65 Commits

Author SHA1 Message Date
Wang Mingyu 43b2d8745f nss: upgrade 3.124 -> 3.125
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-06-20 23:41:44 -07:00
Wang Mingyu 99a4b9d98b nss: upgrade 3.123.1 -> 3.124
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-05-31 03:08:49 -07:00
Wang Mingyu 695729a1c1 nss: upgrade 3.122 -> 3.123.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-05-12 01:06:52 -07:00
Jason Schonberg cf480608a7 nss: upgrade 3.121 -> 3.122
Changelog: https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_122.html

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
2026-04-01 19:10:14 -07:00
Andrej Kozemcak 84e05a05d9 nss: upgrade 3.119 -> 3.121
Adapt patch 0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
to new version of the code. Remove code which not exist and adapt to
new code.

Changelog:

v3.121:
  https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_121.html

  Bugs:
    - update vendored zlib to v1.3.2.
    - Revert the unnecessary changes to intel-gcm-wrap.gyp.
    - Use C fallback for AES-GCM on MinGW builds.
    - fix ML-KEM PCT.
    - Extend NSS Fuzzing docs.
    - avoid integer overflow in platform-independent ghash.
    - Fix errant whitespace in OISTE Server Root RSA G1 nickname.
    - fix build with glibc-2.43 assignment discards ‘const’ qualifier from pointer.
    - add gcm.gyp dependency for Solaris SPARC builds.
    - Set nssckbi version to 2.84.
    - Add e-Szigno TLS Root CA 2023 to NSS.
    - allow manual selection of CPU_ARCH=x86_64 and ppc64 in coreconf/Darwin.mk.
    - Update cryptofuzz version.
    - Paranoia assert.
    - Darwin compatibility for intel-aes.S and intel-gcm.S.
    - rename intel-{aes,gcm}.s to .S.
    - rename C files for platform-specific ghash implementations.
    - simplify compilation of platform-specific GCM and GHASH.
    - FORWARD_NULL null deref of worker in p7decode.c (sec_pkcs7_decoder_abort_digests).
    - Out-of-Bounds Read in ML-DSA Private Key Parsing (zero-length privateKey).

v3.120:
  https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_120.html

  Bugs:
    - Fix docs generation bug.
    - CID 1678226: Dereferencing null pointer plaintext.data().
    - Run PKCS12 fuzz target with –fuzz=tls in CI.
    - Allowing RT be started several times.
    - move linux decision and build tasks to d2g worker pools.

v3.119.1:
  https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_119_1.html

  Bugs:
    - restore coreconf/Darwin.mk behavior for intel archs.

Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2026-03-17 22:02:52 -07:00
Wang Mingyu 1645c5e518 nss: upgrade 3.118.1 -> 3.119
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-12-09 15:11:00 -08:00
Wang Mingyu 10776ec8a7 nss: upgrade 3.117 -> 3.118.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-11-25 07:44:41 -08:00
Jason Schonberg 3e272a20f5 nss: upgrade 3.116 -> 3.117
Update homepage to location where it is being redirected.

Changelog: https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_117.html

Signed-off-by: Jason Schonberg <schonm@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-10-12 20:58:51 -07:00
Wang Mingyu 3550637bd7 nss: upgrade 3.115.1 -> 3.116
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-09-16 09:59:17 -07:00
Wang Mingyu 248b39249f nss: upgrade 3.115 -> 3.115.1
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-09-04 10:28:24 -07:00
Wang Mingyu 92318cb3a9 nss: upgrade 3.114 -> 3.115
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-08-20 07:35:09 -07:00
Wang Mingyu deb49cdd8e nss: upgrade 3.112 -> 3.114
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-07-30 08:03:07 -07:00
Khem Raj ea8387ba41 nss: Fix build when using clang toolchain
When using clang cross compiler, nss make system adds
some clang specific options e.g. Qunused-options to CFLAGS
which is fine for cross/target compile but some portions e.g.
nsinstall is build natively so it uses NATIVE_CC to compile this
utility, its is set to BUILD_CC rightly but when using clang for CC
and gcc for BUILD_CC, nss build system is confused because its
trying to use the computed set of warnings for both native and cross
compile and they may not match between clang and gcc. So here we
explicitly use clang for NATIVE_CC when TOOLCHAIN is clang

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-07-17 19:14:31 -07:00
Wang Mingyu d9a2118f41 nss: upgrade 3.111 -> 3.112
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-06-09 21:24:11 -07:00
Wang Mingyu 35f6c5c07d nss: upgrade 3.110 -> 3.111
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-05-21 07:38:25 -07:00
Yi Zhao 97aed429b8 nss: upgrade 3.109 -> 3.110
ChangeLog:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_110.html

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-03-31 14:42:06 -07:00
Wang Mingyu a21a3c79ca nss: upgrade 3.108 -> 3.109
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-03-11 17:17:21 -07:00
Wang Mingyu 64426a4928 nss: upgrade 3.107 -> 3.108
0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
refreshed for 3.108

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-02-12 09:16:00 -08:00
Yi Zhao f65596ce3e nss: upgrade 3.103 -> 3.107
* Refresh patches.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2025-01-01 19:02:17 -08:00
Wang Mingyu adf0c1d6c0 nss: upgrade 3.102 -> 3.103
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-09 14:25:16 -07:00
Alexandre Truong c8c4433e23 nss: modify UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
Modifying existing UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX
fix UNKNOWN_BROKEN status from running devtool check-upgrade-status.

The next version of the package can be found from upstream
sources.

Signed-off-by: Alexandre Truong <alexandre.truong@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
2024-07-24 08:56:45 -07:00
Markus Volk 975c047a1f nss: update 3.101 > 3.102
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-07-16 08:24:26 -07:00
Khem Raj d4a7efe3a8 nss: Upgrade to 3.101 release
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-06-14 10:23:13 -07:00
Khem Raj ffc64e9c6f recipes: Start WORKDIR -> UNPACKDIR transition
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-05-23 08:44:44 -07:00
Mingli Yu 05afab094d nss: Upgrade 3.74 -> 3.98
* Remove one backported patch and rebase two patches to the new version.

* License update:
  Copyright year updated to 2023

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-03-08 10:07:26 -08:00
Andrej Valek 8af2f17a6f cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
  version

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-27 08:54:40 -07:00
Peter Marko 81c18e0797 nss: ignore CVE-2022-3479
Investigation based on https://bugzilla.mozilla.org/show_bug.cgi?id=1774654 leads to following:
* fixed in 3.87
  (https://hg.mozilla.org/projects/nss/rev/a7f363511333b8062945557607691002fd6e40b9)
* changed code was introduced in 3.77
  (https://hg.mozilla.org/projects/nss/rev/be6a97823bfe10fa08e17c9584938a2d525a38da)
* NVD claims fix in 3.81, but there is no evidence for it in commit history
  (https://hg.mozilla.org/projects/nss/graph/a7f363511333b8062945557607691002fd6e40b9)
* Debian also says for old versions "nss <not-affected> (Vulnerable code not present/was introduced later)"
  (https://security-tracker.debian.org/tracker/CVE-2022-3479)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-04 22:29:45 -07:00
Wentao Zhang 366af48fa5 nss: fix failed test of nss.
The expiration date of the "PayPalEE.cert" test certificate in the nss package
is Jan 12 2022 and causing a test failure.

Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-04-10 20:13:28 -07:00
Mathieu Dubois-Briand 90645db2fa nss: Whitelist CVEs related to libnssdbm
These CVEs only affect libnssdbm, compiled when --enable-legacy-db is
used.

https://bugzilla.mozilla.org/show_bug.cgi?id=1360782#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778#c8
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779#c9
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-12-09 10:39:27 -08:00
Mathieu Dubois-Briand 8e0432fd54 nss: Add missing CVE product
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-12-09 10:39:27 -08:00
Dmitry Baryshkov da1ff7a5ae nss: fix cross-compilation error
Change OS_TEST to be soft assignment so that the cross-compilation
doens't fail with the errors like (note the difference in CPU tags):

| make[4]: *** No rule to make target
'../certhigh/Linux3.4_x86_64_glibc_PTH_64_OPT.OBJ/certhtml.o', needed by
'Linux3.4_aarch64_glibc_PTH_64_OPT.OBJ/libnss3.so'.  Stop.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-11-25 18:11:10 -08:00
Martin Jansa 74f131ffe8 nss: fix SRC_URI
* http://ftp.mozilla.org/pub/mozilla.org now returns 404, but the SRC_URI still works without
  "mozilla.org" directory

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-11-15 08:26:44 -08:00
Khem Raj 14c7d8a0d7 recipes: Update LICENSE variable to use SPDX license identifiers
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-03-04 17:41:45 -08:00
Khem Raj f2df270179 recipes: Use new CVE_CHECK_IGNORE variable
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-02-21 18:12:04 -08:00
Sakib Sajal a29f3b1003 nss: uprev v3.73.1 -> v3.74
Upgrade to newer version to resolve CVE-2022-22747.

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-02-03 15:14:43 -08:00
Sakib Sajal 1d2145c3e2 nss: upgrade 3.64 -> 3.73.1
Upgrade to 3.73.1 fixes CVE-2021-43527.

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-12-24 15:48:38 -08:00
Martin Jansa c61dc077bb Convert to new override syntax
This is the result of automated script (0.9.1) conversion:

oe-core/scripts/contrib/convert-overrides.py .

converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2021-08-03 10:21:25 -07:00
Masaki Ambai 44113dcb5f nss: add CVE-2006-5201 to allowlist
CVE-2006-5201 affects only using an RSA key with exponent 3 on Sun Solaris.

Signed-off-by: Masaki Ambai <ambai.masaki@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-06-24 12:55:11 -07:00
Marek Vasut 30148b33b5 nss: Fix build on Centos 7
Centos 7 has glibc 2.18 and nss-native build fails due to implicit
declaration of function putenv during build. This is because of the
Feature Test Macro Requirements for glibc (see feature_test_macros(7)):

  putenv(): _XOPEN_SOURCE
      || /* Glibc since 2.19: */ _DEFAULT_SOURCE
      || /* Glibc versions <= 2.19: */ _SVID_SOURCE

and because nss coreconf/Linux.mk only defines

 -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE

So on such system with glibc 2.18, neither macro makes putenv()
available. Add -D_XOPEN_SOURCE for the Centos 7 and glibc 2.18
native build case.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Armin Kuster <akuster808@gmail.com>
Cc: Armin Kuster <akuster@mvista.com>
Cc: Khem Raj <raj.khem@gmail.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-06-03 16:47:04 -07:00
Ross Burton 7fa165e0df nss: remove -march vs -mcpu workaround
NSS's build tries to be clever and passes for example -march=armv8-a+crypto
explicitly, instead of relying on the person doing the compilation to
set the right flags.

This conflicts with our compiler flags which typically pass the ideal
tune for the target, for example -mcpu=cortex-a55+crc+crypto.

When this happens GCC warns that the flags conflict (which was promoted
to an error, now fixed) and -march takes precedence over -mcpu.

As there's a huge number of potential tune flags to remove to avoid the
conflict, now that warnings are not fatal we can stop removing the flags
and let GCC warn as the generated code is the same.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-05-14 07:27:26 -07:00
Ross Burton c16459a2e6 nss: disable -Werror
-Werror should be used by developers and not packagers, because new
compiler flags or GCC versions can use new warnings.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-05-14 07:27:26 -07:00
zangrc a7d0d87854 nss: upgrade 3.63 -> 3.64
-License-Update: Add the license of MIT.

Signed-off-by: Zang Ruochen <zangrc.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-23 21:41:26 -07:00
Khem Raj 5178615b43 nss: Re-enable -Werror
GCC-11 has fixed the problem [1]

[1] https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=da879e01ecd35737c18be1da3324f4560aba1961
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-16 08:30:19 -07:00
zangrc e0ff02fc3c nss: upgrade 3.62 -> 3.63
Signed-off-by: Zang Ruochen <zangrc.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-03-28 12:12:58 -07:00
Randy MacLeod d7aa1a60f6 nss: upgrade 3.60.1 -> 3.62
The patch: nss-fix-nsinstall-build.patch is embedded specific
so set it's Upstream-Status to inappropriate.

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-03-09 08:33:51 -08:00
Khem Raj 9b62982d6c nss: Disable Werror
with newer compilers we are seeing new warnings, e.g.

error: argument 1 of type 'int[1]' with mismatched bound [-Werror=array-parameter=]
    8 |     extern void pr_static_assert(int arg[(((long unsigned int)-1) > (long unsigned int)1) ? 1 : -1]);
      |                                  ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

with gcc11 and clang has its own set which triggers here as well, its
better to disable werror therefore, we still have warnings if someone
wants to fix them but they wont break the builds

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-03-05 12:22:57 -08:00
Andrei Gherzan dad2aef6be nss: Fix warnings generated by getcwd
getcwd() conforms to POSIX.1-2001 which leaves the behaviour when the
buf argument is NULL, undefined. This makes gcc 10+ throw the following
warning:

argument 1 is null but the corresponding size argument 2 value is 4096

Initially, this was fixed by disabling NSS_ENABLE_WERROR. This patch
re-enables NSS_ENABLE_WERROR (by leaving it to its default value) and
takes advantage of the existing functionality in nss that wraps the
getcwd call into a function making sure that the buf argument is always
properly allocated.

Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-03-03 19:55:28 -08:00
Khem Raj 8c1c0ad349 nss: Add powerpc64 little endian support
Fix build with clang/ppc64le while here

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-02-23 11:08:21 -08:00
Yi Zhao 1c2b1b919c nss: upgrade 3.60 -> 3.60.1
Bugs fixed in NSS 3.60.1:
Bug 1682863 - Fix remaining hang issues with slow third-party PKCS #11
              tokens.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-01-21 00:26:41 -08:00
zangrc 2f47e6bb43 nss: upgrade 3.59 -> 3.60
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-01-05 09:16:27 -08:00