From 0fd0ef5232c651ed72ab64204629f37bd4dc29a8 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Dec 09 2013 17:16:45 +0000
Subject: Merge branch 'f20' into f19
---
diff --git a/.gitignore b/.gitignore
index 25fde7a..4cb9016 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,4 +8,4 @@ TestCA.ca.cert
 TestUser50.cert
 TestUser51.cert
 /nss-pem-20130828.tar.bz2
-/nss-3.15.2.tar.gz
+/nss-3.15.3.tar.gz
diff --git a/certutil_keyOpFlagsFix.patch b/certutil_keyOpFlagsFix.patch
new file mode 100644
index 0000000..94724ff
--- /dev/null
+++ b/certutil_keyOpFlagsFix.patch
@@ -0,0 +1,24 @@
+diff --git a/doc/certutil.xml b/doc/certutil.xml
+--- a/doc/certutil.xml
++++ b/doc/certutil.xml
+@@ -655,18 +655,18 @@ of the attribute codes:
+ 
+ 
+ --keyAttrFlags attrflags
+ 
+ PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
+ 
+ 
+ 
+- --keyFlagsOn opflags
+- --keyFlagsOff opflags
++ --keyOpFlagsOn opflags
++ --keyOpFlagsOff opflags
+ 
+ PKCS #11 key Operation Flags.
+ Comma separated list of one or more of the following:
+ {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
+ 
+ 
+ 
+ 
diff --git a/document-certutil-email-option.patch b/document-certutil-email-option.patch
new file mode 100644
index 0000000..b9ca7e1
--- /dev/null
+++ b/document-certutil-email-option.patch
@@ -0,0 +1,25 @@ +diff --git a/doc/certutil.xml b/doc/certutil.xml +--- a/doc/certutil.xml ++++ b/doc/certutil.xml +@@ -204,16 +204,21 @@ If this option is not used, the validity + + + + -e + Check a certificate's signature during the process of validating a certificate. + + + ++ --email email-address ++ Specify the email address, used with the -L command option to print a single named certificate. ++ ++ ++ + -f password-file + Specify a file that will automatically supply the password to include in a certificate + or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent + unauthorized access to this file. + + + + -g keysize diff --git a/manpages-fixes.patch b/manpages-fixes.patch deleted file mode 100644 index dd419b9..0000000 --- a/manpages-fixes.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -diff --git a/doc/certutil.xml b/doc/certutil.xml ---- a/doc/certutil.xml -+++ b/doc/certutil.xml -@@ -634,16 +634,37 @@ of the attribute codes: - - - - --extSKID - Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280. - - - -+ --extNC -+ Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280. -+ -+ -+ -+ --keyAttrFlags attrflags -+ -+PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} -+ -+ -+ -+ --keyFlagsOn opflags -+ --keyFlagsOff opflags -+ -+PKCS #11 key Operation Flags. -+Comma separated list of one or more of the following: -+{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} -+ -+ -+ -+ - --source-dir certdir - Identify the certificate database directory to upgrade. - - - - --source-prefix certdir - Give the prefix of the certificate and key databases to upgrade. 
- -@@ -795,17 +816,17 @@ JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0C - XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk - 0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB - AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B - AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09 - XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF - ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg== - -----END CERTIFICATE----- - --For a humam-readable display -+For a human-readable display - $ certutil -L -d sql:$HOME/nssdb -n my-ca-cert - Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3650 (0xe42) - Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption - Issuer: "CN=Example CA" - Validity: -diff --git a/doc/cmsutil.xml b/doc/cmsutil.xml ---- a/doc/cmsutil.xml -+++ b/doc/cmsutil.xml -@@ -84,19 +84,26 @@ The options and arguments for the cmsuti - - -S - Sign a message. - - - - - Arguments -- Option arguments modify an action and are lowercase. -+ Option arguments modify an action. - - -+ -b -+ -+ Decode a batch of files named in infile. -+ -+ -+ -+ - -c content - - Use this detached content (decode only). - - - - - -d dbdir -@@ -108,37 +115,58 @@ The options and arguments for the cmsuti - - -e envfile - - Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only). - - - - -+ -f pwfile -+ -+ Use password file to set password on all PKCS#11 tokens. -+ -+ -+ -+ - -G - - Include a signing time attribute (sign only). - - -- -+ -+ -+ -H hash -+ -+ Use specified hash algorithm (default:SHA1). -+ -+ -+ - - -h num - - Generate email headers with info about CMS message (decode only). - - - - - -i infile - - Use infile as a source of data (default is stdin). 
- - - - -+ -k -+ -+ Keep decoded encryption certs in permanent cert db. -+ -+ -+ -+ - -N nickname - - Specify nickname of certificate to sign with (sign only). - - - - - -n -@@ -188,16 +216,23 @@ For certificates-only message, list of c - - -u certusage - - Set type of cert usage (default is certUsageEmailSigner). - - - - -+ -v -+ -+ Print debugging information. -+ -+ -+ -+ - -Y ekprefnick - - Specify an encryption key preference by nickname. - - - - - -diff --git a/doc/crlutil.xml b/doc/crlutil.xml ---- a/doc/crlutil.xml -+++ b/doc/crlutil.xml -@@ -261,16 +261,30 @@ Specify type of CRL. possible types are: - -u url - - - Specify the url. - - - - -+ -+ -w pwd-string -+ -+ Provide db password in command line. -+ -+ -+ -+ -+ -Z algorithm -+ -+ Specify the hash algorithm to use for signing the CRL. -+ -+ -+ - - - - - CRL Generation script syntax - CRL generation script file has the following syntax: - - * Line with comments should have # as a first symbol of a line diff --git a/nss.spec b/nss.spec index 5ca3bb8..bf7f3b5 100644 --- a/nss.spec +++ b/nss.spec @@ -1,7 +1,7 @@ -%global nspr_version 4.10.1 -%global nss_util_version 3.15.2 -%global nss_softokn_fips_version 3.12.9 -%global nss_softokn_version 3.15.2 +%global nspr_version 4.10.2 +%global nss_util_version 3.15.3 +%global nss_softokn_fips_version 3.13.5 +%global nss_softokn_version 3.15.3 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" @@ -19,8 +19,8 @@ Summary: Network Security Services Name: nss -Version: 3.15.2 -Release: 2%{?dist} +Version: 3.15.3 +Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries 
@@ -81,8 +81,6 @@ Patch18: nss-646045.patch Patch25: nsspem-use-system-freebl.patch # This patch is currently meant for stable branches Patch29: nss-ssl-cbc-random-iv-off-by-default.patch -# Prevent users from trying to enable ssl pkcs11 bypass -# Patch39: nss-ssl-enforce-no-pkcs11-bypass.path # TODO: Remove this patch when the ocsp test are fixed Patch40: nss-3.14.0.0-disble-ocsp-test.patch Patch44: 0001-sync-up-with-upstream-softokn-changes.patch @@ -97,6 +95,10 @@ Patch48: nss-versus-softoken-tests.patch # TODO remove when we switch to building nss without softoken Patch49: nss-skip-bltest-and-fipstest.patch Patch50: iquote.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001 +Patch54: document-certutil-email-option.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=937677 +Patch57: certutil_keyOpFlagsFix.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -182,7 +184,6 @@ low level services. %patch25 -p0 -b .systemfreebl # activate for stable and beta branches %patch29 -p0 -b .cbcrandomivoff -# %%patch39 -p0 -b .nobypass %patch40 -p0 -b .noocsptest %patch44 -p1 -b .syncupwithupstream %patch45 -p0 -b .notrash @@ -191,6 +192,10 @@ low level services. %patch48 -p0 -b .crypto %patch49 -p0 -b .skipthem %patch50 -p0 -b .iquote +pushd nss +%patch54 -p1 -b .948495 +%patch57 -p1 -b .948495 +popd ######################################################### # Higher-level libraries and test tools need access to 
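Review bot: The two new `%patch` lines in the last hunk (`%patch54` and `%patch57`) pass the same backup suffix `-b .948495`, and both patches modify the same file `doc/certutil.xml`, so the backup written when the first patch applies is likely overwritten when the second one does and no longer holds the pristine file. The suffix also matches neither upstream bug cited on the new Patch54/Patch57 lines (932001 and 937677), which makes the backups hard to trace back to a change. Distinct, descriptive suffixes avoid both problems: `%patch54 -p1 -b .emailopt` and `%patch57 -p1 -b .keyopflags`.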
@@ -527,6 +532,10 @@ done %{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config # Copy the pkcs #11 configuration script %{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh +# install a symbolic link to it, without the ".sh" suffix, +# that matches the man page documentation +ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit + # Copy the man pages for scripts for f in nss-config setup-nsssysinit; do install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 @@ -628,6 +637,8 @@ fi %attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz %attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz %{_bindir}/setup-nsssysinit.sh +# symbolic link to setup-nsssysinit.sh +%{_bindir}/setup-nsssysinit %attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz %files tools @@ -742,6 +753,14 @@ fi %changelog +* Wed Dec 04 2013 Elio Maldonado - 3.15.3-1 +- Update to NSS_3_15_3_RTM +- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws +- Fix option descriptions for setup-nsssysinit manpage +- Fix man page of nss-sysinit wrong path and other flaws +- Install symlink to setup-nsssysinit.sh, without suffix, to match manpage +- Remove unused patches + * Sun Oct 27 2013 Elio Maldonado - 3.15.2-2 - Use the full pristine sources from upstream - Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird diff --git a/setup-nsssysinit.xml b/setup-nsssysinit.xml index 0560cc1..5b9827f 100644 --- a/setup-nsssysinit.xml +++ b/setup-nsssysinit.xml @@ -27,13 +27,9 @@ setup-nsssysinit - - - - - - - + + + @@ -49,17 +45,17 @@ - + Turn on nss-sysinit. - + Turn on nss-sysinit. - count + returns whether nss-syinit is enabled or not. 
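Review bot: The new `ln -r -s -f` line in the first hunk relies on the `-r` option (a GNU coreutils addition) to derive the relative link target from two absolute buildroot paths. Since the link and its target live in the same directory, the target can be written explicitly, which needs no `-r` support and can never leak the buildroot prefix into the installed link: `ln -s -f setup-nsssysinit.sh $RPM_BUILD_ROOT%{_bindir}/setup-nsssysinit`. That form also drops the `$RPM_BUILD_ROOT/%{_bindir}` double slash the new line inherits from its neighbours. The `%files` hunk below already lists the matching `%{_bindir}/setup-nsssysinit` entry, so nothing further is needed there.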
@@ -71,13 +67,13 @@ The following example will query for the status of nss-sysinit: - /usr/bin/setup-nsssysinit --status + /usr/bin/setup-nsssysinit status The following example, when run as superuser, will turn on nss-sysinit: - /usr/bin/setup-nsssysinit --on + /usr/bin/setup-nsssysinit on @@ -85,7 +81,7 @@ Files - /usr/sbin/setup-nsssysinit + /usr/bin/setup-nsssysinit diff --git a/sources b/sources index 2a414c9..f7b6e77 100644 --- a/sources +++ b/sources @@ -8,4 +8,4 @@ f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert 1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert e82dd2b9520f9d0f5d101e7710d59656 nss-pem-20130828.tar.bz2 -154223568f9734c76c164b46c774450c nss-3.15.2.tar.gz +1bb267452359bd37e34d072a215873d5 nss-3.15.3.tar.gz