Update to 3.23

Changelog:
The NSS team has released Network Security Services (NSS) 3.23, which is a minor release.

The following security-relevant bug has been resolved in NSS 3.23. Users are encouraged to upgrade immediately.
* Bug 1245528 (CVE-2016-1950): Fixed a heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or execution of arbitrary code with the permissions of the user.

New functionality:
* ChaCha20/Poly1305 cipher and TLS cipher suites now supported (bug 917571, bug 1227905)
* Experimental-only support TLS 1.3 1-RTT mode (draft-11). This code is not ready for production use.

New Functions:
* SSL_SetDowngradeCheckVersion - Set maximum version for new ServerRandom anti-downgrade mechanism

Notable Changes:
* The copy of SQLite shipped with NSS has been updated to version 3.10.2 (bug 1234698)
* The list of TLS extensions sent in the TLS handshake has been reordered to improve compatibility of the Extended Master Secret feature with servers (bug 1243641)
* The build time environment variable NSS_ENABLE_ZLIB has been renamed to NSS_SSL_ENABLE_ZLIB (Bug 1243872).
* The build time environment variable NSS_DISABLE_CHACHAPOLY was added, which can be used to prevent compilation of the ChaCha20/Poly1305 code.
* The following CA certificates were Removed
  - Staat der Nederlanden Root CA
  - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  - NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado
  - VeriSign Class 1 Public PCA – G2
  - VeriSign Class 3 Public PCA
  - VeriSign Class 3 Public PCA – G2
  - CA Disig
* The following CA certificates were Added
  - SZAFIR ROOT CA2
  - Certum Trusted Network CA 2
* The following CA certificate had the Email trust bit turned on
  - Actalis Authentication Root CA

The full release notes, including the SHA256 fingerprints of the changed CA certificates, are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes

diff -r1.112 -r1.113 pkgsrc/devel/nss/Makefile
(ryoon)
@@ -1,18 +1,17 @@ | @@ -1,18 +1,17 @@ | |||
1 | # $NetBSD: Makefile,v 1.112 2016/04/11 19:01:48 ryoon Exp $ | 1 | # $NetBSD: Makefile,v 1.113 2016/04/17 19:27:10 ryoon Exp $ | |
2 | 2 | |||
3 | DISTNAME= nss-${NSS_RELEASE:S/.0$//} | 3 | DISTNAME= nss-${NSS_RELEASE:S/.0$//} | |
4 | NSS_RELEASE= 3.22.3 | 4 | NSS_RELEASE= 3.23.0 | |
5 | PKGREVISION= 1 | |||
6 | CATEGORIES= security | 5 | CATEGORIES= security | |
7 | MASTER_SITES= ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_RELEASE:S/.0$//:S/./_/g}_RTM/src/} | 6 | MASTER_SITES= ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_RELEASE:S/.0$//:S/./_/g}_RTM/src/} | |
8 | 7 | |||
9 | MAINTAINER= pkgsrc-users@NetBSD.org | 8 | MAINTAINER= pkgsrc-users@NetBSD.org | |
10 | HOMEPAGE= http://www.mozilla.org/projects/security/pki/nss/ | 9 | HOMEPAGE= http://www.mozilla.org/projects/security/pki/nss/ | |
11 | COMMENT= Libraries to support development of security-enabled applications | 10 | COMMENT= Libraries to support development of security-enabled applications | |
12 | LICENSE= mpl-2.0 | 11 | LICENSE= mpl-2.0 | |
13 | 12 | |||
14 | CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}nss/tests/libpkix/libpkix.sh | 13 | CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}nss/tests/libpkix/libpkix.sh | |
15 | CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}nss/tests/multinit/multinit.sh | 14 | CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}nss/tests/multinit/multinit.sh | |
16 | CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}js/src/configure | 15 | CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}js/src/configure | |
17 | CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}configure | 16 | CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}configure | |
18 | 17 |
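Review bot: HOMEPAGE on new line 9 still points at a plain http:// URL, which is worth moving to https for a security library while this file is being touched. Separately, the log message says NSS_ENABLE_ZLIB was renamed to NSS_SSL_ENABLE_ZLIB, and this hunk shows only the first 17 lines of the Makefile, so please confirm that nothing further down still sets the old name, since a stale variable would be silently ignored by the 3.23 build. Dropping PKGREVISION together with the NSS_RELEASE bump on lines 4 and 5 is correct.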
@@ -1,20 +1,20 @@ | @@ -1,20 +1,20 @@ | |||
1 | $NetBSD: distinfo,v 1.58 2016/03/15 03:12:06 ryoon Exp $ | 1 | $NetBSD: distinfo,v 1.59 2016/04/17 19:27:10 ryoon Exp $ | |
2 | 2 | |||
3 | SHA1 (nss-3.22.3.tar.gz) = ae1310106a91fa24aa2e5a718ff7be20fcc852d5 | 3 | SHA1 (nss-3.23.tar.gz) = 5cb30a18d601d5f2bb635df6213ae3e93f754fe8 | |
4 | RMD160 (nss-3.22.3.tar.gz) = 469f667d671738cf789bdb6a7a29a300cbe987f9 | 4 | RMD160 (nss-3.23.tar.gz) = 2cb9a448ec60a00edd7cf5a08321dd6583d03cb9 | |
5 | SHA512 (nss-3.22.3.tar.gz) = eaffe0061f2d99d8cd69db267acfad443ce2123862d612b26d3b641c982b6e80b18d4e9e6c97d4115f030040390fff7579af35c73f225c278b84c17e3ac1853d | 5 | SHA512 (nss-3.23.tar.gz) = f3e388a415493685faa6df932e9e968af41ea2e8e4cba3fbd539c60177443e4042e8d2e2bfe74183552e14522d49048be2f80fbe038bdbd499971e82abf2cc32 | |
6 | Size (nss-3.22.3.tar.gz) = 6981457 bytes | 6 | Size (nss-3.23.tar.gz) = 7467001 bytes | |
7 | SHA1 (patch-am) = ee4c4beeb120397852fc4b06b7dd54534d0d5ac5 | 7 | SHA1 (patch-am) = ee4c4beeb120397852fc4b06b7dd54534d0d5ac5 | |
8 | SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69 | 8 | SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69 | |
9 | SHA1 (patch-md) = 0a09fd2abb8674a2d301f1b6a5331af5db94178f | 9 | SHA1 (patch-md) = 0a09fd2abb8674a2d301f1b6a5331af5db94178f | |
10 | SHA1 (patch-me) = e785e4e12b54f2618746a550a09593c2eede5f65 | 10 | SHA1 (patch-me) = e785e4e12b54f2618746a550a09593c2eede5f65 | |
11 | SHA1 (patch-mf) = 64d3b2cc09ffbc9c4e8ffdb68cb2fa89b6897e8c | 11 | SHA1 (patch-mf) = 534fe5f711f60dadc3432bc805a6153535f11709 | |
12 | SHA1 (patch-mg) = 3c878548c98bdea559a3e653e63e0ed22a2a8834 | 12 | SHA1 (patch-mg) = 3c878548c98bdea559a3e653e63e0ed22a2a8834 | |
13 | SHA1 (patch-mh) = a46d3098a85c3a4a57895a9845bc1741fc5e9561 | 13 | SHA1 (patch-mh) = a46d3098a85c3a4a57895a9845bc1741fc5e9561 | |
14 | SHA1 (patch-mj) = 08ca1a37afce99e0292a20348fc6855547f44e8a | 14 | SHA1 (patch-mj) = 08ca1a37afce99e0292a20348fc6855547f44e8a | |
15 | SHA1 (patch-mn) = 5b79783e48249044be1a904a6cfd20ba175b5fd4 | 15 | SHA1 (patch-mn) = 5b79783e48249044be1a904a6cfd20ba175b5fd4 | |
16 | SHA1 (patch-nss_cmd_platlibs.mk) = 7dadcb72acf15714c61ae74b21c5baf45bc51d4c | 16 | SHA1 (patch-nss_cmd_platlibs.mk) = 7dadcb72acf15714c61ae74b21c5baf45bc51d4c | |
17 | SHA1 (patch-nss_coreconf_OpenBSD.mk) = fa545c993038e99bf9f59b59ec1d0bd1f6c192a9 | 17 | SHA1 (patch-nss_coreconf_OpenBSD.mk) = fa545c993038e99bf9f59b59ec1d0bd1f6c192a9 | |
18 | SHA1 (patch-nss_coreconf_command.mk) = 007b7adb79d300ae73ee4cd71b7314c665172e31 | 18 | SHA1 (patch-nss_coreconf_command.mk) = 182d513f40fa9c16006601dd7a7a654bb3139828 | |
19 | SHA1 (patch-nss_lib_freebl_config.mk) = 1c198177da8ba7928cbfbd23e385503be99ebe27 | 19 | SHA1 (patch-nss_lib_freebl_config.mk) = 1c198177da8ba7928cbfbd23e385503be99ebe27 | |
20 | SHA1 (patch-security_nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388af | 20 | SHA1 (patch-security_nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388af |
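Review bot: the patch-* entries on lines 7 to 20 are recorded with SHA1 only, while the distfile on lines 3 to 5 also carries RMD160 and SHA512, so the integrity of the local patches rests on the weakest digest in the file; a stronger digest for the patch entries would be preferable wherever the infrastructure supports it. The two patch checksums that change here (patch-mf on line 11 and patch-nss_coreconf_command.mk on line 18) match the two patch files revised in this commit, and the new SHA512 on line 5 should be compared against the value published with the upstream 3.23 release before it is trusted.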
@@ -1,23 +1,24 @@ | @@ -1,23 +1,24 @@ | |||
1 | $NetBSD: patch-mf,v 1.4 2013/07/20 09:28:12 ryoon Exp $ | 1 | $NetBSD: patch-mf,v 1.5 2016/04/17 19:27:10 ryoon Exp $ | |
2 | 2 | |||
3 | Add DragonFly support. | 3 | Add DragonFly support. | |
4 | Make sure nss libraries have a run path defined. | 4 | Make sure nss libraries have a run path defined. | |
5 | 5 | |||
6 | --- nss/coreconf/config.mk.orig 2013-06-27 17:58:08.000000000 +0000 | 6 | --- nss/coreconf/config.mk.orig 2016-02-26 20:51:11.000000000 +0000 | |
7 | +++ nss/coreconf/config.mk | 7 | +++ nss/coreconf/config.mk | |
8 | @@ -31,7 +31,7 @@ endif | 8 | @@ -31,7 +31,7 @@ endif | |
9 | ####################################################################### | 9 | ####################################################################### | |
10 | 10 | |||
11 | TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \ | 11 | TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \ | |
12 | - AIX RISCOS WINNT WIN95 Linux Android | 12 | - AIX RISCOS WINNT WIN95 Linux Android | |
13 | + AIX RISCOS WINNT WIN95 Linux Android DragonFly | 13 | + AIX RISCOS WINNT WIN95 Linux Android DragonFly | |
14 | 14 | |||
15 | ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET))) | 15 | ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET))) | |
16 | include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk | 16 | include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk | |
17 | @@ -179,5 +179,6 @@ endif | 17 | @@ -187,6 +187,7 @@ endif | |
18 | DEFINES += -DUSE_UTIL_DIRECTLY | 18 | DEFINES += -DUSE_UTIL_DIRECTLY | |
19 | USE_UTIL_DIRECTLY = 1 | 19 | USE_UTIL_DIRECTLY = 1 | |
20 | 20 | |||
21 | +EXTRA_SHARED_LIBS += -Wl,-R${PREFIX}/lib/${MOZILLA_PKG_NAME} | 21 | +EXTRA_SHARED_LIBS += -Wl,-R${PREFIX}/lib/${MOZILLA_PKG_NAME} | |
22 | # Build with NO_NSPR_10_SUPPORT to avoid using obsolete NSPR features | 22 | # Build with NO_NSPR_10_SUPPORT to avoid using obsolete NSPR features | |
23 | DEFINES += -DNO_NSPR_10_SUPPORT | 23 | DEFINES += -DNO_NSPR_10_SUPPORT | |
24 |
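Review bot: the run path added on line 21, "EXTRA_SHARED_LIBS += -Wl,-R${PREFIX}/lib/${MOZILLA_PKG_NAME}", depends on PREFIX and MOZILLA_PKG_NAME both being defined inside the NSS build; if either expands to nothing the linker receives a truncated path such as /lib/ and the libraries will search a directory nobody intended. Nothing in this patch guards against that, so either wrap the line in a check that both variables are non-empty or verify the resulting run path on the built libraries with readelf -d. The patch body is otherwise unchanged from revision 1.4 apart from the shifted offset in the second inner hunk header (179 to 187), which is consistent with a plain regeneration against the 3.23 sources.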
@@ -1,15 +1,15 @@ | @@ -1,15 +1,15 @@ | |||
1 | $NetBSD: patch-nss_coreconf_command.mk,v 1.1 2015/12/17 13:39:59 ryoon Exp $ | 1 | $NetBSD: patch-nss_coreconf_command.mk,v 1.2 2016/04/17 19:27:10 ryoon Exp $ | |
2 | 2 | |||
3 | * Pass CFLAGS from pkgsrc | 3 | * Pass CFLAGS from pkgsrc | |
4 | 4 | |||
5 | --- nss/coreconf/command.mk.orig 2015-11-09 05:12:59.000000000 +0000 | 5 | --- nss/coreconf/command.mk.orig 2016-02-26 20:51:11.000000000 +0000 | |
6 | +++ nss/coreconf/command.mk | 6 | +++ nss/coreconf/command.mk | |
7 | @@ -12,7 +12,7 @@ AS = $(CC) | 7 | @@ -12,7 +12,7 @@ AS = $(CC) | |
8 | ASFLAGS += $(CFLAGS) | 8 | ASFLAGS += $(CFLAGS) | |
9 | CCF = $(CC) $(CFLAGS) | 9 | CCF = $(CC) $(CFLAGS) | |
10 | LINK_DLL = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS) | 10 | LINK_DLL = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS) | |
11 | -CFLAGS = $(OPTIMIZER) $(OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \ | 11 | -CFLAGS = $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \ | |
12 | +CFLAGS += $(OPTIMIZER) $(OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \ | 12 | +CFLAGS += $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \ | |
13 | $(XCFLAGS) | 13 | $(DEFINES) $(INCLUDES) $(XCFLAGS) | |
14 | PERL = perl | 14 | PERL = perl | |
15 | RANLIB = echo | 15 | RANLIB = echo |
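Review bot: with "CFLAGS +=" on line 12 the flags inherited from pkgsrc come first and $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) are appended after them, so wherever an option conflicts (optimisation level, warning or hardening switches) the upstream value is the one the compiler honours. If the intent of "Pass CFLAGS from pkgsrc" is that the pkgsrc flags take effect, check a build log for the final command line, or place the inherited flags after the upstream ones. Also note that "+=" makes the assignment cumulative: if command.mk is ever included twice in one make invocation, the whole flag set on lines 12 and 13 is appended a second time, which the original "=" did not do.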