Merge nss from Debian unstable for kinetic
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| nss (Ubuntu) | Fix Released | Undecided | Athos Ribeiro | |
Bug Description
Upstream: tbd
Debian: 2:3.77-1
Ubuntu: 2:3.68.2-0ubuntu1
### New Debian Changes ###
nss (2:3.77-1) unstable; urgency=medium

  * New upstream release.
  * debian/

 -- Mike Hommey <email address hidden>  Wed, 06 Apr 2022 09:18:22 +0900

nss (2:3.75-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey <email address hidden>  Wed, 09 Feb 2022 08:46:51 +0900

nss (2:3.73.1-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey <email address hidden>  Fri, 17 Dec 2021 06:16:55 +0900

nss (2:3.73-1) unstable; urgency=medium

  * New upstream release.
  * Fixes MFSA-2021-51, aka CVE-2021-43527: Memory corruption via DER-encoded
    DSA and RSA-PSS signatures.

 -- Mike Hommey <email address hidden>  Thu, 02 Dec 2021 06:04:31 +0900

nss (2:3.72-2) unstable; urgency=medium

  * debian/control: libnss3-dev breaks libxmlsec1-dev (<< 1.2.33-1).
    Closes: #998733.

 -- Mike Hommey <email address hidden>  Fri, 12 Nov 2021 06:21:05 +0900

nss (2:3.72-1) unstable; urgency=medium

  * New upstream release.
  * debian/
    nss/
    nss/
    symbol and remove the previous workaround. Closes: #990058.
  * debian/
    nss/
    nss/
    nss/
    subdirectory. It's a deviation from upstream that is causing more problems
    than it's worth keeping. Closes: #737855, #846012, #979159.
  * debian/
  * debian/rules: Stop forcing xz compression.
  * debian/copyright: Add dot for continuation.
  * debian/watch: Upgrade to version 4.
  * debian/control: Upgrade Standards-Version to 4.6.0:
    - debian/rules: Build with `make -s` when DEB_BUILD_OPTIONS contains
      terse.
    - debian/control: Add Rules-Requires-
  * debian/control: Remove conflict with libnss3-1d. The last Debian version
    with libnss3-1d was jessie, and it had a newer version anyways.
  * debian/rules: Enable all hardening options.
  * debian/
  * debian/
    copyright-
  * debian/
    - s/shlib-
    - Add lacks-unversion
  * debian/
    ours. Closes: #737855, #963136.
  * debian/rules, debian/control: Always set Multi-Arch: same.
  * debian/copyright:
    - Remove commas in `Files`.
    - Add missing license name for ifparser.
    - Add missing `Copyright`.
    - Remove copyright for mkdepend, which is not in the source tree anymore.
  * debian/

  [ Daniel Kahn Gillmor ]
  * debian/control: correct Homepage (old URL redirects to 404)

  [ Janitor ]
  * debian/changelog: Trim trailing whitespace.
  * debian/copyright: Use secure copyright file specification URI.
  * debian/compat, debian/control:
    - Bump debhelper from deprecated 9 to 13.
    - Set debhelper-compat version in Build-Depends.
  * debian/
  * debian/rules: Drop transition for old debug package migration.

 -- Mike Hommey <email address hidden>  Tue, 02 Nov 2021 06:57:06 +0900

nss (2:3.70-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey <email address hidden>  Wed, 08 Sep 2021 08:31:23 +0900

nss (2:3.68-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey <email address hidden>  Mon, 19 Jul 2021 06:23:39 +0900
### Old Ubuntu Delta ###
nss (2:3.68.2-0ubuntu1) jammy; urgency=medium

  * New upstream release. (LP: #1959126)
  * d/p/CVE-
    [ Fixed in 3.68.1 ]

 -- Athos Ribeiro <email address hidden>  Mon, 21 Feb 2022 14:55:42 -0300

nss (2:3.68-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: heap overflow when verifying DSA/RSA-PSS DER-encoded
    signatures
    - debian/
      nss/
    - CVE-2021-43527

 -- Marc Deslauriers <email address hidden>  Mon, 29 Nov 2021 07:12:54 -0500

nss (2:3.68-1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/libnss3.links: Make freebl3 available as library. (LP #1744328)
    - d/control: Add dh-exec to Build-Depends.
    - d/rules: Make mkdir tolerate debian/tmp existing (due to dh-exec).
    - d/p/disable_
      in FIPS mode as libnss is not a FIPS certified library. (LP #1837734)
    - d/p/set-
      (LP #1856428)
    - d/libnss3.links.in: Symlink chk files to fix self-verification in
      FIPS mode. (LP #1885562)
    - d/p/fix-
      and format overflows for s390x.
    - d/p/fix-
      checking on call to getcwd since this results in an erroneous warning
      that causes the build to fail otherwise.
  * New changes:
    - d/rules: Disable LTO on s390x for now. (LP #1931104)

 -- Paride Legovini <email address hidden>  Wed, 28 Jul 2021 15:27:12 +0200
Related branches
- Bryce Harrington (community): Approve
- Canonical Server: Pending requested
- git-ubuntu import: Pending requested
Diff: 610 lines (+446/-1), 2 files modified: debian/changelog (+444/-0), debian/control (+2/-1)
CVE References
Changed in nss (Ubuntu): milestone: none → later
Changed in nss (Ubuntu): milestone: later → ubuntu-22.05
Changed in nss (Ubuntu): assignee: nobody → Athos Ribeiro (athos-ribeiro)
Changed in nss (Ubuntu): status: New → In Progress
Our current delta has the following patches:
=== BEGIN DELTA ANALYSIS ===
* New upstream release. (LP: #1959126) [2:3.68.2-0ubuntu1]
We went "ahead" of Debian here. We must drop this to get back to tracking the Debian history.
* d/p/CVE-2021-43527.patch: drop patch applied upstream. patches/CVE-2021-43527.patch: check signature lengths in lib/cryptohi/secvfy.c.
[ Fixed in 3.68.1 ]
* SECURITY UPDATE: heap overflow when verifying DSA/RSA-PSS DER-encoded
signatures
- debian/
nss/
- CVE-2021-43527
When dropping the "New upstream release", this would be re-introduced, but since this was fixed in 3.68.1 already, it can be/remain dropped.
- d/libnss3.links: Make freebl3 available as library. (LP #1744328)
- d/libnss3.links.in: Symlink chk files to fix self-verification in
FIPS mode. (LP #1885562)
- d/control: Add dh-exec to Build-Depends.
- d/rules: Make mkdir tolerate debian/tmp existing (due to dh-exec).
The packaging approach changed in Debian for 2:3.72-1 to stick to the upstream distribution approach. The libraries are now shipped in a single directory and therefore this patch is no longer needed.
dh-exec was only used for this links file and the related deltas are also no longer needed.
- d/p/disable_fips_enabled_read.patch: Disable reading fips_enabled flag
in FIPS mode as libnss is not a FIPS certified library. (LP #1837734)
LP: #1837734, which introduced this patch, has a comment from the patch author saying this was never needed in this package and was added to fix an issue with firefox, which had libnss embedded back when this was introduced. This can also be dropped.
- d/p/set-tls1.2-as-minimum.patch: Set TLSv1.2 as minimum TLS version.
(LP #1856428)
This was included in upstream version 3.69 and can be dropped.
- d/p/fix-ftbfs-s390x.patch: Fix some uninitialized variable warnings
and format overflows for s390x.
- d/p/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error
checking on call to getcwd since this results in an erroneous warning
that causes the build to fail otherwise.
There are no FTBFS issues with the current Debian version. Hence, these are no longer needed. See https://launchpad.net/~athos-ribeiro/+archive/ubuntu/nss377-transition/+packages
- d/rules: Disable LTO on s390x for now. (LP #1931104)
In the upstream issue linked in LP: #1931104, the Fedora packager re-enabled LTO since version 3.69 and reported no issues/regressions were observed. The same applies for our test builds at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/nss377-transition/+packages. This can also be dropped.
=== END DELTA ANALYSIS ===
Based on the report above, we can safely drop all delta for nss.
This can be a sync.
A bileto ticket was created to ensure rdeps sanity before we proceed with sync'ing this package at https://bileto.ubuntu.com/#/ticket/4857
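The CVE-2021-43527 item in the delta analysis above records that the fix was to check signature lengths in lib/cryptohi/secvfy.c before the DER-encoded DSA/RSA-PSS signature is used. The C below is an added illustration of that defect class and its mitigation; it is not NSS code and not part of this bug report. It models a fixed-size verification context, parses the outer DER SEQUENCE header (rejecting truncated or non-minimal encodings), and refuses to copy anything that does not fit the buffer. `MAX_SIG_BYTES`, `sig_ctx_t`, the function names and the sample inputs are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed verification buffer. A hypothetical constant
 * for this illustration, not NSS's real context layout. */
#define MAX_SIG_BYTES 64

typedef struct {
    uint8_t buffer[MAX_SIG_BYTES]; /* fixed-size scratch buffer */
    size_t len;                    /* bytes actually copied into it */
} sig_ctx_t;

/* Parse the outer DER SEQUENCE header and return the total encoded
 * length (header + content). Returns 0 for anything malformed: wrong tag,
 * non-minimal length encoding, or content running past buf_len. */
size_t der_sequence_total_len(const uint8_t *buf, size_t buf_len) {
    if (buf == NULL || buf_len < 2 || buf[0] != 0x30) return 0;
    size_t hdr, content = 0;
    if (buf[1] < 0x80) {                 /* short form: one length byte */
        content = buf[1];
        hdr = 2;
    } else {                             /* long form: 0x80|n, then n bytes */
        size_t n = buf[1] & 0x7f;
        if (n == 0 || n > 4 || buf_len < 2 + n) return 0;
        if (buf[2] == 0) return 0;       /* DER forbids leading zero bytes */
        for (size_t i = 0; i < n; i++) content = (content << 8) | buf[2 + i];
        if (content < 0x80) return 0;    /* DER requires short form here */
        hdr = 2 + n;
    }
    if (content > buf_len - hdr) return 0; /* truncated input */
    return hdr + content;
}

/* Copy a signature into the context only after checking that it fits.
 * Returns 0 on success, -1 when rejected. The size comparison is the
 * check whose absence turns an oversized input into a heap overflow. */
int copy_signature_checked(sig_ctx_t *cx, const uint8_t *sig, size_t sig_len) {
    if (cx == NULL || sig == NULL) return -1;
    if (sig_len > sizeof(cx->buffer)) return -1;
    memcpy(cx->buffer, sig, sig_len);
    cx->len = sig_len;
    return 0;
}

/* Full input validation: the DER envelope must be well formed and describe
 * exactly sig_len bytes, and the whole thing must fit the context. */
int accept_der_signature(sig_ctx_t *cx, const uint8_t *sig, size_t sig_len) {
    size_t total = der_sequence_total_len(sig, sig_len);
    if (total == 0 || total != sig_len) return -1;
    return copy_signature_checked(cx, sig, sig_len);
}

/* Constructed sample inputs (not real signatures). */
static const uint8_t sample_ok[10] = { 0x30, 0x08, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t sample_truncated[6] = { 0x30, 0x08, 1, 2, 3, 4 };
static uint8_t sample_oversized[131]; /* filled by build_oversized() */

/* Build a well-formed 131-byte SEQUENCE: tag, long-form length 0x81 0x80
 * (128 content bytes), then 128 filler bytes. Valid DER, but too large. */
const uint8_t *build_oversized(void) {
    sample_oversized[0] = 0x30;
    sample_oversized[1] = 0x81;
    sample_oversized[2] = 0x80;
    memset(sample_oversized + 3, 0xAA, 128);
    return sample_oversized;
}

int demo_ok(void) {
    sig_ctx_t cx;
    return accept_der_signature(&cx, sample_ok, sizeof sample_ok);
}

int demo_truncated(void) {
    sig_ctx_t cx;
    return accept_der_signature(&cx, sample_truncated, sizeof sample_truncated);
}

int demo_oversized(void) {
    sig_ctx_t cx;
    return accept_der_signature(&cx, build_oversized(), sizeof sample_oversized);
}

int main(void) {
    printf("ok=%d truncated=%d oversized=%d\n",
           demo_ok(), demo_truncated(), demo_oversized());
    return 0;
}
```

The oversized sample is the instructive case: its DER is perfectly valid, so an envelope parser alone would pass it, and only the explicit comparison against the destination buffer size stops the copy.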