configure.ac | 2 -
download.lst | 8 +++----
external/nss/README | 26 ++++++++++---------------
external/openssl/configurable-z-option.patch.0 | 14 ++++++-------
4 files changed, 23 insertions(+), 27 deletions(-)
New commits:
commit b9549d52decac9570cf4796652a0a6e64c1f449b
Author: Andras Timar <andras.ti...@collabora.com>
AuthorDate: Fri Feb 23 11:00:13 2024 +0100
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Fri Feb 23 11:00:13 2024 +0100
Bump version to 7.5.9.4
Change-Id: I7413926adaf629edfc91a62488661b9071b667b8
diff --git a/configure.ac b/configure.ac
index 123c56fc0852..4faf9002896c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -9,7 +9,7 @@ dnl in order to create a configure script.
# several non-alphanumeric characters, those are split off and used only for
the
# ABOUTBOXPRODUCTVERSIONSUFFIX in openoffice.lst. Why that is necessary, no
idea.
-AC_INIT([LibreOffice],[7.5.9.3],[],[],[http://documentfoundation.org/])
+AC_INIT([LibreOffice],[7.5.9.4],[],[],[http://documentfoundation.org/])
dnl libnumbertext needs autoconf 2.68, but that can pick up autoconf268 just
fine if it is installed
dnl whereas aclocal (as run by autogen.sh) insists on using autoconf and fails
hard
commit 0b4f9426d7c131e70bb98ef9e6aab99464702a0c
Author: Mike Kaganski <mike.kagan...@collabora.com>
AuthorDate: Fri Feb 16 13:43:20 2024 +0600
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Fri Feb 23 10:59:46 2024 +0100
OpenSSL: upgrade to 3.0.13
Change-Id: Ib03c99a2dbf0f7c932b8a6b953ac9eb9c43f978f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163493
Tested-by: Jenkins
Reviewed-by: Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
diff --git a/download.lst b/download.lst
index b7d70460336d..1133601065bf 100644
--- a/download.lst
+++ b/download.lst
@@ -419,8 +419,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz
# three static lines
# so that git cherry-pick
# will not run into conflicts
-OPENSSL_SHA256SUM :=
b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55
-OPENSSL_TARBALL := openssl-3.0.11.tar.gz
+OPENSSL_SHA256SUM :=
88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313
+OPENSSL_TARBALL := openssl-3.0.13.tar.gz
# three static lines
# so that git cherry-pick
# will not run into conflicts
commit c36996abf3b792fc7da953275a7ba58ca7b0fd0f
Author: Taichi Haradaguchi <20001...@ymail.ne.jp>
AuthorDate: Sat Sep 30 23:54:06 2023 +0900
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Fri Feb 23 10:59:04 2024 +0100
openssl: upgrade to release 3.0.11
Change-Id: I80c6fde3b6ae526f46b6bc346f09b287cc88b032
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/157433
Tested-by: Jenkins
Reviewed-by: Taichi Haradaguchi <20001...@ymail.ne.jp>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163522
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>
Reviewed-by: Andras Timar <andras.ti...@collabora.com>
diff --git a/download.lst b/download.lst
index 5abd5b8039bc..b7d70460336d 100644
--- a/download.lst
+++ b/download.lst
@@ -419,8 +419,8 @@ OPENLDAP_TARBALL := openldap-2.4.59.tgz
# three static lines
# so that git cherry-pick
# will not run into conflicts
-OPENSSL_SHA256SUM :=
1761d4f5b13a1028b9b6f3d4b8e17feb0cedc9370f6afe61d7193d2cdce83323
-OPENSSL_TARBALL := openssl-3.0.10.tar.gz
+OPENSSL_SHA256SUM :=
b3425d3bb4a2218d0697eb41f7fc0cdede016ed19ca49d168b78e8d947887f55
+OPENSSL_TARBALL := openssl-3.0.11.tar.gz
# three static lines
# so that git cherry-pick
# will not run into conflicts
diff --git a/external/openssl/configurable-z-option.patch.0
b/external/openssl/configurable-z-option.patch.0
index 9a4426edd5d2..d9478b6a9701 100644
--- a/external/openssl/configurable-z-option.patch.0
+++ b/external/openssl/configurable-z-option.patch.0
@@ -1,15 +1,15 @@
---- Configurations/10-main.conf.sav 2021-08-24 13:38:47.000000000 +0000
-+++ Configurations/10-main.conf 2021-11-02 22:20:44.377653700 +0000
-@@ -13,7 +13,7 @@
+--- Configurations/10-main.conf.sav 2023-09-19 22:02:31.000000000 +0900
++++ Configurations/10-main.conf 2023-09-30 23:47:49.734377000 +0900
+@@ -14,7 +14,7 @@
} elsif ($disabled{asm}) {
# assembler is still used to compile uplink shim
$vc_win64a_info = { AS => "ml64",
- ASFLAGS => "/nologo /Zi",
+ ASFLAGS => "/nologo $$(DEBUG_FLAGS_VALUE)",
asflags => "/c /Cp /Cx",
- asoutflag => "/Fo" };
- } else {
-@@ -41,7 +41,7 @@
+ asoutflag => "/Fo",
+ perlasm_scheme => "masm" };
+@@ -44,7 +44,7 @@
} elsif ($disabled{asm}) {
# not actually used, uplink shim is inlined into C code
$vc_win32_info = { AS => "ml",
@@ -18,7 +18,7 @@
asflags => "/Cp /coff /c /Cx",
asoutflag => "/Fo",
perlasm_scheme => "win32" };
-@@ -1323,10 +1323,10 @@
+@@ -1333,10 +1333,10 @@
"UNICODE", "_UNICODE",
"_CRT_SECURE_NO_DEPRECATE",
"_WINSOCK_DEPRECATED_NO_WARNINGS"),
commit 88c420a23f8f3273bbebc2d217d65d650bc24fb5
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Fri Feb 16 10:34:54 2024 +0100
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Fri Feb 23 10:58:46 2024 +0100
nss: upgrade to release 3.98
Fixes CVE-2023-5388
Also update README, and remove obsolete documentation of Debian's
mangled SONAME; relevant Debian changelog:
nss (2:3.13.4-2) unstable; urgency=low
* debian/control, debian/libnss3*, debian/rules,
mozilla/security/coreconf/*, mozilla/security/nss/lib/*/manifest.mn:
Move to unversioned library. ABI compatibility is ensured upstream, and
the SO version, if it needed a change at any time, would be a change in
the library name. There is no reason to keep making compatibility more
difficult with other distros and upstream binary releases. While
previous
versions were one-way compatible (binaries built against other distros
or
upstream nspr could work on Debian), this approach works both ways.
-- Mike Hommey <gland...@debian.org> Thu, 17 May 2012 09:45:36 +0200
Change-Id: Ifc1eae68827fa88ae001a3903c8555af67b488ac
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163482
Tested-by: Michael Stahl <michael.st...@allotropia.de>
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
(cherry picked from commit c5e7af92ebcde59cb72fda2a88d08dc6656dc2e2)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163507
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>
Reviewed-by: Andras Timar <andras.ti...@collabora.com>
diff --git a/download.lst b/download.lst
index c6c16b0ef2bf..5abd5b8039bc 100644
--- a/download.lst
+++ b/download.lst
@@ -393,8 +393,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz
# three static lines
# so that git cherry-pick
# will not run into conflicts
-NSS_SHA256SUM :=
a7a920d295998563b33d9e06c1a36b799201493d81b64537fab42f2a733411ce
-NSS_TARBALL := nss-3.97-with-nspr-4.35.tar.gz
+NSS_SHA256SUM :=
59bb55a59b02e4004fc26ad0aa1a13fe8d73c6c90c447dd2f2efb73fb81083ed
+NSS_TARBALL := nss-3.98-with-nspr-4.35.tar.gz
# three static lines
# so that git cherry-pick
# will not run into conflicts
diff --git a/external/nss/README b/external/nss/README
index 6997cea6ca06..09931f64ea20 100644
--- a/external/nss/README
+++ b/external/nss/README
@@ -1,5 +1,16 @@
Contains the Network Security Services (NSS) libraries from Mozilla
+== ESR versions ==
+
+Upstream releases both regular and "ESR" versions, the latter go into Firefox
+ESR and Thunderbird.
+
+There is a new ESR version about once a year, and a ESR version gets micro
+updates only when there are security issues to fix, and it's not always obvious
+from the release notes of a regular release if there are security issues that
+are relevant to LibreOffice, hence it's probably best to bundle only the ESR
+versions and upgrade for every micro release (as recommended by upstream).
+
== Fips 140 and signed libraries ==
Fips 140 mode is not supported. That is, the *.chk files containing the
@@ -20,18 +31,3 @@ With all supported macOS SDK we use
NSS_USE_SYSTEM_SQLITE=1
to build using the system sqlite.
-== system NSS on Linux ==
-
-Note that different Linux distributions use different SONAMEs for the
-NSS libraries, so it is not possible to use --with-system-nss and build
-a portable generic LO installation set, despite NSS upstream apparently
-maintaining ABI compatibility.
-
-Debian Squeeze:
-0x000000000000000e (SONAME) Library soname: [libnss3.so.1d]
-Fedora 20:
-0x000000000000000e (SONAME) Library soname: [libnss3.so]
-
-For the record, the LSB specified SONAME is libnss3.so
-http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libnss3.html
-
commit 10ee2a03922ee47881a20830efd2466afee72421
Author: Andras Timar <andras.ti...@collabora.com>
AuthorDate: Wed Feb 14 22:18:30 2024 +0100
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Fri Feb 23 10:58:43 2024 +0100
nss: upgrade to release 3.97
Change-Id: If0eaf6a93f57239d81491c635922745bf3f38fd5
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163411
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoff...@gmail.com>
Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git a/download.lst b/download.lst
index 3030321b11ec..c6c16b0ef2bf 100644
--- a/download.lst
+++ b/download.lst
@@ -393,8 +393,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz
# three static lines
# so that git cherry-pick
# will not run into conflicts
-NSS_SHA256SUM :=
f78ab1d911cae8bbc94758fb3bd0f731df4087423a4ff5db271ba65381f6b739
-NSS_TARBALL := nss-3.90-with-nspr-4.35.tar.gz
+NSS_SHA256SUM :=
a7a920d295998563b33d9e06c1a36b799201493d81b64537fab42f2a733411ce
+NSS_TARBALL := nss-3.97-with-nspr-4.35.tar.gz
# three static lines
# so that git cherry-pick
# will not run into conflicts
