[Bug 1971299] Re: Merge nss from Debian unstable for kinetic
Athos Ribeiro
1971299 at bugs.launchpad.net
Thu May 26 17:26:50 UTC 2022

Our current delta has the following patches:

=== BEGIN DELTA ANALYSIS ===

* New upstream release. (LP: #1959126) [2:3.68.2-0ubuntu1]

We went "ahead" of Debian here. We must drop this to get back to
tracking the Debian history.

* d/p/CVE-2021-43527.patch: drop patch applied upstream.
  [ Fixed in 3.68.1 ]
* SECURITY UPDATE: heap overflow when verifying DSA/RSA-PSS DER-encoded
  signatures
  - debian/patches/CVE-2021-43527.patch: check signature lengths in
    nss/lib/cryptohi/secvfy.c.
  - CVE-2021-43527

When dropping the "New upstream release", this would be re-introduced,
but since this was fixed in 3.68.1 already, it can be/remain dropped.

- d/libnss3.links: Make freebl3 available as library. (LP #1744328)
- d/libnss3.links.in: Symlink chk files to fix self-verification in
  FIPS mode. (LP #1885562)
- d/control: Add dh-exec to Build-Depends.
- d/rules: Make mkdir tolerate debian/tmp existing (due to dh-exec).

The packaging approach changed in Debian for 2:3.72-1 to stick to the
upstream distribution approach. The libraries are now shipped in a
single directory and therefore this patch is no longer needed.
dh-exec was only used for this links file and the related deltas are
also no longer needed.

- d/p/disable_fips_enabled_read.patch: Disable reading fips_enabled flag
  in FIPS mode as libnss is not a FIPS certified library. (LP #1837734)

LP: #1837734, which introduced this patch, has a comment from the patch
author saying this was never needed in this package and was added to fix
an issue with firefox, which had libnss embedded back when this was
introduced. This can also be dropped.

- d/p/set-tls1.2-as-minimum.patch: Set TLSv1.2 as minimum TLS version.
  (LP #1856428)

This was included in upstream version 3.69 and can be dropped.

- d/p/fix-ftbfs-s390x.patch: Fix some uninitialized variable warnings
  and format overflows for s390x.
- d/p/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error
  checking on call to getcwd since this results in an erroneous warning
  that causes the build to fail otherwise.

There are no FTBFS issues with the current Debian version. Hence, these
are no longer needed. See
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/nss377-transition/+packages

- d/rules: Disable LTO on s390x for now. (LP #1931104)

In the upstream issue linked in LP: #1931104, the Fedora packager
re-enabled LTO since version 3.69 and reported no issues/regressions were
observed. The same applies for our test builds at
https://launchpad.net/~athos-ribeiro/+archive/ubuntu/nss377-transition/+packages.
This can also be dropped.

=== END DELTA ANALYSIS ===

Based on the report above, we can safely drop all delta for nss.
This can be a sync.

A bileto ticket was created to ensure rdeps sanity before we proceed
with sync'ing this package at https://bileto.ubuntu.com/#/ticket/4857

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-43527
https://bugs.launchpad.net/bugs/1971299