Bug 1200900

Summary: Rebase nss to 3.18 for Firefox 38 ESR [RHEL-6.6]
Product: Red Hat Enterprise Linux 6 Reporter: Elio Maldonado Batiz <emaldona>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED CURRENTRELEASE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: high    
Version: 6.6CC: jherrman, kengert, ksrot, rrelyea, salmy
Target Milestone: rcKeywords: Rebase, ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: [ important information: COMMENT 11 ]
Fixed In Version: nss-3.18.0-5.3.el6 Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
The nss and nss-util packages have been upgraded to upstream versions 3.18, and the nspr packages have been upgraded to upstream version 4.10.8. The upgraded versions provide a number of bug fixes and enhancements over the previous versions. Notably, these upgrades allow users to upgrade to Mozilla Firefox 38 Extended Support Release.
 Story Points: ---
Clone Of:
: 1207052 (view as bug list) Environment:
Last Closed: 2015-10-02 23:07:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1200920, 1200937, 1200938    
Bug Blocks: 1200499, 1207052    
Attachments:
Description Flags
Patch to keep 1024 bit legacy CA certificates enabled in the NSS root CA module
none
All changes for rebasing plus two bug fixes none

Description Elio Maldonado Batiz 2015-03-11 15:34:01 UTC 
Firefox 38 ESR, current upstream release date is May 12 2015, requires nss-3.18.
Comment 2 Kai Engert (:kaie) (inactive account) 2015-03-11 17:10:23 UTC 
*** Bug 1200939 has been marked as a duplicate of this bug. ***
Comment 4 Kai Engert (:kaie) (inactive account) 2015-03-25 17:31:13 UTC 
Created attachment 1006380 [details]
Patch to keep 1024 bit legacy CA certificates enabled in the NSS root CA module

I suggest to include this patch in the NSS 3.18 package.

It keeps the trust flags of legacy root CA certificates enabled, as they were before Mozilla decided to phase them out in Firefox.

This patch has the certificates that were changed in the upstream releases version 2.1, 2.2 and 2.3

See also this page which documents the changes:
https://fedoraproject.org/wiki/CA-Certificates


This patch will affect users who are still using the default configuration of RHEL 6, which DOESN'T yet use the shared system certificate store.


If users of RHEL 6.5 and later would like to disable the legacy CAs, they can:

- migrate their system to the new shared CA store by executing:
  update-ca-trust enable

- disable the legacy root CAs:
  ca-legacy disable

(The ca-legacy command will be introduced in version 2.3 of the ca-certificates pacakge.)
Comment 6 Elio Maldonado Batiz 2015-03-31 21:48:18 UTC 
Created attachment 1009282 [details]
All changes for rebasing plus two bug fixes

This is actually for rhel-6.6.z, attaching it here because the clone of this bug hasn't be filed yet. Includes fixes for Bug 1123092 and Bug 1131311.
Comment 7 Elio Maldonado Batiz 2015-03-31 21:50:24 UTC 
My mistake, the clone is filed. I'll attach it there.