Commit Graph

169 Commits

Author SHA256 Message Date
Wolfgang Rosenauer
ceb833b465 - update to 3.15.5
* required for Firefox 28
  * export FREEBL_LOWHASH to get the correct default headers
    (bnc#865539)
  New functionality
  * Added support for the TLS application layer protocol negotiation
    (ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and
    SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both)
    should be used for application layer protocol negotiation.
  * Added the TLS padding extension. The extension type value is 35655,
    which may change when an official extension type value is assigned
    by IANA. NSS automatically adds the padding extension to ClientHello
    when necessary.
  * Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting
    the tail of a CERTCertList.
  Notable Changes
  * bmo#950129: Improve the OCSP fetching policy when verifying OCSP
    responses
  * bmo#949060: Validate the iov input argument (an array of PRIOVec
    structures) of ssl_WriteV (called via PR_Writev). Applications should
    still take care when converting struct iov to PRIOVec because the
    iov_len members of the two structures have different types
    (size_t vs. int). size_t is unsigned and may be larger than int.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=153
2014-02-25 12:02:07 +00:00
Wolfgang Rosenauer
d377e44364 Accepting request 223209 from home:aeneas_jaissle:branches:mozilla:Factory
BuildRequires mozilla-nspr-devel >= 4.9 to raise a 'unresolvable' and prevent distros with mozilla-nspr < 4.9 start building and just fail.

OBS-URL: https://build.opensuse.org/request/show/223209
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=152
2014-02-20 12:04:07 +00:00
Wolfgang Rosenauer
17f8bab0f2 * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
NSS ticket handling issues

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=150
2014-02-05 06:01:36 +00:00
Wolfgang Rosenauer
14100a1118 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=148 2014-01-09 10:26:13 +00:00
Wolfgang Rosenauer
186557c50a * Reordered the cipher suites offered in SSL/TLS client hello
messages to match modern best practices.
  * Improved SSL/TLS false start. In addition to enabling the
    SSL_ENABLE_FALSE_START option, an application must now register
    a callback using the SSL_SetCanFalseStartCallback function.
  * When false start is enabled, libssl will sometimes return
    unencrypted, unauthenticated data from PR_Recv
    (CVE-2013-1740, bmo#919877)
  New functionality
  * Implemented OCSP querying using the HTTP GET method, which is
    the new default, and will fall back to the HTTP POST method.
  * Implemented OCSP server functionality for testing purposes
    (httpserv utility).
  * Support SHA-1 signatures with TLS 1.2 client authentication.
  * Added the --empty-password command-line option to certutil,
    to be used with -N: use an empty password when creating a new
    database.
  * Added the -w command-line option to pp: don't wrap long output
    lines.
  New functions
  * CERT_ForcePostMethodForOCSP
  * CERT_GetSubjectNameDigest
  * CERT_GetSubjectPublicKeyDigest
  * SSL_PeerCertificateChain
  * SSL_RecommendedCanFalseStart
  * SSL_SetCanFalseStartCallback
  New types
  * CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used,
    libpkix will never attempt to use the HTTP GET method for OCSP
    requests; it will always use POST.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=147
2014-01-09 10:24:37 +00:00
Wolfgang Rosenauer
58591dfdb2 - update to 3.15.4
* required for Firefox 27
  * regular CA root store update (1.96)
  * some OSCP improvments
  * other bugfixes
- removed obsolete char.patch

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=146
2014-01-07 08:49:30 +00:00
Wolfgang Rosenauer
583d3a0e12 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=144 2013-12-09 19:28:29 +00:00
Wolfgang Rosenauer
09fb13cf21 - update to 3.15.3.1 (bnc#854367)
* includes certstore update (1.95) (bmo#946351)
    (explicitely distrust AC DG Tresor SSL)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=143
2013-12-09 12:35:34 +00:00
Wolfgang Rosenauer
a86677e628 Accepting request 209419 from openSUSE:Factory:PowerLE
fix ppc64le build, please forward to factory

OBS-URL: https://build.opensuse.org/request/show/209419
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=141
2013-12-04 17:44:48 +00:00
Wolfgang Rosenauer
38ebd6f8e7 - update to 3.15.3 (bnc#850148)
* fix CVE-2013-5605

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=139
2013-11-12 20:37:56 +00:00
Wolfgang Rosenauer
d14ddaa1f0 - update to 3.15.3
* CERT_VerifyCert returns SECSuccess (saying certificate is good)
    even for bad certificates, when the CERTVerifyLog log parameter
    is given (bmo#910438)
  * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello
    (bmo#919677)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=138
2013-11-11 22:19:45 +00:00
Wolfgang Rosenauer
dc0fe543b4 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=136 2013-09-28 08:34:54 +00:00
Wolfgang Rosenauer
5e4a477e3f - update to 3.15.2 (bnc#842979)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=135
2013-09-28 08:24:06 +00:00
Wolfgang Rosenauer
5163190a91 - version 3.15.2
* Support for AES-GCM ciphersuites that use the SHA-256 PRF
  * MD2, MD4, and MD5 signatures are no longer accepted for OCSP
    or CRLs
  * Add PK11_CipherFinal macro
  * sizeof() used incorrectly
  * nssutil_ReadSecmodDB() leaks memory
  * Allow SSL_HandshakeNegotiatedExtension to be called before
    the handshake is finished.
  * Deprecate the SSL cipher policy code
  * Avoid uninitialized data read in the event of a decryption
    failure. (CVE-2013-1739)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=134
2013-09-28 08:17:22 +00:00
Wolfgang Rosenauer
a2949dce64 Accepting request 201249 from home:elvigia:branches:mozilla:Factory
-version 3.15.2
- Support for AES-GCM ciphersuites that use the SHA-256 PRF 
- MD2, MD4, and MD5 signatures are no longer accepted for OCSP 
  or CRLs, 
- Add PK11_CipherFinal macro
- sizeof() used incorrectly
- nssutil_ReadSecmodDB() leaks memory
- Allow SSL_HandshakeNegotiatedExtension to be called before 
  the handshake is finished.
- Deprecate the SSL cipher policy code
- (CVE-2013-1739) Avoid uninitialized data read in the 
   event of a decryption failure.

OBS-URL: https://build.opensuse.org/request/show/201249
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=133
2013-09-28 08:13:46 +00:00
Wolfgang Rosenauer
7dddfd6c24 Accepting request 182277 from home:lnussel:branches:Base:System
- fix 32bit requirement, it's without () actually

OBS-URL: https://build.opensuse.org/request/show/182277
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=131
2013-07-05 12:48:09 +00:00
Wolfgang Rosenauer
997d66ac8e rebase patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=129
2013-07-03 12:27:52 +00:00
Wolfgang Rosenauer
1256cc6819 - update to 3.15.1
* TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites
    (RFC 5246 and RFC 5289) are supported, allowing TLS to be used
    without MD5 and SHA-1.
    Note the following limitations:
      The hash function used in the signature for TLS 1.2 client
      authentication must be the hash function of the TLS 1.2 PRF,
      which is always SHA-256 in NSS 3.15.1.
      AES GCM cipher suites are not yet supported.
  * some bugfixes and improvements

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=128
2013-07-03 12:00:07 +00:00
Wolfgang Rosenauer
80c4a0174f Accepting request 181778 from home:lnussel:branches:Base:System
- require libnssckbi instead of mozilla-nss-certs so p11-kit can
  conflict with the latter (fate#314991)

OBS-URL: https://build.opensuse.org/request/show/181778
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=127
2013-07-03 10:36:27 +00:00
Wolfgang Rosenauer
8893871f59 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=125 2013-06-12 08:21:54 +00:00
Wolfgang Rosenauer
506ad33ba3 - update to 3.15
* Packaging
    + removed obsolete patches
      * nss-disable-expired-testcerts.patch
      * bug-834091.patch
  * New Functionality
    + Support for OCSP Stapling (RFC 6066, Certificate Status
      Request) has been added for both client and server sockets.
      TLS client applications may enable this via a call to
      SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
    + Added function SECITEM_ReallocItemV2. It replaces function
      SECITEM_ReallocItem, which is now declared as obsolete.
    + Support for single-operation (eg: not multi-part) symmetric
      key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
    + certutil has been updated to support creating name constraints
      extensions.
  * New Functions
    in ssl.h
      SSL_PeerStapledOCSPResponse - Returns the server's stapled
        OCSP response, when used with a TLS client socket that
        negotiated the status_request extension.
      SSL_SetStapledOCSPResponses - Set's a stapled OCSP response
        for a TLS server socket to return when clients send the
        status_request extension.
    in ocsp.h
      CERT_PostOCSPRequest - Primarily intended for testing, permits
        the sending and receiving of raw OCSP request/responses.
    in secpkcs7.h
      SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7
        signature at a specific time other than the present time.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=124
2013-06-11 15:41:13 +00:00
Wolfgang Rosenauer
ddbab3a3b8 Accepting request 171078 from home:namtrac:bugfix
- Add Source URL, see https://en.opensuse.org/SourceUrls

OBS-URL: https://build.opensuse.org/request/show/171078
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=122
2013-04-16 11:16:38 +00:00
Wolfgang Rosenauer
a1f8432feb (nss-disable-expired-testcerts.patch)
(bug-834091.patch; bmo#834091)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=120
2013-04-03 07:43:24 +00:00
Wolfgang Rosenauer
1400caed25 * MFSA 2013-40/CVE-2013-0791 (bmo#629816)
Out-of-bounds array read in CERT_DecodeCertPackage

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=119
2013-04-02 21:31:01 +00:00
Wolfgang Rosenauer
15f7757c6e - disable tests with expired certificates
- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from
  mozilla tree to fulfill Firefox 21 requirements

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=118
2013-04-02 20:29:32 +00:00
Wolfgang Rosenauer
38168bf8bb - update to 3.14.3
* No new major functionality is introduced in this release. This
    release is a patch release to address CVE-2013-1620 (bmo#822365)
  * "certutil -a" was not correctly producing ASCII output as
    requested. (bmo#840714)
  * NSS 3.14.2 broke compilation with older versions of sqlite that
    lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now
    properly compiles when used with older versions of sqlite
    (bmo#837799) - remove system-sqlite.patch
- add aarch64 support

- added system-sqlite.patch (bmo#837799)
  * do not depend on latest sqlite just for a #define
- enable system sqlite usage again

- update to 3.14.2
  * required for Firefox >= 20
  * removed obsolete nssckbi update patch
- disable system sqlite usage since we depend on 3.7.15 which is
  not provided in any openSUSE distribution
  * add nss-sqlitename.patch to avoid any name clash

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=116
2013-02-28 22:53:05 +00:00
Wolfgang Rosenauer
99a81b336e - updated CA database (nssckbi-1.93.patch)
* MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628)
    revoke mis-issued intermediate certificates from TURKTRUST

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=114
2013-01-08 17:55:59 +00:00
Wolfgang Rosenauer
e5e52b65d8 (bmo#825022, bnc#796628)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=113
2013-01-05 14:50:59 +00:00
Wolfgang Rosenauer
9e5952a272 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=111 2013-01-04 11:03:16 +00:00
Wolfgang Rosenauer
61b05c4267 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=110 2012-12-30 18:23:59 +00:00
Wolfgang Rosenauer
41f3cb6358 - updated CA database (nssckbi-1.93.patch) (bmo#825022)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=109
2012-12-30 18:06:05 +00:00
Wolfgang Rosenauer
9cd1b1b874 - update to 3.14.1 RTM
* minimal requirement for Gecko 20
  * several bugfixes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=107
2012-12-18 13:54:06 +00:00
Wolfgang Rosenauer
eb3cdf4581 - update to 3.14 RTM
* Support for TLS 1.1 (RFC 4346)
  * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
  * Support for AES-CTR, AES-CTS, and AES-GCM
  * Support for Keying Material Exporters for TLS (RFC 5705)
  * Support for certificate signatures using the MD5 hash algorithm
    is now disabled by default
  * The NSS license has changed to MPL 2.0. Previous releases were
    released under a MPL 1.1/GPL 2.0/LGPL  2.1 tri-license. For more
    information about MPL 2.0, please see
    http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional
    explanation on GPL/LGPL compatibility, see security/nss/COPYING
    in the source code.
  * Export and DES cipher suites are disabled by default. Non-ECC
    AES and Triple DES cipher suites are enabled by default
- disabled OCSP testcases since they need external network
  (nss-disable-ocsp-test.patch)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=105
2012-10-25 14:10:44 +00:00
Wolfgang Rosenauer
579c8a7cf9 - update to 3.13.6 RTM
* root CA update
  * other bugfixes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=103
2012-08-16 04:53:56 +00:00
Wolfgang Rosenauer
20b5fe0209 - update to 3.13.5 RTM
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=101
2012-06-01 20:35:17 +00:00
Wolfgang Rosenauer
0c217ace95 Accepting request 113443 from mozilla
- update to 3.13.4 RTM
  * fixed some bugs
  * fixed cert verification regression in PKIX mode (bmo#737802)
    introduced in 3.13.2

OBS-URL: https://build.opensuse.org/request/show/113443
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=99
2012-04-13 19:11:33 +00:00
Wolfgang Rosenauer
8f7e6d6c4d - update to 3.13.3 RTM
- distrust Trustwave's MITM certificates (bmo#724929)
  - fix generic blacklisting mechanism (bmo#727204)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=97
2012-02-23 15:13:12 +00:00
Wolfgang Rosenauer
e36e0c6124 - update to 3.13.2 RTM
* requirement with Gecko >= 11
- removed obsolete patches
  * ckbi-1.88
  * pkcs11n-header-fix.patch

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=95
2012-02-17 08:35:36 +00:00
Wolfgang Rosenauer
f962eacea8 Accepting request 96964 from openSUSE:Factory:ARM
fix qemu workaround

OBS-URL: https://build.opensuse.org/request/show/96964
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=93
2011-12-18 17:50:41 +00:00
OBS User buildservice-autocommit
747b30ac4b Updating link to change in openSUSE:Factory/mozilla-nss revision 64.0
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=9d1835345282c5682f9c1b417d851c89
2011-12-06 17:29:55 +00:00
Wolfgang Rosenauer
7b17b9dfbc - Added a patch to fix errors in the pkcs11n.h header file.
(bmo#702090)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=90
2011-11-14 11:10:20 +00:00
Wolfgang Rosenauer
f7efd48411 - update to 3.13.1 RTM
* better SHA-224 support (bmo#647706)
  * fixed a regression (causing hangs in some situations)
    introduced in 3.13 (bmo#693228)
- update to 3.13.0 RTM
  * SSL 2.0 is disabled by default
  * A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext
    attack demonstrated by Rizzo and Duong (CVE-2011-3389) is
    enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to
    PR_FALSE to disable it.
  * SHA-224 is supported
  * Ported to iOS. (Requires NSPR 4.9.)
  * Added PORT_ErrorToString and PORT_ErrorToName to return the
    error message and symbolic name of an NSS error code
  * Added NSS_GetVersion to return the NSS version string
  * Added experimental support of RSA-PSS to the softoken only
  * NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db
    anymore (bmo#641052, bnc#726096)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=89
2011-11-14 07:51:45 +00:00
Wolfgang Rosenauer
7a675fbd45 - make sure NSS_NoDB_Init does not try to use wrong certificate
databases (CVE-2011-3640, bnc#726096, bmo#641052)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=86
2011-11-05 12:00:04 +00:00
Wolfgang Rosenauer
84b82c7866 - explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=85
2011-11-05 10:51:17 +00:00
Wolfgang Rosenauer
1c61842dc3 Accepting request 85842 from home:elvigia:branches:mozilla:Factory
- Workaround qemu-arm bugs.

OBS-URL: https://build.opensuse.org/request/show/85842
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=83
2011-10-01 07:54:39 +00:00
OBS User buildservice-autocommit
cec2c647df Updating link to change in openSUSE:Factory/mozilla-nss revision 59.0
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=0bdb996d13d849ef95ec1e85cd0e592a
2011-09-11 17:30:53 +00:00
Wolfgang Rosenauer
ea9e232b33 more diginotar stuff
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=80
2011-09-09 05:52:50 +00:00
OBS User buildservice-autocommit
2bf2af7bda Updating link to change in openSUSE:Factory/mozilla-nss revision 57.0
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=ebd170996bd2b5a5ed9da7f8b57f47f6
2011-09-05 14:39:19 +00:00
Petr Cerny
a6441bcebd - removed DigiNotar root certifiate from trusted db
(bmo#682927, bnc#714931)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=78
2011-09-02 15:49:39 +00:00
OBS User buildservice-autocommit
637ece63fb Updating link to change in openSUSE:Factory/mozilla-nss revision 55.0
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=35e8a8971fb211756ad1a66c8aeacd0c
2011-08-24 12:39:37 +00:00