diff options
author | Michael Stahl <michael.stahl@allotropia.de> | 2024-02-16 10:34:54 +0100 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2024-02-16 20:50:34 +0100 |
commit | 5e5452e4fc098659d7ae1fc350e59a2fa1f4434c (patch) | |
tree | 46e1d78d24b38c54233d2acce5c72d274abad760 | |
parent | f7ec729f25f374be907bb8cfeeeaed97959287de (diff) |
nss: upgrade to release 3.98
Fixes CVE-2023-5388
Also update README, and remove obsolete documentation of Debian's
mangled SONAME; relevant Debian changelog:
nss (2:3.13.4-2) unstable; urgency=low
* debian/control, debian/libnss3*, debian/rules,
mozilla/security/coreconf/*, mozilla/security/nss/lib/*/manifest.mn:
Move to unversioned library. ABI compatibility is ensured upstream, and
the SO version, if it needed a change at any time, would be a change in
the library name. There is no reason to keep making compatibility more
difficult with other distros and upstream binary releases. While previous
versions were one-way compatible (binaries built against other distros or
upstream nspr could work on Debian), this approach works both ways.
-- Mike Hommey <glandium@debian.org> Thu, 17 May 2012 09:45:36 +0200
Change-Id: Ifc1eae68827fa88ae001a3903c8555af67b488ac
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163486
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
-rw-r--r-- | download.lst | 4 | ||||
-rw-r--r-- | external/nss/README | 26 |
2 files changed, 13 insertions, 17 deletions
diff --git a/download.lst b/download.lst index 10c44083c080..0b22fab601e4 100644 --- a/download.lst +++ b/download.lst @@ -217,8 +217,8 @@ export MYTHES_SHA256SUM := 1e81f395d8c851c3e4e75b568e20fa2fa549354e75ab397f9de4b export MYTHES_TARBALL := a8c2c5b8f09e7ede322d5c602ff6a4b6-mythes-1.2.4.tar.gz export NEON_SHA256SUM := cf1ee3ac27a215814a9c80803fcee4f0ede8466ebead40267a9bd115e16a8678 export NEON_TARBALL := neon-0.31.2.tar.gz -export NSS_SHA256SUM := a7a920d295998563b33d9e06c1a36b799201493d81b64537fab42f2a733411ce -export NSS_TARBALL := nss-3.97-with-nspr-4.35.tar.gz +export NSS_SHA256SUM := 59bb55a59b02e4004fc26ad0aa1a13fe8d73c6c90c447dd2f2efb73fb81083ed +export NSS_TARBALL := nss-3.98-with-nspr-4.35.tar.gz export ODFGEN_SHA256SUM := 55200027fd46623b9bdddd38d275e7452d1b0ff8aeddcad6f9ae6dc25f610625 export ODFGEN_VERSION_MICRO := 8 export ODFGEN_TARBALL := libodfgen-0.1.$(ODFGEN_VERSION_MICRO).tar.xz diff --git a/external/nss/README b/external/nss/README index 6997cea6ca06..09931f64ea20 100644 --- a/external/nss/README +++ b/external/nss/README @@ -1,5 +1,16 @@ Contains the Network Security Services (NSS) libraries from Mozilla +== ESR versions == + +Upstream releases both regular and "ESR" versions, the latter go into Firefox +ESR and Thunderbird. + +There is a new ESR version about once a year, and a ESR version gets micro +updates only when there are security issues to fix, and it's not always obvious +from the release notes of a regular release if there are security issues that +are relevant to LibreOffice, hence it's probably best to bundle only the ESR +versions and upgrade for every micro release (as recommended by upstream). + == Fips 140 and signed libraries == Fips 140 mode is not supported. That is, the *.chk files containing the @@ -20,18 +31,3 @@ With all supported macOS SDK we use NSS_USE_SYSTEM_SQLITE=1 to build using the system sqlite. -== system NSS on Linux == - -Note that different Linux distributions use different SONAMEs for the -NSS libraries, so it is not possible to use --with-system-nss and build -a portable generic LO installation set, despite NSS upstream apparently -maintaining ABI compatibility. - -Debian Squeeze: -0x000000000000000e (SONAME) Library soname: [libnss3.so.1d] -Fedora 20: -0x000000000000000e (SONAME) Library soname: [libnss3.so] - -For the record, the LSB specified SONAME is libnss3.so -http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libnss3.html - |