Hello community,

here is the log from the commit of package apache2-mod_nss for openSUSE:Factory 
checked in at 2013-08-02 15:01:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2-mod_nss (Old)
 and      /work/SRC/openSUSE:Factory/.apache2-mod_nss.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2-mod_nss"

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2-mod_nss/apache2-mod_nss.changes  
2013-07-24 17:28:46.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.apache2-mod_nss.new/apache2-mod_nss.changes     
2013-08-02 15:01:07.000000000 +0200
@@ -1,0 +2,12 @@
+Thu Aug  1 15:06:55 UTC 2013 - meiss...@suse.com
+
+- Add support for TLS v1.1 and TLS v1.2 
+  (TLS v1.2 requires mozilla nss 3.15.1 or newer.)
+  - merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch
+    from redhat to allow tls v1.1 too.
+  - ported the tls v1.1 patch to be tls v1.2 aware
+  - added mod_nss-proxyvariables.patch (from RHEL6 package)
+  - added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
+- mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun
+
+-------------------------------------------------------------------

New:
----
  mod_nss-array_overrun.patch
  mod_nss-proxyvariables.patch
  mod_nss-tlsv1_1.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2-mod_nss.spec ++++++
--- /var/tmp/diff_new_pack.fkDcz2/_old  2013-08-02 15:01:07.000000000 +0200
+++ /var/tmp/diff_new_pack.fkDcz2/_new  2013-08-02 15:01:07.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2-mod_nss
 #
-# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,24 +18,25 @@
 
 Name:      apache2-mod_nss
 Summary:   SSL/TLS module for the Apache HTTP server
-Version:   1.0.8
-Release:   3
-Group:     Productivity/Networking/Web/Servers
 License:   Apache-2.0
+Group:          Productivity/Networking/Web/Servers
+Version:        1.0.8
+Release:        0
 Url:       http://directory.fedoraproject.org/wiki/Mod_nss
 Source:    http://directory.fedoraproject.org/sources/mod_nss-%{version}.tar.gz
 Provides:  mod_nss
 Requires:  apache2 >= 2.0.52
 Requires:  findutils
 Requires(post): mozilla-nss-tools
+BuildRequires:  apache2-devel >= 2.0.52
 BuildRequires: bison
 BuildRequires: findutils
+BuildRequires:  flex
 BuildRequires: gcc-c++
-BuildRequires: libapr1-devel
 BuildRequires: libapr-util1-devel
+BuildRequires:  libapr1-devel
 BuildRequires: mozilla-nspr-devel >= 4.6.3
 BuildRequires: mozilla-nss-devel >= 3.12.6
-BuildRequires: apache2-devel >= 2.0.52
 BuildRequires: pkgconfig
 # [bnc#799483] Patch to adjust mod_nss.conf to match SUSE dir layout
 Patch1:    mod_nss-conf.patch
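Review bot: `BuildRequires: mozilla-nss-devel >= 3.12.6` is left at its old floor, although the changelog entry in this same commit states that TLS v1.2 requires mozilla nss 3.15.1 or newer. The 767 lines of mod_nss-tlsv1_1.patch are not shown here, so whether the TLS 1.2 code is compiled conditionally is an assumption; if it is, a build against an older NSS would succeed and ship without TLS 1.2, with nothing in the package metadata recording it. Either raise the floor to `>= 3.15.1` where the distribution provides it, or document the dependency next to the line, e.g. `# TLS v1.2 support (mod_nss-tlsv1_1.patch) needs mozilla-nss >= 3.15.1`.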
@@ -48,7 +49,11 @@
 Patch8:    mod_nss-lockpcache.patch
 # Fix build with apache 2.4
 Patch9:    mod_nss-httpd24.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+
+Patch10:        mod_nss-proxyvariables.patch
+Patch11:        mod_nss-tlsv1_1.patch
+Patch12:        mod_nss-array_overrun.patch
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define    apxs /usr/sbin/apxs2
 %define    apache apache2
 %define    apache_libexecdir %(%{apxs} -q LIBEXECDIR)
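Review bot: `Patch10`, `Patch11` and `Patch12` are added without the one-line comment that the neighbouring entries carry (`# Fix build with apache 2.4`, `# [bnc#799483] ...`), so the spec no longer says which of its patches is the memory-safety fix. I would add, for example, `# Fix child_argv array index overrun in nss_init_Module (rhbz#714154), from RHEL6` above `Patch12`. Similar one-liners above `Patch10` and `Patch11` should name their RHEL6 origin and the local TLS 1.2 extension described in the changelog.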
@@ -76,6 +81,9 @@
 %if 0%{?suse_version} >= 1300
 %patch9 -p1 -b .http24
 %endif
+%patch10 -p1 -b .proxyvariables
+%patch11 -p1 -b .tlsv1_1
+%patch12 -p1 -b .array_overrun
 
 # Touch expression parser sources to prevent regenerating it
 touch nss_expr_*.[chyl]

++++++ mod_nss-array_overrun.patch ++++++
mod_nss-1.0.8/nss_engine_init.c:467: overrun-local: Overrunning static array
"child_argv", with 5 elements, at position 5 with index variable "5".

https://bugzilla.redhat.com/show_bug.cgi?id=714154
diff -up --recursive mod_nss-1.0.8.orig/nss_engine_init.c 
mod_nss-1.0.8/nss_engine_init.c
--- mod_nss-1.0.8.orig/nss_engine_init.c        2011-08-01 13:24:34.000000000 
-0400
+++ mod_nss-1.0.8/nss_engine_init.c     2011-08-01 13:25:36.000000000 -0400
@@ -429,7 +429,7 @@ int nss_init_Module(apr_pool_t *p, apr_p
 
     /* Do we need to fire up our password helper? */
     if (mc->nInitCount == 1) {
-        const char * child_argv[5];
+        const char * child_argv[6];
         apr_status_t rv;
         struct sembuf sb;
         char sembuf[32];
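Review bot: The new size in `const char * child_argv[6];` is still a bare literal, with nothing tying it to the number of slots filled further down. The analyzer report in the patch header shows index 5 being written at nss_engine_init.c:467, but those assignments are outside this hunk, so what slot 5 holds (presumably the terminating NULL of the helper's argv) cannot be confirmed from here. A comment on the declaration such as `/* 5 arguments + terminating NULL; keep in sync with the assignments below */` would stop the next added argument from reintroducing the overrun. nss_init_Module starts and ends outside the hunk.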
++++++ mod_nss-proxyvariables.patch ++++++
diff -rupN mod_nss-1.0.8.orig/nss_engine_init.c mod_nss-1.0.8/nss_engine_init.c
--- mod_nss-1.0.8.orig/nss_engine_init.c        2012-10-03 14:28:50.751794000 
-0700
+++ mod_nss-1.0.8/nss_engine_init.c     2012-10-04 16:33:08.278929000 -0700
@@ -628,8 +628,21 @@ static void nss_init_ctx_protocol(server
         tls = 1;
     } else {
         if (mctx->auth.protocols == NULL) {
-            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
-                "NSSProtocols not set; using: SSLv3 and TLSv1");
+            /*
+             * Since this routine will be invoked individually for every
+             * thread associated with each 'server' object as well as for
+             * every thread associated with each 'proxy' object, issue a
+             * single per-thread 'warning' message for either a 'server'
+             * or a 'proxy' based upon the thread's object type.
+             */
+            if (mctx == mctx->sc->server) {
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                    "NSSProtocol value not set; using: SSLv3 and TLSv1");
+            } else if (mctx == mctx->sc->proxy) {
+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s,
+                    "NSSProxyProtocol value not set; using: SSLv3 and TLSv1");
+            }
+
             ssl3 = tls = 1;
         } else {
             lprotocols = strdup(mctx->auth.protocols);
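Review bot: The `if (mctx == mctx->sc->server) ... else if (mctx == mctx->sc->proxy)` chain has no final `else`, so a context matching neither pointer still reaches `ssl3 = tls = 1;` and enables SSLv3 and TLSv1 with no log line, where the removed code always warned. Silent protocol defaulting is what an operator auditing the TLS configuration most needs to see in the log. A catch-all keeps the old guarantee: `} else { ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "protocol value not set; using: SSLv3 and TLSv1"); }`. Whether a third kind of context can reach this path is not visible here; nss_init_ctx_protocol starts and ends outside the hunk.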
@@ -786,8 +799,25 @@ static void nss_init_ctx_cipher_suite(se
      *  Configure SSL Cipher Suite
      */
     if (!suite) {
-        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                     "Required value NSSCipherSuite not set.");
+        /*
+         * Since this is a 'fatal' error, regardless of whether this
+         * particular invocation is from a 'server' object or a 'proxy'
+         * object, issue all error message(s) as appropriate.
+         */
+        if ((mctx->sc->enabled == TRUE) &&
+            (mctx->sc->server) &&
+            (!mctx->sc->server->auth.cipher_suite)) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "NSSEngine on; required value NSSCipherSuite not set.");
+        }
+
+        if ((mctx->sc->proxy_enabled == TRUE) &&
+            (mctx->sc->proxy) &&
+            (!mctx->sc->proxy->auth.cipher_suite)) {
+            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                "NSSProxyEngine on; required value NSSProxyCipherSuite not 
set.");
+        }
+
         nss_die();
     }
     ciphers = strdup(suite);
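Review bot: Both new `ap_log_error` calls ahead of `nss_die()` are conditional, so when neither condition holds the process exits with nothing in the error log, where the removed code always logged. That happens, for example, when `suite` is NULL while `mctx->sc->enabled` and `mctx->sc->proxy_enabled` are not equal to `TRUE`. A fatal TLS misconfiguration that leaves no trace is hard to diagnose, so I would track whether a specific message was written and fall back to the original text otherwise. The nss_init_server_certs hunk has the same pattern for the missing nickname and needs the same fallback with "No certificate nickname provided.". Both functions continue outside their hunks.

```c
    if (!suite) {
        int reported = 0;   /* set once a specific message has been logged */

        /* … unchanged: NSSEngine / NSSCipherSuite check and message … */
            reported = 1;   /* last statement inside that if-body */

        /* … unchanged: NSSProxyEngine / NSSProxyCipherSuite check and message … */
            reported = 1;   /* last statement inside that if-body */

        if (!reported) {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                         "Required value NSSCipherSuite not set.");
        }
        nss_die();
```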
@@ -1069,8 +1099,25 @@ static void nss_init_server_certs(server
         if (mctx->nickname == NULL)
 #endif
         {
-            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-                "No certificate nickname provided.");
+            /*
+             * Since this is a 'fatal' error, regardless of whether this
+             * particular invocation is from a 'server' object or a 'proxy'
+             * object, issue all error message(s) as appropriate.
+             */
+            if ((mctx->sc->enabled == TRUE) &&
+                (mctx->sc->server) &&
+                (mctx->sc->server->nickname == NULL)) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                    "NSSEngine on; no certificate nickname provided by 
NSSNickname.");
+            }
+
+            if ((mctx->sc->proxy_enabled == TRUE) &&
+                (mctx->sc->proxy) &&
+                (mctx->sc->proxy->nickname == NULL)) {
+                ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
+                    "NSSProxyEngine on; no certificate nickname provided by 
NSSProxyNickname.");
+            }
+
             nss_die();
         }
 
++++++ mod_nss-tlsv1_1.patch ++++++
++++ 767 lines (skipped)
