We will need to rebase nss to 3.14.3 to fix the lucky-13 issue, as described in: http://bugzilla.redhat.com/CVE-2013-1620
In order to fix CVE-2013-1620 in 5.9.z (see BZ 918870), we need to rebase nss to 3.14.3. Setting the 5.9.z? flag.
Created attachment 718353 [details]
nss.spec changes required for the rebase - in patch form

Highlights:
- We now run almost all of the upstream test suites as part of the build
- Kept franken-nss steps as comments for a future time when needed
- Added patch to accept signatures with MD5 by default for backward compatibility
- binutil220 assembler used for intel-gcm hardware support
- Using our own sqlite, as the system one on RHEL-5 isn't sufficient for our needs
- Removed 14 patches rendered obsolete by the rebase and updated others
- Install empty sharedb files and system-pkcs11.txt config file but ...
- ... not installing nss-sysinit module to keep this a mere rebase & reduce risks
Created attachment 730158 [details] Same as previous one - plus bring back -flst- source tar ball
Comment on attachment 730158 [details]
Same as previous one - plus bring back -flst- source tar ball

r-

The following issues:

We can't just turn on the NSS self-built SQLite. The issue is we form a runtime dependency on the newer sqlite, but we can't install the newer version because we will overwrite the system version. This can be solved as follows:
1) include a patch to allow us to use the older sqlite. (preferred)
2) rename the sqlite library name for NSS RHEL-5 so we can use our own. (discouraged)
3) Get the system sqlite updated so we can use it. (not likely for -z stream, still a potential option for 5.10)
Turning off the new DB in RHEL-5 is an option in z stream since it wasn't supported in 3.11; I suspect we don't have to go that far, however.

ECC changes. Your line which builds 'softoken/freebl' without ECC assumes a separate tree for softoken/freebl, which you no longer have. The result is you turn off NSS proper's ability to use ECC if you include a loadable module. You will break RHCS if you do this. :)

freebl headers and library added to -devel. (Note the new util headers should be included; they are cross-linked, so old apps will need them when they rebuild.) We shouldn't add these to the nss-devel package. If you want to add them, add them to nss-softokn-devel, but I suggest just removing them for the z-stream release.

bob
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1318.html