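Review bot: The NSPR minimum version is now a literal repeated in two places in mozilla-nss.spec: "BuildRequires: mozilla-nspr-devel >= 4.13.1" (hunk @@ -17,15 +17,15 @@) and "Requires: mozilla-nspr-devel >= 4.13.1" (hunk @@ -88,7 +87,7 @@). Before this change the two had already drifted apart (4.12 and 4.9). Consider defining the value once with a %global, as the spec already does for nss_softokn_fips_version, and referencing it in both lines so that a future bump cannot update one and miss the other.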
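Review bot: In the refreshed system-nspr.patch (hunk @@ -46,7 +46,7 @@), build_nspr is dropped from nss_build_all, but the context line right after it still reads "nss_clean_all: clobber_nspr clobber". With the build now relying on the system NSPR, the clean target still depends on a rule for the bundled NSPR tree. The earlier version of the patch left that line alone as well, so this may be intentional; if so, a one-line note in the patch header would help, otherwise drop clobber_nspr from nss_clean_all for consistency.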