Our current delta has the following patches:
=== BEGIN DELTA ANALYSIS ===
* New upstream release. (LP: #1959126) [2:3.68.2-0ubuntu1]
We went "ahead" of Debian here. We must drop this to get back to
tracking the Debian history.
* d/p/CVE-2021-43527.patch: drop patch applied upstream.
[ Fixed in 3.68.1 ]
* SECURITY UPDATE: heap overflow when verifying DSA/RSA-PSS DER-encoded
signatures
- debian/patches/CVE-2021-43527.patch: check signature lengths in
nss/lib/cryptohi/secvfy.c.
- CVE-2021-43527
When dropping the "New upstream release", this would be re-introduced,
but since this was fixed in 3.68.1 already, it can be/remain dropped.
- d/libnss3.links: Make freebl3 available as library. (LP #1744328)
- d/libnss3.links.in: Symlink chk files to fix self-verification in
FIPS mode. (LP #1885562)
- d/control: Add dh-exec to Build-Depends.
- d/rules: Make mkdir tolerate debian/tmp existing (due to dh-exec).
The packaging approach changed in Debian for 2:3.72-1 to stick to the upstream
distribution approach. The libraries are now shipped in a single directory and
therefore this patch is no longer needed.
dh-exec was only used for this links file and the related deltas are also no
longer needed.
- d/p/disable_fips_enabled_read.patch: Disable reading fips_enabled flag
in FIPS mode as libnss is not a FIPS certified library. (LP #1837734)
LP: #1837734, which introduced this patch, has a comment from the patch
author saying this was never needed in this package and was added to fix
an issue with firefox, which had libnss embedded back when this was
introduced. This can also be dropped.
- d/p/set-tls1.2-as-minimum.patch: Set TLSv1.2 as minimum TLS version.
(LP #1856428)
This was included in upstream version 3.69 and can be dropped.
- d/p/fix-ftbfs-s390x.patch: Fix some uninitialized variable warnings
and format overflows for s390x.
- d/p/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error
checking on call to getcwd since this results in an erroneous warning
that causes the build to fail otherwise.
There are no FTBFS issues with the current Debian version. Hence, these
are no longer needed. See https://launchpad.net/~athos-
ribeiro/+archive/ubuntu/nss377-transition/+packages
- d/rules: Disable LTO on s390x for now. (LP #1931104)
In the upstream issue linked in LP: #1931104, the Fedora packager re-
enabled LTO since version 3.69 and reported no issues/regressions were
observed. The same applies for our test builds at
https://launchpad.net/~athos-
ribeiro/+archive/ubuntu/nss377-transition/+packages. This can also be
dropped.
=== END DELTA ANALYSIS ===
Based on the report above, we can safely drop all delta for nss.
This can be a sync.
A bileto ticket was created to ensure rdeps sanity before we proceed
with sync'ing this package at https://bileto.ubuntu.com/#/ticket/4857
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-43527
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1971299
Title:
Merge nss from Debian unstable for kinetic
Status in nss package in Ubuntu:
In Progress
Bug description:
Upstream: tbd
Debian: 2:3.77-1
Ubuntu: 2:3.68.2-0ubuntu1
### New Debian Changes ###
nss (2:3.77-1) unstable; urgency=medium
* New upstream release.
* debian/libnss3.symbols: Add NSS_3.77 symbol version.
-- Mike Hommey <[email protected]> Wed, 06 Apr 2022 09:18:22 +0900
nss (2:3.75-1) unstable; urgency=medium
* New upstream release.
-- Mike Hommey <[email protected]> Wed, 09 Feb 2022 08:46:51 +0900
nss (2:3.73.1-1) unstable; urgency=medium
* New upstream release.
-- Mike Hommey <[email protected]> Fri, 17 Dec 2021 06:16:55 +0900
nss (2:3.73-1) unstable; urgency=medium
* New upstream release.
* Fixes MFSA-2021-51, aka CVE-2021-43527: Memory corruption via DER-encoded
DSA and RSA-PSS signatures.
-- Mike Hommey <[email protected]> Thu, 02 Dec 2021 06:04:31 +0900
nss (2:3.72-2) unstable; urgency=medium
* debian/control: libnss3-dev breaks libxmlsec1-dev (<< 1.2.33-1).
Closes: #998733.
-- Mike Hommey <[email protected]> Fri, 12 Nov 2021 06:21:05 +0900
nss (2:3.72-1) unstable; urgency=medium
* New upstream release.
* debian/libnss3.symbols, nss/lib/ssl/sslinfo.c, nss/lib/ssl/sslt.h,
nss/cmd/selfserv/selfserv.c, nss/cmd/strsclnt/strsclnt.c,
nss/cmd/tstclnt/tstclnt.c: Bump dependency version for SSL_GetChannelInfo
symbol and remove the previous workaround. Closes: #990058.
* debian/libnss3.lintian-overrides.in, debian/rules,
nss/cmd/shlibsign/shlibsign.c, nss/lib/pk11wrap/pk11load.c,
nss/lib/util/secload.c, nss/cmd/shlibsign/Makefile,
nss/cmd/shlibsign/manifest.mn: Stop putting freebl, softokn, etc. in a
subdirectory. It's a deviation from upstream that is causing more problems
than it's worth keeping. Closes: #737855, #846012, #979159.
* debian/libnss3-dev.links.in: Remove xulrunner-nss.pc.
* debian/rules: Stop forcing xz compression.
* debian/copyright: Add dot for continuation.
* debian/watch: Upgrade to version 4.
* debian/control: Upgrade Standard-Version to 4.6.0:
- debian/rules: Build with `make -s` when DEB_BUILD_OPTIONS contains
terse.
- debian/control: Add Rules-Requires-Root: no.
* debian/control: Remove conflict with libnss3-1d. The last Debian version
with libnss3-1d was jessie, and it had a newer version anyways.
* debian/rules: Enable all hardening options.
* debian/libnss3-symbols: Add Build-Depends-Package in symbols file.
* debian/*.lintian-overrides*: Remove
copyright-refers-to-versionless-license-file lintian overrides.
* debian/libnss3.lintian-overrides.in:
- s/shlib-without-versioned-soname/shared-library-lacks-version/.
- Add lacks-unversioned-link-to-shared-library overrides.
* debian/nss-config.in, debian/rules: Ship upstream nss-config instead of
ours. Closes: #737855, #963136.
* debian/rules, debian/control: Always set Multi-Arch: same.
* debian/copyright:
- Remove commas in `Files`.
- Add missing license name for ifparser.
- Add missing `Copyright`.
- Remove copyright for mkdepend, which is not in the source tree anymore.
* debian/upstream/metadata: Add upstream bug tracking metadata.
[ Daniel Kahn Gillmor ]
* debian/control: correct Homepage (old URL redirects to 404)
[ Janitor ]
* debian/changelog: Trim trailing whitespace.
* debian/copyright: Use secure copyright file specification URI.
* debian/compat, debian/control:
- Bump debhelper from deprecated 9 to 13.
- Set debhelper-compat version in Build-Depends.
* debian/upstream/metadata: Set upstream metadata fields: Repository.
* debian/rules: Drop transition for old debug package migration.
-- Mike Hommey <[email protected]> Tue, 02 Nov 2021 06:57:06 +0900
nss (2:3.70-1) unstable; urgency=medium
* New upstream release.
-- Mike Hommey <[email protected]> Wed, 08 Sep 2021 08:31:23 +0900
nss (2:3.68-1) unstable; urgency=medium
* New upstream release.
-- Mike Hommey <[email protected]> Mon, 19 Jul 2021 06:23:39 +0900
### Old Ubuntu Delta ###
nss (2:3.68.2-0ubuntu1) jammy; urgency=medium
* New upstream release. (LP: #1959126)
* d/p/CVE-2021-43527.patch: drop patch applied upstream.
[ Fixed in 3.68.1 ]
-- Athos Ribeiro <[email protected]> Mon, 21 Feb 2022
14:55:42 -0300
nss (2:3.68-1ubuntu2) jammy; urgency=medium
* SECURITY UPDATE: heap overflow when verifying DSA/RSA-PSS DER-encoded
signatures
- debian/patches/CVE-2021-43527.patch: check signature lengths in
nss/lib/cryptohi/secvfy.c.
- CVE-2021-43527
-- Marc Deslauriers <[email protected]> Mon, 29 Nov 2021
07:12:54 -0500
nss (2:3.68-1ubuntu1) impish; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/libnss3.links: Make freebl3 available as library. (LP #1744328)
- d/control: Add dh-exec to Build-Depends.
- d/rules: Make mkdir tolerate debian/tmp existing (due to dh-exec).
- d/p/disable_fips_enabled_read.patch: Disable reading fips_enabled flag
in FIPS mode as libnss is not a FIPS certified library. (LP #1837734)
- d/p/set-tls1.2-as-minimum.patch: Set TLSv1.2 as minimum TLS version.
(LP #1856428)
- d/libnss3.links.in: Symlink chk files to fix self-verification in
FIPS mode. (LP #1885562)
- d/p/fix-ftbfs-s390x.patch: Fix some uninitialized variable warnings
and format overflows for s390x.
- d/p/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error
checking on call to getcwd since this results in an erroneous warning
that causes the build to fail otherwise.
* New changes:
- d/rules: Disable LTO on s390x for now. (LP #1931104)
-- Paride Legovini <[email protected]> Wed, 28 Jul 2021 15:27:12
+0200
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1971299/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
