From ef3085f396d2aa800cde816676d945c610ec5a1c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 07 2016 17:13:44 +0000
Subject: import nss-3.19.1-19.el7_2
---
diff --git a/SOURCES/cve-2015-7575-minimal.patch b/SOURCES/cve-2015-7575-minimal.patch
new file mode 100644
index 0000000..96d09b4
--- /dev/null
+++ b/SOURCES/cve-2015-7575-minimal.patch
@@ -0,0 +1,21 @@
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -4345,17 +4345,16 @@ ssl3_ConsumeHandshakeVariable(sslSocket
+ }
+
+ /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the
+ * SECOidTag used internally by NSS. */
+ static const struct {
+ int tlsHash;
+ SECOidTag oid;
+ } tlsHashOIDMap[] = {
+- { tls_hash_md5, SEC_OID_MD5 },
+ { tls_hash_sha1, SEC_OID_SHA1 },
+ { tls_hash_sha224, SEC_OID_SHA224 },
+ { tls_hash_sha256, SEC_OID_SHA256 },
+ { tls_hash_sha384, SEC_OID_SHA384 },
+ { tls_hash_sha512, SEC_OID_SHA512 }
+ };
+
+ /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value.
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 893792a..0c41c3b 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -23,7 +23,7 @@
 Summary: Network Security Services
 Name: nss
 Version: 3.19.1
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -130,6 +130,7 @@ Patch110: reorder-cipher-suites.patch
 Patch111: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
 # TODO: File a bug upstream with and expanded patch
 Patch112: rh1238290.patch
+Patch113: cve-2015-7575-minimal.patch
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -243,6 +244,7 @@ popd
 %patch111 -p0 -b .ocsp_sni
 pushd nss
 %patch112 -p1 -b .1238290
+%patch113 -p1 -b .cve-2015-7575
 popd
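Review bot: The embedded ssl3con.c hunk in cve-2015-7575-minimal.patch drops the `tls_hash_md5` row from tlsHashOIDMap, but the comment above the table still only describes the mapping, so nothing marks the omission as deliberate. I would extend that comment with `* tls_hash_md5 is intentionally absent: MD5 must not be accepted for TLS 1.2 handshake signatures (CVE-2015-7575).` so the row is not restored during a later rebase. The rejection presumably relies on ssl3_TLSHashAlgorithmToOID failing for identifiers missing from the table. That function's body lies outside the hunk, so its not-found path and any other consumer of `tls_hash_md5` should be confirmed before treating this minimal patch as the complete fix.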
@@ -337,10 +339,12 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
 NSS_USE_SYSTEM_SQLITE=1
 export NSS_USE_SYSTEM_SQLITE
-%if %{__isa_bits} == 64
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
 USE_64=1
 export USE_64
 %endif
+%endif
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
@@ -443,10 +447,12 @@ export FREEBL_NO_DEPEND
 BUILD_OPT=1
 export BUILD_OPT
-%if %{__isa_bits} == 64
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
 USE_64=1
 export USE_64
 %endif
+%endif
 export NSS_BLTEST_NOT_AVAILABLE=1
@@ -838,6 +844,10 @@ fi
 %changelog
+* Tue Dec 15 2015 Elio Maldonado - 3.19.1-19
+- Prevent TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol
+- Resolves: Bug 1289883
+
 * Wed Oct 21 2015 Kai Engert - 3.19.1-18
 - Rebuild against updated NSPR
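Review bot: In the `@@ -337,10 +339,12 @@` hunk the new test `%if 0%{__isa_bits} == 64` adds a leading zero but keeps the unconditional macro form, so if `__isa_bits` is undefined the text stays unexpanded and the comparison is still malformed. The zero only helps with the conditional form, `%if 0%{?__isa_bits} == 64`. The same line appears in the `@@ -443,10 +447,12 @@` hunk. The added `%ifnarch noarch` wrapper probably covers the case that motivated the change, but with `?` the guard would stand on its own. That matters here because it decides whether USE_64 is exported to the build of a crypto library.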