* [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17
@ 2017-10-12 21:17 Peter Korsgaard
2017-10-12 21:17 ` [Buildroot] [PATCH 2/2] libnss: security bump to version 3.33 Peter Korsgaard
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Peter Korsgaard @ 2017-10-12 21:17 UTC (permalink / raw)
To: buildroot
libnss 3.33 needs libnspr >= 4.17.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/libnspr/libnspr.hash | 6 ++++--
package/libnspr/libnspr.mk | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/package/libnspr/libnspr.hash b/package/libnspr/libnspr.hash
index 13cee6e7ef..46c091e0da 100644
--- a/package/libnspr/libnspr.hash
+++ b/package/libnspr/libnspr.hash
@@ -1,2 +1,4 @@
-# From https://ftp.mozilla.org/pub/nspr/releases/v4.15/src/SHA256SUMS
-sha256 27dde06bc3d0c88903a20d6ad807361a912cfb624ca0ab4efb10fc50b19e2d80 nspr-4.15.tar.gz
+# From https://ftp.mozilla.org/pub/nspr/releases/v4.17/src/SHA256SUMS
+sha256 590a0aea29412ae22d7728038c21ef2ab42646e48172a47d2e4bb782846d1095 nspr-4.17.tar.gz
+# Locally calculated
+sha256 fab3dd6bdab226f1c08630b1dd917e11fcb4ec5e1e020e2c16f83a0a13863e85 nspr/LICENSE
diff --git a/package/libnspr/libnspr.mk b/package/libnspr/libnspr.mk
index 7659baf6d3..0c782ae309 100644
--- a/package/libnspr/libnspr.mk
+++ b/package/libnspr/libnspr.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBNSPR_VERSION = 4.15
+LIBNSPR_VERSION = 4.17
LIBNSPR_SOURCE = nspr-$(LIBNSPR_VERSION).tar.gz
LIBNSPR_SITE = https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v$(LIBNSPR_VERSION)/src
LIBNSPR_SUBDIR = nspr
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 2/2] libnss: security bump to version 3.33
2017-10-12 21:17 [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17 Peter Korsgaard
@ 2017-10-12 21:17 ` Peter Korsgaard
2017-10-15 21:04 ` Peter Korsgaard
2017-10-17 9:09 ` Peter Korsgaard
2017-10-15 13:59 ` [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17 Thomas Petazzoni
` (2 subsequent siblings)
3 siblings, 2 replies; 7+ messages in thread
From: Peter Korsgaard @ 2017-10-12 21:17 UTC (permalink / raw)
To: buildroot
Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla
Network Security Service library, is prone to a use-after-free vulnerability
in the TLS 1.2 implementation when handshake hashes are generated. A remote
attacker can take advantage of this flaw to cause an application using the
nss library to crash, resulting in a denial of service, or potentially to
execute arbitrary code.
Also add a hash for the license file while we're at it.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/libnss/libnss.hash | 6 ++++--
package/libnss/libnss.mk | 2 +-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/package/libnss/libnss.hash b/package/libnss/libnss.hash
index e4e24283cb..6c8ce83784 100644
--- a/package/libnss/libnss.hash
+++ b/package/libnss/libnss.hash
@@ -1,2 +1,4 @@
-# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_31_RTM/src/SHA256SUMS
-sha256 e90561256a3271486162c1fbe8d614d118c333d36a4455be2af8688bd420a65d nss-3.31.tar.gz
+# From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_33_RTM/src/SHA256SUMS
+sha256 98f0dabd36408e83dd3a11727336cc3cdfee4cbdd9aede2b2831eb2389c284e4 nss-3.33.tar.gz
+# Locally calculated
+sha256 a20c1a32d1f8102432360b42e932869f7c11c7cdbacf9cac554c422132af47f4 nss/COPYING
diff --git a/package/libnss/libnss.mk b/package/libnss/libnss.mk
index 51559295ef..27d305cc34 100644
--- a/package/libnss/libnss.mk
+++ b/package/libnss/libnss.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBNSS_VERSION = 3.31
+LIBNSS_VERSION = 3.33
LIBNSS_SOURCE = nss-$(LIBNSS_VERSION).tar.gz
LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(subst .,_,$(LIBNSS_VERSION))_RTM/src
LIBNSS_DISTDIR = dist
--
2.11.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17
2017-10-12 21:17 [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17 Peter Korsgaard
2017-10-12 21:17 ` [Buildroot] [PATCH 2/2] libnss: security bump to version 3.33 Peter Korsgaard
@ 2017-10-15 13:59 ` Thomas Petazzoni
2017-10-15 21:04 ` Peter Korsgaard
2017-10-17 9:09 ` Peter Korsgaard
3 siblings, 0 replies; 7+ messages in thread
From: Thomas Petazzoni @ 2017-10-15 13:59 UTC (permalink / raw)
To: buildroot
Hello,
On Thu, 12 Oct 2017 23:17:51 +0200, Peter Korsgaard wrote:
> libnss 3.33 needs libnspr >= 4.17.
>
> Also add a hash for the license file while we're at it.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/libnspr/libnspr.hash | 6 ++++--
> package/libnspr/libnspr.mk | 2 +-
> 2 files changed, 5 insertions(+), 3 deletions(-)
Both applied. Thanks!
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17
2017-10-12 21:17 [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17 Peter Korsgaard
2017-10-12 21:17 ` [Buildroot] [PATCH 2/2] libnss: security bump to version 3.33 Peter Korsgaard
2017-10-15 13:59 ` [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17 Thomas Petazzoni
@ 2017-10-15 21:04 ` Peter Korsgaard
2017-10-17 9:09 ` Peter Korsgaard
3 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2017-10-15 21:04 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> libnss 3.33 needs libnspr >= 4.17.
> Also add a hash for the license file while we're at it.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 2/2] libnss: security bump to version 3.33
2017-10-12 21:17 ` [Buildroot] [PATCH 2/2] libnss: security bump to version 3.33 Peter Korsgaard
@ 2017-10-15 21:04 ` Peter Korsgaard
2017-10-17 9:09 ` Peter Korsgaard
1 sibling, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2017-10-15 21:04 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla
> Network Security Service library, is prone to a use-after-free vulnerability
> in the TLS 1.2 implementation when handshake hashes are generated. A remote
> attacker can take advantage of this flaw to cause an application using the
> nss library to crash, resulting in a denial of service, or potentially to
> execute arbitrary code.
> Also add a hash for the license file while we're at it.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17
2017-10-12 21:17 [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17 Peter Korsgaard
` (2 preceding siblings ...)
2017-10-15 21:04 ` Peter Korsgaard
@ 2017-10-17 9:09 ` Peter Korsgaard
3 siblings, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2017-10-17 9:09 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> libnss 3.33 needs libnspr >= 4.17.
> Also add a hash for the license file while we're at it.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.08.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 7+ messages in thread
* [Buildroot] [PATCH 2/2] libnss: security bump to version 3.33
2017-10-12 21:17 ` [Buildroot] [PATCH 2/2] libnss: security bump to version 3.33 Peter Korsgaard
2017-10-15 21:04 ` Peter Korsgaard
@ 2017-10-17 9:09 ` Peter Korsgaard
1 sibling, 0 replies; 7+ messages in thread
From: Peter Korsgaard @ 2017-10-17 9:09 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes CVE-2017-7805 - Martin Thomson discovered that nss, the Mozilla
> Network Security Service library, is prone to a use-after-free vulnerability
> in the TLS 1.2 implementation when handshake hashes are generated. A remote
> attacker can take advantage of this flaw to cause an application using the
> nss library to crash, resulting in a denial of service, or potentially to
> execute arbitrary code.
> Also add a hash for the license file while we're at it.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2017.08.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-10-17 9:09 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-10-12 21:17 [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17 Peter Korsgaard
2017-10-12 21:17 ` [Buildroot] [PATCH 2/2] libnss: security bump to version 3.33 Peter Korsgaard
2017-10-15 21:04 ` Peter Korsgaard
2017-10-17 9:09 ` Peter Korsgaard
2017-10-15 13:59 ` [Buildroot] [PATCH 1/2] libnspr: bump version to 4.17 Thomas Petazzoni
2017-10-15 21:04 ` Peter Korsgaard
2017-10-17 9:09 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox