Bug 918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue
Summary: [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss
Version: 5.10
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Elio Maldonado Batiz
QA Contact: Hubert Kario
URL:
Whiteboard:
Depends On: 919183 949047
Blocks: 928849 949845
Reported: 2013-03-07 09:42 UTC by Huzaifa S. Sidhpurwala
Modified: 2013-09-30 22:42 UTC (History)

Fixed In Version: nss-3.14.3-11.el5
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Rebase package(s) to version: 3.14.3
Highlights, important fixes, or notable enhancements: It is important that we document how customers can disable MD5 certificates after the rebase. This text should be updated to include that information.
Clone Of:
Environment:
Last Closed: 2013-09-30 22:42:54 UTC
Target Upstream Version:


Attachments
nss.spec changes required for the rebase - in patch form (21.12 KB, patch)
2013-03-30 20:11 UTC, Elio Maldonado Batiz
Same as previous one - plus bring back -flst- source tar ball (21.30 KB, patch)
2013-04-01 03:03 UTC, Elio Maldonado Batiz
rrelyea: review-


Links
Red Hat Product Errata RHBA-2013:1318 (priority: normal, status: SHIPPED_LIVE): nss bug fix and enhancement update, last updated 2013-09-30 21:13:17 UTC

Description Huzaifa S. Sidhpurwala 2013-03-07 09:42:44 UTC
We will need to rebase nss to 3.14.3 to fix the lucky-13 issue, as described in:
http://bugzilla.redhat.com/CVE-2013-1620

Comment 1 Suzanne Forsberg 2013-03-07 14:32:04 UTC
In order to fix CVE-2013-1620 in 5.9.z (see BZ 918870), we need to rebase nss to 3.14.3. Setting the 5.9.z? flag.

Comment 8 Elio Maldonado Batiz 2013-03-30 20:11:42 UTC
Created attachment 718353 [details]
nss.spec changes required for the rebase - in patch form

Highlights:
- We now run almost all of upstream test suites as part of the build
- Kept franken-nss steps as comments for future time when needed
- Added patch to accept signatures with md5 by default for backward compatibility
- binutil220 assembler used for intel-gcm hardware support
- Using our own sqlite as the system one of RHEL-5 isn't sufficient for our needs
- Removed 14 patches rendered obsolete by the rebase and updated others
- Install empty sharedb files and system-pkcs11.txt config file but ...
- not installing nss-sysinit module to keep this a mere rebase & reduce risks

Comment 9 Elio Maldonado Batiz 2013-04-01 03:03:32 UTC
Created attachment 730158 [details]
Same as previous one - plus bring back -flst- source tar ball

Comment 10 Bob Relyea 2013-04-01 21:27:25 UTC
Comment on attachment 730158 [details]
Same as previous one - plus bring back -flst- source tar ball

r-

The following issues:

We can't just turn on the NSS self-built SQLite. The issue is we form a runtime dependency on the newer sqlite, but we can't install the newer version because we will overwrite the system version. This can be solved as follows:

1) include a patch to allow us to use the older sqlite. (preferred)
2) rename the sqlite library name for NSS RHEL-5 so we can use our own. (discouraged).
3) Get the system sqlite updated so we can use it. (not likely for -z stream, still a potential option for 5.10).

Turning off the new DB in RHEL-5 is an option in z stream since it wasn't supported in 3.11; I suspect we don't have to go that far, however.

ECC changes.

Your line which builds 'softoken/freebl' without ECC assumes a separate tree for softoken/freebl, which you no longer have. The result is you turn off NSS proper's ability to use ECC if you include a loadable module. You will break RHCS if you do this. :)

freebl headers and library added to -devel. (Note: the new util headers should be included. They are cross-linked, so old apps will need them when they rebuild.)

We shouldn't add these to the nss-devel package. If you want to add them, add them to nss-softokn-devel, but I suggest just removing them for the z-stream release.


bob

Comment 18 errata-xmlrpc 2013-09-30 22:42:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1318.html
