Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2026-05-25 21:52:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old) and /work/SRC/openSUSE:Factory/.mozilla-nss.new.2084 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss" Mon May 25 21:52:31 2026 rev:240 rq:1354980 version:3.123.1 Changes: -------- --- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2026-04-29 19:18:58.083844603 +0200 +++ /work/SRC/openSUSE:Factory/.mozilla-nss.new.2084/mozilla-nss.changes 2026-05-25 21:53:32.904931523 +0200 @@ -1,0 +2,10 @@ +Fri May 15 18:10:41 UTC 2026 - Wolfgang Rosenauer <[email protected]> + +- update to NSS 3.123.1 + * bmo#2033783 - reject DTLS 1.3 Server Hello after HVR without + capping ss->vrange.max +- update to NSS 3.123 + * https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/AW6VHkn6E0o +- disabled FIPS patches temporarily (need significant rebasing) + +------------------------------------------------------------------- Old: ---- nss-3.122.2.tar.gz New: ---- nss-3.123.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ --- /var/tmp/diff_new_pack.CAA9YP/_old 2026-05-25 21:53:42.441323685 +0200 +++ /var/tmp/diff_new_pack.CAA9YP/_new 2026-05-25 21:53:42.445323849 +0200 @@ -17,15 +17,16 @@ # -%global nss_softokn_fips_version 3.122 -%define NSPR_min_version 4.38 +%global nss_softokn_fips_version 3.123 +%define NSPR_min_version 4.39 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb %global crypto_policies_version 20210218 +%define fips 0 Name: mozilla-nss -Version: 3.122.2 +Version: 3.123.1 Release: 0 -%define underscore_version 3_122_2 +%define underscore_version 3_123_1 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries @@ -211,6 +212,7 @@ %patch -P 6 -p1 %patch -P 7 -p1 # FIPS patches +%if 0%{?fips} %patch -P 9 -p1 %patch -P 10 -p1 %patch -P 11 -p1 
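Review bot: `%define fips 0` in the `@@ -17,15 +17,16 @@` hunk of mozilla-nss.spec turns the FIPS patch set off with nothing in the spec saying why or for how long. The only record is the changelog line "disabled FIPS patches temporarily". A comment directly above the macro would keep that next to the switch, for example `# FIPS patches are not yet rebased onto NSS 3.123; this build ships without them`. The same hunk bumps `nss_softokn_fips_version` to 3.123 although the FIPS patches are not applied. What that macro feeds is outside the hunk, so it is worth confirming the bump is intended for an unpatched build.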
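Review bot: The `%if 0%{?fips}` added under `# FIPS patches` in the `@@ -211,6 +212,7 @@` hunk is closed only by the `%endif` added after `%patch -P 51 -p1` in the next hunk (`@@ -246,6 +248,7 @@`), so every `%patch` line from 9 to 51 is now skipped. The lines between the two hunks are not visible, and the range already holds at least one inner `%endif` (the context line before `%patch -P 50`), so please confirm nothing in it is needed outside FIPS mode. The patch files refreshed later in this commit (`nss-fips-constructor-self-tests.patch`, `nss-fips-gcm-ctr.patch`, `nss-fips-pairwise-consistency-check.patch`, `nss-fips-rsa-keygen-strictness.patch`, `nss-fips-dsa-kat.patch`) appear to belong to this set. If so, a system running this build in FIPS mode would lack those self-tests and checks with no indication at build or install time. A comment line above each end of the block would make the gap explicit, for example `# FIPS patches disabled until rebased; FIPS mode is not covered by this build` and `# end of FIPS patches`.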
@@ -246,6 +248,7 @@ %endif %patch -P 50 -p1 %patch -P 51 -p1 +%endif # additional CA certificates #cd security/nss/lib/ckfw/builtins ++++++ baselibs.conf ++++++ --- /var/tmp/diff_new_pack.CAA9YP/_old 2026-05-25 21:53:42.753336515 +0200 +++ /var/tmp/diff_new_pack.CAA9YP/_new 2026-05-25 21:53:42.789337996 +0200 @@ -1,5 +1,5 @@ mozilla-nss - requires "mozilla-nspr-<targettype> >= 4.38" + requires "mozilla-nspr-<targettype> >= 4.39" requires "libfreebl3-<targettype>" requires "libsoftokn3-<targettype>" requires "libnssckbi.so" ++++++ bmo1962556.patch ++++++ --- /var/tmp/diff_new_pack.CAA9YP/_old 2026-05-25 21:53:42.877341615 +0200 +++ /var/tmp/diff_new_pack.CAA9YP/_new 2026-05-25 21:53:42.901342602 +0200 @@ -16,7 +16,7 @@ =================================================================== --- nss.orig/tests/ssl/ssl.sh +++ nss/tests/ssl/ssl.sh -@@ -982,8 +982,8 @@ ssl_policy_pkix_ocsp() +@@ -997,8 +997,8 @@ ssl_policy_pkix_ocsp() echo " vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out" vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out # make sure we have the domain mismatch, not bad signature error ++++++ malloc.patch ++++++ --- /var/tmp/diff_new_pack.CAA9YP/_old 2026-05-25 21:53:42.977345727 +0200 +++ /var/tmp/diff_new_pack.CAA9YP/_new 2026-05-25 21:53:42.981345891 +0200 
@@ -2,7 +2,7 @@ =================================================================== --- nss.orig/tests/ssl/ssl.sh +++ nss/tests/ssl/ssl.sh -@@ -1661,6 +1661,7 @@ ssl_run_tests() +@@ -1676,6 +1676,7 @@ ssl_run_tests() ################################# main ################################# ++++++ nss-3.122.2.tar.gz -> nss-3.123.1.tar.gz ++++++ /work/SRC/openSUSE:Factory/mozilla-nss/nss-3.122.2.tar.gz /work/SRC/openSUSE:Factory/.mozilla-nss.new.2084/nss-3.123.1.tar.gz differ: char 5, line 1 ++++++ nss-fips-constructor-self-tests.patch ++++++ --- /var/tmp/diff_new_pack.CAA9YP/_old 2026-05-25 21:53:43.221355762 +0200 +++ /var/tmp/diff_new_pack.CAA9YP/_new 2026-05-25 21:53:43.229356091 +0200 @@ -483,7 +483,7 @@ /* * different platforms have different ways of calling and initial entry point * when the dll/.so is loaded. Most platforms support either a posix pragma -@@ -1667,38 +1674,39 @@ freebl_fips_DH_PowerUpSelfTest(void) +@@ -1668,38 +1675,39 @@ freebl_fips_DH_PowerUpSelfTest(void) { /* DH Known P (2048-bits) */ static const PRUint8 dh_known_P[] = { @@ -555,7 +555,7 @@ }; static const PRUint8 dh_known_Y_1[] = { -@@ -1744,10 +1752,10 @@ freebl_fips_DH_PowerUpSelfTest(void) +@@ -1745,10 +1753,10 @@ freebl_fips_DH_PowerUpSelfTest(void) }; static const PRUint8 dh_known_hash_result[] = { @@ -570,7 +570,7 @@ }; /* DH variables. */ -@@ -1811,17 +1819,19 @@ freebl_fips_RNG_PowerUpSelfTest(void) +@@ -1812,17 +1820,19 @@ freebl_fips_RNG_PowerUpSelfTest(void) return (SECSuccess); } @@ -591,7 +591,7 @@ #define DO_FREEBL 1 #define DO_REST 2 -@@ -1933,11 +1943,13 @@ static PRBool self_tests_ran = PR_FALSE; +@@ -1934,11 +1944,13 @@ static PRBool self_tests_ran = PR_FALSE; static PRBool self_tests_freebl_success = PR_FALSE; static PRBool self_tests_success = PR_FALSE; 
@@ -606,7 +606,7 @@ { SECStatus rv; /* if the freebl self tests didn't run, there is something wrong with -@@ -1950,7 +1962,7 @@ BL_POSTRan(PRBool freebl_only) +@@ -1951,7 +1963,7 @@ BL_POSTRan(PRBool freebl_only) return PR_TRUE; } /* if we only care about the freebl tests, we are good */ @@ -615,7 +615,7 @@ return PR_TRUE; } /* run the rest of the self tests */ -@@ -1969,32 +1981,16 @@ BL_POSTRan(PRBool freebl_only) +@@ -1970,32 +1982,16 @@ BL_POSTRan(PRBool freebl_only) return PR_TRUE; } @@ -653,7 +653,7 @@ self_tests_freebl_ran = PR_TRUE; /* we are running the tests */ if (!freebl_only) { -@@ -2006,20 +2002,55 @@ bl_startup_tests(void) +@@ -2007,20 +2003,55 @@ bl_startup_tests(void) /* always run the post tests */ rv = freebl_fipsPowerUpSelfTest(freebl_only ? DO_FREEBL : DO_FREEBL | DO_REST); if (rv != SECSuccess) { @@ -711,7 +711,7 @@ } /* -@@ -2028,19 +2059,12 @@ bl_startup_tests(void) +@@ -2029,19 +2060,12 @@ bl_startup_tests(void) * power on selftest failed. */ SECStatus @@ -733,7 +733,7 @@ if (rerun) { /* reset the flags */ self_tests_freebl_ran = PR_FALSE; -@@ -2054,10 +2078,89 @@ BL_FIPSEntryOK(PRBool freebl_only, PRBoo +@@ -2055,10 +2079,89 @@ BL_FIPSEntryOK(PRBool freebl_only, PRBoo return SECSuccess; } /* standalone freebl can initialize */ @@ -1170,7 +1170,7 @@ =================================================================== --- nss.orig/lib/softoken/fipstest.c +++ nss/lib/softoken/fipstest.c -@@ -683,6 +683,175 @@ sftk_fips_HKDF_PowerUpSelfTest(void) +@@ -684,6 +684,175 @@ sftk_fips_HKDF_PowerUpSelfTest(void) return (SECSuccess); } @@ -1346,7 +1346,7 @@ static PRBool sftk_self_tests_ran = PR_FALSE; static PRBool sftk_self_tests_success = PR_FALSE; -@@ -694,7 +863,6 @@ void +@@ -695,7 +864,6 @@ void sftk_startup_tests_with_rerun(PRBool rerun) { SECStatus rv; 
@@ -1354,7 +1354,7 @@ PORT_Assert(!sftk_self_tests_ran); PORT_Assert(!sftk_self_tests_success); -@@ -706,6 +874,7 @@ sftk_startup_tests_with_rerun(PRBool rer +@@ -707,6 +875,7 @@ sftk_startup_tests_with_rerun(PRBool rer if (rv != SECSuccess) { return; } @@ -1362,7 +1362,7 @@ /* make sure freebl is initialized, or our RSA check * may fail. This is normally done at freebl load time, but it's * possible we may have shut freebl down without unloading it. */ -@@ -723,12 +892,15 @@ sftk_startup_tests_with_rerun(PRBool rer +@@ -724,12 +893,15 @@ sftk_startup_tests_with_rerun(PRBool rer if (rv != SECSuccess) { return; } @@ -1382,7 +1382,7 @@ rv = sftk_fips_IKE_PowerUpSelfTests(); if (rv != SECSuccess) { return; -@@ -766,17 +938,10 @@ sftk_startup_tests(void) +@@ -767,17 +939,10 @@ sftk_startup_tests(void) CK_RV sftk_FIPSEntryOK(PRBool rerun) { @@ -1401,7 +1401,7 @@ if (rerun) { sftk_self_tests_ran = PR_FALSE; sftk_self_tests_success = PR_FALSE; -@@ -787,6 +952,17 @@ sftk_FIPSEntryOK(PRBool rerun) +@@ -788,6 +953,17 @@ sftk_FIPSEntryOK(PRBool rerun) } return CKR_OK; } ++++++ nss-fips-dsa-kat.patch ++++++ --- /var/tmp/diff_new_pack.CAA9YP/_old 2026-05-25 21:53:43.253357078 +0200 +++ /var/tmp/diff_new_pack.CAA9YP/_new 2026-05-25 21:53:43.261357407 +0200 @@ -15,7 +15,7 @@ =================================================================== --- nss.orig/lib/freebl/dsa.c +++ nss/lib/freebl/dsa.c -@@ -536,7 +536,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt +@@ -537,7 +537,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt return rv; } ++++++ nss-fips-gcm-ctr.patch ++++++ --- /var/tmp/diff_new_pack.CAA9YP/_old 2026-05-25 21:53:43.285358393 +0200 +++ /var/tmp/diff_new_pack.CAA9YP/_new 2026-05-25 21:53:43.289358558 +0200 
@@ -14,7 +14,7 @@ =================================================================== --- nss.orig/lib/freebl/gcm.c +++ nss/lib/freebl/gcm.c -@@ -539,8 +539,14 @@ struct GCMContextStr { +@@ -618,8 +618,14 @@ struct GCMContextStr { unsigned char tagKey[MAX_BLOCK_SIZE]; PRBool ctr_context_init; gcmIVContext gcm_iv; @@ -29,7 +29,7 @@ SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv, unsigned int ivLen, unsigned int tagBits, const unsigned char *aad, unsigned int aadLen); -@@ -794,6 +800,8 @@ gcm_InitCounter(GCMContext *gcm, const u +@@ -873,6 +879,8 @@ gcm_InitCounter(GCMContext *gcm, const u goto loser; } @@ -38,7 +38,7 @@ /* finally mix in the AAD data */ rv = gcmHash_Reset(ghash, aad, aadLen); if (rv != SECSuccess) { -@@ -895,6 +903,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig +@@ -974,6 +982,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig return SECFailure; } @@ -52,7 +52,7 @@ tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE; if (UINT_MAX - inlen < tagBytes) { PORT_SetError(SEC_ERROR_INPUT_LEN); -@@ -923,6 +938,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig +@@ -1002,6 +1017,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig *outlen = 0; return SECFailure; }; ++++++ nss-fips-pairwise-consistency-check.patch ++++++ --- /var/tmp/diff_new_pack.CAA9YP/_old 2026-05-25 21:53:43.301359051 +0200 +++ /var/tmp/diff_new_pack.CAA9YP/_new 2026-05-25 21:53:43.305359216 +0200 @@ -14,7 +14,7 @@ =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -6165,6 +6165,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -6765,6 +6765,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS (PRUint32)crv); sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); } ++++++ nss-fips-rsa-keygen-strictness.patch ++++++ --- /var/tmp/diff_new_pack.CAA9YP/_old 2026-05-25 21:53:43.321359874 +0200 +++ /var/tmp/diff_new_pack.CAA9YP/_new 2026-05-25 21:53:43.321359874 +0200 
@@ -21,7 +21,7 @@ #define SMALL_TABLE 0 /* determines size of hard-wired prime table */ #define RANDOM() rand() -@@ -465,6 +467,25 @@ mpp_make_prime_ext_random(mp_int *start, +@@ -619,6 +621,25 @@ mpp_make_prime_ext_random(mp_int *start, } else num_tests = 50; @@ -51,7 +51,7 @@ =================================================================== --- nss.orig/lib/freebl/rsa.c +++ nss/lib/freebl/rsa.c -@@ -16,11 +16,13 @@ +@@ -17,11 +17,13 @@ #include "prinit.h" #include "blapi.h" #include "mpi.h" @@ -65,7 +65,7 @@ /* The minimal required randomness is 64 bits */ /* EXP_BLINDING_RANDOMNESS_LEN is the length of the randomness in mp_digits */ -@@ -151,11 +153,24 @@ rsa_build_from_primes(const mp_int *p, c +@@ -141,11 +143,24 @@ rsa_build_from_primes(const mp_int *p, c err = mp_invmod(d, &phi, e); } else { err = mp_invmod(e, &phi, d); @@ -92,7 +92,7 @@ if (err != MP_OKAY) { if (err == MP_UNDEF) { PORT_SetError(SEC_ERROR_NEED_RANDOM); -@@ -297,10 +312,12 @@ RSA_NewKey(int keySizeInBits, SECItem *p +@@ -255,10 +270,12 @@ RSA_NewKey(int keySizeInBits, SECItem *p mp_int q = { 0, 0, 0, NULL }; mp_int e = { 0, 0, 0, NULL }; mp_int d = { 0, 0, 0, NULL }; @@ -106,7 +106,7 @@ int prerr = 0; RSAPrivateKey *key = NULL; PLArenaPool *arena = NULL; -@@ -318,11 +335,40 @@ RSA_NewKey(int keySizeInBits, SECItem *p +@@ -276,11 +293,40 @@ RSA_NewKey(int keySizeInBits, SECItem *p PORT_SetError(SEC_ERROR_INVALID_ARGS); goto cleanup; } @@ -151,7 +151,7 @@ } #endif -@@ -340,12 +386,7 @@ RSA_NewKey(int keySizeInBits, SECItem *p +@@ -298,12 +344,7 @@ RSA_NewKey(int keySizeInBits, SECItem *p key->arena = arena; /* length of primes p and q (in bytes) */ primeLen = keySizeInBits / (2 * PR_BITS_PER_BYTE); 
@@ -165,7 +165,7 @@ /* 3. Set the version number (PKCS1 v1.5 says it should be zero) */ SECITEM_AllocItem(arena, &key->version, 1); key->version.data[0] = 0; -@@ -356,13 +397,64 @@ RSA_NewKey(int keySizeInBits, SECItem *p +@@ -314,13 +355,64 @@ RSA_NewKey(int keySizeInBits, SECItem *p PORT_SetError(0); CHECK_SEC_OK(generate_prime(&p, primeLen)); CHECK_SEC_OK(generate_prime(&q, primeLen)); @@ -231,7 +231,7 @@ /* Attempt to use these primes to generate a key */ rv = rsa_build_from_primes(&p, &q, &e, PR_FALSE, /* needPublicExponent=false */ -@@ -385,7 +477,9 @@ cleanup: +@@ -343,7 +435,9 @@ cleanup: mp_clear(&q); mp_clear(&e); mp_clear(&d);
