Bug 1447496
| Summary: | [QE TPS TESTS] JSS requires illegal version of libnss.so | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> |
| Component: | jss | Assignee: | Matthew Harmsen <mharmsen> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | aakkiang, alee, arubin, cfu, cheimes, dueno, edewata, emaldona, ftweedal, jmagne, kengert, lockhart, mharmsen, nkinder, rrelyea |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | jss-4.4.0-7.el7 | Doc Type: | No Doc Update |
| Doc Text: |
undefined
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-01 22:32:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Created attachment 1277124 [details] Use lazy building in jss native code When generating the libjss4.so shared library, mark it to tell the dynamic linker to defer function-call resolution to the point when the function is called (lazy binding), rather than at load time. This is as explained in http://www.qnx.com/developers/docs/660/index.jsp?topic=%2Fcom.qnx.doc.neutrino.prog%2Ftopic%2Fdevel_Lazy_binding.html Created attachment 1277125 [details]
changes to jss.spec - in patch format
Errata TPS tests for the advisory 2017:27071 passed, nss dependency issues resolved. # grep Requires jss.spec | grep nss BuildRequires: nss-devel >= 3.28.4-6 Requires: nss >= 3.28.4-6 Marking the bug verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2090 |
While running TPS tests on JSS, the following two tests failed: Upgrade Test: libssl3.so(NSS_3.30.0.1)(64bit) is needed by jss-4.4.0-6.el7.x86_64 InstallTest: libssl3.so(NSS_3.30.0.1)(64bit) is needed by jss-4.4.0-6.el7.x86_64 Examining the jss-4.4.0-6.el7 build, however showed both a build and runtime requirement on nss 3.28.3. However, running the following commands revealed: # cat jss-6-requires # rpm -q jss jss-4.4.0-6.el7.x86_64 # rpm -q --requires jss java-headless libc.so.6()(64bit) libc.so.6(GLIBC_2.14)(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.4)(64bit) libdl.so.2()(64bit) libnspr4.so()(64bit) libnss3.so()(64bit) libnss3.so(NSS_3.10.2)(64bit) libnss3.so(NSS_3.11.7)(64bit) libnss3.so(NSS_3.12)(64bit) libnss3.so(NSS_3.12.3)(64bit) libnss3.so(NSS_3.2)(64bit) libnss3.so(NSS_3.3)(64bit) libnss3.so(NSS_3.4)(64bit) libnss3.so(NSS_3.6)(64bit) libnss3.so(NSS_3.9)(64bit) libnssutil3.so()(64bit) libnssutil3.so(NSSUTIL_3.12)(64bit) libplc4.so()(64bit) libplds4.so()(64bit) libpthread.so.0()(64bit) libsmime3.so()(64bit) libsmime3.so(NSS_3.2)(64bit) libsmime3.so(NSS_3.3)(64bit) libssl3.so()(64bit) libssl3.so(NSS_3.14)(64bit) libssl3.so(NSS_3.2)(64bit) libssl3.so(NSS_3.30.0.1)(64bit) libssl3.so(NSS_3.4)(64bit) nss >= 3.28.3 rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rtld(GNU_HASH) rpmlib(PayloadIsXz) <= 5.2-1 where we see "libssl3.so(NSS_3.30.0.1)(64bit)", the culprit exposed by the TPS tests. Asha informed us that the last known TPS tests to pass were run against jss-4.4.0-1.el7; with Asha's assistance, we slowly stepped backwards to determine that the last JSS to pass TPS tests was "jss-4.4.0-3.el7"; the differences between the rquirements for this build versus the latest are: # diff jss-3-requires jss-6-requires 2c2 < jss-4.4.0-3.el7.x86_64 --- > jss-4.4.0-6.el7.x86_64 33a34 > libssl3.so(NSS_3.30.0.1)(64bit) 35c36 < nss >= 3.21.0 --- > nss >= 3.28.3 It turns out that "jss-4.4.0-4.el7" was the first to utilize the newer version of NSS; in addition to being compiled and linked against nss 3.28.3, the following bugs were changed in "jss-4.4.0-4.el7": * Mon Mar 27 2017 Matthew Harmsen <mharmsen> - 4.4.0-4 - Bugzilla Bug #1394414 - Rebase jss to 4.4.0 in RHEL 7.4 - Updated build requirements for NSPR - Updated build and runtime requirements for NSS - ## 'jss-post-rebase.patch' resolves the following issues ported from - Mozilla Bugzilla #1337092 - CMC conformance update: Implement required ASN.1 code for RFC5272+ (cfu) - Mozilla Bugzilla #1347394 - Eclipse project files for JSS (edewata) - Mozilla Bugzilla #1347429 - Deprecated SSL 3.0 cipher names in SSLSocket class. (edewata) - Mozilla Bugzilla #1348856 - SSL alert callback (edewata) - Mozilla Bugzilla #1349278 - SSL cipher enumeration (edewata) - Mozilla Bugzilla #1349349 - Problem with Password.readPasswordFromConsole(). (edewata) - Mozilla Bugzilla #1349831 - Revise top-level README file (mharmsen) - Mozilla Bugzilla #1349836 - Changes to JSS Version Block (mharmsen) - Mozilla Bugzilla #1350130 - Missing CryptoManager.verifyCertificateNowCUNative() implementation. (emaldona) As this problem exists in jss-4.4.0-4.el7, jss-4.4.0-5.el7, and jss-4.4.0-6.el7,, but not in jss-4.4.0-3.el7, this issue must be caused by either the compilation/link process with NSS 3.28.3, or one of the aforementioned bugs. Since this issue was uncovered as a part of RHEL QE Testing, only this internal bug will be filed until the actual issues is discovered.