Oops, I pasted too much is hard to read. The diff lines that matter are
# This patch is currently meant for stable branches
-# Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
# This patch is currently meant for stable branches
-# Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
+Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
.....
# activate for stable and beta branches
-# %%patch29 -p0 -b .cbcrandomivoff
+%patch29 -p0 -b .cbcrandomivoff
# activate for stable and beta branches
-# %%patch29 -p0 -b .cbcrandomivoff
+%patch29 -p0 -b .cbcrandomivoff
Has a bug entered on this?
Also, the notes in the Bodhi update should be very clear and explain that user that, for reasons of compatibility, needs to opt out of the more secure default can do so by setting the environment variable NSS_SSL_CBC_RANDOM_IV=0.
Also, the notes in the Bodhi update should be very clear and explain that user that, for reasons of compatibility, needs to opt out of the more secure default can do so by setting the environment variable NSS_SSL_CBC_RANDOM_IV=0.
...
-Elio
On Wed, Oct 16, 2013 at 2:46 PM, Elio Maldonado <emaldona@xxxxxxxxxx> wrote:
No one in the NSS team was consulted on this. I usually monitor the FESCO meetings announcements but missed this.
----- Original Message -----
From: "Eric H. Christensen" <sparks@xxxxxxxxxxxxxxxxx>
To: devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
Sent: Wednesday, October 16, 2013 1:33:06 PM
Subject: BEAST to be patched in NSS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
FESCo met today to address the NSS BEAST patch that left all software using NSS vulnerable to the BEAST[0] vulnerability. The decision was made to implement the patch that fixes this vulnerablity in F19 and F20. There are some programs that may have difficulties with this fix. While the fix will go in as soon as possible the change in F19 will not be applied until some testing has been completed.
Information on this fix is in Bugzilla[1]. If your package depends on NSS you should definitely test this patch before it goes live in order to determine if it breaks functionality (information on the BZ ticket on how to disable the fix if needed).
[0] https://en.wikipedia.org/wiki/BEAST_%28computer_security%29#BEAST_attack
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=665814
- -- Eric
BEAST has been addressed in NSS back on 3.13. Because breakage of applications, many have since fixed, we decided to override the upstream defaults for fedora stable branches while preserving them on Rawhide. Several times I have asked in the fedora-devel for feedback and have been told clients still have problems as there as sill unpatched servers out there. This time around I didn't ask and should have done so.
All we have to do in fedorais what we current do for Rawhide. This disable a patch or remove it altogether.
Below I have pasted a diff of the nss.spec file Rawihide versus f20.
-- Elio
----------------------------------------------------------
--- ../master/nss.spec 2013-10-04 15:51:01.719885419 -0700
+++ nss.spec 2013-10-03 15:32:32.282352192 -0700
@@ -93,7 +93,7 @@
# Needed only when freebl on tree has new APIS
Patch25: nsspem-use-system-freebl.patch
# This patch is currently meant for stable branches
-# Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
+Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
# Prevent users from trying to enable ssl pkcs11 bypass
# Patch39: nss-ssl-enforce-no-pkcs11-bypass.path
# TODO: Remove this patch when the ocsp test are fixed
@@ -105,7 +105,7 @@
Patch46: disable-ocsp-stapling-tests.patch
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
Patch47: utilwrap-include-templates.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
+# TODO submit this patch upstream
Patch48: nss-versus-softoken-tests.patch
# TODO remove when we switch to building nss without softoken
Patch49: nss-skip-bltest-and-fipstest.patch
@@ -194,7 +194,7 @@
# link pem against buildroot's freebl, essential when mixing and matching
%patch25 -p0 -b .systemfreebl
# activate for stable and beta branches
-# %%patch29 -p0 -b .cbcrandomivoff
+%patch29 -p0 -b .cbcrandomivoff
# %%patch39 -p0 -b .nobypass
%patch40 -p0 -b .noocsptest
%patch44 -p1 -b .syncupwithupstream
@@ -758,6 +758,7 @@
* Thu Sep 26 2013 Elio Maldonado <emaldona@xxxxxxxxxx> - 3.15.2-1
- Update to NSS_3_15_2_RTM
- Update iquote.patch on account of modified prototype on cert.h installed by nss-devel
+- Keep the nss-ssl-cbc-random-iv-off-by-default.patch enabled
* Wed Aug 28 2013 Elio Maldonado <emaldona@xxxxxxxxxx> - 3.15.1-7
- Update pem sources to pick up a patch applied upstream which a faulty merge had missed
-----------------------------------------------------------------------------------------
- --------------------------------------------------
Eric "Sparks" Christensen
Fedora Project
sparks@xxxxxxxxxxxxxxxxx - sparks@xxxxxxxxxx
097C 82C3 52DF C64A 50C2 E3A3 8076 ABDE 024B B3D1
- --------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
iQGcBAEBCgAGBQJSXvf/AAoJEB/kgVGp2CYvN9cL/RQ0iNRgn//6qgggi7aP2VBN
8AeYhxMCLrYMLCHoK5L1NFa85XjkPzyVStEZK5mUh/2YGHMSI5sA0cCOFQlZfB5T
j4LzuKobc5QdcyAntROsMmBP00yJlRnzfCnyl7CPKMN4GAV582R1I8hkvMsCtZat
KvwPFenrkVTEORTf/UG86Ztu92SjWEcbEmmAzp715aui66OuvyROqtS4sxsdGKfL
cklIvsYTEA11+Adju4rdJGGOGZ6AuczM8VNqw4c4rOWjBbNbQl+a2sgdOSqLnaDC
vuO6MIBaXabuWfpkmWwQmIIWCwslZmnMlA2pNvdjkZ4+6fsIXPGyDI65V2CoJ54i
UxBLGBluiIazwAXTmVk+3FhhECyGZ2KzNj0T49tbtYtIrFquW9K68U9Zo67Zaeh2
AXCz5ILVHJcSxYQqaYO2am0maMN4WKY0DF3VeXWRgSMNM033e0tS87HPttmI0RDo
JMW3yxNSaB8yp3YcG77kDwCAnu8cZmrPYAk843Zi3A==
=YObr
-----END PGP SIGNATURE-----
_______________________________________________
devel-announce mailing list
devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
