Bug 1228913
| Summary: | Rebase to nss-3.19.1 for CVE-2015-4000 [RHEL-7.1] | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Elio Maldonado Batiz <emaldona> | ||||||
| Component: | nss | Assignee: | Elio Maldonado Batiz <emaldona> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | Alicja Kario <hkario> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | urgent | ||||||||
| Version: | 7.1 | CC: | hkario, huzaifas, kengert, ksrot, rrelyea | ||||||
| Target Milestone: | rc | Keywords: | Rebase | ||||||
| Target Release: | 7.1 | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | nss-3.19.1-6.el7 | Doc Type: | Rebase: Bug Fixes and Enhancements | ||||||
| Doc Text: |
The nss and nss-util packages have been upgraded to upstream version 3.19.1, which provides a number of bug fixes and enhancements over the previous version. Notably, the update allows users to upgrade to Mozila Firefox 38 Extended Support Release and prevents attackers from exploiting the Logjam security vulnerability CVE-2015-4000.
|
Story Points: | --- | ||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2015-11-19 12:27:06 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 1223211 | ||||||||
| Attachments: |
|
||||||||
|
Description
Elio Maldonado Batiz
2015-06-06 15:26:35 UTC
Created attachment 1035693 [details]
all changes needed for nss rebase for rhel-7.1.z
Comment on attachment 1035693 [details]
all changes needed for nss rebase for rhel-7.1.z
These are the changes:
1) .gitignore and source updated because of the rebase
2) expired-cert.patch removed as no lo longer needed
3) Patch91: nss-3.18.1-ca-2.3-to-2.4.patch removed, obsoleted
4) Patch95: expired-cert.patch removed, obsoleted
5) Patch96: syntaxfix.patch removed, obsoleted
6) Patch98: nss-revert-tls-version-defaults.patch to keep the TLS protocol versions that are enabled by default is no longer a straight reversal of an upstream patch as it was with 3.18.0 so the -R is not applicable.
7) iquote.patch updated as the there is a new public API
8) Notice at the top of nss.spec that %global required_softokn_build_version changed from -11 to -10 because we are temporarily backtracking the changes previously made to add support for sha384 tls cipher suites. They will come back one this rebase is completed.
I think the most recently attached patch is insufficient. It doesn't include the change of magic numbers made to softokn by upstream. I understand we might not want to change softokn. In that case we should apply the patch from upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1172128 on top of 3.19.1 Also, the attached patch is broken. checking file .gitignore checking file expired-cert.patch checking file iquote.patch patch: **** malformed patch at line 48: @@ -1,326 +0,0 @@ Sorry, my comment 10 was a false alarm. I made a mistake when downloading the patch. Patch applies on my local tree. Nevertheless, my comment 9 still stands. I'll continue the review of the patch. Created attachment 1036471 [details] all changes needed for nss rebase for rhel-7.1.z Completes the need changes as Kai pointed out on Comment 8, with the ssl-server-min-key-sizes.patch suitably modified so DH_MIN_P_BITS is 768. upstream reverted their changes refered to in comment 9, so there is no need to pick up a new softoken. bob Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2121.html |