Sun Apr 17 19:27:10 2016 UTC
Update to 3.23

Changelog:
The NSS team has released Network Security Services (NSS) 3.23, which is a minor
release.

The following security-relevant bug has been resolved in NSS 3.23.
Users are encouraged to upgrade immediately.

* Bug 1245528 (CVE-2016-1950):
  Fixed a heap-based buffer overflow related to the parsing of certain ASN.1
  structures. An attacker could create a specially-crafted certificate which,
  when parsed by NSS, would cause a crash or execution of arbitrary code with
  the permissions of the user.

New functionality:
* ChaCha20/Poly1305 cipher and TLS cipher suites now supported
  (bug 917571, bug 1227905)
* Experimental-only support for TLS 1.3 1-RTT mode (draft-11).
  This code is not ready for production use.

New Functions:
* SSL_SetDowngradeCheckVersion - Set maximum version for new ServerRandom
  anti-downgrade mechanism

Notable Changes:
* The copy of SQLite shipped with NSS has been updated to version 3.10.2
  (bug 1234698)
* The list of TLS extensions sent in the TLS handshake has been reordered
  to improve compatibility of the Extended Master Secret feature
  with servers (bug 1243641)
* The build time environment variable NSS_ENABLE_ZLIB has been renamed
  to NSS_SSL_ENABLE_ZLIB (Bug 1243872).
* The build time environment variable NSS_DISABLE_CHACHAPOLY was added,
  which can be used to prevent compilation of the ChaCha20/Poly1305 code.
* The following CA certificates were removed:
  - Staat der Nederlanden Root CA
  - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  - NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado
  - VeriSign Class 1 Public PCA – G2
  - VeriSign Class 3 Public PCA
  - VeriSign Class 3 Public PCA – G2
  - CA Disig
* The following CA certificates were added:
  - SZAFIR ROOT CA2
  - Certum Trusted Network CA 2
* The following CA certificate had the Email trust bit turned on:
  - Actalis Authentication Root CA

The full release notes, including the SHA256 fingerprints of the changed
CA certificates, are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes


(ryoon)
diff -r1.112 -r1.113 pkgsrc/devel/nss/Makefile
diff -r1.58 -r1.59 pkgsrc/devel/nss/distinfo
diff -r1.4 -r1.5 pkgsrc/devel/nss/patches/patch-mf
diff -r1.1 -r1.2 pkgsrc/devel/nss/patches/patch-nss_coreconf_command.mk

cvs diff -r1.112 -r1.113 pkgsrc/devel/nss/Makefile

--- pkgsrc/devel/nss/Makefile 2016/04/11 19:01:48 1.112
+++ pkgsrc/devel/nss/Makefile 2016/04/17 19:27:10 1.113
@@ -1,18 +1,17 @@ @@ -1,18 +1,17 @@
1# $NetBSD: Makefile,v 1.112 2016/04/11 19:01:48 ryoon Exp $ 1# $NetBSD: Makefile,v 1.113 2016/04/17 19:27:10 ryoon Exp $
2 2
3DISTNAME= nss-${NSS_RELEASE:S/.0$//} 3DISTNAME= nss-${NSS_RELEASE:S/.0$//}
4NSS_RELEASE= 3.22.3 4NSS_RELEASE= 3.23.0
5PKGREVISION= 1 
6CATEGORIES= security 5CATEGORIES= security
7MASTER_SITES= ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_RELEASE:S/.0$//:S/./_/g}_RTM/src/} 6MASTER_SITES= ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_RELEASE:S/.0$//:S/./_/g}_RTM/src/}
8 7
9MAINTAINER= pkgsrc-users@NetBSD.org 8MAINTAINER= pkgsrc-users@NetBSD.org
10HOMEPAGE= http://www.mozilla.org/projects/security/pki/nss/ 9HOMEPAGE= http://www.mozilla.org/projects/security/pki/nss/
11COMMENT= Libraries to support development of security-enabled applications 10COMMENT= Libraries to support development of security-enabled applications
12LICENSE= mpl-2.0 11LICENSE= mpl-2.0
13 12
14CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}nss/tests/libpkix/libpkix.sh 13CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}nss/tests/libpkix/libpkix.sh
15CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}nss/tests/multinit/multinit.sh 14CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}nss/tests/multinit/multinit.sh
16CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}js/src/configure 15CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}js/src/configure
17CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}configure 16CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}configure
18 17
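Review bot: HOMEPAGE in the unchanged context of this hunk is still a plain http:// URL for a package in CATEGORIES= security; since the file is being touched for a security update anyway, consider switching it to an https:// address if the project serves one. The rest of the hunk is consistent: with NSS_RELEASE= 3.23.0 the :S/.0$// modifier on DISTNAME yields nss-3.23, and dropping PKGREVISION on a version bump is expected.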

cvs diff -r1.58 -r1.59 pkgsrc/devel/nss/distinfo

--- pkgsrc/devel/nss/distinfo 2016/03/15 03:12:06 1.58
+++ pkgsrc/devel/nss/distinfo 2016/04/17 19:27:10 1.59
@@ -1,20 +1,20 @@ @@ -1,20 +1,20 @@
1$NetBSD: distinfo,v 1.58 2016/03/15 03:12:06 ryoon Exp $ 1$NetBSD: distinfo,v 1.59 2016/04/17 19:27:10 ryoon Exp $
2 2
3SHA1 (nss-3.22.3.tar.gz) = ae1310106a91fa24aa2e5a718ff7be20fcc852d5 3SHA1 (nss-3.23.tar.gz) = 5cb30a18d601d5f2bb635df6213ae3e93f754fe8
4RMD160 (nss-3.22.3.tar.gz) = 469f667d671738cf789bdb6a7a29a300cbe987f9 4RMD160 (nss-3.23.tar.gz) = 2cb9a448ec60a00edd7cf5a08321dd6583d03cb9
5SHA512 (nss-3.22.3.tar.gz) = eaffe0061f2d99d8cd69db267acfad443ce2123862d612b26d3b641c982b6e80b18d4e9e6c97d4115f030040390fff7579af35c73f225c278b84c17e3ac1853d 5SHA512 (nss-3.23.tar.gz) = f3e388a415493685faa6df932e9e968af41ea2e8e4cba3fbd539c60177443e4042e8d2e2bfe74183552e14522d49048be2f80fbe038bdbd499971e82abf2cc32
6Size (nss-3.22.3.tar.gz) = 6981457 bytes 6Size (nss-3.23.tar.gz) = 7467001 bytes
7SHA1 (patch-am) = ee4c4beeb120397852fc4b06b7dd54534d0d5ac5 7SHA1 (patch-am) = ee4c4beeb120397852fc4b06b7dd54534d0d5ac5
8SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69 8SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69
9SHA1 (patch-md) = 0a09fd2abb8674a2d301f1b6a5331af5db94178f 9SHA1 (patch-md) = 0a09fd2abb8674a2d301f1b6a5331af5db94178f
10SHA1 (patch-me) = e785e4e12b54f2618746a550a09593c2eede5f65 10SHA1 (patch-me) = e785e4e12b54f2618746a550a09593c2eede5f65
11SHA1 (patch-mf) = 64d3b2cc09ffbc9c4e8ffdb68cb2fa89b6897e8c 11SHA1 (patch-mf) = 534fe5f711f60dadc3432bc805a6153535f11709
12SHA1 (patch-mg) = 3c878548c98bdea559a3e653e63e0ed22a2a8834 12SHA1 (patch-mg) = 3c878548c98bdea559a3e653e63e0ed22a2a8834
13SHA1 (patch-mh) = a46d3098a85c3a4a57895a9845bc1741fc5e9561 13SHA1 (patch-mh) = a46d3098a85c3a4a57895a9845bc1741fc5e9561
14SHA1 (patch-mj) = 08ca1a37afce99e0292a20348fc6855547f44e8a 14SHA1 (patch-mj) = 08ca1a37afce99e0292a20348fc6855547f44e8a
15SHA1 (patch-mn) = 5b79783e48249044be1a904a6cfd20ba175b5fd4 15SHA1 (patch-mn) = 5b79783e48249044be1a904a6cfd20ba175b5fd4
16SHA1 (patch-nss_cmd_platlibs.mk) = 7dadcb72acf15714c61ae74b21c5baf45bc51d4c 16SHA1 (patch-nss_cmd_platlibs.mk) = 7dadcb72acf15714c61ae74b21c5baf45bc51d4c
17SHA1 (patch-nss_coreconf_OpenBSD.mk) = fa545c993038e99bf9f59b59ec1d0bd1f6c192a9 17SHA1 (patch-nss_coreconf_OpenBSD.mk) = fa545c993038e99bf9f59b59ec1d0bd1f6c192a9
18SHA1 (patch-nss_coreconf_command.mk) = 007b7adb79d300ae73ee4cd71b7314c665172e31 18SHA1 (patch-nss_coreconf_command.mk) = 182d513f40fa9c16006601dd7a7a654bb3139828
19SHA1 (patch-nss_lib_freebl_config.mk) = 1c198177da8ba7928cbfbd23e385503be99ebe27 19SHA1 (patch-nss_lib_freebl_config.mk) = 1c198177da8ba7928cbfbd23e385503be99ebe27
20SHA1 (patch-security_nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388af 20SHA1 (patch-security_nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388af
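Review bot: The SHA1, RMD160, SHA512 and Size lines for nss-3.23.tar.gz record what was fetched, but nothing in this change says the tarball was compared against a digest published by upstream; for an update that fixes CVE-2016-1950 it would help to state in the commit message how the distfile was verified. The other changed entries, patch-mf and patch-nss_coreconf_command.mk, match the two patch files revised in this commit; note that patch entries carry SHA1 only, so on the distfile it is the SHA512 line that provides the meaningful integrity check.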

cvs diff -r1.4 -r1.5 pkgsrc/devel/nss/patches/patch-mf

--- pkgsrc/devel/nss/patches/patch-mf 2013/07/20 09:28:12 1.4
+++ pkgsrc/devel/nss/patches/patch-mf 2016/04/17 19:27:10 1.5
@@ -1,23 +1,24 @@ @@ -1,23 +1,24 @@
1$NetBSD: patch-mf,v 1.4 2013/07/20 09:28:12 ryoon Exp $ 1$NetBSD: patch-mf,v 1.5 2016/04/17 19:27:10 ryoon Exp $
2 2
3Add DragonFly support. 3Add DragonFly support.
4Make sure nss libraries have a run path defined. 4Make sure nss libraries have a run path defined.
5 5
6--- nss/coreconf/config.mk.orig 2013-06-27 17:58:08.000000000 +0000 6--- nss/coreconf/config.mk.orig 2016-02-26 20:51:11.000000000 +0000
7+++ nss/coreconf/config.mk 7+++ nss/coreconf/config.mk
8@@ -31,7 +31,7 @@ endif 8@@ -31,7 +31,7 @@ endif
9 ####################################################################### 9 #######################################################################
10  10
11 TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \ 11 TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \
12- AIX RISCOS WINNT WIN95 Linux Android 12- AIX RISCOS WINNT WIN95 Linux Android
13+ AIX RISCOS WINNT WIN95 Linux Android DragonFly 13+ AIX RISCOS WINNT WIN95 Linux Android DragonFly
14  14
15 ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET))) 15 ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
16 include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk 16 include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
17@@ -179,5 +179,6 @@ endif 17@@ -187,6 +187,7 @@ endif
18 DEFINES += -DUSE_UTIL_DIRECTLY 18 DEFINES += -DUSE_UTIL_DIRECTLY
19 USE_UTIL_DIRECTLY = 1 19 USE_UTIL_DIRECTLY = 1
20  20
21+EXTRA_SHARED_LIBS += -Wl,-R${PREFIX}/lib/${MOZILLA_PKG_NAME} 21+EXTRA_SHARED_LIBS += -Wl,-R${PREFIX}/lib/${MOZILLA_PKG_NAME}
22 # Build with NO_NSPR_10_SUPPORT to avoid using obsolete NSPR features 22 # Build with NO_NSPR_10_SUPPORT to avoid using obsolete NSPR features
23 DEFINES += -DNO_NSPR_10_SUPPORT 23 DEFINES += -DNO_NSPR_10_SUPPORT
 24
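Review bot: The added EXTRA_SHARED_LIBS line builds the run path from ${PREFIX} and ${MOZILLA_PKG_NAME}, neither of which is defined anywhere in the visible part of nss/coreconf/config.mk; if either is empty when the NSS makefiles run, the linker gets -R/lib/ or a path ending in a bare slash, and the libraries would search a directory the package does not control. Confirm that both variables are passed into the NSS build from the package Makefile, and consider saying so in the patch comment next to "Make sure nss libraries have a run path defined." The second hunk header moved from -179,5 +179,6 to -187,6 +187,7 and gained a trailing line, so it is also worth checking that the regenerated patch still applies without fuzz.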

cvs diff -r1.1 -r1.2 pkgsrc/devel/nss/patches/patch-nss_coreconf_command.mk

--- pkgsrc/devel/nss/patches/patch-nss_coreconf_command.mk 2015/12/17 13:39:59 1.1
+++ pkgsrc/devel/nss/patches/patch-nss_coreconf_command.mk 2016/04/17 19:27:10 1.2
@@ -1,15 +1,15 @@ @@ -1,15 +1,15 @@
1$NetBSD: patch-nss_coreconf_command.mk,v 1.1 2015/12/17 13:39:59 ryoon Exp $ 1$NetBSD: patch-nss_coreconf_command.mk,v 1.2 2016/04/17 19:27:10 ryoon Exp $
2 2
3* Pass CFLAGS from pkgsrc 3* Pass CFLAGS from pkgsrc
4 4
5--- nss/coreconf/command.mk.orig 2015-11-09 05:12:59.000000000 +0000 5--- nss/coreconf/command.mk.orig 2016-02-26 20:51:11.000000000 +0000
6+++ nss/coreconf/command.mk 6+++ nss/coreconf/command.mk
7@@ -12,7 +12,7 @@ AS = $(CC) 7@@ -12,7 +12,7 @@ AS = $(CC)
8 ASFLAGS += $(CFLAGS) 8 ASFLAGS += $(CFLAGS)
9 CCF = $(CC) $(CFLAGS) 9 CCF = $(CC) $(CFLAGS)
10 LINK_DLL = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS) 10 LINK_DLL = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS)
11-CFLAGS = $(OPTIMIZER) $(OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \ 11-CFLAGS = $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \
12+CFLAGS += $(OPTIMIZER) $(OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \ 12+CFLAGS += $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \
13 $(XCFLAGS) 13 $(DEFINES) $(INCLUDES) $(XCFLAGS)
14 PERL = perl 14 PERL = perl
15 RANLIB = echo 15 RANLIB = echo
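Review bot: On the CFLAGS += line, the flags supplied by pkgsrc end up before $(OPTIMIZER), $(OS_CFLAGS) and the $(WARNING_CFLAGS) that upstream now includes, so wherever an option is given twice the upstream value is the later one on the compiler command line. If "Pass CFLAGS from pkgsrc" is meant to let pkgsrc optimisation or hardening flags take effect, check a build log to see which setting wins, and record the intended precedence in the patch comment. The new $(WARNING_CFLAGS) term is also worth a look in that log, since its contents are not visible in this hunk and it now applies to every compile.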