Ubuntu
nss package

Update nss to 3.12.3.1 in Ubuntu 8.04 and later

Bug #407549 reported by Wan-Teh Chang on 2009-08-01

This bug affects 2 people

	Status	Importance	Assigned to
nss (Ubuntu)	Fix Released	High	Alexander Sack
Hardy	Fix Released	Undecided	Alexander Sack
Intrepid	Fix Released	High	Alexander Sack
Jaunty	Fix Released	High	Alexander Sack
Karmic	Fix Released	High	Alexander Sack

Bug Description

Binary package hint: libnss3-1d

The libnss3-1d package in Ubuntu 8.04 LTS is NSS 3.12.0.3 (package version 3.12.0.3-0ubuntu0.8.04.5). This is an old NSS release now. The current NSS release is NSS 3.12.3.1.

To not loose upstream security/stability support we need to roll out latest nss release (3.12.3.1) to our stable ubuntu releases: hardy, intrepid, jaunty.

this requires nspr update to at least 4.7.4; the bug for that is bug 387745

----
Also:

The Chromium browser is affected by an NSS bug (one of the issues in https://bugzilla.mozilla.org/show_bug.cgi?id=444850) that has been fixed in NSS 3.12.1. See Chromium issue 15630 (http://crbug.com/15630). We can't work around this NSS bug. So I'd like to request that the libnss3-1d package in Ubuntu 8.04 LTS be upgraded to NSS 3.12.3.1, or the attached NSS patch be applied to libnss3-1d.

See original description

Tags:

Related branches

lp://staging/~mozillateam/nss/nss.head

lp://staging/~mozillateam/nss/nss.jaunty

lp://staging/~mozillateam/nss/nss.intrepid

lp://staging/~mozillateam/nss/nss.hardy

lp://staging/ubuntu/karmic/nss

lp://staging/ubuntu/hardy-proposed/nss

lp://staging/ubuntu/intrepid-proposed/nss

lp://staging/ubuntu/jaunty-proposed/nss

Revision history for this message

Wan-Teh Chang (wtc-google) wrote on 2009-08-01:

NSS patch Edit (6.4 KiB, text/plain)

Revision history for this message

Wan-Teh Chang (wtc-google) wrote on 2009-08-01:

One more thing: if you upgrade to NSS 3.12.3.1, the dependent libnspr4-0d package should be upgraded to NSPR 4.7.5.

Revision history for this message

Alexander Sack (asac) wrote on 2009-08-01:

we are working on getting major version upgrade everywhere; see: http://www.asoftsite.org/s9y/archives/163-nss-3.12.3-SRU-testing-needed.html

we didnt prepare .1 yet, but i will do that now that its released.

Changed in nss (Ubuntu):
assignee:	nobody → Alexander Sack (asac)
importance:	Undecided → High
status:	New → In Progress

Revision history for this message

Alexander Sack (asac) wrote on 2009-08-01:

importance high ... not because of chromium, but because for security support reasons.

summary:	- Update libnss3-1d in Ubuntu 8.04 LTS + Update libnss3-1d in Ubuntu 8.04 and later
summary:	- Update libnss3-1d in Ubuntu 8.04 and later + Update nss to 3.12.3.1 in Ubuntu 8.04 and later
Changed in nss (Ubuntu Jaunty):
assignee:	nobody → Alexander Sack (asac)
importance:	Undecided → High
status:	New → In Progress
Changed in nss (Ubuntu Intrepid):
assignee:	nobody → Alexander Sack (asac)
importance:	Undecided → High
status:	New → In Progress
Changed in nss (Ubuntu Hardy):
assignee:	nobody → Alexander Sack (asac)
status:	New → In Progress

Alexander Sack (asac) on 2009-08-01

description:

updated

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-08-01:

This bug was fixed in the package nss - 3.12.3.1-0ubuntu1

---------------
nss (3.12.3.1-0ubuntu1) karmic; urgency=low

* new upstream release 3.12.3.1 RTM (NSS_3_12_3_1_RTM) (LP: #407549)
- see USN-810-1

-- Alexander Sack <email address hidden> Sat, 01 Aug 2009 17:05:48 +0200

Changed in nss (Ubuntu Karmic):
status:	In Progress → Fix Released

Revision history for this message

Martin Pitt (pitti) wrote on 2009-08-03:

Accepted into jaunty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in nss (Ubuntu Jaunty):
status:	In Progress → Fix Committed
tags:	added: verification-needed
Changed in nss (Ubuntu Intrepid):
status:	In Progress → Fix Committed

Revision history for this message

Martin Pitt (pitti) wrote on 2009-08-03:

Accepted into intrepid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Revision history for this message

Alexander Sack (asac) wrote on 2009-08-04:

jaunty verification done: (see https://wiki.ubuntu.com/MozillaTeam/SecurityNotes/Nss3.12.3)
1. new intrepid nss/nspr works fine on current jaunty (without rebuild firefox/xulrunner)
2. new jaunty nss/nspr works fine on current jaunty (without rebuild firefox/xulrunner)
3. new jaunty nss/nspr works fine with NEW jaunty (with latest firefox/xulrunner security updates from https://edge.launchpad.net/~ubuntu-mozilla-security/+archive/ppa)

Revision history for this message

Alexander Sack (asac) wrote on 2009-08-04:

... more jaunty verification

jaunty verification for evolution:
pre. setup account that uses imaps (SSL encryption) for gmail account
1. new intrepid nss/nspr works fine on release jaunty with evolution
2. new jaunty nss/nspr works on release jaunty with evolution

jaunty verification for thunderbird:
pre. setup account that uses imaps (SSL encryption) for gmail account
1. new intrepid nss/nspr works fine on release jaunty with thunderbird
2. new jaunty nss/nspr works on release jaunty with thunderbird

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2009-08-04:

#10

intrepid verification done: (see https://wiki.ubuntu.com/MozillaTeam/SecurityNotes/Nss3.12.3)
1. new hardy nss/nspr works fine on current intrepid (without rebuild firefox/xulrunner)
2. new intrepid nss/nspr works fine on current intrepid (without rebuild firefox/xulrunner)
3. new intrepid nss/nspr works fine with NEW intrepid (with latest firefox/xulrunner security

intrepid verification for evolution:
pre. setup account that uses pop3s (SSL encryption) for dovecot account
1. new hardy nss/nspr works fine on release intrepid with evolution
2. new intrepid nss/nspr works on release intrepid with evolution

intrepid verification for thunderbird:
pre. setup account that uses pop3s (SSL encryption) for dovecot account
1. new hardy nss/nspr works fine on release intrepid with thunderbird
2. new intrepid nss/nspr works on release intrepid with thunderbird

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2009-08-04:

#11

hardy verification done: (see https://wiki.ubuntu.com/MozillaTeam/SecurityNotes/Nss3.12.3)
1. new hardy nss/nspr works fine on current hardy (without rebuild firefox/xulrunner)
2. new hardy nss/nspr works fine with NEW hardy (with latest firefox/xulrunner security

hardy verification for evolution:
pre. setup account that uses pop3s (SSL encryption) for dovecot account
1. new hardy nss/nspr works fine on release intrepid with evolution

hardy verification for thunderbird:
pre. setup account that uses pop3s (SSL encryption) for dovecot account
1. new hardy nss/nspr works fine on release intrepid with thunderbird

tags:

added: verification-done
removed: verification-needed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-08-04:

#12

This bug was fixed in the package nss - 3.12.3.1-0ubuntu0.8.04.1

---------------
nss (3.12.3.1-0ubuntu0.8.04.1) hardy-security; urgency=low

  * new upstream release 3.12.3.1 RTM (NSS_3_12_3_1_RTM) (LP: #407549)
    - see USN-810-1
  * requires nspr >= 4.7.4
    - update debian/control
  * drop (ubuntu-)useless kbsd patch
    - delete debian/patches/38_kbsd.patch
  * drop obsolete patches fixed upstream
    - delete debian/patches/80_security_tools.patch
    - delete debian/patches/bz471715_attachment_357235-backport.patch
  * adjust patches to new upstream codebase
    - update debian/patches/38_mips64_build.patch
    - update debian/patches/81_sonames.patch
  * LP: #388350 - nss 3.12.3-0ubuntu2 ftbfs in karmic - shlibsign crashes; we add
    debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH for the shlibsign invocation
    used to sign libs in debian/rules
    - update debian/rules
  * update .symbols files for new upstream api
    - update debian/libnss3-1d.symbols
  * bump shlibs version to >= 3.12.3
    - update debian/rules

-- Alexander Sack <email address hidden> Sat, 01 Aug 2009 16:57:40 +0200

Changed in nss (Ubuntu Hardy):
status:	In Progress → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-08-04:

#13

This bug was fixed in the package nss - 3.12.3.1-0ubuntu0.8.10.1

---------------
nss (3.12.3.1-0ubuntu0.8.10.1) intrepid-security; urgency=low

-- Alexander Sack <email address hidden> Sat, 01 Aug 2009 16:54:10 +0200

Changed in nss (Ubuntu Intrepid):
status:	Fix Committed → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-08-04:

#14

This bug was fixed in the package nss - 3.12.3.1-0ubuntu0.9.04.1

---------------
nss (3.12.3.1-0ubuntu0.9.04.1) jaunty-security; urgency=low

  * new upstream release 3.12.3.1 RTM (NSS_3_12_3_1_RTM) (LP: #407549)
    - see USN-810-1
  * adjust patches to changed upstream code base
    - update debian/patches/38_kbsd.patch
  * needs nspr >= 4.7.4
    - update debian/control
  * update 85_security_load.patch to latest debian version
    - update debian/patches/85_security_load.patch
  * add new symbols for 3.12.3
    - update debian/libnss3-1d.symbols
  * LP: #388350 - nss 3.12.3-0ubuntu2 ftbfs in karmic - shlibsign crashes; we add
    debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH for the shlibsign invocation
    used to sign libs in debian/rules
    - update debian/rules
  * append LD_LIBRARY_PATH to shlibsign invocation to make fakeroot builds happy
    - update debian/rules