diff options
| -rw-r--r-- | firefox-nss-addon-hack.patch | 19 | ||||
| -rw-r--r-- | firefox.spec | 7 |
2 files changed, 25 insertions, 1 deletions
diff --git a/firefox-nss-addon-hack.patch b/firefox-nss-addon-hack.patch new file mode 100644 index 0000000..0322707 --- /dev/null +++ b/firefox-nss-addon-hack.patch @@ -0,0 +1,19 @@ +diff -up firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp.nss-hack firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp
+--- firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp.nss-hack 2021-01-11 12:12:02.585514543 +0100
++++ firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp 2021-01-11 12:47:50.345984582 +0100
+@@ -1619,6 +1619,15 @@ SECStatus InitializeNSS(const nsACString
+ return srv;
+ }
+
++ /* Sets the NSS_USE_ALG_IN_ANY_SIGNATURE bit.
++ * does not change NSS_USE_ALG_IN_CERT_SIGNATURE,
++ * so policy will still disable use of sha1 in
++ * certificate related signature processing. */
++ srv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
++ if (srv != SECSuccess) {
++ NS_WARNING("Unable to use SHA1 for Add-ons, expect broken/disabled Add-ons. See https://bugzilla.redhat.com/show_bug.cgi?id=1908018 for details.");
++ }
++
+ if (nssDbConfig == NSSDBConfig::ReadWrite) {
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
diff --git a/firefox.spec b/firefox.spec index 62db459..5a42d1c 100644 --- a/firefox.spec +++ b/firefox.spec @@ -140,7 +140,7 @@ ExcludeArch: s390x Summary: Mozilla Firefox Web browser Name: firefox Version: 84.0.2 -Release: 1%{?pre_tag}%{?dist} +Release: 2%{?pre_tag}%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}%{?pre_version}/source/firefox-%{version}%{?pre_version}.source.tar.xz @@ -201,6 +201,7 @@ Patch224: mozilla-1170092.patch Patch226: rhbz-1354671.patch Patch227: firefox-locale-debug.patch Patch228: disable-openh264-download.patch +Patch229: firefox-nss-addon-hack.patch # Upstream patches Patch402: mozilla-1196777.patch @@ -418,6 +419,7 @@ This package contains results of tests executed during build. %endif %patch227 -p1 -b .locale-debug %patch228 -p1 -b .disable-openh264-download +%patch229 -p1 -b .firefox-nss-addon-hack %patch402 -p1 -b .1196777 %patch407 -p1 -b .1667096 @@ -1022,6 +1024,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Mon Jan 11 2021 Martin Stransky <stransky@redhat.com> - 84.0.2-2 +- Added a workaround for rhbz#1908018 + * Wed Jan 6 2021 Martin Stransky <stransky@redhat.com> - 84.0.2-1 - Updated to 84.0.2 |