Commit Graph

280 Commits

Author SHA256 Message Date
Dominique Leuenberger
7e39600418 Accepting request 567964 from mozilla:Factory
NSS update as prerequisite for Firefox 58 to be released coming week (to TW).

- update to NSS 3.34.1
  Changes in 3.34:
  Notable changes
  * The following CA certificates were Added:
    GDCA TrustAUTH R5 ROOT
    SSL.com Root Certification Authority RSA
    SSL.com Root Certification Authority ECC
    SSL.com EV Root Certification Authority RSA R2
    SSL.com EV Root Certification Authority ECC
    TrustCor RootCert CA-1
    TrustCor RootCert CA-2
    TrustCor ECA-1
  * The following CA certificates were Removed:
    Certum CA, O=Unizeto Sp. z o.o.
    StartCom Certification Authority
    StartCom Certification Authority G2
    TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
    ACEDICOM Root
    Certinomis - Autorité Racine
    TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
    PSCProcert
    CA 沃通根证书, O=WoSign CA Limited
    Certification Authority of WoSign
    Certification Authority of WoSign G2
    CA WoSign ECC Root
  * libfreebl no longer requires SSE2 instructions
  New functionality
  * When listing an NSS database using certutil -L, but the database
    hasn't yet been initialized with any non-empty or empty password,
    the text "Database needs user init" will be included in the listing.
  * When using certutil to set an inacceptable password in FIPS mode,
    a correct explanation of acceptable passwords will be printed.
  * SSLKEYLOGFILE is now supported with TLS 1.3, see bmo#1287711 for details.
  * SSLChannelInfo has two new fields (bmo#1396525):
    SSLNamedGroup originalKeaGroup holds the key exchange group of
    the original handshake when the session was resumed.
    PRBool resumed is PR_TRUE when the session is resumed and PR_FALSE
    otherwise.
  * RSA-PSS signatures are now supported on certificates. Certificates
    with RSA-PSS or RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS
    signature on a certificate using the --pss-sign argument to certutil.
  Changes in 3.34.1:
  * The following CA certificate was Re-Added. It was removed in NSS
    3.34, but has been re-added with only the Email trust bit set.
    (bmo#1418678):
    libfreebl no longer requires SSE2 instructionsCN = Certum CA, O=Unizeto Sp. z o.o.
  * Removed entries from certdata.txt for actively distrusted
    certificates that have expired (bmo#1409872)
  * The version of the CA list was set to 2.20.

OBS-URL: https://build.opensuse.org/request/show/567964
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=132
2018-01-22 14:56:48 +00:00
Wolfgang Rosenauer
0967a1196a - update to NSS 3.34.1
Changes in 3.34:
  Notable changes
  * The following CA certificates were Added:
    GDCA TrustAUTH R5 ROOT
    SSL.com Root Certification Authority RSA
    SSL.com Root Certification Authority ECC
    SSL.com EV Root Certification Authority RSA R2
    SSL.com EV Root Certification Authority ECC
    TrustCor RootCert CA-1
    TrustCor RootCert CA-2
    TrustCor ECA-1
  * The following CA certificates were Removed:
    Certum CA, O=Unizeto Sp. z o.o.
    StartCom Certification Authority
    StartCom Certification Authority G2
    TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
    ACEDICOM Root
    Certinomis - Autorité Racine
    TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
    PSCProcert
    CA 沃通根证书, O=WoSign CA Limited
    Certification Authority of WoSign
    Certification Authority of WoSign G2
    CA WoSign ECC Root
  * libfreebl no longer requires SSE2 instructions
  New functionality
  * When listing an NSS database using certutil -L, but the database
    hasn't yet been initialized with any non-empty or empty password,
    the text "Database needs user init" will be included in the listing.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=254
2018-01-20 20:25:21 +00:00
Dominique Leuenberger
8e7f335cf6 Accepting request 555849 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/555849
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=131
2017-12-12 20:20:33 +00:00
Wolfgang Rosenauer
bc2956241b Accepting request 554988 from home:dimstar:Factory
Fix build with RPM 4.14

OBS-URL: https://build.opensuse.org/request/show/554988
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=252
2017-12-11 08:31:33 +00:00
Dominique Leuenberger
5521bcbc4c Accepting request 531472 from mozilla:Factory
- update to NSS 3.33
  Notable changes
  * TLS compression is no longer supported. API calls that attempt
    to enable compression are accepted without failure. However,
    TLS compression will remain disabled.
  * This version of NSS uses a formally verified implementation of
    Curve25519 on 64-bit systems.
  * The compile time flag DISABLE_ECC has been removed.
  * When NSS is compiled without NSS_FORCE_FIPS=1 startup checks
    are not performed anymore.
  * Various minor improvements and correctness fixes.
  New functionality
  * When listing an NSS database using certutil -L, but the database
    hasn't yet been initialized with any non-empty or empty password,
    the text "Database needs user init" will be included in the listing.
  * When using certutil to set an inacceptable password in FIPS mode,
    a correct explanation of acceptable passwords will be printed.
  New functions
  * CERT_FindCertByIssuerAndSNCX - a variation of existing function
    CERT_FindCertByIssuerAndSN that accepts an additional password
    context parameter.
  * CERT_FindCertByNicknameOrEmailAddrCX - a variation of existing
    function CERT_FindCertByNicknameOrEmailAddr that accepts an
    additional password context parameter.
  * CERT_FindCertByNicknameOrEmailAddrForUsageCX - a variation of
    existing function CERT_FindCertByNicknameOrEmailAddrForUsage that
    accepts an additional password context parameter.
  * NSS_SecureMemcmpZero - check if a memory region is all zero in
    constant time.
  * PORT_ZAllocAligned - allocate aligned memory.

OBS-URL: https://build.opensuse.org/request/show/531472
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=130
2017-10-10 09:35:10 +00:00
Wolfgang Rosenauer
d4c9f5a5cf - update to NSS 3.33
Notable changes
  * TLS compression is no longer supported. API calls that attempt
    to enable compression are accepted without failure. However,
    TLS compression will remain disabled.
  * This version of NSS uses a formally verified implementation of
    Curve25519 on 64-bit systems.
  * The compile time flag DISABLE_ECC has been removed.
  * When NSS is compiled without NSS_FORCE_FIPS=1 startup checks
    are not performed anymore.
  * Various minor improvements and correctness fixes.
  New functionality
  * When listing an NSS database using certutil -L, but the database
    hasn't yet been initialized with any non-empty or empty password,
    the text "Database needs user init" will be included in the listing.
  * When using certutil to set an inacceptable password in FIPS mode,
    a correct explanation of acceptable passwords will be printed.
  New functions
  * CERT_FindCertByIssuerAndSNCX - a variation of existing function
    CERT_FindCertByIssuerAndSN that accepts an additional password
    context parameter.
  * CERT_FindCertByNicknameOrEmailAddrCX - a variation of existing
    function CERT_FindCertByNicknameOrEmailAddr that accepts an
    additional password context parameter.
  * CERT_FindCertByNicknameOrEmailAddrForUsageCX - a variation of
    existing function CERT_FindCertByNicknameOrEmailAddrForUsage that
    accepts an additional password context parameter.
  * NSS_SecureMemcmpZero - check if a memory region is all zero in
    constant time.
  * PORT_ZAllocAligned - allocate aligned memory.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=250
2017-10-04 20:50:43 +00:00
Dominique Leuenberger
89a3f3c56e Accepting request 528036 from mozilla:Factory
- update to NSS 3.32.1
  * no upstream changelog/releasenote provided

- update to NSS 3.32
  Notable changes
  * Various minor improvements and correctness fixes.
  * The Code Signing trust bit was turned off for all included root certificates.
  * The Websites (TLS/SSL) trust bit was turned off for the following
    root certificates:
    AddTrust Class 1 CA Root
    Swisscom Root CA 2
  * The following CA certificates were Removed:
    AddTrust Public CA Root
    AddTrust Qualified CA Root
    China Internet Network Information Center EV Certificates Root
    CNNIC ROOT
    ComSign Secured CA
    GeoTrust Global CA 2
    Secure Certificate Services
    Swisscom Root CA 1
    Swisscom Root EV CA 2
    Trusted Certificate Services
    UTN-USERFirst-Hardware
    UTN-USERFirst-Object
- requires NSPR 4.16

OBS-URL: https://build.opensuse.org/request/show/528036
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=129
2017-09-25 11:55:06 +00:00
Wolfgang Rosenauer
ee4c12609b - update to NSS 3.32.1
* no upstream changelog/releasenote provided

- update to NSS 3.32
  Notable changes
  * Various minor improvements and correctness fixes.
  * The Code Signing trust bit was turned off for all included root certificates.
  * The Websites (TLS/SSL) trust bit was turned off for the following
    root certificates:
    AddTrust Class 1 CA Root
    Swisscom Root CA 2
  * The following CA certificates were Removed:
    AddTrust Public CA Root
    AddTrust Qualified CA Root
    China Internet Network Information Center EV Certificates Root
    CNNIC ROOT
    ComSign Secured CA
    GeoTrust Global CA 2
    Secure Certificate Services
    Swisscom Root CA 1
    Swisscom Root EV CA 2
    Trusted Certificate Services
    UTN-USERFirst-Hardware
    UTN-USERFirst-Object
- requires NSPR 4.16

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=248
2017-09-21 07:14:07 +00:00
Dominique Leuenberger
e706e940a1 Accepting request 523645 from mozilla:Factory
- update to NSS 3.31.1
  * Potential deadlock when using an external PKCS#11 token (bmo#1381784)

OBS-URL: https://build.opensuse.org/request/show/523645
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=128
2017-09-13 19:36:33 +00:00
Wolfgang Rosenauer
7da2ef870f - update to NSS 3.31.1
* Potential deadlock when using an external PKCS#11 token (bmo#1381784)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=246
2017-09-12 08:58:38 +00:00
Dominique Leuenberger
add9601cb0 Accepting request 516062 from mozilla:Factory
- update to NSS 3.31
  New functionality
  * Allow certificates to be specified by RFC7512 PKCS#11 URIs.
  * Allow querying a certificate object for its temporary or permanent
    storage status in a thread safe way.
  New functions
  * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a
    certificate in a thread safe way.
  * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a
    certificate in a thread safe way.
  * PK11_FindCertFromURI - find a certificate identified by the given URI.
  * PK11_FindCertsFromURI - find a list of certificates identified by the given
    URI.
  * PK11_GetModuleURI - retrieve the URI of the given module.
  * PK11_GetTokenURI - retrieve the URI of a token based on the given slot
    information.
  * PK11URI_CreateURI - create a new PK11URI object from a set of attributes.
  * PK11URI_DestroyURI - destroy a PK11URI object.
  * PK11URI_FormatURI - format a PK11URI object to a string.
  * PK11URI_GetPathAttribute - retrieve a path attribute with the given name.
  * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name.
  * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object.
  New macros
  * Several new macros that start with PK11URI_PATTR_ for path attributes defined
    in RFC7512.
  * Several new macros that start with PK11URI_QATTR_ for query attributes defined
    in RFC7512.
  Notable changes
  * The APIs that set a TLS version range have been changed to trim the requested
    range to the overlap with a systemwide crypto policy, if configured.

OBS-URL: https://build.opensuse.org/request/show/516062
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=127
2017-08-17 09:47:59 +00:00
Wolfgang Rosenauer
279fac0f79 - removed obsolete nss-fix-hash.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=244
2017-08-11 07:28:38 +00:00
Wolfgang Rosenauer
3acc6b79e5 - update to NSS 3.31
New functionality
  * Allow certificates to be specified by RFC7512 PKCS#11 URIs.
  * Allow querying a certificate object for its temporary or permanent
    storage status in a thread safe way.
  New functions
  * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a
    certificate in a thread safe way.
  * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a
    certificate in a thread safe way.
  * PK11_FindCertFromURI - find a certificate identified by the given URI.
  * PK11_FindCertsFromURI - find a list of certificates identified by the given
    URI.
  * PK11_GetModuleURI - retrieve the URI of the given module.
  * PK11_GetTokenURI - retrieve the URI of a token based on the given slot
    information.
  * PK11URI_CreateURI - create a new PK11URI object from a set of attributes.
  * PK11URI_DestroyURI - destroy a PK11URI object.
  * PK11URI_FormatURI - format a PK11URI object to a string.
  * PK11URI_GetPathAttribute - retrieve a path attribute with the given name.
  * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name.
  * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object.
  New macros
  * Several new macros that start with PK11URI_PATTR_ for path attributes defined
    in RFC7512.
  * Several new macros that start with PK11URI_QATTR_ for query attributes defined
    in RFC7512.
  Notable changes
  * The APIs that set a TLS version range have been changed to trim the requested
    range to the overlap with a systemwide crypto policy, if configured.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=243
2017-08-08 18:40:45 +00:00
Dominique Leuenberger
e3b4251412 Accepting request 492757 from mozilla:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/492757
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=126
2017-05-06 16:26:16 +00:00
Wolfgang Rosenauer
8a54093a7b - update to NSS 3.30.2
New Functionality
  * In the PKCS#11 root CA module (nssckbi), CAs with positive trust
    are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY,
    set to true. Applications that need to distinguish them from other
    other root CAs, may use the exported function PK11_HasAttributeSet.
  * Support for callback functions that can be used to monitor SSL/TLS
    alerts that are sent or received.
  New Functions
  * CERT_CompareAVA - performs a comparison of two CERTAVA structures,
    and returns a SECComparison result.
  * PK11_HasAttributeSet - allows to check if a PKCS#11 object in a
    given slot has a specific boolean attribute set.
  * SSL_AlertReceivedCallback - register a callback function, that will
    be called whenever an SSL/TLS alert is received
  * SSL_AlertSentCallback - register a callback function, that will be
    called whenever an SSL/TLS alert is sent
  * SSL_SetSessionTicketKeyPair - configures an asymmetric key pair,
    for use in wrapping session ticket keys, used by the server. This
    function currently only accepts an RSA public/private key pair.
  New Macros
  * PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256
    cipher family identifiers corresponding to the PKCS#5 v2.1 AES
    based encryption schemes used in the PKCS#12 support in NSS
  * CKA_NSS_MOZILLA_CA_POLICY - identifier for a boolean PKCS#11
    attribute, that should be set to true, if a CA is present because
    of it's acceptance according to the Mozilla CA Policy
  Notable Changes
  * The TLS server code has been enhanced to support session tickets
    when no RSA certificate (e.g. only an ECDSA certificate) is configured.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=241
2017-04-26 21:50:12 +00:00
Dominique Leuenberger
9746ae6f6e Accepting request 487715 from mozilla:Factory
- update to NSS 3.29.5
  * Rare crashes in the base 64 decoder and encoder were fixed.
    (bmo#1344380)
  * A carry over bug in the RNG was fixed. (bmo#1345089)
- Allow use of session tickets when there is no ticket wrapping key
  (boo#1015499, bmo#1320695) (nss-bmo1320695.patch)

OBS-URL: https://build.opensuse.org/request/show/487715
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=125
2017-04-18 11:47:28 +00:00
Wolfgang Rosenauer
607f63b358 (boo#1015499, bmo#1320695) (nss-bmo1320695.patch)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=239
2017-04-12 21:31:19 +00:00
Wolfgang Rosenauer
c072bb869b - Allow use of session tickets when there is no ticket wrapping key
(boo#1015499, bmo#1320695)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=238
2017-04-12 21:26:25 +00:00
Wolfgang Rosenauer
32ecde7ac4 - update to NSS 3.29.5
* Rare crashes in the base 64 decoder and encoder were fixed.
    (bmo#1344380)
  * A carry over bug in the RNG was fixed. (bmo#1345089)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=237
2017-04-09 08:24:38 +00:00
Yuchen Lin
e1a86c52ad Accepting request 482051 from mozilla:Factory
- update to NSS 3.29.3
  * enables TLS 1.3 by default
- TLS 1.3 was already enabled in 3.28.x builds for openSUSE.
  This build option was removed.
- required for Firefox 53

OBS-URL: https://build.opensuse.org/request/show/482051
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=124
2017-03-31 13:02:07 +00:00
Wolfgang Rosenauer
0fddc4108c - update to NSS 3.29.3
* enables TLS 1.3 by default
- TLS 1.3 was already enabled in 3.28.x builds for openSUSE.
  This build option was removed.
- required for Firefox 53

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=235
2017-03-22 22:17:03 +00:00
Dominique Leuenberger
fb68cfad7c Accepting request 480619 from mozilla:Factory
1

OBS-URL: https://build.opensuse.org/request/show/480619
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=123
2017-03-21 21:44:19 +00:00
Wolfgang Rosenauer
11f3cdd1a0 Accepting request 479929 from home:rguenther:branches:mozilla:Factory
- Add nss-fix-hash.patch to fix hash computation (and build with
  GCC 7 which complains about shifts of boolean values).

OBS-URL: https://build.opensuse.org/request/show/479929
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=233
2017-03-16 13:54:28 +00:00
Dominique Leuenberger
df5ab6e44e Accepting request 459222 from mozilla:Factory
- update to NSS 3.28.3
  * This is a patch release to fix binary compatibility issues.
    NSS version 3.28, 3.28.1 and 3.28.2 contained changes that were
    in violation with the NSS compatibility promise.
    ECParams, which is part of the public API of the freebl/softokn
    parts of NSS, had been changed to include an additional attribute.
    That size increase caused crashes or malfunctioning with applications
    that use that data structure directly, or indirectly through
    ECPublicKey, ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey,
    or potentially other data structures that reference ECParams.
    The change has been reverted to the original state in bug
    bmo#1334108.
    SECKEYECPublicKey had been extended with a new attribute, named
    "encoding". If an application passed type SECKEYECPublicKey to NSS
    (as part of SECKEYPublicKey), the NSS library read the uninitialized
    attribute. With this NSS release SECKEYECPublicKey.encoding is
    deprecated. NSS no longer reads the attribute, and will always
    set it to ECPoint_Undefined. See bug bmo#1340103.
- requires NSPR >= 4.13.1

OBS-URL: https://build.opensuse.org/request/show/459222
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=122
2017-02-22 12:51:29 +00:00
Wolfgang Rosenauer
521acd1a2e - update to NSS 3.28.3
* This is a patch release to fix binary compatibility issues.
    NSS version 3.28, 3.28.1 and 3.28.2 contained changes that were
    in violation with the NSS compatibility promise.
    ECParams, which is part of the public API of the freebl/softokn
    parts of NSS, had been changed to include an additional attribute.
    That size increase caused crashes or malfunctioning with applications
    that use that data structure directly, or indirectly through
    ECPublicKey, ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey,
    or potentially other data structures that reference ECParams.
    The change has been reverted to the original state in bug
    bmo#1334108.
    SECKEYECPublicKey had been extended with a new attribute, named
    "encoding". If an application passed type SECKEYECPublicKey to NSS
    (as part of SECKEYPublicKey), the NSS library read the uninitialized
    attribute. With this NSS release SECKEYECPublicKey.encoding is
    deprecated. NSS no longer reads the attribute, and will always
    set it to ECPoint_Undefined. See bug bmo#1340103.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=231
2017-02-20 11:58:02 +00:00
Dominique Leuenberger
439202d1df Accepting request 456518 from mozilla:Factory
- update to NSS 3.28.2
  This is a stability and compatibility release. Below is a summary of
  the changes.
  * Fixed a NSS 3.28 regression in the signature scheme flexibility that
    causes connectivity issues between iOS 8 clients and NSS servers
    with ECDSA certificates (bmo#1334114)
  * Fixed a possible crash on some Windows systems (bmo#1323150)
  * Fixed a compatibility issue with TLS clients that do not provide a
    list of supported key exchange groups (bmo#1330612)

OBS-URL: https://build.opensuse.org/request/show/456518
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=121
2017-02-13 23:39:41 +00:00
Wolfgang Rosenauer
241444f8ce OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=229 2017-02-12 13:16:09 +00:00
Wolfgang Rosenauer
563cf68233 - update to NSS 3.28.2
This is a stability and compatibility release. Below is a summary of
  the changes.
  * Fixed a NSS 3.28 regression in the signature scheme flexibility that
    causes connectivity issues between iOS 8 clients and NSS servers
    with ECDSA certificates (bmo#1334114)
  * Fixed a possible crash on some Windows systems (bmo#1323150)
  * Fixed a compatibility issue with TLS clients that do not provide a
    list of supported key exchange groups (bmo#1330612)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=228
2017-02-12 07:39:39 +00:00
Dominique Leuenberger
be2004984d Accepting request 452363 from mozilla:Factory
- update to NSS 3.28.1
  No new functionality is introduced in this release. This is a patch release to
  update the list of root CA certificates and address a minor TLS compatibility
  issue that some applications experienced with NSS 3.28.
  * The following CA certificates were Removed
    CN = Buypass Class 2 CA 1
    CN = Root CA Generalitat Valenciana
    OU = RSA Security 2048 V3
  * The following CA certificates were Added
    OU = AC RAIZ FNMT-RCM
    CN = Amazon Root CA 1
    CN = Amazon Root CA 2
    CN = Amazon Root CA 3
    CN = Amazon Root CA 4
    CN = LuxTrust Global Root 2
    CN = Symantec Class 1 Public Primary Certification Authority - G4
    CN = Symantec Class 1 Public Primary Certification Authority - G6
    CN = Symantec Class 2 Public Primary Certification Authority - G4
    CN = Symantec Class 2 Public Primary Certification Authority - G6
  * The version number of the updated root CA list has been set to 2.11
  * A misleading assertion/alert has been removed when NSS tries to flush data
    to the peer but the connection was already reset.
- update to NSS 3.28
  New functionality:
  * NSS includes support for TLS 1.3 draft -18. This includes a number
    of improvements to TLS 1.3:
    - The signed certificate timestamp, used in certificate
      transparency, is supported in TLS 1.3.
    - Key exporters for TLS 1.3 are supported. This includes the early
      key exporter, which can be used if 0-RTT is enabled. Note that

OBS-URL: https://build.opensuse.org/request/show/452363
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=120
2017-01-29 09:29:48 +00:00
Wolfgang Rosenauer
0dac9b9d86 - raised the minimum softokn/freebl version to 3.28 as reported in
boo#1021636

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=226
2017-01-25 10:29:48 +00:00
Wolfgang Rosenauer
d5e09fcf99 - update to NSS 3.28.1
No new functionality is introduced in this release. This is a patch release to
  update the list of root CA certificates and address a minor TLS compatibility
  issue that some applications experienced with NSS 3.28.
  * The following CA certificates were Removed
    CN = Buypass Class 2 CA 1
    CN = Root CA Generalitat Valenciana
    OU = RSA Security 2048 V3
  * The following CA certificates were Added
    OU = AC RAIZ FNMT-RCM
    CN = Amazon Root CA 1
    CN = Amazon Root CA 2
    CN = Amazon Root CA 3
    CN = Amazon Root CA 4
    CN = LuxTrust Global Root 2
    CN = Symantec Class 1 Public Primary Certification Authority - G4
    CN = Symantec Class 1 Public Primary Certification Authority - G6
    CN = Symantec Class 2 Public Primary Certification Authority - G4
    CN = Symantec Class 2 Public Primary Certification Authority - G6
  * The version number of the updated root CA list has been set to 2.11
  * A misleading assertion/alert has been removed when NSS tries to flush data
    to the peer but the connection was already reset.
- update to NSS 3.28
  New functionality:
  * NSS includes support for TLS 1.3 draft -18. This includes a number
    of improvements to TLS 1.3:
    - The signed certificate timestamp, used in certificate
      transparency, is supported in TLS 1.3.
    - Key exporters for TLS 1.3 are supported. This includes the early
      key exporter, which can be used if 0-RTT is enabled. Note that

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=225
2017-01-18 22:18:23 +00:00
Dominique Leuenberger
cd8d06a318 Accepting request 440230 from mozilla:Factory
- update to NSS 3.26.2
  * required for Firefox 50.0
  Changes in 3.26
  New Functionality:
  * the selfserv test utility has been enhanced to support ALPN
    (HTTP/1.1) and 0-RTT
  * added support for the System-wide crypto policy available on
    Fedora Linux see http://fedoraproject.org/wiki/Changes/CryptoPolicy
  * introduced build flag NSS_DISABLE_LIBPKIX that allows compilation
    of NSS without the libpkix library
  Notable Changes:
  * The following CA certificate was Added
    CN = ISRG Root X1
  * NPN is disabled and ALPN is enabled by default
  * the NSS test suite now completes with the experimental TLS 1.3
    code enabled
  * several test improvements and additions, including a NIST known answer test
  Changes in 3.26.2
  * MD5 signature algorithms sent by the server in CertificateRequest
    messages are now properly ignored. Previously, with rare server
    configurations, an MD5 signature algorithm might have been selected
    for client authentication and caused the client to abort the
    connection soon after.

OBS-URL: https://build.opensuse.org/request/show/440230
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=119
2016-11-17 11:19:22 +00:00
Wolfgang Rosenauer
d90646d547 - update to NSS 3.26.2
* required for Firefox 50.0
  Changes in 3.26
  New Functionality:
  * the selfserv test utility has been enhanced to support ALPN
    (HTTP/1.1) and 0-RTT
  * added support for the System-wide crypto policy available on
    Fedora Linux see http://fedoraproject.org/wiki/Changes/CryptoPolicy
  * introduced build flag NSS_DISABLE_LIBPKIX that allows compilation
    of NSS without the libpkix library
  Notable Changes:
  * The following CA certificate was Added
    CN = ISRG Root X1
  * NPN is disabled and ALPN is enabled by default
  * the NSS test suite now completes with the experimental TLS 1.3
    code enabled
  * several test improvements and additions, including a NIST known answer test
  Changes in 3.26.2
  * MD5 signature algorithms sent by the server in CertificateRequest
    messages are now properly ignored. Previously, with rare server
    configurations, an MD5 signature algorithm might have been selected
    for client authentication and caused the client to abort the
    connection soon after.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=223
2016-11-14 12:44:27 +00:00
Dominique Leuenberger
0a604aadaf Accepting request 429413 from mozilla:Factory
- update to NSS 3.25
  New functionality:
  * Implemented DHE key agreement for TLS 1.3
  * Added support for ChaCha with TLS 1.3
  * Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
  * In previous versions, when using client authentication with TLS 1.2,
    NSS only supported certificate_verify messages that used the same
    signature hash algorithm as used by the PRF. This limitation has
    been removed.
  * Several functions have been added to the public API of the
    NSS Cryptoki Framework.
  New functions:
  * NSSCKFWSlot_GetSlotID
  * NSSCKFWSession_GetFWSlot
  * NSSCKFWInstance_DestroySessionHandle
  * NSSCKFWInstance_FindSessionHandle
  Notable changes:
  * An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3
  * Regression fix: NSS no longer reports a failure if an application
    attempts to disable the SSLv2 protocol.
  * The list of trusted CA certificates has been updated to version 2.8
  * The following CA certificate was Removed
    Sonera Class1 CA
  * The following CA certificates were Added
    Hellenic Academic and Research Institutions RootCA 2015
    Hellenic Academic and Research Institutions ECC RootCA 2015
    Certplus Root CA G1
    Certplus Root CA G2
    OpenTrust Root CA G1
    OpenTrust Root CA G2

OBS-URL: https://build.opensuse.org/request/show/429413
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=118
2016-09-25 12:29:21 +00:00
Wolfgang Rosenauer
eae31781bc - update to NSS 3.25
New functionality:
  * Implemented DHE key agreement for TLS 1.3
  * Added support for ChaCha with TLS 1.3
  * Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
  * In previous versions, when using client authentication with TLS 1.2,
    NSS only supported certificate_verify messages that used the same
    signature hash algorithm as used by the PRF. This limitation has
    been removed.
  * Several functions have been added to the public API of the
    NSS Cryptoki Framework.
  New functions:
  * NSSCKFWSlot_GetSlotID
  * NSSCKFWSession_GetFWSlot
  * NSSCKFWInstance_DestroySessionHandle
  * NSSCKFWInstance_FindSessionHandle
  Notable changes:
  * An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3
  * Regression fix: NSS no longer reports a failure if an application
    attempts to disable the SSLv2 protocol.
  * The list of trusted CA certificates has been updated to version 2.8
  * The following CA certificate was Removed
    Sonera Class1 CA
  * The following CA certificates were Added
    Hellenic Academic and Research Institutions RootCA 2015
    Hellenic Academic and Research Institutions ECC RootCA 2015
    Certplus Root CA G1
    Certplus Root CA G2
    OpenTrust Root CA G1
    OpenTrust Root CA G2

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=221
2016-09-19 19:25:03 +00:00
Dominique Leuenberger
0df0d19b00 Accepting request 421041 from mozilla:Factory
- fix build on certain toolchains (nss-uninitialized.patch)
  jarfile.c:805:13: error: 'it' may be used uninitialized in this
  function [-Werror=maybe-uninitialized]

OBS-URL: https://build.opensuse.org/request/show/421041
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=117
2016-08-26 21:13:21 +00:00
Wolfgang Rosenauer
a4d9b31978 - fix build on certain toolchains (nss-uninitialized.patch)
jarfile.c:805:13: error: 'it' may be used uninitialized in this
  function [-Werror=maybe-uninitialized]

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=219
2016-08-22 12:58:09 +00:00
Dominique Leuenberger
1fc885e369 Accepting request 417032 from mozilla:Factory
- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236)

- update to NSS 3.24
  New functionality:
  * NSS softoken has been updated with the latest National Institute
    of Standards and Technology (NIST) guidance (as of 2015):
    - Software integrity checks and POST functions are executed on
      shared library load. These checks have been disabled by default,
      as they can cause a performance regression. To enable these
      checks, you must define symbol NSS_FORCE_FIPS when building NSS.
    - Counter mode and Galois/Counter Mode (GCM) have checks to
      prevent counter overflow.
    - Additional CSPs are zeroed in the code.
    - NSS softoken uses new guidance for how many Rabin-Miller tests
      are needed to verify a prime based on prime size.
  * NSS softoken has also been updated to allow NSS to run in FIPS
    Level 1 (no password). This mode is triggered by setting the
    database password to the empty string. In FIPS mode, you may move
    from Level 1 to Level 2 (by setting an appropriate password),
    but not the reverse.
  * A SSL_ConfigServerCert function has been added for configuring
    SSL/TLS server sockets with a certificate and private key. Use
    this new function in place of SSL_ConfigSecureServer,
    SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
    and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
    determines the certificate type from the certificate and private key.
    The caller is no longer required to use SSLKEAType explicitly to
    select a "slot" into which the certificate is configured (which
    incorrectly identifies a key agreement type rather than a certificate).
    Separate functions for configuring Online Certificate Status Protocol

OBS-URL: https://build.opensuse.org/request/show/417032
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=116
2016-08-12 13:33:38 +00:00
Wolfgang Rosenauer
10edbe58e9 - also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=217
2016-08-05 05:48:45 +00:00
Wolfgang Rosenauer
05db003205 - update to NSS 3.24
New functionality:
  * NSS softoken has been updated with the latest National Institute
    of Standards and Technology (NIST) guidance (as of 2015):
    - Software integrity checks and POST functions are executed on
      shared library load. These checks have been disabled by default,
      as they can cause a performance regression. To enable these
      checks, you must define symbol NSS_FORCE_FIPS when building NSS.
    - Counter mode and Galois/Counter Mode (GCM) have checks to
      prevent counter overflow.
    - Additional CSPs are zeroed in the code.
    - NSS softoken uses new guidance for how many Rabin-Miller tests
      are needed to verify a prime based on prime size.
  * NSS softoken has also been updated to allow NSS to run in FIPS
    Level 1 (no password). This mode is triggered by setting the
    database password to the empty string. In FIPS mode, you may move
    from Level 1 to Level 2 (by setting an appropriate password),
    but not the reverse.
  * A SSL_ConfigServerCert function has been added for configuring
    SSL/TLS server sockets with a certificate and private key. Use
    this new function in place of SSL_ConfigSecureServer,
    SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
    and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
    determines the certificate type from the certificate and private key.
    The caller is no longer required to use SSLKEAType explicitly to
    select a "slot" into which the certificate is configured (which
    incorrectly identifies a key agreement type rather than a certificate).
    Separate functions for configuring Online Certificate Status Protocol
    (OCSP) responses or Signed Certificate Timestamps are not needed,
    since these can be added to the optional SSLExtraServerCertData struct

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=216
2016-07-31 10:48:39 +00:00
Dominique Leuenberger
56e877e029 Accepting request 400680 from mozilla:Factory
1

OBS-URL: https://build.opensuse.org/request/show/400680
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=115
2016-06-12 16:51:18 +00:00
Wolfgang Rosenauer
ec6a54a194 Accepting request 400673 from home:AndreasStieger:branches:mozilla:Factory
CVE-2016-1950 was already fixed in 3.22.3, add there.
Add CVE-2016-2834 to 3.23 section

OBS-URL: https://build.opensuse.org/request/show/400673
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=214
2016-06-08 12:57:14 +00:00
Wolfgang Rosenauer
0761a83e02 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=213 2016-06-08 09:52:56 +00:00
Dominique Leuenberger
d3cd8a43e8 Accepting request 397829 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/397829
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=114
2016-05-31 10:10:06 +00:00
Wolfgang Rosenauer
f2c3469da1 - update to NSS 3.23
New functionality:
  * ChaCha20/Poly1305 cipher and TLS cipher suites now supported
  * Experimental-only support TLS 1.3 1-RTT mode (draft-11).
    This code is not ready for production use.
  New functions:
  * SSL_SetDowngradeCheckVersion - Set maximum version for new
    ServerRandom anti-downgrade mechanism. Clients that perform a
    version downgrade (which is generally a very bad idea) call this
    with the highest version number that they possibly support.
    This gives them access to the version downgrade protection from
    TLS 1.3.
  Notable changes:
  * The copy of SQLite shipped with NSS has been updated to version
    3.10.2
  * The list of TLS extensions sent in the TLS handshake has been
    reordered to increase compatibility of the Extended Master Secret
    with with servers
  * The build time environment variable NSS_ENABLE_ZLIB has been
    renamed to NSS_SSL_ENABLE_ZLIB
  * The build time environment variable NSS_DISABLE_CHACHAPOLY was
    added, which can be used to prevent compilation of the
    ChaCha20/Poly1305 code.
  * The following CA certificates were Removed
    - Staat der Nederlanden Root CA
    - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
    - NetLock Kozjegyzoi (Class A) Tanusitvanykiado
    - NetLock Uzleti (Class B) Tanusitvanykiado
    - NetLock Expressz (Class C) Tanusitvanykiado
    - VeriSign Class 1 Public PCA – G2

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=212
2016-05-26 20:20:47 +00:00
Wolfgang Rosenauer
fb6ae8911f Accepting request 390595 from home:michel_mno:branches:mozilla:Factory
-  add nss_gcc6_change.patch
to avoid build error in https://build.opensuse.org/package/show/openSUSE:Factory:Staging:Gcc6/mozilla-nss

OBS-URL: https://build.opensuse.org/request/show/390595
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=211
2016-04-18 20:51:42 +00:00
Dominique Leuenberger
2174d182f2 Accepting request 384318 from mozilla:Factory
- update to NSS 3.22.3
  * required for Firefox 46.0
  * Increase compatibility of TLS extended master secret,
    don't send an empty TLS extension last in the handshake
    (bmo#1243641)

- update to NSS 3.22.2
  New functionality:
  * RSA-PSS signatures are now supported (bmo#1215295)
  * Pseudorandom functions based on hashes other than SHA-1 are now supported
  * Enforce an External Policy on NSS from a config file (bmo#1009429)
  New functions:
  * PK11_SignWithMechanism - an extended version PK11_Sign()
  * PK11_VerifyWithMechanism - an extended version of PK11_Verify()
  * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp
    TLS extension data
  * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp
    TLS extension data
  New types:
  * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
  * Constants for several object IDs are added to SECOidTag
  New macros:
  * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
  * NSS_USE_ALG_IN_SSL
  * NSS_USE_POLICY_IN_SSL
  * NSS_RSA_MIN_KEY_SIZE
  * NSS_DH_MIN_KEY_SIZE
  * NSS_DSA_MIN_KEY_SIZE
  * NSS_TLS_VERSION_MIN_POLICY
  * NSS_TLS_VERSION_MAX_POLICY

OBS-URL: https://build.opensuse.org/request/show/384318
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=113
2016-04-11 07:12:15 +00:00
Wolfgang Rosenauer
a9a3622567 - update to NSS 3.22.3
* required for Firefox 46.0
  * Increase compatibility of TLS extended master secret,
    don't send an empty TLS extension last in the handshake
    (bmo#1243641)

- update to NSS 3.22.2
  New functionality:
  * RSA-PSS signatures are now supported (bmo#1215295)
  * Pseudorandom functions based on hashes other than SHA-1 are now supported
  * Enforce an External Policy on NSS from a config file (bmo#1009429)
  New functions:
  * PK11_SignWithMechanism - an extended version PK11_Sign()
  * PK11_VerifyWithMechanism - an extended version of PK11_Verify()
  * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp
    TLS extension data
  * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp
    TLS extension data
  New types:
  * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
  * Constants for several object IDs are added to SECOidTag
  New macros:
  * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
  * NSS_USE_ALG_IN_SSL
  * NSS_USE_POLICY_IN_SSL
  * NSS_RSA_MIN_KEY_SIZE
  * NSS_DH_MIN_KEY_SIZE
  * NSS_DSA_MIN_KEY_SIZE
  * NSS_TLS_VERSION_MIN_POLICY
  * NSS_TLS_VERSION_MAX_POLICY

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=209
2016-04-05 05:56:14 +00:00
Dominique Leuenberger
890082ce2c Accepting request 368766 from mozilla:Factory
- update to NSS 3.21.1 (bmo#969894)
  * required for Firefox 45.0
  * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
    Buffer overflow during ASN.1 decoding in NSS
    (fixed by requiring 3.21.1)
  * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
    Use-after-free during processing of DER encoded keys in NSS
    (fixed by requiring 3.21.1)

OBS-URL: https://build.opensuse.org/request/show/368766
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=112
2016-03-16 09:24:28 +00:00
Wolfgang Rosenauer
4db1acbc24 - update to NSS 3.21.1 (bmo#969894)
* MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
    Buffer overflow during ASN.1 decoding in NSS
    (fixed by requiring 3.21.1)
  * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
    Use-after-free during processing of DER encoded keys in NSS
    (fixed by requiring 3.21.1)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=207
2016-03-08 22:39:49 +00:00