2014-09-23 23:39:14 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 23 21:30:16 UTC 2014 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.17.1 (bnc#897890)
|
2014-09-24 21:29:06 +02:00
|
|
|
* MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405)
|
|
|
|
|
RSA Signature Forgery in NSS
|
2014-09-23 23:39:14 +02:00
|
|
|
* Change library's signature algorithm default to SHA256
|
|
|
|
|
* Add support for draft-ietf-tls-downgrade-scsv
|
|
|
|
|
* Add clang-cl support to the NSS build system
|
|
|
|
|
* Implement TLS 1.3:
|
|
|
|
|
* Part 1. Negotiate TLS 1.3
|
|
|
|
|
* Part 2. Remove deprecated cipher suites andcompression.
|
|
|
|
|
* Add support for little-endian powerpc64
|
|
|
|
|
|
2014-09-04 15:58:20 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 29 11:53:10 UTC 2014 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.17
|
|
|
|
|
* required for Firefox 33
|
|
|
|
|
New functionality:
|
|
|
|
|
* When using ECDHE, the TLS server code may be configured to generate
|
|
|
|
|
a fresh ephemeral ECDH key for each handshake, by setting the
|
|
|
|
|
SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The
|
|
|
|
|
SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means
|
|
|
|
|
the server's ephemeral ECDH key is reused for multiple handshakes.
|
|
|
|
|
This option does not affect the TLS client code, which always
|
|
|
|
|
generates a fresh ephemeral ECDH key for each handshake.
|
|
|
|
|
New Macros
|
|
|
|
|
* SSL_REUSE_SERVER_ECDHE_KEY
|
|
|
|
|
Notable Changes:
|
|
|
|
|
* The manual pages for the certutil and pp tools have been updated to
|
|
|
|
|
document the new parameters that had been added in NSS 3.16.2.
|
|
|
|
|
* On Windows, the new build variable USE_STATIC_RTL can be used to
|
|
|
|
|
specify the static C runtime library should be used. By default the
|
|
|
|
|
dynamic C runtime library is used.
|
|
|
|
|
|
2014-08-12 13:04:16 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Aug 12 10:56:55 UTC 2014 - wr@rosenauer.org
|
|
|
|
|
|
2014-09-02 20:14:14 +02:00
|
|
|
- update to 3.16.4 (bnc#894201)
|
2014-08-12 13:04:16 +02:00
|
|
|
* now required for Firefox 32
|
|
|
|
|
Notable Changes:
|
|
|
|
|
* The following 1024-bit root CA certificate was restored to allow more
|
|
|
|
|
time to develop a better transition strategy for affected sites. It was
|
|
|
|
|
removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy
|
|
|
|
|
forum led to the decision to keep this root included longer in order to
|
|
|
|
|
give website administrators more time to update their web servers.
|
|
|
|
|
- CN = GTE CyberTrust Global Root
|
|
|
|
|
* In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification
|
|
|
|
|
Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit
|
|
|
|
|
intermediate CA certificate has been included, without explicit trust.
|
|
|
|
|
The intention is to mitigate the effects of the previous removal of the
|
|
|
|
|
1024-bit Entrust.net root certificate, because many public Internet
|
|
|
|
|
sites still use the "USERTrust Legacy Secure Server CA" intermediate
|
|
|
|
|
certificate that is signed by the 1024-bit Entrust.net root certificate.
|
|
|
|
|
The inclusion of the intermediate certificate is a temporary measure to
|
|
|
|
|
allow those sites to function, by allowing them to find a trust path to
|
|
|
|
|
another 2048-bit root CA certificate. The temporarily included
|
|
|
|
|
intermediate certificate expires November 1, 2015.
|
|
|
|
|
|
2014-05-08 08:02:59 +02:00
|
|
|
-------------------------------------------------------------------
|
2014-07-05 15:02:10 +02:00
|
|
|
Sat Jul 5 12:10:36 UTC 2014 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.16.3
|
|
|
|
|
* required for Firefox 32
|
|
|
|
|
New Functions:
|
|
|
|
|
* CERT_GetGeneralNameTypeFromString (This function was already added
|
|
|
|
|
in NSS 3.16.2, however, it wasn't declared in a public header file.)
|
|
|
|
|
Notable Changes:
|
|
|
|
|
* The following 1024-bit CA certificates were removed
|
|
|
|
|
- Entrust.net Secure Server Certification Authority
|
|
|
|
|
- GTE CyberTrust Global Root
|
|
|
|
|
- ValiCert Class 1 Policy Validation Authority
|
|
|
|
|
- ValiCert Class 2 Policy Validation Authority
|
|
|
|
|
- ValiCert Class 3 Policy Validation Authority
|
|
|
|
|
* Additionally, the following CA certificate was removed as
|
|
|
|
|
requested by the CA:
|
|
|
|
|
- TDC Internet Root CA
|
|
|
|
|
* The following CA certificates were added:
|
|
|
|
|
- Certification Authority of WoSign
|
|
|
|
|
- CA 沃通根证书
|
|
|
|
|
- DigiCert Assured ID Root G2
|
|
|
|
|
- DigiCert Assured ID Root G3
|
|
|
|
|
- DigiCert Global Root G2
|
|
|
|
|
- DigiCert Global Root G3
|
|
|
|
|
- DigiCert Trusted Root G4
|
|
|
|
|
- QuoVadis Root CA 1 G3
|
|
|
|
|
- QuoVadis Root CA 2 G3
|
|
|
|
|
- QuoVadis Root CA 3 G3
|
|
|
|
|
* The Trust Bits were changed for the following CA certificates
|
|
|
|
|
- Class 3 Public Primary Certification Authority
|
|
|
|
|
- Class 3 Public Primary Certification Authority
|
|
|
|
|
- Class 2 Public Primary Certification Authority - G2
|
|
|
|
|
- VeriSign Class 2 Public Primary Certification Authority - G3
|
|
|
|
|
- AC Raíz Certicámara S.A.
|
|
|
|
|
- NetLock Uzleti (Class B) Tanusitvanykiado
|
|
|
|
|
- NetLock Expressz (Class C) Tanusitvanykiado
|
|
|
|
|
- changes in 3.16.2
|
|
|
|
|
New functionality:
|
|
|
|
|
* DTLS 1.2 is supported.
|
|
|
|
|
* The TLS application layer protocol negotiation (ALPN) extension
|
|
|
|
|
is also supported on the server side.
|
|
|
|
|
* RSA-OEAP is supported. Use the new PK11_PrivDecrypt and
|
|
|
|
|
PK11_PubEncrypt functions with the CKM_RSA_PKCS_OAEP mechanism.
|
|
|
|
|
* New Intel AES assembly code for 32-bit and 64-bit Windows,
|
|
|
|
|
contributed by Shay Gueron and Vlad Krasnov of Intel.
|
|
|
|
|
New Functions:
|
|
|
|
|
* CERT_AddExtensionByOID
|
|
|
|
|
* PK11_PrivDecrypt
|
|
|
|
|
* PK11_PubEncrypt
|
|
|
|
|
New Macros
|
|
|
|
|
* SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK
|
|
|
|
|
* SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL
|
|
|
|
|
Notable Changes:
|
|
|
|
|
* The btoa command has a new command-line option -w suffix, which
|
|
|
|
|
causes the output to be wrapped in BEGIN/END lines with the
|
|
|
|
|
given suffix
|
|
|
|
|
* The certutil commands supports additionals types of subject
|
|
|
|
|
alt name extensions.
|
|
|
|
|
* The certutil command supports generic certificate extensions,
|
|
|
|
|
by loading binary data from files, which have been prepared using
|
|
|
|
|
external tools, or which have been extracted from other existing
|
|
|
|
|
certificates and dumped to file.
|
|
|
|
|
* The certutil command supports three new certificate usage specifiers.
|
|
|
|
|
* The pp command supports printing UTF-8 (-u).
|
|
|
|
|
* On Linux, NSS is built with the -ffunction-sections -fdata-sections
|
|
|
|
|
compiler flags and the --gc-sections linker flag to allow unused
|
|
|
|
|
functions to be discarded.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
2014-05-08 08:02:59 +02:00
|
|
|
Thu May 8 05:46:17 UTC 2014 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.16.1
|
|
|
|
|
* required for Firefox 31
|
|
|
|
|
New functionality:
|
|
|
|
|
* Added the "ECC" flag for modutil to select the module used for
|
|
|
|
|
elliptic curve cryptography (ECC) operations.
|
|
|
|
|
New Functions:
|
|
|
|
|
* PK11_ExportDERPrivateKeyInfo/PK11_ExportPrivKeyInfo
|
|
|
|
|
exports a private key in a DER-encoded ASN.1 PrivateKeyInfo type
|
|
|
|
|
or a SECKEYPrivateKeyInfo structure. Only RSA private keys are
|
|
|
|
|
supported now.
|
|
|
|
|
* SECMOD_InternalToPubMechFlags
|
|
|
|
|
converts from NSS-internal to public representation of mechanism
|
|
|
|
|
flags
|
|
|
|
|
New Types:
|
|
|
|
|
* ssl_padding_xtn
|
|
|
|
|
the value of this enum constant changed from the experimental
|
|
|
|
|
value 35655 to the IANA-assigned value 21
|
|
|
|
|
New Macros
|
|
|
|
|
* PUBLIC_MECH_ECC_FLAG
|
|
|
|
|
a public mechanism flag for elliptic curve cryptography (ECC)
|
|
|
|
|
operations
|
|
|
|
|
* SECMOD_ECC_FLAG
|
|
|
|
|
an NSS-internal mechanism flag for elliptic curve cryptography
|
|
|
|
|
(ECC) operations. This macro has the same numeric value as
|
|
|
|
|
PUBLIC_MECH_ECC_FLAG.
|
|
|
|
|
Notable Changes:
|
|
|
|
|
* Imposed name constraints on the French government root CA ANSSI
|
|
|
|
|
(DCISS).
|
|
|
|
|
|
- update to 3.16
* required for Firefox 29
* bmo#903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard
character should not be embedded within the U-label of an
internationalized domain name. See the last bullet point in RFC 6125,
Section 7.2.
* Supports the Linux x32 ABI. To build for the Linux x32 target, set
the environment variable USE_X32=1 when building NSS.
New Functions:
* NSS_CMSSignerInfo_Verify
New Macros
* TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.,
cipher suites that were first defined in SSL 3.0 can now be referred
to with their official IANA names in TLS, with the TLS_ prefix.
Previously, they had to be referred to with their names in SSL 3.0,
with the SSL_ prefix.
Notable Changes:
* ECC is enabled by default. It is no longer necessary to set the
environment variable NSS_ENABLE_ECC=1 when building NSS. To disable
ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS.
* libpkix should not include the common name of CA as DNS names when
evaluating name constraints.
* AESKeyWrap_Decrypt should not return SECSuccess for invalid keys.
* Fix a memory corruption in sec_pkcs12_new_asafe.
* If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime
test sdb_measureAccess.
* The built-in roots module has been updated to version 1.97, which
adds, removes, and distrusts several certificates.
* The atob utility has been improved to automatically ignore lines of
text that aren't in base64 format.
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=155
2014-03-21 22:54:13 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Mar 21 21:16:31 UTC 2014 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.16
|
|
|
|
|
* required for Firefox 29
|
|
|
|
|
* bmo#903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard
|
|
|
|
|
character should not be embedded within the U-label of an
|
|
|
|
|
internationalized domain name. See the last bullet point in RFC 6125,
|
|
|
|
|
Section 7.2.
|
|
|
|
|
* Supports the Linux x32 ABI. To build for the Linux x32 target, set
|
|
|
|
|
the environment variable USE_X32=1 when building NSS.
|
|
|
|
|
New Functions:
|
|
|
|
|
* NSS_CMSSignerInfo_Verify
|
|
|
|
|
New Macros
|
|
|
|
|
* TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.,
|
|
|
|
|
cipher suites that were first defined in SSL 3.0 can now be referred
|
|
|
|
|
to with their official IANA names in TLS, with the TLS_ prefix.
|
|
|
|
|
Previously, they had to be referred to with their names in SSL 3.0,
|
|
|
|
|
with the SSL_ prefix.
|
|
|
|
|
Notable Changes:
|
|
|
|
|
* ECC is enabled by default. It is no longer necessary to set the
|
|
|
|
|
environment variable NSS_ENABLE_ECC=1 when building NSS. To disable
|
|
|
|
|
ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS.
|
|
|
|
|
* libpkix should not include the common name of CA as DNS names when
|
|
|
|
|
evaluating name constraints.
|
|
|
|
|
* AESKeyWrap_Decrypt should not return SECSuccess for invalid keys.
|
|
|
|
|
* Fix a memory corruption in sec_pkcs12_new_asafe.
|
|
|
|
|
* If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime
|
|
|
|
|
test sdb_measureAccess.
|
|
|
|
|
* The built-in roots module has been updated to version 1.97, which
|
|
|
|
|
adds, removes, and distrusts several certificates.
|
|
|
|
|
* The atob utility has been improved to automatically ignore lines of
|
|
|
|
|
text that aren't in base64 format.
|
|
|
|
|
* The certutil utility has been improved to support creation of
|
|
|
|
|
version 1 and version 2 certificates, in addition to the existing
|
|
|
|
|
version 3 support.
|
|
|
|
|
|
2014-02-25 13:02:07 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 25 11:31:18 UTC 2014 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.15.5
|
|
|
|
|
* required for Firefox 28
|
|
|
|
|
* export FREEBL_LOWHASH to get the correct default headers
|
|
|
|
|
(bnc#865539)
|
|
|
|
|
New functionality
|
|
|
|
|
* Added support for the TLS application layer protocol negotiation
|
|
|
|
|
(ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and
|
|
|
|
|
SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both)
|
|
|
|
|
should be used for application layer protocol negotiation.
|
|
|
|
|
* Added the TLS padding extension. The extension type value is 35655,
|
|
|
|
|
which may change when an official extension type value is assigned
|
|
|
|
|
by IANA. NSS automatically adds the padding extension to ClientHello
|
|
|
|
|
when necessary.
|
|
|
|
|
* Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting
|
|
|
|
|
the tail of a CERTCertList.
|
|
|
|
|
Notable Changes
|
|
|
|
|
* bmo#950129: Improve the OCSP fetching policy when verifying OCSP
|
|
|
|
|
responses
|
|
|
|
|
* bmo#949060: Validate the iov input argument (an array of PRIOVec
|
|
|
|
|
structures) of ssl_WriteV (called via PR_Writev). Applications should
|
|
|
|
|
still take care when converting struct iov to PRIOVec because the
|
|
|
|
|
iov_len members of the two structures have different types
|
|
|
|
|
(size_t vs. int). size_t is unsigned and may be larger than int.
|
|
|
|
|
|
2014-02-20 13:04:07 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Feb 20 10:55:30 UTC 2014 - aj@ajaissle.de
|
|
|
|
|
|
|
|
|
|
- BuildRequire mozilla-nspr >= 4.9
|
|
|
|
|
|
2013-12-09 13:35:34 +01:00
|
|
|
-------------------------------------------------------------------
|
2014-01-07 09:49:30 +01:00
|
|
|
Tue Jan 7 08:39:04 UTC 2014 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.15.4
|
|
|
|
|
* required for Firefox 27
|
|
|
|
|
* regular CA root store update (1.96)
|
2014-01-09 11:24:37 +01:00
|
|
|
* Reordered the cipher suites offered in SSL/TLS client hello
|
|
|
|
|
messages to match modern best practices.
|
|
|
|
|
* Improved SSL/TLS false start. In addition to enabling the
|
|
|
|
|
SSL_ENABLE_FALSE_START option, an application must now register
|
|
|
|
|
a callback using the SSL_SetCanFalseStartCallback function.
|
|
|
|
|
* When false start is enabled, libssl will sometimes return
|
|
|
|
|
unencrypted, unauthenticated data from PR_Recv
|
|
|
|
|
(CVE-2013-1740, bmo#919877)
|
2014-02-05 07:01:36 +01:00
|
|
|
* MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
|
|
|
|
|
NSS ticket handling issues
|
2014-01-09 11:24:37 +01:00
|
|
|
New functionality
|
|
|
|
|
* Implemented OCSP querying using the HTTP GET method, which is
|
|
|
|
|
the new default, and will fall back to the HTTP POST method.
|
|
|
|
|
* Implemented OCSP server functionality for testing purposes
|
|
|
|
|
(httpserv utility).
|
|
|
|
|
* Support SHA-1 signatures with TLS 1.2 client authentication.
|
|
|
|
|
* Added the --empty-password command-line option to certutil,
|
|
|
|
|
to be used with -N: use an empty password when creating a new
|
|
|
|
|
database.
|
|
|
|
|
* Added the -w command-line option to pp: don't wrap long output
|
|
|
|
|
lines.
|
|
|
|
|
New functions
|
|
|
|
|
* CERT_ForcePostMethodForOCSP
|
|
|
|
|
* CERT_GetSubjectNameDigest
|
|
|
|
|
* CERT_GetSubjectPublicKeyDigest
|
|
|
|
|
* SSL_PeerCertificateChain
|
|
|
|
|
* SSL_RecommendedCanFalseStart
|
|
|
|
|
* SSL_SetCanFalseStartCallback
|
|
|
|
|
New types
|
|
|
|
|
* CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used,
|
|
|
|
|
libpkix will never attempt to use the HTTP GET method for OCSP
|
|
|
|
|
requests; it will always use POST.
|
2014-01-07 09:49:30 +01:00
|
|
|
- removed obsolete char.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
2013-12-09 13:35:34 +01:00
|
|
|
Thu Dec 5 18:59:27 UTC 2013 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.15.3.1 (bnc#854367)
|
|
|
|
|
* includes certstore update (1.95) (bmo#946351)
|
|
|
|
|
(explicitely distrust AC DG Tresor SSL)
|
|
|
|
|
|
2013-12-04 18:44:48 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 4 14:40:39 CET 2013 - mls@suse.de
|
|
|
|
|
|
|
|
|
|
- adapt specfile to ppc64le
|
|
|
|
|
|
2013-11-11 23:19:45 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Nov 11 22:11:57 UTC 2013 - wr@rosenauer.org
|
|
|
|
|
|
2013-11-12 21:37:56 +01:00
|
|
|
- update to 3.15.3 (bnc#850148)
|
2013-11-11 23:19:45 +01:00
|
|
|
* CERT_VerifyCert returns SECSuccess (saying certificate is good)
|
|
|
|
|
even for bad certificates, when the CERTVerifyLog log parameter
|
|
|
|
|
is given (bmo#910438)
|
|
|
|
|
* NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello
|
|
|
|
|
(bmo#919677)
|
2013-11-12 21:37:56 +01:00
|
|
|
* fix CVE-2013-5605
|
2013-11-11 23:19:45 +01:00
|
|
|
|
2013-09-28 10:13:46 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Sep 28 04:20:41 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
2013-09-28 10:24:06 +02:00
|
|
|
- update to 3.15.2 (bnc#842979)
|
2013-09-28 10:17:22 +02:00
|
|
|
* Support for AES-GCM ciphersuites that use the SHA-256 PRF
|
|
|
|
|
* MD2, MD4, and MD5 signatures are no longer accepted for OCSP
|
|
|
|
|
or CRLs
|
|
|
|
|
* Add PK11_CipherFinal macro
|
|
|
|
|
* sizeof() used incorrectly
|
|
|
|
|
* nssutil_ReadSecmodDB() leaks memory
|
|
|
|
|
* Allow SSL_HandshakeNegotiatedExtension to be called before
|
|
|
|
|
the handshake is finished.
|
|
|
|
|
* Deprecate the SSL cipher policy code
|
|
|
|
|
* Avoid uninitialized data read in the event of a decryption
|
|
|
|
|
failure. (CVE-2013-1739)
|
2013-09-28 10:13:46 +02:00
|
|
|
|
2013-07-05 14:48:09 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jul 5 08:08:57 UTC 2013 - lnussel@suse.de
|
|
|
|
|
|
|
|
|
|
- fix 32bit requirement, it's without () actually
|
|
|
|
|
|
2013-07-03 14:00:07 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 3 11:55:58 UTC 2013 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.15.1
|
|
|
|
|
* TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites
|
|
|
|
|
(RFC 5246 and RFC 5289) are supported, allowing TLS to be used
|
|
|
|
|
without MD5 and SHA-1.
|
|
|
|
|
Note the following limitations:
|
|
|
|
|
The hash function used in the signature for TLS 1.2 client
|
|
|
|
|
authentication must be the hash function of the TLS 1.2 PRF,
|
|
|
|
|
which is always SHA-256 in NSS 3.15.1.
|
|
|
|
|
AES GCM cipher suites are not yet supported.
|
|
|
|
|
* some bugfixes and improvements
|
|
|
|
|
|
2013-07-03 12:36:27 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jun 28 09:27:24 UTC 2013 - lnussel@suse.de
|
|
|
|
|
|
|
|
|
|
- require libnssckbi instead of mozilla-nss-certs so p11-kit can
|
|
|
|
|
conflict with the latter (fate#314991)
|
|
|
|
|
|
2013-06-11 17:41:13 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 11 04:58:56 UTC 2013 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.15
|
|
|
|
|
* Packaging
|
|
|
|
|
+ removed obsolete patches
|
|
|
|
|
* nss-disable-expired-testcerts.patch
|
|
|
|
|
* bug-834091.patch
|
|
|
|
|
* New Functionality
|
|
|
|
|
+ Support for OCSP Stapling (RFC 6066, Certificate Status
|
|
|
|
|
Request) has been added for both client and server sockets.
|
|
|
|
|
TLS client applications may enable this via a call to
|
|
|
|
|
SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
|
|
|
|
|
+ Added function SECITEM_ReallocItemV2. It replaces function
|
|
|
|
|
SECITEM_ReallocItem, which is now declared as obsolete.
|
|
|
|
|
+ Support for single-operation (eg: not multi-part) symmetric
|
|
|
|
|
key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
|
|
|
|
|
+ certutil has been updated to support creating name constraints
|
|
|
|
|
extensions.
|
|
|
|
|
* New Functions
|
|
|
|
|
in ssl.h
|
|
|
|
|
SSL_PeerStapledOCSPResponse - Returns the server's stapled
|
|
|
|
|
OCSP response, when used with a TLS client socket that
|
|
|
|
|
negotiated the status_request extension.
|
|
|
|
|
SSL_SetStapledOCSPResponses - Set's a stapled OCSP response
|
|
|
|
|
for a TLS server socket to return when clients send the
|
|
|
|
|
status_request extension.
|
|
|
|
|
in ocsp.h
|
|
|
|
|
CERT_PostOCSPRequest - Primarily intended for testing, permits
|
|
|
|
|
the sending and receiving of raw OCSP request/responses.
|
|
|
|
|
in secpkcs7.h
|
|
|
|
|
SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7
|
|
|
|
|
signature at a specific time other than the present time.
|
|
|
|
|
in xconst.h
|
|
|
|
|
CERT_EncodeNameConstraintsExtension - Matching function for
|
|
|
|
|
CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
|
|
|
|
|
in secitem.h
|
|
|
|
|
SECITEM_AllocArray
|
|
|
|
|
SECITEM_DupArray
|
|
|
|
|
SECITEM_FreeArray
|
|
|
|
|
SECITEM_ZfreeArray - Utility functions to handle the
|
|
|
|
|
allocation and deallocation of SECItemArrays
|
|
|
|
|
SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is
|
|
|
|
|
now obsolete. SECITEM_ReallocItemV2 better matches caller
|
|
|
|
|
expectations, in that it updates item->len on allocation.
|
|
|
|
|
For more details of the issues with SECITEM_ReallocItem,
|
|
|
|
|
see Bug 298649 and Bug 298938.
|
|
|
|
|
in pk11pub.h
|
|
|
|
|
PK11_Decrypt - Performs decryption as a single PKCS#11
|
|
|
|
|
operation (eg: not multi-part). This is necessary for AES-GCM.
|
|
|
|
|
PK11_Encrypt - Performs encryption as a single PKCS#11
|
|
|
|
|
operation (eg: not multi-part). This is necessary for AES-GCM.
|
|
|
|
|
* New Types
|
|
|
|
|
in secitem.h
|
|
|
|
|
SECItemArray - Represents a variable-length array of SECItems.
|
|
|
|
|
* New Macros
|
|
|
|
|
in ssl.h
|
|
|
|
|
SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure
|
|
|
|
|
TLS client sockets to request the certificate_status extension
|
|
|
|
|
(eg: OCSP stapling) when set to PR_TRUE
|
|
|
|
|
* Notable changes
|
|
|
|
|
+ SECITEM_ReallocItem is now deprecated. Please consider using
|
|
|
|
|
SECITEM_ReallocItemV2 in all future code.
|
|
|
|
|
+ The list of root CA certificates in the nssckbi module has
|
|
|
|
|
been updated.
|
|
|
|
|
+ The default implementation of SSL_AuthCertificate has been
|
|
|
|
|
updated to add certificate status responses stapled by the TLS
|
|
|
|
|
server to the OCSP cache.
|
|
|
|
|
* a lot of bugfixes
|
|
|
|
|
|
2013-04-16 13:16:38 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Apr 16 10:27:04 UTC 2013 - idonmez@suse.com
|
|
|
|
|
|
|
|
|
|
- Add Source URL, see https://en.opensuse.org/SourceUrls
|
|
|
|
|
|
2013-04-02 22:29:32 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Mar 24 20:07:59 UTC 2013 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- disable tests with expired certificates
|
2013-04-03 09:43:24 +02:00
|
|
|
(nss-disable-expired-testcerts.patch)
|
2013-04-02 22:29:32 +02:00
|
|
|
- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from
|
|
|
|
|
mozilla tree to fulfill Firefox 21 requirements
|
2013-04-03 09:43:24 +02:00
|
|
|
(bug-834091.patch; bmo#834091)
|
2013-04-02 22:29:32 +02:00
|
|
|
|
2013-02-28 23:53:05 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Feb 28 21:55:49 UTC 2013 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.14.3
|
|
|
|
|
* No new major functionality is introduced in this release. This
|
|
|
|
|
release is a patch release to address CVE-2013-1620 (bmo#822365)
|
|
|
|
|
* "certutil -a" was not correctly producing ASCII output as
|
|
|
|
|
requested. (bmo#840714)
|
|
|
|
|
* NSS 3.14.2 broke compilation with older versions of sqlite that
|
|
|
|
|
lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now
|
|
|
|
|
properly compiles when used with older versions of sqlite
|
|
|
|
|
(bmo#837799) - remove system-sqlite.patch
|
|
|
|
|
- add aarch64 support
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 5 12:51:56 UTC 2013 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- added system-sqlite.patch (bmo#837799)
|
|
|
|
|
* do not depend on latest sqlite just for a #define
|
|
|
|
|
- enable system sqlite usage again
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Feb 2 16:05:20 UTC 2013 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.14.2
|
|
|
|
|
* required for Firefox >= 20
|
|
|
|
|
* removed obsolete nssckbi update patch
|
2013-04-02 23:31:01 +02:00
|
|
|
* MFSA 2013-40/CVE-2013-0791 (bmo#629816)
|
|
|
|
|
Out-of-bounds array read in CERT_DecodeCertPackage
|
2013-02-28 23:53:05 +01:00
|
|
|
- disable system sqlite usage since we depend on 3.7.15 which is
|
|
|
|
|
not provided in any openSUSE distribution
|
|
|
|
|
* add nss-sqlitename.patch to avoid any name clash
|
|
|
|
|
|
2012-12-30 19:06:05 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Dec 30 17:59:34 UTC 2012 - wr@rosenauer.org
|
|
|
|
|
|
2013-01-08 18:55:59 +01:00
|
|
|
- updated CA database (nssckbi-1.93.patch)
|
|
|
|
|
* MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628)
|
|
|
|
|
revoke mis-issued intermediate certificates from TURKTRUST
|
2012-12-30 19:06:05 +01:00
|
|
|
|
2012-12-18 14:54:06 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Dec 18 13:36:09 UTC 2012 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.14.1 RTM
|
|
|
|
|
* minimal requirement for Gecko 20
|
|
|
|
|
* several bugfixes
|
|
|
|
|
|
2012-10-25 16:10:44 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 25 12:02:22 UTC 2012 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.14 RTM
|
|
|
|
|
* Support for TLS 1.1 (RFC 4346)
|
|
|
|
|
* Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
|
|
|
|
|
* Support for AES-CTR, AES-CTS, and AES-GCM
|
|
|
|
|
* Support for Keying Material Exporters for TLS (RFC 5705)
|
|
|
|
|
* Support for certificate signatures using the MD5 hash algorithm
|
|
|
|
|
is now disabled by default
|
|
|
|
|
* The NSS license has changed to MPL 2.0. Previous releases were
|
|
|
|
|
released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more
|
|
|
|
|
information about MPL 2.0, please see
|
|
|
|
|
http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional
|
|
|
|
|
explanation on GPL/LGPL compatibility, see security/nss/COPYING
|
|
|
|
|
in the source code.
|
|
|
|
|
* Export and DES cipher suites are disabled by default. Non-ECC
|
|
|
|
|
AES and Triple DES cipher suites are enabled by default
|
|
|
|
|
- disabled OCSP testcases since they need external network
|
|
|
|
|
(nss-disable-ocsp-test.patch)
|
|
|
|
|
|
2012-08-16 06:53:56 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 15 13:57:42 UTC 2012 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.13.6 RTM
|
|
|
|
|
* root CA update
|
|
|
|
|
* other bugfixes
|
|
|
|
|
|
2012-06-01 22:35:17 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jun 1 18:46:28 UTC 2012 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.13.5 RTM
|
|
|
|
|
|
2012-04-13 21:11:33 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Apr 13 18:55:57 UTC 2012 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.13.4 RTM
|
|
|
|
|
* fixed some bugs
|
|
|
|
|
* fixed cert verification regression in PKIX mode (bmo#737802)
|
|
|
|
|
introduced in 3.13.2
|
|
|
|
|
|
2012-02-23 16:13:12 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Feb 23 15:06:34 UTC 2012 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.13.3 RTM
|
|
|
|
|
- distrust Trustwave's MITM certificates (bmo#724929)
|
|
|
|
|
- fix generic blacklisting mechanism (bmo#727204)
|
|
|
|
|
|
2012-02-17 09:35:36 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Feb 16 08:48:42 UTC 2012 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.13.2 RTM
|
|
|
|
|
* requirement with Gecko >= 11
|
|
|
|
|
- removed obsolete patches
|
|
|
|
|
* ckbi-1.88
|
|
|
|
|
* pkcs11n-header-fix.patch
|
|
|
|
|
|
2011-11-14 12:10:20 +01:00
|
|
|
-------------------------------------------------------------------
|
2011-12-18 18:50:41 +01:00
|
|
|
Sun Dec 18 15:59:08 UTC 2011 - adrian@suse.de
|
|
|
|
|
|
|
|
|
|
- fix spec file syntax for qemu-workaround
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
2011-11-14 12:10:20 +01:00
|
|
|
Mon Nov 14 10:13:17 UTC 2011 - john@redux.org.uk
|
|
|
|
|
|
|
|
|
|
- Added a patch to fix errors in the pkcs11n.h header file.
|
|
|
|
|
(bmo#702090)
|
|
|
|
|
|
2011-11-14 08:51:45 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Nov 5 10:58:20 UTC 2011 - wolfgang@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.13.1 RTM
|
|
|
|
|
* better SHA-224 support (bmo#647706)
|
|
|
|
|
* fixed a regression (causing hangs in some situations)
|
|
|
|
|
introduced in 3.13 (bmo#693228)
|
|
|
|
|
- update to 3.13.0 RTM
|
|
|
|
|
* SSL 2.0 is disabled by default
|
|
|
|
|
* A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext
|
|
|
|
|
attack demonstrated by Rizzo and Duong (CVE-2011-3389) is
|
|
|
|
|
enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to
|
|
|
|
|
PR_FALSE to disable it.
|
|
|
|
|
* SHA-224 is supported
|
|
|
|
|
* Ported to iOS. (Requires NSPR 4.9.)
|
|
|
|
|
* Added PORT_ErrorToString and PORT_ErrorToName to return the
|
|
|
|
|
error message and symbolic name of an NSS error code
|
|
|
|
|
* Added NSS_GetVersion to return the NSS version string
|
|
|
|
|
* Added experimental support of RSA-PSS to the softoken only
|
|
|
|
|
* NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db
|
|
|
|
|
anymore (bmo#641052, bnc#726096)
|
|
|
|
|
|
2011-11-05 11:51:17 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Nov 5 10:47:51 UTC 2011 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753)
|
2011-11-05 13:00:04 +01:00
|
|
|
- make sure NSS_NoDB_Init does not try to use wrong certificate
|
|
|
|
|
databases (CVE-2011-3640, bnc#726096, bmo#641052)
|
2011-11-05 11:51:17 +01:00
|
|
|
|
2011-10-01 09:54:39 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 30 23:27:07 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
2011-11-05 11:51:17 +01:00
|
|
|
- Workaround qemu-arm bugs.
|
2011-10-01 09:54:39 +02:00
|
|
|
|
2011-09-09 07:52:50 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 9 05:44:15 UTC 2011 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- explicitely distrust/override DigiNotar certs (bmo#683261)
|
|
|
|
|
(trustdb version 1.87)
|
|
|
|
|
|
2011-09-02 17:49:39 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 2 14:40:07 UTC 2011 - pcerny@suse.com
|
|
|
|
|
|
2011-09-09 07:52:50 +02:00
|
|
|
- removed DigiNotar root certificate from trusted db
|
2011-09-02 17:49:39 +02:00
|
|
|
(bmo#682927, bnc#714931)
|
|
|
|
|
|
2011-08-24 10:38:15 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 24 08:37:13 UTC 2011 - andrea.turrini@gmail.com
|
|
|
|
|
|
|
|
|
|
- fixed typo in summary of mozilla-nss (libsoftokn3)
|
|
|
|
|
|
2011-08-12 22:57:47 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 12 20:55:38 UTC 2011 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.12.11 RTM
|
|
|
|
|
* no upstream release notes available
|
|
|
|
|
|
2011-07-13 18:13:34 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 13 16:45:23 CEST 2011 - meissner@suse.de
|
|
|
|
|
|
|
|
|
|
- Linux3.0 is the new Linux2.6 (make it build)
|
|
|
|
|
|
2011-05-23 20:44:21 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 23 17:37:34 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
2011-08-12 22:57:47 +02:00
|
|
|
- Do not include build dates in binaries, messes up
|
|
|
|
|
build compare
|
2011-05-23 20:44:21 +02:00
|
|
|
|
2011-05-19 07:43:34 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu May 19 05:37:02 UTC 2011 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.12.10 RTM
|
|
|
|
|
* no changes except internal release information
|
|
|
|
|
|
2011-04-28 08:41:37 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Apr 28 06:34:50 UTC 2011 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.12.10beta1
|
|
|
|
|
* root CA changes
|
|
|
|
|
* filter certain bogus certs (bmo#642815)
|
|
|
|
|
* fix minor memory leaks
|
|
|
|
|
* other bugfixes
|
|
|
|
|
|
2011-01-10 00:12:14 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Jan 9 23:05:11 UTC 2011 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.12.9rc0
|
|
|
|
|
* fix minor memory leaks (bmo#619268)
|
|
|
|
|
* fix crash in nss_cms_decoder_work_data (bmo#607058)
|
|
|
|
|
* fix crash in certutil (bmo#620908)
|
|
|
|
|
* handle invalid argument in JPAKE (bmo#609068)
|
|
|
|
|
|
2010-12-10 00:14:38 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Dec 9 15:03:00 UTC 2010 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.12.9beta2
|
|
|
|
|
* J-PAKE support (API requirement for Firefox >= 4.0b8)
|
|
|
|
|
|
2010-11-09 11:00:46 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Nov 9 08:51:51 UTC 2010 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- replaced expired PayPal test certificate (fixing testsuite)
|
|
|
|
|
|
2010-09-27 00:45:55 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Sep 25 08:18:59 CEST 2010 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.12.8 RTM release
|
|
|
|
|
* support TLS false start (needed for Firefox4) (bmo#525092)
|
2010-11-09 11:00:46 +01:00
|
|
|
* fix wildcard matching for IP addresses (bnc#637290, bmo#578697)
|
2010-09-27 00:45:55 +02:00
|
|
|
(CVE-2010-3170)
|
|
|
|
|
* bugfixes
|
|
|
|
|
|
2010-07-23 22:02:38 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jul 23 21:18:30 CEST 2010 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.12.7 RTM release
|
2010-07-30 14:12:47 +02:00
|
|
|
* bugfix release
|
|
|
|
|
* updated root CA list
|
2010-07-23 22:02:38 +02:00
|
|
|
- removed obsolete patches
|
|
|
|
|
|
2010-07-09 20:06:01 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jul 9 16:32:33 UTC 2010 - jengelh@medozas.de
|
|
|
|
|
|
|
|
|
|
- Disable testsuite on SPARC. Some tests fails, probably due to
|
|
|
|
|
just bad timing/luck.
|
|
|
|
|
|
2010-06-03 22:48:06 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jun 3 22:45:51 CEST 2010 - wr@rosenauer.org
|
|
|
|
|
|
2010-11-09 11:00:46 +01:00
|
|
|
- Use preloaded empty system database since creating with
|
2010-06-03 22:48:06 +02:00
|
|
|
modutil leaves database in nonusable state
|
|
|
|
|
|
2010-04-24 17:21:39 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Apr 24 11:38:23 UTC 2010 - coolo@novell.com
|
|
|
|
|
|
|
|
|
|
- buildrequire pkg-config to fix provides
|
|
|
|
|
|
2010-04-04 20:08:25 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Apr 4 12:19:43 CEST 2010 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- disabled a test using an expired cert (bmo#557071)
|
|
|
|
|
|
2010-03-26 16:17:51 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Mar 20 20:19:50 CET 2010 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- fixed builds for older dists where internal sqlite3 is used
|
|
|
|
|
(nss-sqlitename.patch was not refreshed correctly)
|
|
|
|
|
- fixed baselibs.conf as <release> is not a valid identifier
|
|
|
|
|
|
2010-03-15 16:05:35 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 9 19:18:24 CET 2010 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.12.6 RTM release
|
|
|
|
|
* added mozilla-nss-sysinit subpackage
|
|
|
|
|
- change renegotiation behaviour to the old default for a
|
|
|
|
|
transition phase
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 9 13:08:24 CET 2010 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- split off libsoftokn3 subpackage to allow mixed NSS installation
|
|
|
|
|
|
2009-12-28 11:52:07 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Dec 26 12:42:56 CET 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- added mozilla-nss-certs baselibs (bnc#567322)
|
|
|
|
|
|
2009-12-21 14:21:30 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 18 13:24:16 CET 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- split mozilla-nss-certs from main package
|
|
|
|
|
- added rpmlintrc to ignore expected warnings
|
|
|
|
|
- added baselibs.conf as source
|
|
|
|
|
|
2009-12-16 09:35:15 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Dec 14 07:56:26 CET 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- updated builtin certs (version 1.77)
|
|
|
|
|
|
2009-12-14 07:58:24 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Nov 23 17:19:43 CET 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- rebased patches to apply w/o fuzz
|
|
|
|
|
|
2009-08-14 15:05:39 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 14 08:51:00 CEST 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.12.4 RTM release
|
|
|
|
|
|
2009-08-08 01:32:03 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 7 13:10:22 CEST 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to recent snapshot (20090806)
|
|
|
|
|
- libnssdbm3.so has to be signed starting with 3.12.4
|
|
|
|
|
|
2009-08-06 18:07:11 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Aug 3 18:45:02 CEST 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to NSS 3.12.4pre snapshot
|
|
|
|
|
- rebased existing patches
|
|
|
|
|
- enable testsuite again (was disabled accidentally before)
|
|
|
|
|
|
2009-07-29 17:52:36 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 29 09:40:02 CEST 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to NSS 3.12.3.1 (upstream use in FF 3.5.1) (bmo#504611)
|
|
|
|
|
* RNG_SystemInfoForRNG called twice by nsc_CommonInitialize
|
|
|
|
|
(bmo#489811; other changes are unrelated to Linux)
|
|
|
|
|
- moved shlibsign to tools package again (as it's not needed at
|
|
|
|
|
library install time anymore)
|
|
|
|
|
- use %{_libexecdir} for the tools
|
|
|
|
|
|
2009-06-09 17:44:32 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Jun 6 15:37:13 CEST 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- Temporary testsuite fix for Factory (bnc#509308) (malloc.patch)
|
|
|
|
|
- remove the post scriptlet which created the *.chk files and
|
|
|
|
|
use a RPM feature to create them after debuginfo stuff
|
|
|
|
|
|
2009-06-02 12:26:37 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 2 09:41:34 CEST 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- updated builtin root certs by updating to
|
|
|
|
|
NSS_3_12_3_WITH_CKBI_1_75_RTM tag which is supposed to be the
|
|
|
|
|
base for Firefox 3.5.0
|
|
|
|
|
- PreReq coreutils in the main package already as "rm" is used
|
|
|
|
|
in its %post script
|
|
|
|
|
- disable testsuite for this moment as it crashes on Factory
|
|
|
|
|
currently for an unknown reason
|
|
|
|
|
|
2009-05-28 01:43:25 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu May 21 09:03:17 CEST 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- renew Paypal certs to fix testsuite errors (bmo#491163)
|
|
|
|
|
|
2009-04-29 00:40:53 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Apr 20 14:47:43 CEST 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to version 3.12.3 RTM
|
|
|
|
|
* default behaviour changed slightly but can be set up
|
|
|
|
|
backward compatible using environment variables
|
|
|
|
|
https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables
|
|
|
|
|
* New Korean SEED cipher
|
|
|
|
|
* Some new functions in the nss library:
|
|
|
|
|
CERT_RFC1485_EscapeAndQuote (see cert.h)
|
|
|
|
|
CERT_CompareCerts (see cert.h)
|
|
|
|
|
CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h)
|
|
|
|
|
PK11_GetSymKeyHandle (see pk11pqg.h)
|
|
|
|
|
UTIL_SetForkState (see secoid.h)
|
|
|
|
|
NSS_GetAlgorithmPolicy (see secoid.h)
|
|
|
|
|
NSS_SetAlgorithmPolicy (see secoid.h)
|
|
|
|
|
- created libfreebl3 subpackage and build it w/o nspr and nss deps
|
|
|
|
|
- added patch to make all ASM noexecstack
|
|
|
|
|
- create the softokn3 and freebl3 checksums at installation time
|
|
|
|
|
(moved shlibsign to the main package to achieve that)
|
|
|
|
|
- applied upstream patch to avoid OSCP test failures (bmo#488646)
|
|
|
|
|
- applied upstream patch to fix libjar crashes (bmo#485145)
|
|
|
|
|
|
2009-03-26 23:25:02 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 4 08:46:15 CET 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to version 3.12.2 RTM (with CKBI 1.73) as in FF 3.0.6
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 13 09:10:29 CET 2009 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to version 3.12.2rc1 (as used by FF 3.0.5)
|
|
|
|
|
* NSS is now using system zlib (bmo#302670)
|
|
|
|
|
- create a system wide, sql based NSS database in /etc/pki/nssdb
|
|
|
|
|
(let previously created /etc/ssl/nssdb untouched)
|
|
|
|
|
|
2009-01-09 01:35:33 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 7 12:34:56 CET 2009 - olh@suse.de
|
|
|
|
|
|
|
|
|
|
- obsolete old -XXbit packages (bnc#437293)
|
|
|
|
|
|
2008-10-23 22:36:47 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 23 15:03:11 CDT 2008 - maw@suse.de
|
|
|
|
|
|
|
|
|
|
- Review and approve changes.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Aug 21 11:36:37 CEST 2008 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- run testsuite (bnc#418233)
|
|
|
|
|
|
2008-06-23 23:32:56 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 17 19:15:49 CEST 2008 - maw@suse.de
|
|
|
|
|
|
|
|
|
|
- Merge changes from the build service (thanks, Wolfgang)
|
|
|
|
|
(bnc#400001 and SWAMP#18164).
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed May 28 21:05:13 CEST 2008 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to 3.12.0rc4 (20080528) (featuring FF3.0)
|
|
|
|
|
|
2008-04-30 01:03:28 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Apr 29 20:41:34 CEST 2008 - maw@suse.de
|
|
|
|
|
|
|
|
|
|
- Prerequire coretools in the -tools subpackage (bnc#379540)
|
|
|
|
|
- Require sqlite3-devel to build.
|
|
|
|
|
|
2008-04-21 01:25:47 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Apr 14 18:52:59 CEST 2008 - maw@suse.de
|
|
|
|
|
|
|
|
|
|
- Merge some fixes from the build service's version.
|
|
|
|
|
|
2008-04-10 14:54:28 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
|
|
|
|
|
|
|
|
|
|
- added baselibs.conf file to build xxbit packages
|
|
|
|
|
for multilib support
|
|
|
|
|
|
2008-04-03 01:00:13 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 31 18:55:42 CEST 2008 - maw@suse.de
|
|
|
|
|
|
|
|
|
|
- Undo the shared library package split, per discussion in
|
|
|
|
|
opensuse-packaging.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 31 14:22:17 CEST 2008 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- new snapshot still based on 3.12.0 Beta 3 (20080330)
|
|
|
|
|
|
2007-12-11 01:09:04 +01:00
|
|
|
-------------------------------------------------------------------
|
2008-03-26 16:24:30 +01:00
|
|
|
Tue Mar 25 22:21:18 CET 2008 - maw@suse.de
|
|
|
|
|
|
|
|
|
|
- Merge changes from the build service (thanks, Wolfgang)
|
|
|
|
|
- Update to a new snapshot of nss based on 3.12.0 Beta 2:
|
|
|
|
|
+ Update build requirements accordingly
|
|
|
|
|
+ Add nss-sqlitename.patch and nss-no-rpath.patch
|
|
|
|
|
- Split out a shared library subpackage.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
2007-12-11 01:09:04 +01:00
|
|
|
Mon Dec 10 16:22:37 CET 2007 - rguenther@suse.de
|
|
|
|
|
|
|
|
|
|
- disable use of freebl/mpi/mp_comba.c. [#346256]
|
|
|
|
|
|
2007-09-16 11:26:43 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Sep 16 10:27:06 CEST 2007 - coolo@suse.de
|
|
|
|
|
|
|
|
|
|
- fixing errors in %post during installation
|
|
|
|
|
|
2007-09-14 00:46:20 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Sep 13 22:26:57 CEST 2007 - jberkman@novell.com
|
|
|
|
|
|
|
|
|
|
- merge -tools package into main package
|
|
|
|
|
- create system-wide nssdb for system configuration of smart cards,
|
|
|
|
|
as used by pam_pkcs11, krb5 pkinit, and others
|
|
|
|
|
|
2007-07-29 11:06:50 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jul 26 20:18:38 CEST 2007 - maw@suse.de
|
|
|
|
|
|
|
|
|
|
- Update to version 3.11.7 (from the build service)
|
|
|
|
|
- Bug fixes.
|
|
|
|
|
|
2007-06-14 00:40:35 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jun 11 11:41:27 CEST 2007 - ro@suse.de
|
|
|
|
|
|
|
|
|
|
- use string[0] instead of string in char.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jun 11 11:33:34 CEST 2007 - ro@suse.de
|
|
|
|
|
|
|
|
|
|
- update to NSS 3.11.6 (pull in from wr from opensuse BS)
|
|
|
|
|
|
2007-02-22 14:30:50 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 21 16:55:06 CST 2007 - maw@suse.de
|
|
|
|
|
|
|
|
|
|
- Update to NSS 3.11.5 (thanks, Wolfgang)
|
|
|
|
|
|
2007-01-16 00:25:44 +01:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Oct 1 23:01:38 CEST 2006 - wr@rosenauer.org
|
|
|
|
|
|
|
|
|
|
- update to NSS 3.11.3
|
|
|
|
|
- requires NSPR 4.6.3 (pkgconfig)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Sep 6 08:23:45 CEST 2006 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to NSS_3_11_20060905_TAG to be in sync with
|
|
|
|
|
Gecko 1.8.1
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Aug 7 13:53:55 CEST 2006 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- enabled usage of ECC
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Aug 5 09:50:47 CEST 2006 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to NSS_3_11_20060731_TAG to be in sync with
|
|
|
|
|
Gecko 1.8.1
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jul 28 07:09:44 CEST 2006 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- fixed usage of uninitialized pointers (uninit.patch)
|
|
|
|
|
- requires NSPR 4.6.2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Jul 1 23:37:52 CEST 2006 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 3.11.2 RTM version
|
|
|
|
|
* ECC not enabled but defines needed symbols
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jun 8 11:45:14 CEST 2006 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 3.11.2 beta
|
|
|
|
|
* enabled ECC (needed since MOZILLA_1_8_BRANCH)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 15 20:38:37 CEST 2006 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 3.11.1 RTM version
|
|
|
|
|
including:
|
|
|
|
|
* TLS server name indication extension support
|
|
|
|
|
* implement RFC 3546 (TLS v1.0 extensions)
|
|
|
|
|
* fixed bugs found by Coverity
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 30 08:34:45 CET 2006 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- removed additional CA certs
|
|
|
|
|
- removed zip from BuildRequires
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 25 21:32:31 CET 2006 - mls@suse.de
|
|
|
|
|
|
|
|
|
|
- converted neededforbuild to BuildRequires
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 11 16:15:18 CET 2006 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- install nss-config executable
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 16 20:24:05 CET 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- marked libfreebl3.so noexec stack
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 16 09:41:15 CET 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 3.11 RTM version
|
|
|
|
|
- provide nss-config file
|
|
|
|
|
- added static libs
|
|
|
|
|
- moved include files to /usr/include/nss3
|
|
|
|
|
- only ship a subset of the tools
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Nov 26 14:54:03 CET 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 3.11rc1
|
|
|
|
|
- fixed PC file for 64bit archs
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Nov 15 07:35:25 CET 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to current 3.10.2 snapshot (20051114)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Nov 2 12:17:23 CET 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- added tools subpackage which provides all NSS related
|
|
|
|
|
tools for managing and debugging NSS stuff
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 11 07:08:38 CEST 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to current 3.10.2 snapshot
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 26 21:59:00 CEST 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- prerequire the correct NSPR version
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Sep 22 07:15:30 CEST 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to NSS_3_10_2_BETA1
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jul 5 15:33:18 CEST 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- use RPM_OPT_FLAGS
|
|
|
|
|
- fixed requirements for devel package
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jun 8 09:19:59 CEST 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- added pkgconfig file
|
|
|
|
|
- fixed permission for include directory
|
|
|
|
|
- fixed compiler/abuild warning
|
|
|
|
|
- included correct header files
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 9 09:34:30 CEST 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 3.10 RTM version
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Apr 27 07:52:55 CEST 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- don't package static libs
|
|
|
|
|
- copy NSPR static libs from new location
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Apr 7 09:08:22 CEST 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 3.10beta3
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Apr 1 15:55:58 CEST 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- don't parallelize build
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Mar 31 07:39:45 CEST 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- fixed build on other archs
|
|
|
|
|
- update to 3.10beta2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Mar 19 13:36:51 CET 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 3.10beta1
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 8 09:16:59 CET 2005 - stark@suse.de
|
|
|
|
|
|
|
|
|
|
- initial standalone package
|
|
|
|
|
|
