Bug 918948

Summary: [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue
Product: Red Hat Enterprise Linux 5
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: nss
Assignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED ERRATA
QA Contact: Hubert Kario <hkario>
Severity: high
Docs Contact:
Priority: high
Version: 5.10
CC: amarecek, bgollahe, cschalle, dpal, eparis, hkario, huzaifas, jgalipea, jrieden, kengert, ksrot, rrelyea, sforsber, stransky, thoger, tpelka
Target Milestone: rc
Keywords: FutureFeature, Rebase, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: nss-3.14.3-11.el5
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Rebase package(s) to version: 3.14.3
Highlights, important fixes, or notable enhancements: It is important that we document how customers can disable MD5 certificates after the rebase. This text should be updated to include that information.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-30 22:42:54 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 919183, 949047
Bug Blocks: 928849, 949845
Attachments (description, flags):
- nss.spec changes required for the rebase - in patch form (flags: none)
- Same as previous one - plus bring back -flst- source tar ball (flags: rrelyea: review-)

Description Huzaifa S. Sidhpurwala 2013-03-07 09:42:44 UTC
We will need to rebase nss to 3.14.3 to fix the lucky-13 issue, as described in:
http://bugzilla.redhat.com/CVE-2013-1620

Comment 1 Suzanne Forsberg 2013-03-07 14:32:04 UTC
In order to fix CVE-2013-1620 in 5.9.z (see BZ 918870), we need to rebase nss to 3.14.3. Setting the 5.9.z? flag.

Comment 8 Elio Maldonado Batiz 2013-03-30 20:11:42 UTC
Created attachment 718353 [details]
nss.spec changes required for the rebase - in patch form

Highlights:
- We now run almost all of the upstream test suites as part of the build
- Kept franken-nss steps as comments for future time when needed
- Added patch to accept signatures with md5 by default for backward compatibility
- binutil220 assembler used for intel-gcm hardware support
- Using our own sqlite, as the system one of RHEL-5 isn't sufficient for our needs
- Removed 14 patches rendered obsolete by the rebase and updated others
- Install empty sharedb files and system-pkcs11.txt config file but ...
- not installing nss-sysinit module to keep this a mere rebase & reduce risks

Comment 9 Elio Maldonado Batiz 2013-04-01 03:03:32 UTC
Created attachment 730158 [details]
Same as previous one - plus bring back -flst- source tar ball

Comment 10 Bob Relyea 2013-04-01 21:27:25 UTC
Comment on attachment 730158 [details]
Same as previous one - plus bring back -flst- source tar ball

r-

The following issues:

We can't just turn on the NSS self-built SQLite. The issue is we form a runtime dependency on the newer sqlite, but we can't install the newer version because we will overwrite the system version. This can be solved as follows:

1) include a patch to allow us to use the older sqlite. (preferred)
2) rename the sqlite library name for NSS RHEL-5 so we can use our own. (discouraged)
3) Get the system sqlite updated so we can use it. (not likely for -z stream, still a potential option for 5.10)

Turning off the new DB in RHEL-5 is an option in z stream since it wasn't supported in 3.11; I suspect we don't have to go that far, however.

ECC changes.

Your line which builds 'softoken/freebl' without ECC assumes a separate tree for softoken/freebl, which you no longer have. The result is you turn off NSS proper's ability to use ECC if you include a loadable module. You will break RHCS if you do this. :)

freebl headers and library added to -devel. (note: the new util headers should be included; they are cross-linked, so old apps will need them when they rebuild)

We shouldn't add these to the nss-devel package. If you want to add them, add them to nss-softokn-devel, but I suggest just removing them for the z-stream release.


bob

Comment 18 errata-xmlrpc 2013-09-30 22:42:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1318.html
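The practical question this bug leaves for an administrator is whether a given RHEL 5 host already carries the rebased package named in the Fixed In Version field (nss-3.14.3-11.el5). The script below is an added example, not part of the bug or of the nss package: it implements a simplified rpmvercmp-style comparison of version and release strings and applies it to constructed package strings (on a real host the installed string would come from `rpm -q nss`). It assumes name-version-release strings without an epoch, and it follows the rpm segment rules (numeric segments compare numerically, alphabetic ones lexically, numeric is newer than alphabetic, longer wins on a tie) rather than calling rpm itself.

```shell
#!/bin/sh
# Added example, not part of the bug or of the nss package: a simplified
# rpm-style version comparison used to check whether an installed nss
# package is at or above this bug's Fixed In Version (nss-3.14.3-11.el5).
# Assumptions: package strings are name-version-release with no epoch,
# and the segment rules follow rpmvercmp (digits vs letters).

# Print the segments of a version string, one per line, splitting on
# separators and on digit/letter boundaries: "11.el5_9" -> 11 el 5 9
segments() {
  s=$1
  while [ -n "$s" ]; do
    # drop leading separators (anything that is not a digit or letter)
    lead=$(expr "$s" : '[^0-9A-Za-z]*' || true)
    s=$(printf '%s' "$s" | cut -c"$((lead + 1))-")
    [ -n "$s" ] || break
    seg=$(expr "$s" : '\([0-9]*\)' || true)
    [ -n "$seg" ] || seg=$(expr "$s" : '\([A-Za-z]*\)' || true)
    [ -n "$seg" ] || break
    printf '%s\n' "$seg"
    s=${s#"$seg"}
  done
}

# Compare two version strings and print -1, 0 or 1 (rpmvercmp rules):
# numeric segments compare numerically, alphabetic ones lexically, a
# numeric segment is newer than an alphabetic one, and when one side
# runs out of segments the longer one is newer.
vercmp() {
  if [ "$1" = "$2" ]; then printf '%s\n' 0; return; fi
  a=$(segments "$1" | tr '\n' ' ')
  b=$(segments "$2" | tr '\n' ' ')
  while [ -n "$a" ] && [ -n "$b" ]; do
    x=${a%% *}; a=${a#* }
    y=${b%% *}; b=${b#* }
    case $x in *[!0-9]*) xnum=0 ;; *) xnum=1 ;; esac
    case $y in *[!0-9]*) ynum=0 ;; *) ynum=1 ;; esac
    if [ "$xnum" = 1 ] && [ "$ynum" = 1 ]; then
      # strip leading zeros, then compare by length and by value
      x=${x#"${x%%[!0]*}"}; [ -n "$x" ] || x=0
      y=${y#"${y%%[!0]*}"}; [ -n "$y" ] || y=0
      if [ ${#x} -gt ${#y} ]; then printf '%s\n' 1; return; fi
      if [ ${#x} -lt ${#y} ]; then printf '%s\n' -1; return; fi
      if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
      if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    elif [ "$xnum" = 0 ] && [ "$ynum" = 0 ]; then
      # alphabetic segments: C-locale lexical order
      if [ "$x" != "$y" ]; then
        lo=$(printf '%s\n%s\n' "$x" "$y" | LC_ALL=C sort | head -n 1)
        if [ "$lo" = "$x" ]; then printf '%s\n' -1; else printf '%s\n' 1; fi
        return
      fi
    elif [ "$xnum" = 1 ]; then
      printf '%s\n' 1; return    # numeric beats alphabetic
    else
      printf '%s\n' -1; return
    fi
  done
  if [ -n "$a" ]; then printf '%s\n' 1
  elif [ -n "$b" ]; then printf '%s\n' -1
  else printf '%s\n' 0; fi
}

# Succeed (exit 0) when INSTALLED (e.g. the output of `rpm -q nss`) is at
# or above FIXED; version is compared first, release only on a tie.
nss_has_fix() {
  inst_rel=${1##*-}; inst_ver=${1%-*}; inst_ver=${inst_ver##*-}
  fix_rel=${2##*-};  fix_ver=${2%-*};  fix_ver=${fix_ver##*-}
  c=$(vercmp "$inst_ver" "$fix_ver")
  if [ "$c" = 0 ]; then c=$(vercmp "$inst_rel" "$fix_rel"); fi
  [ "$c" != -1 ]
}

# Constructed sample package strings (not output from a real host).
for pkg in nss-3.12.10-4.el5_9 nss-3.14.3-11.el5 nss-3.14.3-12.el5; do
  if nss_has_fix "$pkg" nss-3.14.3-11.el5; then
    printf '%s: at or above the fixed version\n' "$pkg"
  else
    printf '%s: below the fixed version, still affected\n' "$pkg"
  fi
done
```

The comparison deliberately checks the release field as well as the version, because the lucky-13 fix here is delivered as a rebase plus RHEL-specific patches in a particular release of the package, so an nss-3.14.3 build with a lower release string is not necessarily the errata build.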