f1644f1832- update to NSS 3.68 * bmo#1713562 - Fix test leak. * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. * bmo#1693206 - Implement PKCS8 export of ECDSA keys. * bmo#1712883 - DTLS 1.3 draft-43. * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. * bmo#1713562 - Validate ECH public names. * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. - required by Firefox 91.0
Wolfgang Rosenauer
2021-08-09 12:31:34 +0000
feed344e74Accepting request 906331 from mozilla:Factory
Dominique Leuenberger
2021-07-17 21:36:23 +0000
009bd2b01c- update to NSS 3.66 * no releasenotes available yet https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.66_release_notes - update to NSS 3.65 * bmo#1709654 - Update for NetBSD configuration. * bmo#1709750 - Disable HPKE test when fuzzing. * bmo#1566124 - Optimize AES-GCM for ppc64le. * bmo#1699021 - Add AES-256-GCM to HPKE. * bmo#1698419 - ECH -10 updates. * bmo#1692930 - Update HPKE to final version. * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default. * bmo#1703936 - New coverity/cpp scanner errors. * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards. * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens. - refreshed patches - Firefox 90.0 requires NSS 3.66
Wolfgang Rosenauer
2021-07-14 16:20:34 +0000
f3c19e461eAccepting request 895810 from mozilla:Factory
Dominique Leuenberger
2021-06-01 08:33:04 +0000
2607747af9Accepting request 895809 from home:AndreasStieger:branches:mozilla:Factory
Wolfgang Rosenauer
2021-05-27 17:36:07 +0000
926a532f98Accepting request 886901 from mozilla:Factory
Dominique Leuenberger
2021-04-23 15:49:45 +0000
eba5fa49ec- update to NSS 3.63.1 * no upstream release notes for 3.63.1 (yet) Fixed in 3.63 * bmo#1697380 - Make a clang-format run on top of helpful contributions. * bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication. * bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication. * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. * bmo#1694214 - tstclnt can't enable middlebox compat mode. * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles. * bmo#1685880 - Minor fix to prevent unused variable on early return. * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build. * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS. * bmo#1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root cert in NSS.
Wolfgang Rosenauer
2021-04-18 07:40:17 +0000
2fff3f55e1Accepting request 880741 from mozilla:Factory
Richard Brown
2021-04-06 15:29:00 +0000
2e8ea1e384- update to NSS 3.62 * bmo#1688374 - Fix parallel build NSS-3.61 with make * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable" * bmo#1690583 - Fix CH padding extension size calculation * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail * bmo#1690421 - Install packaged libabigail in docker-builds image * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing * bmo#1674819 - Fixup a51fae403328, enum type may be signed * bmo#1681585 - Add ECH support to selfserv * bmo#1681585 - Update ECH to Draft-09 * bmo#1678398 - Add Export/Import functions for HPKE context * bmo#1678398 - Update HPKE to draft-07 - required for Firefox 87
Wolfgang Rosenauer
2021-03-17 08:44:35 +0000
36801a3be6Accepting request 875778 from mozilla:Factory
Richard Brown
2021-03-02 11:28:14 +0000
bac7e766cbAccepting request 875772 from home:hellcp:branches:security:idm
Wolfgang Rosenauer
2021-02-28 12:47:39 +0000
5de44ac988- Mozilla Thunderbird 78.8.0 * various bugfixes MFSA 2021-09 (bsc#1182614) * CVE-2021-23969 (bmo#1542194) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23968 (bmo#1687342) Content Security Policy violation report could have contained the destination of a redirect * CVE-2021-23973 (bmo#1690976) MediaError message property could have leaked information about cross-origin resources * CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391, bmo#1687597) Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8
Wolfgang Rosenauer
2021-02-24 08:07:17 +0000
3cea36e7acAccepting request 867003 from mozilla:Factory
Dominique Leuenberger
2021-01-29 13:55:23 +0000
56558e6d23- update to NSS 3.60.1 Notable changes in NSS 3.60: * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information. * December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information. - removed obsolete ppc-old-abi-v3.patch
Wolfgang Rosenauer
2021-01-26 21:30:37 +0000
4c45e1b696Accepting request 859942 from mozilla:Factory
Dominique Leuenberger
2021-01-04 18:07:17 +0000
691fd0a9fa- update to NSS 3.59.1 * bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules
Wolfgang Rosenauer
2020-12-31 12:04:59 +0000
dee7c844b0Accepting request 852633 from mozilla:Factory
Dominique Leuenberger
2020-12-24 18:39:56 +0000
87892cd552Accepting request 851799 from mozilla:Factory
Dominique Leuenberger
2020-12-02 12:57:27 +0000
95bb1123a7- update to NSS 3.59 Notable changes * Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData Bugfixes * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382) * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP * bmo#1667989 - Fix gyp linking on Solaris * bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA * bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
Wolfgang Rosenauer
2020-12-01 13:33:23 +0000
694386f519Accepting request 849662 from home:lnussel:usrmove
Wolfgang Rosenauer
2020-11-30 10:24:31 +0000
b54447fa2aAccepting request 849114 from mozilla:Factory
Dominique Leuenberger
2020-11-21 11:39:52 +0000
de30840f35- update to NSS 3.58 Bugs fixed: * bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode. * bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni). * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions. * bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows. * bmo#1667153 - Add PK11_ImportDataKey for data object import. * bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value.
Wolfgang Rosenauer
2020-11-17 13:50:18 +0000
93b007137aAccepting request 841322 from mozilla:Factory
Dominique Leuenberger
2020-10-14 13:38:13 +0000
da00e5afd0Accepting request 841320 from home:dimstar:Factory
Wolfgang Rosenauer
2020-10-12 15:35:14 +0000
d5a2413344Accepting request 840031 from mozilla:Factory
Dominique Leuenberger
2020-10-10 17:00:34 +0000
f6aa3fb9fb- update to NSS 3.57 * The following CA certificates were Added: bmo#1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed: bmo#1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 bmo#1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified: bmo#1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed. * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes - requires NSPR 4.29 - removed obsolete nss-freebl-fix-aarch64.patch (bmo#1659256) - introduced _constraints due to high memory requirements especially for LTO on Tumbleweed
Wolfgang Rosenauer
2020-10-07 08:15:55 +0000
0321aaf402Accepting request 837281 from mozilla:Factory
Dominique Leuenberger
2020-09-29 16:58:59 +0000
e43a7b9e4bAccepting request 837280 from home:Guillaume_G:branches:mozilla:Factory
Wolfgang Rosenauer
2020-09-25 06:58:55 +0000
626f71eef2Accepting request 835234 from mozilla:Factory
Dominique Leuenberger
2020-09-24 14:11:54 +0000
50269fd3cdAccepting request 835218 from home:hpjansson:nss-tw
Wolfgang Rosenauer
2020-09-17 14:55:31 +0000
cd3540b0de- update to NSS 3.56 Notable changes * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8 * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * bmo#1654142 - Add CPU feature detection for Intel SHA extension. * bmo#1648822 - Add stricter validation of DH keys in FIPS mode. * bmo#1656986 - Properly detect arm64 during GYP build architecture detection. * bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay. * bmo#1588941 - Send empty certificate message when scheme selection fails. * bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * bmo#1653975 - Fix 3.53 regression by setting "all" as the default makefile target. * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert. * bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies. * bmo#1656519 - NSPR dependency updated to 4.28 - do not hard require mozilla-nss-certs-32bit via baselibs (boo#1176206)
Wolfgang Rosenauer
2020-09-08 20:23:09 +0000
b6c47560abAccepting request 829609 from mozilla:Factory
Dominique Leuenberger
2020-09-02 23:08:00 +0000
6364ad3ae6- update to NSS 3.55 Notable changes * P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1]. * PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633) * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752) Relevant Bugfixes * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila. * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature. * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding. * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length. * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix). * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix). * bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED. * bmo#1646594 - Fix AVX2 detection in makefile builds. * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate. * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo. * bmo#1647752 - Update DTLS 1.3 implementation to draft-38. * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI. * bmo#1649226 - Add Wycheproof ECDSA tests. * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES. * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
Wolfgang Rosenauer
2020-08-22 07:01:08 +0000
1ce163d005Accepting request 823327 from mozilla:Factory
Dominique Leuenberger
2020-07-30 07:57:44 +0000
8581fb64fb- update to NSS 3.54 Notable changes * Support for TLS 1.3 external pre-shared keys (bmo#1603042). * Use ARM Cryptography Extension for SHA256, when available (bmo#1528113) * The following CA certificates were Added: bmo#1645186 - certSIGN Root CA G2. bmo#1645174 - e-Szigno Root CA 2017. bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. bmo#1641716 - Microsoft RSA Root Certificate Authority 2017. * The following CA certificates were Removed: bmo#1645199 - AddTrust Class 1 CA Root. bmo#1645199 - AddTrust External CA Root. bmo#1641718 - LuxTrust Global Root 2. bmo#1639987 - Staat der Nederlanden Root CA - G2. bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3. * A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list. Bugs fixed * bmo#1528113 - Use ARM Cryptography Extension for SHA256. * bmo#1603042 - Add TLS 1.3 external PSK support. * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows. * bmo#1645186 - Add "certSIGN Root CA G2" root certificate. * bmo#1645174 - Add Microsec's "e-Szigno Root CA 2017" root certificate. * bmo#1641716 - Add Microsoft's non-EV root certificates. * bmo1621151 - Disable email trust bit for "O=Government Root Certification Authority; C=TW" root. * bmo#1645199 - Remove AddTrust root certificates.
Wolfgang Rosenauer
2020-07-23 16:12:42 +0000
62b6732e56Accepting request 817441 from mozilla:Factory
Dominique Leuenberger
2020-06-30 19:52:57 +0000
c9da1099a1- removed obsolete nss-kremlin-ppc64le.patch
Wolfgang Rosenauer
2020-05-26 13:56:16 +0000
6553d00ceb* CVE-2020-12399 - Force a fixed length for DSA exponentiation (bmo#1631576)
Wolfgang Rosenauer
2020-05-26 09:14:39 +0000
e33a5800ee- update to NSS 3.52.1 * required for Firefox 77.0 Notable changes * Update NSS to support PKCS#11 v3.0 (bmo#1603628) * Support new PKCS #11 v3.0 Message Interface for AES-GCM and ChaChaPoly (bmo#1623374) * Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL* (bmo#1612493) - Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds
Wolfgang Rosenauer
2020-05-26 09:12:44 +0000
a00e1cb470Accepting request 799040 from mozilla:Factory
Dominique Leuenberger
2020-05-02 20:14:59 +0000
f615b8c01bAccepting request 798944 from home:marxin:branches:mozilla:Factory
Wolfgang Rosenauer
2020-04-29 21:43:25 +0000
ea7949cb9dAccepting request 793077 from mozilla:Factory
Dominique Leuenberger
2020-04-15 17:52:12 +0000
6ea59419f5Accepting request 793073 from home:AndreasStieger:branches:mozilla:Factory
Wolfgang Rosenauer
2020-04-11 10:30:25 +0000
0c74453c3fAccepting request 790238 from mozilla:Factory
Dominique Leuenberger
2020-04-04 10:05:24 +0000
507c7ec45bAccepting request 790234 from home:michel_mno:branches:mozilla:Factory
Wolfgang Rosenauer
2020-03-31 15:31:21 +0000
5c3b101fcbAccepting request 790066 from home:MSirringhaus:branches:mozilla:Factory
Wolfgang Rosenauer
2020-03-31 14:28:37 +0000
ab72679b5e- update to NSS 3.51 * Updated DTLS 1.3 implementation to Draft-34. (bmo#1608892) * Correct swapped PKCS11 values of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL (bmo#1611209) * Complete integration of Wycheproof ECDH test cases (bmo#1612259) * Check if PPC __has_include(<sys/auxv.h>) (bmo#1614183) * Fix a compilation error for ‘getFIPSEnv’ "defined but not used" (bmo#1614786) * Send DTLS version numbers in DTLS 1.3 supported_versions extension to avoid an incompatibility. (bmo#1615208) * SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed to be null-terminated (bmo#1538980) * Correct a warning for comparison of integers of different signs: 'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88 (bmo#1561337) * Add test for mp_int clamping (bmo#1609751) * Don't attempt to read the fips_enabled flag on the machine unless NSS was built with FIPS enabled (bmo#1582169) * Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940) * Fix compiler warning in secsign.c (bmo#1617387) * Fix a OpenBSD/arm64 compilation error: unused variable 'getauxval' (bmo#1618400) * Fix a crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics (bmo#1610687)
Wolfgang Rosenauer
2020-03-30 13:40:12 +0000
9b381f8d16Accepting request 783555 from mozilla:Factory
Dominique Leuenberger
2020-03-14 08:54:00 +0000
14bbc2e047- update to NSS 3.50 * Verified primitives from HACL* were updated, bringing performance improvements for several platforms. Note that Intel processors with SSE4 but without AVX are currently unable to use the improved ChaCha20/Poly1305 due to a build issue; such platforms will fall-back to less optimized algorithms. See bmo#1609569 for details * Updated DTLS 1.3 implementation to Draft-30. See bmo#1599514 for details. * Added NIST SP800-108 KBKDF - PKCS#11 implementation. See bmo#1599603 for details. * Several bugfixes and minor changes
Wolfgang Rosenauer
2020-03-03 21:21:24 +0000
deaa59ba87Accepting request 780186 from mozilla:Factory
Dominique Leuenberger
2020-02-29 20:20:04 +0000
b1721753f1Accepting request 779969 from home:fstrba:branches:mozilla:Factory
Wolfgang Rosenauer
2020-02-28 09:07:15 +0000
478511aedcAccepting request 779080 from home:Guillaume_G:branches:openSUSE:Factory:ARM
Wolfgang Rosenauer
2020-02-25 13:41:19 +0000
75fb6f4946Accepting request 772451 from mozilla:Factory
Oliver Kurz
2020-02-14 15:27:50 +0000
2e89924539- update to NSS 3.49.2 Fixed bugs: * Fix compilation problems with NEON-specific code in freebl (bmo#1608327) * Fix a taskcluster issue with Python 2 / Python 3 (bmo#1608895)
Wolfgang Rosenauer
2020-02-08 16:32:51 +0000
93fc73f5ebAccepting request 761944 from mozilla:Factory
Dominique Leuenberger
2020-01-11 13:37:50 +0000
715468ec8f- update to NSS 3.48 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes Notable Changes * TLS 1.3 is the default maximum TLS version (bmo#1573118) * TLS extended master secret is enabled by default, where possible (bmo#1575411) * The master password PBE now uses 10,000 iterations by default when using the default sql (key4.db) storage (bmo#1562671) Certificate Authority Changes * Added Entrust Root Certification Authority - G4 Cert (bmo#1591178) Bugfixes - requires NSPR 4.24 * CVE-2019-17006 Add length checks for cryptographic primitives (bmo#1539788)
Wolfgang Rosenauer
2020-01-07 08:45:34 +0000
6ffb12d365Accepting request 754368 from mozilla:Factory
Dominique Leuenberger
2019-12-11 11:01:08 +0000
0f7b852964Accepting request 754355 from home:AndreasStieger:branches:mozilla:Factory
Wolfgang Rosenauer
2019-12-05 12:37:31 +0000
15aca89c40Accepting request 750687 from mozilla:Factory
Dominique Leuenberger
2019-12-02 10:29:10 +0000
52a07131b8- update to NSS 3.47.1 * CVE-2019-11745 - EncryptUpdate should use maxout, not block size * Fix a crash that could be caused by client certificates during startup (bmo#1590495) * Fix compile-time warnings from uninitialized variables in a perl script (bmo#1589810) Notable changes * Support AES HW acceleration on ARMv8 (bmo#1152625) * Allow per-socket run-time ordering of the cipher suites presented in ClientHello (bmo#1267894) * Add CMAC to FreeBL and PKCS #11 libraries (bmo#1570501) Bugfixes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes - requires NSPR 4.23
Wolfgang Rosenauer
2019-11-24 07:38:02 +0000
d2868a861e- update to NSS 3.47 * required by Firefox 71.0 * no upstream release notes available (yet) - requires NSPR 4.23
Wolfgang Rosenauer
2019-11-17 06:35:18 +0000
e1514e2df5Accepting request 742855 from mozilla:Factory
Dominique Leuenberger
2019-11-04 16:01:15 +0000
62605b96c6- update to NSS 3.46.1 * required by Firefox 70.0 Notable changes in 3.46 * The following CA certificates were Removed: expired Class 2 Primary root certificate expired UTN-USERFirst-Client root certificate expired Deutsche Telekom Root CA 2 root certificate Swisscom Root CA 2 root certificate * Significant improvements to AES-GCM performance on ARM Many bugfixes Bug fixes in 3.46.1 * Soft token MAC verification not constant time (bmo#1582343) * Remove arbitrary HKDF output limit by allocating space as needed (bmo#1577953) - requires NSPR 4.22
Wolfgang Rosenauer
2019-10-18 20:55:17 +0000
d16200034fAccepting request 733663 from mozilla:Factory
Dominique Leuenberger
2019-10-02 09:56:05 +0000
c3513b6180Accepting request 720828 from mozilla:Factory
Dominique Leuenberger
2019-09-05 10:07:05 +0000
da65ab3299- Require exact version libsoftokn3/libfreebl3 as there seems to
Wolfgang Rosenauer
2019-08-30 07:14:36 +0000
2af2e412d2Accepting request 726875 from home:pluskalm:branches:mozilla:Factory
Wolfgang Rosenauer
2019-08-30 06:37:13 +0000
78519384c7- update to NSS 3.45 (bsc#1141322) * required by Firefox 69.0 New functions * PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL. Notable changes * bmo#1540403 - Implement Delegated Credentials * bmo#1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto * bmo#1551129 - Support static linking on Windows * bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot * bmo#1546229 - Add IPSEC IKE support to softoken * bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23) * bmo#1543874 - Expose an external clock for SSL * bmo#1546477 - Various changes in response to the ongoing FIPS review Certificate Authority Changes * The following CA certificates were Removed: bmo#1552374 - CN = Certinomis - Root CA Bugs fixed * bmo#1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719) * bmo#1515342 - More thorough input checking (CVE-2019-11729) * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727) * bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed
Wolfgang Rosenauer
2019-08-03 21:32:27 +0000
0c5b621204- split hmac subpackages to match SLE's packaging
Wolfgang Rosenauer
2019-08-03 08:03:51 +0000
c02833f6f9Accepting request 713969 from mozilla:Factory
Dominique Leuenberger
2019-07-22 10:16:01 +0000
a83d017926Accepting request 717448 from home:marxin:branches:mozilla:Factory
Wolfgang Rosenauer
2019-07-22 07:16:21 +0000
f1ad8afe76- update to NSS 3.44.1 * required by Firefox 68.0 Bugs fixed * bmo#1554336 - Optimize away unneeded loop in mpi.c * bmo#1515342 - More thorough input checking * bmo#1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import * bmo#1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh * bmo#1546229 - Add IPSEC IKE support to softoken * bmo#1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys * bmo#1546477 - Updates to testing for FIPS validation * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 * bmo#1551041 - Unbreak build on GCC < 4.3 big-endian
Wolfgang Rosenauer
2019-07-08 07:31:28 +0000
0945bd4d97- update to NSS 3.44 * required by Firefox 68.0 New functions * CERT_GetCertificateDer - Access the DER-encoded form of a CERTCertificate Notable changes * It is now possible to build NSS as a static library (bmo#1543545) * Initial support for building for iOS Bugs fixed * full list https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44_release_notes - merge some baselibs fixes from SLE
Wolfgang Rosenauer
2019-06-12 21:59:32 +0000
55ad12fb68Accepting request 702840 from mozilla:Factory
Dominique Leuenberger
2019-05-17 21:37:55 +0000
4dc5341fd1- update to NSS 3.43 * required by Firefox 67.0 New functions * HASH_GetHashOidTagByHashType - convert type HASH_HashType to type SECOidTag * SSL_SendCertificateRequest - allow server to request post-handshake client authentication. To use this both peers need to enable the SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism is present, post-handshake authentication is currently not TLS 1.3 compliant due to bug 1532312 Notable changes * The following CA certificates were Added: - emSign Root CA - G1 - emSign ECC Root CA - G3 - emSign Root CA - C1 - emSign ECC Root CA - C3 - Hongkong Post Root CA 3 Bugs fixed * Improve Gyp build system handling (bmo#1528669, bmo#1529308) * Improve NSS S/MIME tests for Thunderbird (bmo#1529950, bmo#1521174) * If Docker isn't installed, try running a local clang-format as a fallback (bmo#1530134) * Enable FIPS mode automatically if the system FIPS mode flag is set (bmo#1531267) * Add a -J option to the strsclnt command to specify sigschemes (bmo#1528262) * Add manual for nss-policy-check (bmo#1513909) * Fix a deref after a null check in SECKEY_SetPublicValue (bmo#1531074) * Properly handle ESNI with HRR (bmo#1517714) * Expose HKDF-Expand-Label with mechanism (bmo#1529813) * Align TLS 1.3 HKDF trace levels (bmo#1535122)
Wolfgang Rosenauer
2019-04-23 12:14:51 +0000
1ab4b0f976Accepting request 686019 from mozilla:Factory
Dominique Leuenberger
2019-03-27 15:11:44 +0000
20f759b3c7- update to NSS 3.42.1 * required by Firefox 66.0 New functionality * Support XDG basedir specification (bmo#818686) Notable changes * added some testcases from the Wycheproof project Bugs fixed * Reject invalid CH.legacy_version in TLS 1.3 (bmo#1490006) * A fix for Solaris where Firefox 60 core dumps during start when using profile from version 52 (bmo#1513913)
Wolfgang Rosenauer
2019-03-17 10:11:02 +0000
2020048b9bAccepting request 669997 from mozilla:Factory
Stephan Kulow
2019-02-04 20:24:24 +0000
b94351d39a- update to NSS 3.41.1 * (3.41) required by Firefox 65.0 New functionality * Implemented EKU handling for IPsec IKE. (bmo#1252891) * Enable half-closed states for TLS. (bmo#1423043) * Enabled the following ciphersuites by default: (bmo#1493215) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 Notable changes * The following CA certificates were added: CN = Certigna Root CA CN = GTS Root R1 CN = GTS Root R2 CN = GTS Root R3 CN = GTS Root R4 CN = UCA Global G2 Root CN = UCA Extended Validation Root * The following CA certificates were removed: CN = AC Raíz Certicámara S.A. CN = Certplus Root CA G1 CN = Certplus Root CA G2 CN = OpenTrust Root CA G1 CN = OpenTrust Root CA G2 CN = OpenTrust Root CA G3 Bugs fixed * Reject empty supported_signature_algorithms in Certificate Request in TLS 1.2 (bmo#1412829) * Cache side-channel variant of the Bleichenbacher attack (bmo#1485864)
Wolfgang Rosenauer
2019-01-23 16:49:06 +0000
a1a6a1c1cfAccepting request 657061 from mozilla:Factory
Dominique Leuenberger
2018-12-19 12:26:06 +0000
56c24f32aa- update to NSS 3.40.1 * required by Firefox 64.0 * patch release fixes CVE-2018-12404 Notable bug fixes * FFDHE key exchange sometimes fails with decryption failure (bmo#1478698) New functionality * The draft-00 version of encrypted SNI support is implemented * tstclnt now takes -N option to specify encrypted SNI key Notable changes * The mozilla::pkix library has been ported from Mozilla PSM to NSS. This is a C++ library for building certification paths. mozilla::pkix APIs are not exposed in the libraries NSS builds. * It is easier to build NSS on Windows in mozilla-build environments * The following CA certificates were Removed: CN = Visa eCommerce Root
Wolfgang Rosenauer
2018-12-10 22:07:47 +0000
96d7217949Accepting request 644083 from mozilla:Factory
Dominique Leuenberger
2018-10-29 13:15:17 +0000
59089d94de- update to NSS 3.39 * required by Firefox 63.0 Notable bug fixes * NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384) (bmo#1483128) New functionality * The tstclnt and selfserv utilities added support for configuring the enabled TLS signature schemes using the -J parameter. * NSS will use RSA-PSS keys to authenticate in TLS. Support for these keys is disabled by default but can be enabled using SSL_SignatureSchemePrefSet(). * certutil added the ability to delete an orphan private key from an NSS key database. * Added the nss-policy-check utility, which can be used to check an NSS policy configuration for problems. * A PKCS#11 URI can be used as an identifier for a PKCS#11 token. Notable changes * The TLS 1.3 implementation uses the final version number from RFC 8446. * Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature where the DigestInfo structure was missing the NULL parameter. Starting with version 3.39, NSS requires the encoding to contain the NULL parameter. * The tstclnt and selfserv test utilities no longer accept the -z parameter, as support for TLS compression was removed in a previous NSS version. * The CA certificates list was updated to version 2.26. * The following CA certificates were Added: - OU = GlobalSign Root CA - R6 - CN = OISTE WISeKey Global Root GC CA
Wolfgang Rosenauer
2018-10-21 07:59:26 +0000
a1f288c7e0Accepting request 641946 from mozilla:Factory
Dominique Leuenberger
2018-10-18 13:29:09 +0000
6351a29138Accepting request 641937 from home:msmeissn:branches:mozilla:Factory
Wolfgang Rosenauer
2018-10-14 18:31:34 +0000
3e03c59ca8Accepting request 634751 from mozilla:Factory
Dominique Leuenberger
2018-10-01 07:03:05 +0000
c19e605ddc- update to NSS 3.38 * required by Firefox 62.0 New Functionality * Added support for the TLS Record Size Limit Extension * When creating a certificate request (CSR) using certutil -R, an existing orphan private key can be reused. Parameter -k may be used to specify the ID of an existing orphan key. The available orphan key IDs can be displayed using command certutil -K. * When using certutil -O to print the chain for a given certificate nickname, the new parameter --simple-self-signed may be provided, which can avoid ambiguous output in some scenarios. New Functions * SECITEM_MakeItem - Allocate and make an item with the requested contents (secitem.h) New Macros * SSL_RECORD_SIZE_LIMIT - used to control the TLS Record Size Limit Extension (in ssl.h) Notable Changes * Fixed CVE-2018-0495 (bmo#1464971) * Various security fixes in the ASN.1 code * NSS automatically enables caching for SQL database storage on Linux, if it is located on a network filesystem that's known to benefit from caching. * When repeatedly importing the same certificate into an SQL database, the existing nickname will be kept.
Wolfgang Rosenauer
2018-09-10 12:44:44 +0000
00b9a0165fAccepting request 618894 from mozilla:Factory
Dominique Leuenberger
2018-07-04 21:48:37 +0000
09045d720a- update to NSS 3.37.3 * required by Firefox 61.0 Notable changes: * The TLS 1.3 implementation was updated to Draft 28. * Added HACL* Poly1305 32-bit * The code to support the NPN protocol has been fully removed. * NSS allows servers now to register ALPN handling callbacks to select a protocol. * NSS supports opening SQL databases in read-only mode. * On Linux, some build configurations can use glibc's function getentropy(), which uses the kernel's getrandom() function. * The CA list was updated to version 2.24, which removed the following CA certificates: - CN = S-TRUST Universal Root CA - CN = TC TrustCenter Class 3 CA II - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 * Fix build on armv6/armv7 and other platforms (bmo#1459739)
Wolfgang Rosenauer
2018-06-23 14:10:30 +0000
Richard Brown
Wolfgang Rosenauer
Dominique Leuenberger
Oliver Kurz
Stephan Kulow