Sun Apr 17 19:27:10 2016 UTC ()
Update to 3.23

Changelog:
The NSS team has released Network Security Services (NSS) 3.23, which is a minor
release.

The following security-relevant bug has been resolved in NSS 3.23.
Users are encouraged to upgrade immediately.

* Bug 1245528 (CVE-2016-1950):
  Fixed a heap-based buffer overflow related to the parsing of certain ASN.1
  structures. An attacker could create a specially-crafted certificate which,
  when parsed by NSS, would cause a crash or execution of arbitrary code with
  the permissions of the user.

New functionality:
* ChaCha20/Poly1305 cipher and TLS cipher suites now supported
  (bug 917571, bug 1227905)
* Experimental-only support for TLS 1.3 1-RTT mode (draft-11).
  This code is not ready for production use.

New Functions:
* SSL_SetDowngradeCheckVersion - Set maximum version for new ServerRandom
  anti-downgrade mechanism

Notable Changes:
* The copy of SQLite shipped with NSS has been updated to version 3.10.2
  (bug 1234698)
* The list of TLS extensions sent in the TLS handshake has been reordered
  to improve compatibility of the Extended Master Secret feature
  with servers (bug 1243641)
* The build time environment variable NSS_ENABLE_ZLIB has been renamed
  to NSS_SSL_ENABLE_ZLIB (Bug 1243872).
* The build time environment variable NSS_DISABLE_CHACHAPOLY was added,
  which can be used to prevent compilation of the ChaCha20/Poly1305 code.
* The following CA certificates were Removed
- Staat der Nederlanden Root CA
- NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
- NetLock Kozjegyzoi (Class A) Tanusitvanykiado
- NetLock Uzleti (Class B) Tanusitvanykiado
- NetLock Expressz (Class C) Tanusitvanykiado
- VeriSign Class 1 Public PCA – G2
- VeriSign Class 3 Public PCA
- VeriSign Class 3 Public PCA – G2
- CA Disig
* The following CA certificates were Added
- SZAFIR ROOT CA2
- Certum Trusted Network CA 2
* The following CA certificate had the Email trust bit turned on
- Actalis Authentication Root CA

The full release notes, including the SHA256 fingerprints of the changed
CA certificates, are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes


(ryoon)
diff -r1.112 -r1.113 pkgsrc/devel/nss/Makefile
diff -r1.58 -r1.59 pkgsrc/devel/nss/distinfo
diff -r1.4 -r1.5 pkgsrc/devel/nss/patches/patch-mf
diff -r1.1 -r1.2 pkgsrc/devel/nss/patches/patch-nss_coreconf_command.mk

cvs diff -r1.112 -r1.113 pkgsrc/devel/nss/Makefile
--- pkgsrc/devel/nss/Makefile 2016/04/11 19:01:48 1.112
+++ pkgsrc/devel/nss/Makefile 2016/04/17 19:27:10 1.113
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.112 2016/04/11 19:01:48 ryoon Exp $
+# $NetBSD: Makefile,v 1.113 2016/04/17 19:27:10 ryoon Exp $
 
 DISTNAME=		nss-${NSS_RELEASE:S/.0$//}
-NSS_RELEASE=		3.22.3
-PKGREVISION=		1
+NSS_RELEASE=		3.23.0
 CATEGORIES=		security
 MASTER_SITES=		${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_RELEASE:S/.0$//:S/./_/g}_RTM/src/}
 

cvs diff -r1.58 -r1.59 pkgsrc/devel/nss/distinfo
--- pkgsrc/devel/nss/distinfo 2016/03/15 03:12:06 1.58
+++ pkgsrc/devel/nss/distinfo 2016/04/17 19:27:10 1.59
@@ -1,20 +1,20 @@
-$NetBSD: distinfo,v 1.58 2016/03/15 03:12:06 ryoon Exp $
+$NetBSD: distinfo,v 1.59 2016/04/17 19:27:10 ryoon Exp $
 
-SHA1 (nss-3.22.3.tar.gz) = ae1310106a91fa24aa2e5a718ff7be20fcc852d5
-RMD160 (nss-3.22.3.tar.gz) = 469f667d671738cf789bdb6a7a29a300cbe987f9
-SHA512 (nss-3.22.3.tar.gz) = eaffe0061f2d99d8cd69db267acfad443ce2123862d612b26d3b641c982b6e80b18d4e9e6c97d4115f030040390fff7579af35c73f225c278b84c17e3ac1853d
-Size (nss-3.22.3.tar.gz) = 6981457 bytes
+SHA1 (nss-3.23.tar.gz) = 5cb30a18d601d5f2bb635df6213ae3e93f754fe8
+RMD160 (nss-3.23.tar.gz) = 2cb9a448ec60a00edd7cf5a08321dd6583d03cb9
+SHA512 (nss-3.23.tar.gz) = f3e388a415493685faa6df932e9e968af41ea2e8e4cba3fbd539c60177443e4042e8d2e2bfe74183552e14522d49048be2f80fbe038bdbd499971e82abf2cc32
+Size (nss-3.23.tar.gz) = 7467001 bytes
 SHA1 (patch-am) = ee4c4beeb120397852fc4b06b7dd54534d0d5ac5
 SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69
 SHA1 (patch-md) = 0a09fd2abb8674a2d301f1b6a5331af5db94178f
 SHA1 (patch-me) = e785e4e12b54f2618746a550a09593c2eede5f65
-SHA1 (patch-mf) = 64d3b2cc09ffbc9c4e8ffdb68cb2fa89b6897e8c
+SHA1 (patch-mf) = 534fe5f711f60dadc3432bc805a6153535f11709
 SHA1 (patch-mg) = 3c878548c98bdea559a3e653e63e0ed22a2a8834
 SHA1 (patch-mh) = a46d3098a85c3a4a57895a9845bc1741fc5e9561
 SHA1 (patch-mj) = 08ca1a37afce99e0292a20348fc6855547f44e8a
 SHA1 (patch-mn) = 5b79783e48249044be1a904a6cfd20ba175b5fd4
 SHA1 (patch-nss_cmd_platlibs.mk) = 7dadcb72acf15714c61ae74b21c5baf45bc51d4c
 SHA1 (patch-nss_coreconf_OpenBSD.mk) = fa545c993038e99bf9f59b59ec1d0bd1f6c192a9
-SHA1 (patch-nss_coreconf_command.mk) = 007b7adb79d300ae73ee4cd71b7314c665172e31
+SHA1 (patch-nss_coreconf_command.mk) = 182d513f40fa9c16006601dd7a7a654bb3139828
 SHA1 (patch-nss_lib_freebl_config.mk) = 1c198177da8ba7928cbfbd23e385503be99ebe27
 SHA1 (patch-security_nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388af

cvs diff -r1.4 -r1.5 pkgsrc/devel/nss/patches/patch-mf
--- pkgsrc/devel/nss/patches/patch-mf 2013/07/20 09:28:12 1.4
+++ pkgsrc/devel/nss/patches/patch-mf 2016/04/17 19:27:10 1.5
@@ -1,9 +1,9 @@
-$NetBSD: patch-mf,v 1.4 2013/07/20 09:28:12 ryoon Exp $
+$NetBSD: patch-mf,v 1.5 2016/04/17 19:27:10 ryoon Exp $
 
 Add DragonFly support.
 Make sure nss libraries have a run path defined.
 
---- nss/coreconf/config.mk.orig	2013-06-27 17:58:08.000000000 +0000
+--- nss/coreconf/config.mk.orig	2016-02-26 20:51:11.000000000 +0000
 +++ nss/coreconf/config.mk
 @@ -31,7 +31,7 @@ endif
  #######################################################################
@@ -14,10 +14,11 @@
  
  ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
  include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
-@@ -179,5 +179,6 @@ endif
+@@ -187,6 +187,7 @@ endif
  DEFINES += -DUSE_UTIL_DIRECTLY
  USE_UTIL_DIRECTLY = 1
  
 +EXTRA_SHARED_LIBS +=    -Wl,-R${PREFIX}/lib/${MOZILLA_PKG_NAME}
  # Build with NO_NSPR_10_SUPPORT to avoid using obsolete NSPR features
  DEFINES += -DNO_NSPR_10_SUPPORT
+ 
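Review bot: The run path added by `EXTRA_SHARED_LIBS += -Wl,-R${PREFIX}/lib/${MOZILLA_PKG_NAME}` is built from two variables that the visible config.mk context does not define, and the refreshed patch still does not say where they come from. If either is empty when make evaluates that line, the libraries would be linked with a run path other than the intended package directory, which changes where the dynamic loader looks for NSS's shared objects. I would add a line to the patch's description such as `PREFIX and MOZILLA_PKG_NAME must be exported to the NSS build by the package Makefile`, and check the installed libraries' run path after the update. The rest of config.mk lies outside the hunk, so the definitions may exist elsewhere.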

cvs diff -r1.1 -r1.2 pkgsrc/devel/nss/patches/patch-nss_coreconf_command.mk
--- pkgsrc/devel/nss/patches/patch-nss_coreconf_command.mk 2015/12/17 13:39:59 1.1
+++ pkgsrc/devel/nss/patches/patch-nss_coreconf_command.mk 2016/04/17 19:27:10 1.2
@@ -1,15 +1,15 @@
-$NetBSD: patch-nss_coreconf_command.mk,v 1.1 2015/12/17 13:39:59 ryoon Exp $
+$NetBSD: patch-nss_coreconf_command.mk,v 1.2 2016/04/17 19:27:10 ryoon Exp $
 
 * Pass CFLAGS from pkgsrc
 
---- nss/coreconf/command.mk.orig	2015-11-09 05:12:59.000000000 +0000
+--- nss/coreconf/command.mk.orig	2016-02-26 20:51:11.000000000 +0000
 +++ nss/coreconf/command.mk
 @@ -12,7 +12,7 @@ AS            = $(CC)
  ASFLAGS      += $(CFLAGS)
  CCF           = $(CC) $(CFLAGS)
  LINK_DLL      = $(LINK) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS)
--CFLAGS        = $(OPTIMIZER) $(OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \
-+CFLAGS       += $(OPTIMIZER) $(OS_CFLAGS) $(XP_DEFINE) $(DEFINES) $(INCLUDES) \
- 		$(XCFLAGS)
+-CFLAGS        = $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \
++CFLAGS       += $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \
+                 $(DEFINES) $(INCLUDES) $(XCFLAGS)
  PERL          = perl
  RANLIB        = echo
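Review bot: The patch description `* Pass CFLAGS from pkgsrc` does not explain what the `=` to `+=` change on the `CFLAGS` line relies on or what flag ordering it produces. With `+=`, any CFLAGS inherited from pkgsrc come first and the upstream `$(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) ...` values follow, so an upstream flag may override a pkgsrc one of the same family. This refresh also picks up the new `$(WARNING_CFLAGS)` term, and the release fixes a heap overflow in ASN.1 parsing, so it matters that pkgsrc-supplied hardening flags really reach the compiler. I would expand the description to something like `* Pass CFLAGS from pkgsrc (including hardening flags); upstream flags are appended after them` and confirm from a build log that the pkgsrc flags appear on the compile lines.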