Mozilla has released Firefox 68.8.0 today (May 4):
https://www.mozilla.org/en-US/firefox/68.8.0/releasenotes/
Release notes are not available yet.

NSS 3.52 is also out:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52_release_notes

The build error makes no sense whatsoever. When I run certdata.perl on my system, I do not get these CKO_NETSCAPE_TRUST* references that the build log is complaining about:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20200504184803.luigiwalser.duvel.26180/log/nss-3.52.0-1.mga8/build.0.20200504184916.log
Everything is checked into SVN, but we need to get nss built.
CC: (none) => nicolas.salguero
Did you do the certdata.perl test on Mga7 or Cauldron?

CKT_NETSCAPE_TRUSTED_DELEGATOR is an old compat definition that is supposed to be dropped at some time...

nss-3.52]$ grep -R CKT_NETSCAPE_TRUSTED_DELEGATOR
nss/lib/ckfw/capi/staticobj.c:static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
nss/lib/util/pkcs11n.h:#define CKT_NETSCAPE_TRUSTED_DELEGATOR CKT_NSS_TRUSTED_DELEGATOR

And that define is protected by:

/* deprecated #defines. Drop in future NSS releases */
#ifdef NSS_PKCS11_2_0_COMPAT

And the change upstream was introduced https://hg.mozilla.org/projects/nss/rev/b5d90a7fe217

So I guess a quickfix is to define NSS_PKCS11_2_0_COMPAT
CC: (none) => tmb
That's all because of nss-use_system_rootcerts.patch IMHO…
OK so it looks like a bug in staticobj.c where it should be using _NSS_ instead of _NETSCAPE_. I'll try fixing that with a patch. Thierry, you should not have disabled the system rootcerts patch.
OK I even patched it out of staticobj.c. Seriously, where in the world is it getting NETSCAPE from? I don't see it anywhere else in the code!
rootcerts:
rootcerts-igp-brasil.txt:CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
rootcerts-igp-brasil.txt:CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
rootcerts-igp-brasil.txt:CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
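The search that located the stale constants, generalised into a scanner for certdata-style trust files. This is an added example, not part of the thread or of the rootcerts/nss packaging: the sample input is constructed, and the suggested replacement simply swaps `_NETSCAPE_` for `_NSS_`, following the `pkcs11n.h` define quoted above.

```python
import re

# Constructed sample in certdata.txt style; not the real rootcerts-igp-brasil.txt.
SAMPLE = '''\
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Legacy Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Current Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

LEGACY = re.compile(r'\bCK[A-Z]_NETSCAPE_[A-Z0-9_]+\b')
LABEL = re.compile(r'^CKA_LABEL\s+UTF8\s+"(.*)"')

def split_objects(text):
    """Group non-comment lines into objects; each object starts at CKA_CLASS."""
    objects, current = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("CKA_CLASS") and current:
            objects.append(current)
            current = []
        current.append((line_no, line))
    if current:
        objects.append(current)
    return objects

def find_legacy_constants(text):
    """Return (line_no, object_label, legacy_name, suggested_name) tuples."""
    findings = []
    for obj in split_objects(text):
        label = "<unlabelled>"
        for _, line in obj:
            match = LABEL.match(line)
            if match:
                label = match.group(1)
                break
        for line_no, line in obj:
            for name in LEGACY.findall(line):
                # Assumption: the current name is the same identifier with _NSS_.
                findings.append((line_no, label, name, name.replace("_NETSCAPE_", "_NSS_", 1)))
    return findings

if __name__ == "__main__":
    for line_no, label, old, new in find_legacy_constants(SAMPLE):
        print(f"line {line_no}: [{label}] {old} -> {new}")
```

Running it over each extra `SourceN` trust file before a new NSS import shows which downstream additions would break once the compat defines are no longer enabled.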
Thanks Thomas! Do you think it's time we removed these extra non-upstream certs?

Source2: rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3: cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4: verisign-class-3-secure-server-ca.pem
Source2 should be dropped:
Issuer: C = BR, O = ICP-Brasil, OU = Instituto Nacional de Tecnologia da Informacao - ITI, L = Brasilia, ST = DF, CN = Autoridade Certificadora Raiz Brasileira
Validity
Not Before: Nov 30 12:58:00 2001 GMT
Not After : Nov 30 23:59:00 2011 GMT

Source3 should be updated to:
http://www.cacert.org/certs/root_X0F.der

Source4 should be dropped:
Issuer: C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
Validity
Not Before: Jan 19 00:00:00 2005 GMT
Not After : Jan 18 23:59:59 2015 GMT
Thanks again Thomas! Do we *really* need to keep carrying the cacert.org certs? I can't even access their site right now as it's giving me a 503, but between Mozilla not adding it all of these years and the availability now of the Let's Encrypt certs, should we really still be carrying this downstream?
Yeah, their signing machine went offline and is not accessible from Internet so they got some trouble fixing it up because of covid-19 travel restrictions... I thought about it too regarding letsencrypt and because of them not moving on the needed audit to get it in mozilla db. But I'd rather not break the support at least in a stable release, but we could probably do a: --- rootcerts.spec (revision 1580564) +++ rootcerts.spec (arbetskopia) @@ -85,7 +85,9 @@ head -4 builtins/certdata.txt > LICENSE # CAcert +%if %mgaversion >= 8 cp %{SOURCE3} . +%endif cp %{SOURCE6} . %patch0 -p0 and watch the fallout...
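Review bot: the `%if %mgaversion >= 8` guard around `cp %{SOURCE3} .` is inverted relative to the stated goal of not breaking CAcert support in a stable release: as written, the cert is copied only on mga8 and later and dropped on mga7. Use `%if %{mgaversion} < 8` so stable keeps it and Cauldron drops it. It is also worth checking that nothing later in the spec still expects the CAcert file unconditionally, since that step would fail once the copy is skipped.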
(In reply to Thomas Backlund from comment #10)
> Yeah, their signing machine went offline and is not accessible from Internet
> so they got some trouble fixing it up because of covid-19 travel
> restrictions...
>

I forgot to write... this should now be fixed.
Thanks again. You meant %{mgaversion} < 8, but I knew what you meant. I added that in SVN after I built it, so it'll happen the next time I update it. I won't remove it from mga7.
Yeah I saw that the site came back up. I failed to remove some other code from the spec, so this is all going in the Cauldron build now.
I guess you should be able to drop the nss-3.52-netscape-is-nss.patch now too
Just noting that rootcerts was rebuilt because some old expired CA certs had to be removed from rootcerts and nss for nss to build this time.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash (CVE-2020-12387).

A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash (CVE-2020-6831).

The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files (CVE-2020-12392).

Mozilla developers and community members Alexandru Michis, Jason Kratzer, philipp, Ted Campbell, Bas Schouten, André Bargull, and Karl Tomlinson reported memory safety bugs present in Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-12395).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6831
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12395
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/
========================

Updated packages in core/updates_testing:
========================
rootcerts-20191126.00-2.mga7
rootcerts-java-20191126.00-2.mga7
nss-3.52.0-1.mga7
nss-doc-3.52.0-1.mga7
libnss3-3.52.0-1.mga7
libnss-devel-3.52.0-1.mga7
libnss-static-devel-3.52.0-1.mga7
firefox-68.8.0-1.mga7
firefox-devel-68.8.0-1.mga7
firefox-af-68.8.0-1.mga7
firefox-an-68.8.0-1.mga7
firefox-ar-68.8.0-1.mga7
firefox-ast-68.8.0-1.mga7
firefox-az-68.8.0-1.mga7
firefox-bg-68.8.0-1.mga7
firefox-bn-68.8.0-1.mga7
firefox-br-68.8.0-1.mga7
firefox-bs-68.8.0-1.mga7
firefox-ca-68.8.0-1.mga7
firefox-cs-68.8.0-1.mga7
firefox-cy-68.8.0-1.mga7
firefox-da-68.8.0-1.mga7
firefox-de-68.8.0-1.mga7
firefox-el-68.8.0-1.mga7
firefox-en_GB-68.8.0-1.mga7
firefox-en_US-68.8.0-1.mga7
firefox-eo-68.8.0-1.mga7
firefox-es_AR-68.8.0-1.mga7
firefox-es_CL-68.8.0-1.mga7
firefox-es_ES-68.8.0-1.mga7
firefox-es_MX-68.8.0-1.mga7
firefox-et-68.8.0-1.mga7
firefox-eu-68.8.0-1.mga7
firefox-fa-68.8.0-1.mga7
firefox-ff-68.8.0-1.mga7
firefox-fi-68.8.0-1.mga7
firefox-fr-68.8.0-1.mga7
firefox-fy_NL-68.8.0-1.mga7
firefox-ga_IE-68.8.0-1.mga7
firefox-gd-68.8.0-1.mga7
firefox-gl-68.8.0-1.mga7
firefox-gu_IN-68.8.0-1.mga7
firefox-he-68.8.0-1.mga7
firefox-hi_IN-68.8.0-1.mga7
firefox-hr-68.8.0-1.mga7
firefox-hsb-68.8.0-1.mga7
firefox-hu-68.8.0-1.mga7
firefox-hy_AM-68.8.0-1.mga7
firefox-id-68.8.0-1.mga7
firefox-is-68.8.0-1.mga7
firefox-it-68.8.0-1.mga7
firefox-ja-68.8.0-1.mga7
firefox-kk-68.8.0-1.mga7
firefox-km-68.8.0-1.mga7
firefox-kn-68.8.0-1.mga7
firefox-ko-68.8.0-1.mga7
firefox-lij-68.8.0-1.mga7
firefox-lt-68.8.0-1.mga7
firefox-lv-68.8.0-1.mga7
firefox-mk-68.8.0-1.mga7
firefox-mr-68.8.0-1.mga7
firefox-ms-68.8.0-1.mga7
firefox-nb_NO-68.8.0-1.mga7
firefox-nl-68.8.0-1.mga7
firefox-nn_NO-68.8.0-1.mga7
firefox-pa_IN-68.8.0-1.mga7
firefox-pl-68.8.0-1.mga7
firefox-pt_BR-68.8.0-1.mga7
firefox-pt_PT-68.8.0-1.mga7
firefox-ro-68.8.0-1.mga7
firefox-ru-68.8.0-1.mga7
firefox-si-68.8.0-1.mga7
firefox-sk-68.8.0-1.mga7
firefox-sl-68.8.0-1.mga7
firefox-sq-68.8.0-1.mga7
firefox-sr-68.8.0-1.mga7
firefox-sv_SE-68.8.0-1.mga7
firefox-ta-68.8.0-1.mga7
firefox-te-68.8.0-1.mga7
firefox-th-68.8.0-1.mga7
firefox-tr-68.8.0-1.mga7
firefox-uk-68.8.0-1.mga7
firefox-uz-68.8.0-1.mga7
firefox-vi-68.8.0-1.mga7
firefox-xh-68.8.0-1.mga7
firefox-zh_CN-68.8.0-1.mga7
firefox-zh_TW-68.8.0-1.mga7

from SRPMS:
rootcerts-20191126.00-2.mga7.src.rpm
nss-3.52.0-1.mga7.src.rpm
firefox-68.8.0-1.mga7.src.rpm
firefox-l10n-68.8.0-1.mga7.src.rpm
Source RPM: nss, firefox, firefox-l10n => rootcerts, nss, firefox, firefox-l10n
Assignee: thierry.vignaud => qa-bugs
Blocks: (none) => 26595
RedHat has issued an advisory for this today (May 6): https://access.redhat.com/errata/RHSA-2020:2031
MGA7-64 Plasma on Lenovo B50. No installation issues. Tested by using newspaper site and logging in to government site with my e-id card (demonstrates the plugins). All OK.
CC: (none) => herman.viaene
Tested mga7-64, general browsing, youtube video, jetstream for javascript, all ok.
CC: (none) => wrw105
Whiteboard: (none) => mga7-64-ok
Dell Inspiron 5100, 32-bit hardware, 32-bit Xfce system. Testing the US English version. All packages installed cleanly. Used this Firefox to report that the rpm update had functioned properly, and am using it to make this report. Looks OK here. Validating. Advisory in Comment 15.
Whiteboard: mga7-64-ok => mga7-64-ok MGA7-32-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0208.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED