author | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2024-04-24 11:22:30 -0400 |
---|---|---|
committer | Maxim Cournoyer <maxim.cournoyer@gmail.com> | 2024-04-26 07:05:50 -0400 |
commit | e584ff08b162c46ef587daca438e97d56bc20b32 (patch) | |
tree | 04ee3fcf693ed8561443bb4450dda9bfacfd6c34 | |
parent | eb239e4793fb7b93c14ef52fedca01d2b01de0a0 (diff) | |
gnu: nss: Graft with version 3.98 [security fixes].
This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.
* gnu/packages/nss.scm (nss) [replacement]: New field.
(nss-3.98): Rename variable to...
(nss/fixed): ... this. Make it a hidden package.
* gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
nss/fixed.
Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
-rw-r--r-- | gnu/packages/librewolf.scm | 2 | ||||
-rw-r--r-- | gnu/packages/nss.scm | 71 |
2 files changed, 38 insertions, 35 deletions
diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm index 87b76c661f..1717bad0b5 100644 --- a/gnu/packages/librewolf.scm +++ b/gnu/packages/librewolf.scm @@ -581,7 +581,7 @@ StartupWMClass=Navigator")) mesa mit-krb5 nspr - nss-3.98 + nss/fixed pango pciutils pipewire diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm index a2843be17a..8f6ed06e63 100644 --- a/gnu/packages/nss.scm +++ b/gnu/packages/nss.scm @@ -110,6 +110,7 @@ in the Mozilla clients.") ;; version and source to avoid a top-level variable reference & module ;; cycle. (version "3.88.1") + (replacement nss/fixed) (source (origin (method url-fetch) (uri (let ((version-with-underscores 
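Review bot: The new `(replacement nss/fixed)` field in gnu/packages/nss.scm has no comment saying that dependents are grafted rather than rebuilt. Binaries compiled against 3.88.1 will therefore load the 3.98 libraries at run time, which presumably relies on NSS keeping its ABI backward compatible across that range. I would record this next to the field, for example `;; Security graft: dependents are not rebuilt, so nss/fixed must remain ABI-compatible with this version.` The commit message names the CVEs, but the package definition does not, so a short `;; Fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.` would also help whoever later ungrafts it. The `nss` package body starts and ends outside this hunk.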
@@ -248,38 +249,40 @@ PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.") (license license:mpl2.0))) -(define-public nss-3.98 - (package - (inherit nss) - (version "3.98") - (source (origin - (inherit (package-source nss)) - (uri (let ((version-with-underscores - (string-join (string-split version #\.) "_"))) - (string-append - "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" - "releases/NSS_" version-with-underscores "_RTM/src/" - "nss-" version ".tar.gz"))) - (sha256 - (base32 - "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm")))) - (arguments - (substitute-keyword-arguments (package-arguments nss) - ((#:phases phases) - #~(modify-phases #$phases - (replace 'check - (lambda* (#:key tests? #:allow-other-keys) - (if tests? - (begin - ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for - ;; testing. The latter requires a working DNS or /etc/hosts. - (setenv "DOMSUF" "localdomain") - (setenv "USE_IP" "TRUE") - (setenv "IP_ADDRESS" "127.0.0.1") +(define-public nss/fixed + (let ((actual-version "3.98")) + (hidden-package + (package + (inherit nss) + (version (string-append actual-version ".0")) ;for grafts requirements + (source (origin + (inherit (package-source nss)) + (uri (let ((version-with-underscores + (string-join (string-split actual-version #\.) "_"))) + (string-append + "https://ftp.mozilla.org/pub/mozilla.org/security/nss/" + "releases/NSS_" version-with-underscores "_RTM/src/" + "nss-" actual-version ".tar.gz"))) + (sha256 + (base32 + "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm")))) + (arguments + (substitute-keyword-arguments (package-arguments nss) + ((#:phases phases) + #~(modify-phases #$phases + (replace 'check + (lambda* (#:key tests? #:allow-other-keys) + (if tests? + (begin + ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for + ;; testing. The latter requires a working DNS or /etc/hosts. 
+ (setenv "DOMSUF" "localdomain") + (setenv "USE_IP" "TRUE") + (setenv "IP_ADDRESS" "127.0.0.1") - ;; The "PayPalEE.cert" certificate expires every six months, - ;; leading to test failures: - ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To - ;; work around that, set the time to roughly the release date. - (invoke "faketime" "2024-01-23" "./nss/tests/all.sh")) - (format #t "test suite not run~%")))))))))) + ;; The "PayPalEE.cert" certificate expires every six months, + ;; leading to test failures: + ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To + ;; work around that, set the time to roughly the release date. + (invoke "faketime" "2024-01-23" "./nss/tests/all.sh")) + (format #t "test suite not run~%")))))))))))) |
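Review bot: The comment `;for grafts requirements` on the `version` field of `nss/fixed` does not explain why "3.98.0" is used when upstream has no such release. Grafting rewrites store references in place, so the replacement's version string has to be the same length as the original's; "3.98.0" matches the six characters of "3.88.1". I would spell that out, for example `;; The graft needs a version string as long as nss's "3.88.1", hence the ".0"; the source is NSS 3.98.` It would also help to note beside `actual-version` that the `faketime` date "2024-01-23" in the `check` phase is tied to that release and must be updated together with it, otherwise the certificate tests can start failing.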