Bug 918948
| Field | Value |
|---|---|
| Summary | [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Huzaifa S. Sidhpurwala <huzaifas> |
| Component | nss |
| Assignee | Elio Maldonado Batiz <emaldona> |
| Status | CLOSED ERRATA |
| QA Contact | Alicja Kario <hkario> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 5.10 |
| CC | amarecek, bgollahe, cschalle, dpal, eparis, hkario, huzaifas, jgalipea, jrieden, kengert, ksrot, rrelyea, sforsber, stransky, thoger, tpelka |
| Target Milestone | rc |
| Keywords | FutureFeature, Rebase, ZStream |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | nss-3.14.3-11.el5 |
| Doc Type | Rebase: Bug Fixes and Enhancements |
| Doc Text | Rebase package(s) to version: 3.14.3. Highlights, important fixes, or notable enhancements: It is important that we document how customers can disable MD5 certificates after the rebase. This text should be updated to include that information. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2013-09-30 22:42:54 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 919183, 949047 |
| Bug Blocks | 928849, 949845 |
| Attachments | |
Description
Huzaifa S. Sidhpurwala
2013-03-07 09:42:44 UTC
In order to fix CVE-2013-1620 in 5.9.z (see BZ 918870), we need to rebase nss to 3.14.3. Setting the 5.9.z? flag.

Created attachment 718353
nss.spec changes required for the rebase - in patch form
Highlights:
- We now run almost all of upstream test suites as part of the build
- Kept franken-nss steps as comments for future time when needed
- Added patch to accept signatures with md5 by default for backward compatibility
- binutil220 assembler used for intel-gcm hardware support
- Using our own sqlite as the system one of RHEL-5 isn't sufficient for our needs
- Removed 14 patches rendered obsolete by the rebase and updated others
- Install empty sharedb files and system-pkcs11.txt config file but ...
- not installing nss-sysinit module to keep this a mere rebase & reduce risks
Created attachment 730158
Same as previous one - plus bring back -flst- source tar ball

Comment on attachment 730158
Same as previous one - plus bring back -flst- source tar ball
r-
The following issues:
We can't just turn on the NSS self built SQLite. The issue is we form a runtime dependency on the newer sqlite, but we can't install the newer version because we will overwrite the system version. This can be solved as follows:
1) include a patch to allow us to use the older sqlite. (preferred)
2) rename the sqlite library name for NSS RHEL-5 so we can use our own. (discouraged).
3) Get the system sqlite updated so we can use it. (not likely for -z stream, still a potential option for 5.10).
Turning off the new DB in RHEL-5 is an option in z stream since it wasn't supported in 3.11, I suspect we don't have to go that far, however.
ECC changes.
Your line which builds 'softoken/freebl' without ECC assumes a separate tree for softoken/freebl, which you no longer have. The result is you turn off NSS proper's ability to use ECC if you include a loadable module. You will break RHCS if you do this. :)
freebl headers and library added to -devel. (note the new util headers should be included, They are cross linked so old apps will need them when they rebuild).
We shouldn't add these to the nss-devel package. If you want to add them, add them to nss-softokn-devel, but I suggest just removing them for the z-stream release.
bob
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1318.html