Bug 918948
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue | | |
| Product | Red Hat Enterprise Linux 5 | Reporter | Huzaifa S. Sidhpurwala <huzaifas> |
| Component | nss | Assignee | Elio Maldonado Batiz <emaldona> |
| Status | CLOSED ERRATA | QA Contact | Hubert Kario <hkario> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 5.10 | CC | amarecek, bgollahe, cschalle, dpal, eparis, hkario, huzaifas, jgalipea, jrieden, kengert, ksrot, rrelyea, sforsber, stransky, thoger, tpelka |
| Target Milestone | rc | Keywords | FutureFeature, Rebase, ZStream |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | nss-3.14.3-11.el5 | Doc Type | Rebase: Bug Fixes and Enhancements |
| Doc Text | Rebase package(s) to version: 3.14.3. Highlights, important fixes, or notable enhancements: It is important that we document how customers can disable MD5 certificates after the rebase. This text should be updated to include that information. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2013-09-30 22:42:54 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 919183, 949047 | | |
| Bug Blocks | 928849, 949845 | | |
| Attachments | | | |

Description
Huzaifa S. Sidhpurwala
2013-03-07 09:42:44 UTC
In order to fix CVE-2013-1620 in 5.9.z (see BZ 918870), we need to rebase nss to 3.14.3. Setting the 5.9.z? flag.

Created attachment 718353 [details]
nss.spec changes required for the rebase - in patch form
Highlights:
- We now run almost all of upstream test suites as part of the build
- Kept franken-nss steps as comments for future time when needed
- Added patch to accept signatures with md5 by default for backward compatibility
- binutil220 assembler used for intel-gcm hardware support
- Using our own sqlite, as the system one of RHEL-5 isn't sufficient for our needs
- Removed 14 patches rendered obsolete by the rebase and updated others
- Install empty sharedb files and system-pkcs11.txt config file, but not the nss-sysinit module, to keep this a mere rebase and reduce risks
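One of the highlights above is a patch that keeps MD5-signed certificates accepted by default, and the bug's Doc Text says that how customers turn that off still needs documenting. As an added example that is not part of the bug report or the nss package, the script below shows the per-process way to do it: NSS reads the NSS_HASH_ALG_SUPPORT environment variable at initialisation, and a `-MD5` token withdraws MD5 from certificate-signature use. The small policy function only models the token semantics as this example reads them (tokens processed left to right, names case-insensitive); `vfychain` is a real NSS utility, but the database path and certificate file in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the bug report or the nss package): run an
# NSS-linked program with MD5 certificate signatures refused for that
# process only.
#
# NSS reads NSS_HASH_ALG_SUPPORT at initialisation: a comma-separated list of
# +ALG / -ALG tokens. "-MD5" withdraws MD5 from certificate-signature use.
# The parsing modelled in md5_allowed_by_policy (left to right, last token
# wins, names case-insensitive) is this example's reading of that behaviour.

# run_without_md5 CMD [ARGS...]
# Run CMD with MD5 disabled for this process; nothing system-wide changes.
run_without_md5() {
    NSS_HASH_ALG_SUPPORT=-MD5 "$@"
}

# md5_allowed_by_policy POLICY [DEFAULT]
# Echo 1 if MD5 stays enabled under POLICY, 0 if it is disabled. DEFAULT is
# the package's built-in setting: 1 for the rebased RHEL 5 nss, whose
# highlights say it accepts MD5 by default.
md5_allowed_by_policy() {
    policy=$1
    allowed=${2:-1}
    oldifs=$IFS
    IFS=,
    for tok in $policy; do
        tok=$(printf '%s' "$tok" | tr -d ' ' | tr 'a-z' 'A-Z')
        case $tok in
            +MD5) allowed=1 ;;
            -MD5) allowed=0 ;;
        esac
    done
    IFS=$oldifs
    echo "$allowed"
}

# Usage (placeholder database path and certificate file): verify a chain
# while refusing any MD5 signature in it.
#   run_without_md5 vfychain -d /etc/pki/nssdb -a server.crt
#
# Sanity check of the policy model against the shipped default:
#   md5_allowed_by_policy ""      -> 1 (MD5 accepted, the package default)
#   md5_allowed_by_policy "-MD5"  -> 0 (MD5 refused)
```

Setting the variable in a service's environment file is the same mechanism applied to one daemon; it does not change the default for other NSS users on the host.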

Created attachment 730158 [details]
Same as previous one - plus bring back -flst- source tar ball

Comment on attachment 730158 [details]
Same as previous one - plus bring back -flst- source tar ball
r-

The following issues:

We can't just turn on the NSS self-built SQLite. The issue is we form a runtime dependency on the newer sqlite, but we can't install the newer version because we will overwrite the system version. This can be solved as follows:
1) include a patch to allow us to use the older sqlite. (preferred)
2) rename the sqlite library name for NSS RHEL-5 so we can use our own. (discouraged)
3) Get the system sqlite updated so we can use it. (not likely for -z stream, still a potential option for 5.10)
Turning off the new DB in RHEL-5 is an option in z stream since it wasn't supported in 3.11; I suspect we don't have to go that far, however.

ECC changes.
Your line which builds 'softoken/freebl' without ECC assumes a separate tree for softoken/freebl, which you no longer have. The result is you turn off NSS proper's ability to use ECC if you include a loadable module. You will break RHCS if you do this. :)

freebl headers and library added to -devel. (Note: the new util headers should be included; they are cross-linked, so old apps will need them when they rebuild.)
We shouldn't add these to the nss-devel package. If you want to add them, add them to nss-softokn-devel, but I suggest just removing them for the z-stream release.

bob
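The review above objects that building NSS against its bundled sqlite creates a runtime dependency the system libsqlite3 on RHEL 5 cannot satisfy. As an added example that is not part of the bug report or the nss package, the script below is the pre-ship check a packager would run for that: list the `sqlite3_*` symbols the rebased library imports, list what the system sqlite exports, and report the difference. The two listings embedded in the script are constructed sample `nm -D` output; the symbol names in them are illustrative and are not a claim about which functions RHEL 5's sqlite actually lacks.

```shell
#!/bin/sh
# Added example (not from the bug report or the nss package): a pre-ship
# check for the runtime dependency raised in the review. A rebased NSS built
# against its bundled sqlite may import sqlite3_* functions that the older
# system libsqlite3 does not export; the build succeeds, and the failure only
# shows up as an unresolved symbol when the library is loaded on RHEL 5.
#
# Inputs are "nm -D" style listings: the consumer's undefined symbols
# (nm -D --undefined-only libsoftokn3.so) and the provider's exports
# (nm -D --defined-only /usr/lib/libsqlite3.so.0). The listings below are
# constructed sample text with illustrative symbol names.

# unresolved_sqlite_symbols CONSUMER_LISTING PROVIDER_LISTING
# Print, sorted, every sqlite3_* symbol the consumer imports that the
# provider does not export. Empty output means the system sqlite suffices.
unresolved_sqlite_symbols() {
    {
        printf '%s\n' "$1" | awk '$NF ~ /^sqlite3_/ { print "N", $NF }'
        printf '%s\n' "$2" | awk '$NF ~ /^sqlite3_/ { print "P", $NF }'
    } | awk '$1 == "P" { have[$2] = 1 }
             $1 == "N" { need[$2] = 1 }
             END { for (s in need) if (!(s in have)) print s }' | sort
}

# check_against_system LIB SQLITE_SO
# The same check on real files, for use on the target system.
check_against_system() {
    unresolved_sqlite_symbols \
        "$(nm -D --undefined-only "$1")" \
        "$(nm -D --defined-only "$2")"
}

# Constructed sample: imports a freshly rebased softoken might have ...
SAMPLE_CONSUMER='                 U PR_Lock
                 U sqlite3_close
                 U sqlite3_open_v2
                 U sqlite3_prepare_v2
                 U sqlite3_step
                 U free'

# ... and exports an older system libsqlite3 might offer.
SAMPLE_PROVIDER='0000000000012340 T sqlite3_close
0000000000012580 T sqlite3_exec
0000000000013a10 T sqlite3_open
0000000000014c00 T sqlite3_prepare
0000000000015d20 T sqlite3_step'

# On the samples this reports the two *_v2 entry points: precisely the
# "runtime dependency on the newer sqlite" that the review warns about.
unresolved_sqlite_symbols "$SAMPLE_CONSUMER" "$SAMPLE_PROVIDER"
```

Any symbol the check prints has to be fixed the way the review lists: patch NSS to use the older sqlite API, ship a renamed private sqlite, or update the system sqlite. Running the check against the real libraries on a RHEL 5 build host (`check_against_system libsoftokn3.so /usr/lib/libsqlite3.so.0`) before the package is signed off is what turns the reviewer's concern into a reproducible gate.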

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1318.html