summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--firefox-nss-addon-hack.patch19
-rw-r--r--firefox.spec7
2 files changed, 25 insertions, 1 deletions
diff --git a/firefox-nss-addon-hack.patch b/firefox-nss-addon-hack.patch
new file mode 100644
index 0000000..0322707
--- /dev/null
+++ b/firefox-nss-addon-hack.patch
@@ -0,0 +1,19 @@
+diff -up firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp.nss-hack firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp
+--- firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp.nss-hack 2021-01-11 12:12:02.585514543 +0100
++++ firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp 2021-01-11 12:47:50.345984582 +0100
+@@ -1619,6 +1619,15 @@ SECStatus InitializeNSS(const nsACString
+ return srv;
+ }
+
++ /* Sets the NSS_USE_ALG_IN_ANY_SIGNATURE bit.
++ * does not change NSS_USE_ALG_IN_CERT_SIGNATURE,
++ * so policy will still disable use of sha1 in
++ * certificate related signature processing. */
++ srv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0);
++ if (srv != SECSuccess) {
++ NS_WARNING("Unable to use SHA1 for Add-ons, expect broken/disabled Add-ons. See https://bugzilla.redhat.com/show_bug.cgi?id=1908018 for details.");
++ }
++
+ if (nssDbConfig == NSSDBConfig::ReadWrite) {
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
+ if (!slot) {
diff --git a/firefox.spec b/firefox.spec
index 62db459..5a42d1c 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -140,7 +140,7 @@ ExcludeArch: s390x
Summary: Mozilla Firefox Web browser
Name: firefox
Version: 84.0.2
-Release: 1%{?pre_tag}%{?dist}
+Release: 2%{?pre_tag}%{?dist}
URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+
Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}%{?pre_version}/source/firefox-%{version}%{?pre_version}.source.tar.xz
@@ -201,6 +201,7 @@ Patch224: mozilla-1170092.patch
Patch226: rhbz-1354671.patch
Patch227: firefox-locale-debug.patch
Patch228: disable-openh264-download.patch
+Patch229: firefox-nss-addon-hack.patch
# Upstream patches
Patch402: mozilla-1196777.patch
@@ -418,6 +419,7 @@ This package contains results of tests executed during build.
%endif
%patch227 -p1 -b .locale-debug
%patch228 -p1 -b .disable-openh264-download
+%patch229 -p1 -b .firefox-nss-addon-hack
%patch402 -p1 -b .1196777
%patch407 -p1 -b .1667096
@@ -1022,6 +1024,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
#---------------------------------------------------------------------
%changelog
+* Mon Jan 11 2021 Martin Stransky <stransky@redhat.com> - 84.0.2-2
+- Added a workaround for rhbz#1908018
+
* Wed Jan 6 2021 Martin Stransky <stransky@redhat.com> - 84.0.2-1
- Updated to 84.0.2
bgstack15