-------------------------------------------------------------------
Mon Oct 14 13:00:15 UTC 2013 - pcerny@suse.com

- update to 3.15.2 (bnc#847708)
  * Support for AES-GCM ciphersuites that use the SHA-256 PRF
  * MD2, MD4, and MD5 signatures are no longer accepted for OCSP
    or CRLs
  * Add PK11_CipherFinal macro
  * sizeof() used incorrectly
  * nssutil_ReadSecmodDB() leaks memory
  * Allow SSL_HandshakeNegotiatedExtension to be called before
    the handshake is finished.
  * Deprecate the SSL cipher policy code
  * Avoid uninitialized data read in the event of a decryption
    failure. (CVE-2013-1739)
- update to 3.15.1
  * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites
    (RFC 5246 and RFC 5289) are supported, allowing TLS to be used
    without MD5 and SHA-1.
    Note the following limitations:
      The hash function used in the signature for TLS 1.2 client
      authentication must be the hash function of the TLS 1.2 PRF,
      which is always SHA-256 in NSS 3.15.1.
      AES GCM cipher suites are not yet supported.
  * some bugfixes and improvements
- update to 3.15
  * New Functionality
    + Support for OCSP Stapling (RFC 6066, Certificate Status
      Request) has been added for both client and server sockets.
      TLS client applications may enable this via a call to
      SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
    + Added function SECITEM_ReallocItemV2. It replaces function
      SECITEM_ReallocItem, which is now declared as obsolete.
    + Support for single-operation (eg: not multi-part) symmetric
      key encryption and decryption, via PK11_Encrypt and
      PK11_Decrypt.
    + certutil has been updated to support creating name
      constraints extensions.
  * New Functions
    + in ssl.h
      SSL_PeerStapledOCSPResponse - Returns the server's stapled
        OCSP response, when used with a TLS client socket that
        negotiated the status_request extension.
      SSL_SetStapledOCSPResponses - Sets a stapled OCSP response
        for a TLS server socket to return when clients send the
        status_request extension.
    + in ocsp.h
      CERT_PostOCSPRequest - Primarily intended for testing,
        permits the sending and receiving of raw OCSP
        request/responses.
    + in secpkcs7.h
      SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7
        signature at a specific time other than the present time.
    + in xconst.h
      CERT_EncodeNameConstraintsExtension - Matching function for
        CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
    + in secitem.h
      SECITEM_AllocArray
      SECITEM_DupArray
      SECITEM_FreeArray
      SECITEM_ZfreeArray - Utility functions to handle the
        allocation and deallocation of SECItemArrays
      SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which
        is now obsolete. SECITEM_ReallocItemV2 better matches
        caller expectations, in that it updates item->len on
        allocation. For more details of the issues with
        SECITEM_ReallocItem, see Bug 298649 and Bug 298938.
    + in pk11pub.h
      PK11_Decrypt - Performs decryption as a single PKCS#11
        operation (eg: not multi-part). This is necessary for
        AES-GCM.
      PK11_Encrypt - Performs encryption as a single PKCS#11
        operation (eg: not multi-part). This is necessary for
        AES-GCM.
  * New Types
    in secitem.h
      SECItemArray - Represents a variable-length array of
        SECItems.
  * New Macros
    in ssl.h
      SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to
        configure TLS client sockets to request the
        certificate_status extension (eg: OCSP stapling) when set
        to PR_TRUE
  * Notable changes
    + SECITEM_ReallocItem is now deprecated. Please consider using
      SECITEM_ReallocItemV2 in all future code.
    + The list of root CA certificates in the nssckbi module has
      been updated.
    + The default implementation of SSL_AuthCertificate has been
      updated to add certificate status responses stapled by the
      TLS server to the OCSP cache.
  * a lot of bugfixes
- require libnssckbi instead of mozilla-nss-certs so p11-kit can
  conflict with the latter (fate#314991)
- removing obsolete patch nss-disable-expired-testcerts.patch
- require NSPR >= 4.10.1

-------------------------------------------------------------------
Wed Apr  3 09:45:23 UTC 2013 - pcerny@suse.com

- update to 3.14.3 (bnc#813026)
- disable tests with expired certificates
- require NSPR >= 4.9.6

-------------------------------------------------------------------
Wed Feb  6 17:38:13 UTC 2013 - pcerny@suse.com

- update to 3.14.2
  * required for Firefox >= 20
  * removed obsolete nssckbi update patch
- added system-sqlite.patch (bmo#837799)
  * do not depend on latest sqlite just for a #define

-------------------------------------------------------------------
Tue Jan  8 09:35:58 UTC 2013 - pcerny@suse.com

- updated CA database (nssckbi-1.93.patch)
  * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628)
    revoke mis-issued intermediate certificates from TURKTRUST
- update to 3.14.1 RTM (several bugfixes)
- require mozilla-nspr >= 4.9.4

-------------------------------------------------------------------
Mon Nov 19 17:45:19 UTC 2012 - pcerny@suse.com

- update to 3.14 RTM
  * Support for TLS 1.1 (RFC 4346)
  * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP
    (RFC 5764)
  * Support for AES-CTR, AES-CTS, and AES-GCM
  * Support for Keying Material Exporters for TLS (RFC 5705)
  * Support for certificate signatures using the MD5 hash
    algorithm is now disabled by default
  * Export and DES cipher suites are disabled by default.
    Non-ECC AES and Triple DES cipher suites are enabled by
    default
- license change from tri-license to MPL-2.0
  * for more information about MPL 2.0, please see
    http://www.mozilla.org/MPL/2.0/FAQ.html
    and security/nss/COPYING in the source code
- disabled OCSP testcases since they need external network
  (nss-disable-ocsp-test.patch)
- require mozilla-nspr >= 4.9.3

-------------------------------------------------------------------
Tue Aug 28 19:23:14 UTC 2012 - pcerny@suse.com

- update to 3.13.6 RTM
  * root CA update
  * other bugfixes
- require mozilla-nspr >= 4.9.2

-------------------------------------------------------------------
Mon Jun 11 13:03:56 UTC 2012 - pcerny@suse.com

- require mozilla-nspr >= 4.9.0

-------------------------------------------------------------------
Mon Jun 11 07:38:48 UTC 2012 - meissner@suse.com

- bumped mozilla-nspr requirement to 4.9.1

-------------------------------------------------------------------
Tue Jun  5 15:27:35 UTC 2012 - pcerny@suse.com

- update to version 3.13.5
  * small bugfixes (memory leaks)

-------------------------------------------------------------------
Mon Apr 23 14:06:06 UTC 2012 - pcerny@suse.com

- update to 3.13.4 RTM
  * fixed some bugs
  * fixed cert verification regression in PKIX mode (bmo#737802)
    introduced in 3.13.2

-------------------------------------------------------------------
Wed Mar 14 23:04:03 UTC 2012 - pcerny@suse.com

- update to 3.13.3 RTM
  * distrust Trustwave's MITM certificates (bmo#724929)
  * fix generic blacklisting mechanism (bmo#727204)
- removed obsolete patch ckbi-1_88.patch

-------------------------------------------------------------------
Wed Nov  9 12:08:25 UTC 2011 - pcerny@suse.com

- update to 3.13.1 RTM
  * better SHA-224 support (bmo#647706)
  * fixed a regression (causing hangs in some situations)
    introduced in 3.13 (bmo#693228)
- changes from update to 3.13.0 RTM
  * SSL 2.0 is disabled by default
  * A defense against the SSL 3.0 and TLS 1.0 CBC chosen
    plaintext attack demonstrated by Rizzo and Duong
    (CVE-2011-3389) is enabled by default. Set the
    SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it.
  * SHA-224 is supported
  * Ported to iOS. (Requires NSPR 4.9.)
  * Added PORT_ErrorToString and PORT_ErrorToName to return the
    error message and symbolic name of an NSS error code
  * Added NSS_GetVersion to return the NSS version string
  * Added experimental support of RSA-PSS to the softoken only
  * NSS_NoDB_Init does not try to open /pkcs11.txt and
    /secmod.db anymore (bmo#641052, bnc#726096)
- explicitly distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753)

-------------------------------------------------------------------
Sun Sep 11 09:18:27 UTC 2011 - pcerny@suse.com

- update to 3.12.11 (v1.87) (bnc#714931)
  * extensive blocking of DigiNotar CAs (bmo#683449)

-------------------------------------------------------------------
Fri Sep  2 14:10:41 UTC 2011 - pcerny@suse.com

- update to 3.12.11
- update to 3.12.10
  * root CA changes
  * filter certain bogus certs (bmo#642815)
  * fix minor memory leaks
  * other bugfixes
- update to 3.12.9
  * fix minor memory leaks (bmo#619268)
  * fix crash in nss_cms_decoder_work_data (bmo#607058)
  * fix crash in certutil (bmo#620908)
  * handle invalid argument in JPAKE (bmo#609068)
  * J-PAKE support (API requirement for Firefox >= 4.0b8)
- replaced expired PayPal test certificate (fixing testsuite)
- removed DigiNotar root certificate from trusted db
  (bmo#682927, bnc#714931)

-------------------------------------------------------------------
Wed Sep 29 16:07:59 CEST 2010 - wr@rosenauer.org

- update to 3.12.8 RTM release
  * support TLS false start (needed for Firefox4) (bmo#525092)
  * fix wildcard matching for IP addresses (bnc#637290,
    bmo#578697) (CVE-2010-3170)
  * bugfixes

-------------------------------------------------------------------
Sat Apr  3 19:22:08 CEST 2010 - wr@rosenauer.org

- update to 3.12.6 RTM release (bmo#586567)
- change renegotiation behaviour to the old default for a
  transition phase
- disabled a test using an expired cert (bmo#557071)

-------------------------------------------------------------------
Fri Aug 14 08:51:00 CEST 2009 - wr@rosenauer.org

- update to 3.12.4 RTM release

-------------------------------------------------------------------
Fri Aug  7 13:10:22 CEST 2009 - wr@rosenauer.org

- update to recent snapshot (20090806)
- libnssdbm3.so has to be signed starting with 3.12.4

-------------------------------------------------------------------
Mon Aug  3 18:45:02 CEST 2009 - wr@rosenauer.org

- update to NSS 3.12.4pre snapshot
- rebased existing patches
- enable testsuite again (was disabled accidentally before)

-------------------------------------------------------------------
Wed Jul 29 09:40:02 CEST 2009 - wr@rosenauer.org

- update to NSS 3.12.3.1 (upstream use in FF 3.5.1) (bmo#504611)
  * RNG_SystemInfoForRNG called twice by nsc_CommonInitialize
    (bmo#489811; other changes are unrelated to Linux)
- moved shlibsign to tools package again (as it's not needed at
  library install time anymore)
- use %{_libexecdir} for the tools

-------------------------------------------------------------------
Sat Jun  6 15:37:13 CEST 2009 - wr@rosenauer.org

- Temporary testsuite fix for Factory (bnc#509308) (malloc.patch)
- remove the post scriptlet which created the *.chk files and
  use a RPM feature to create them after debuginfo stuff

-------------------------------------------------------------------
Tue Jun  2 09:41:34 CEST 2009 - wr@rosenauer.org

- updated builtin root certs by updating to
  NSS_3_12_3_WITH_CKBI_1_75_RTM tag which is supposed to be the
  base for Firefox 3.5.0
- PreReq coreutils in the main package already as "rm" is used
  in its %post script
- disable testsuite for this moment as it crashes on Factory
  currently for an unknown reason

-------------------------------------------------------------------
Thu May 21 09:03:17 CEST 2009 - wr@rosenauer.org

- renew Paypal certs to fix testsuite errors (bmo#491163)

-------------------------------------------------------------------
Mon Apr 20 14:47:43 CEST 2009 - wr@rosenauer.org

- update to version 3.12.3 RTM
  * default behaviour changed slightly but can be set up
    backward compatible using environment variables
    https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables
  * New Korean SEED cipher
  * Some new functions in the nss library:
    CERT_RFC1485_EscapeAndQuote (see cert.h)
    CERT_CompareCerts (see cert.h)
    CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h)
    PK11_GetSymKeyHandle (see pk11pqg.h)
    UTIL_SetForkState (see secoid.h)
    NSS_GetAlgorithmPolicy (see secoid.h)
    NSS_SetAlgorithmPolicy (see secoid.h)
- created libfreebl3 subpackage and build it w/o nspr and nss deps
- added patch to make all ASM noexecstack
- create the softokn3 and freebl3 checksums at installation time
  (moved shlibsign to the main package to achieve that)
- applied upstream patch to avoid OCSP test failures (bmo#488646)
- applied upstream patch to fix libjar crashes (bmo#485145)

-------------------------------------------------------------------
Wed Feb  4 08:46:15 CET 2009 - wr@rosenauer.org

- update to version 3.12.2 RTM (with CKBI 1.73) as in FF 3.0.6

-------------------------------------------------------------------
Tue Jan 13 09:10:29 CET 2009 - wr@rosenauer.org

- update to version 3.12.2rc1 (as used by FF 3.0.5)
  * NSS is now using system zlib (bmo#302670)
- create a system wide, sql based NSS database in /etc/pki/nssdb
  (let previously created /etc/ssl/nssdb untouched)

-------------------------------------------------------------------
Wed Jan  7 12:34:56 CET 2009 - olh@suse.de

- obsolete old -XXbit packages (bnc#437293)

-------------------------------------------------------------------
Thu Oct 23 15:03:11 CDT 2008 - maw@suse.de

- Review and approve changes.

-------------------------------------------------------------------
Thu Aug 21 11:36:37 CEST 2008 - wr@rosenauer.org

- run testsuite (bnc#418233)

-------------------------------------------------------------------
Tue Jun 17 19:15:49 CEST 2008 - maw@suse.de

- Merge changes from the build service (thanks, Wolfgang)
  (bnc#400001 and SWAMP#18164).

-------------------------------------------------------------------
Wed May 28 21:05:13 CEST 2008 - wr@rosenauer.org

- update to 3.12.0rc4 (20080528) (featuring FF3.0)

-------------------------------------------------------------------
Tue Apr 29 20:41:34 CEST 2008 - maw@suse.de

- Prerequire coretools in the -tools subpackage (bnc#379540)
- Require sqlite3-devel to build.

-------------------------------------------------------------------
Mon Apr 14 18:52:59 CEST 2008 - maw@suse.de

- Merge some fixes from the build service's version.

-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de

- added baselibs.conf file to build xxbit packages
  for multilib support

-------------------------------------------------------------------
Mon Mar 31 18:55:42 CEST 2008 - maw@suse.de

- Undo the shared library package split, per discussion in
  opensuse-packaging.

-------------------------------------------------------------------
Mon Mar 31 14:22:17 CEST 2008 - wr@rosenauer.org

- new snapshot still based on 3.12.0 Beta 3 (20080330)

-------------------------------------------------------------------
Tue Mar 25 22:21:18 CET 2008 - maw@suse.de

- Merge changes from the build service (thanks, Wolfgang)
- Update to a new snapshot of nss based on 3.12.0 Beta 2:
  + Update build requirements accordingly
  + Add nss-sqlitename.patch and nss-no-rpath.patch
- Split out a shared library subpackage.

-------------------------------------------------------------------
Mon Dec 10 16:22:37 CET 2007 - rguenther@suse.de

- disable use of freebl/mpi/mp_comba.c. [#346256]

-------------------------------------------------------------------
Sun Sep 16 10:27:06 CEST 2007 - coolo@suse.de

- fixing errors in %post during installation

-------------------------------------------------------------------
Thu Sep 13 22:26:57 CEST 2007 - jberkman@novell.com

- merge -tools package into main package
- create system-wide nssdb for system configuration of smart
  cards, as used by pam_pkcs11, krb5 pkinit, and others

-------------------------------------------------------------------
Thu Jul 26 20:18:38 CEST 2007 - maw@suse.de

- Update to version 3.11.7 (from the build service)
- Bug fixes.

-------------------------------------------------------------------
Mon Jun 11 11:41:27 CEST 2007 - ro@suse.de

- use string[0] instead of string in char.patch

-------------------------------------------------------------------
Mon Jun 11 11:33:34 CEST 2007 - ro@suse.de

- update to NSS 3.11.6 (pull in from wr from opensuse BS)

-------------------------------------------------------------------
Wed Feb 21 16:55:06 CST 2007 - maw@suse.de

- Update to NSS 3.11.5 (thanks, Wolfgang)

-------------------------------------------------------------------
Sun Oct  1 23:01:38 CEST 2006 - wr@rosenauer.org

- update to NSS 3.11.3
- requires NSPR 4.6.3 (pkgconfig)

-------------------------------------------------------------------
Wed Sep  6 08:23:45 CEST 2006 - stark@suse.de

- update to NSS_3_11_20060905_TAG to be in sync with Gecko 1.8.1

-------------------------------------------------------------------
Mon Aug  7 13:53:55 CEST 2006 - stark@suse.de

- enabled usage of ECC

-------------------------------------------------------------------
Sat Aug  5 09:50:47 CEST 2006 - stark@suse.de

- update to NSS_3_11_20060731_TAG to be in sync with Gecko 1.8.1

-------------------------------------------------------------------
Fri Jul 28 07:09:44 CEST 2006 - stark@suse.de

- fixed usage of uninitialized pointers (uninit.patch)
- requires NSPR 4.6.2

-------------------------------------------------------------------
Sat Jul  1 23:37:52 CEST 2006 - stark@suse.de

- update to 3.11.2 RTM version
  * ECC not enabled but defines needed symbols

-------------------------------------------------------------------
Thu Jun  8 11:45:14 CEST 2006 - stark@suse.de

- update to 3.11.2 beta
  * enabled ECC (needed since MOZILLA_1_8_BRANCH)

-------------------------------------------------------------------
Mon May 15 20:38:37 CEST 2006 - stark@suse.de

- update to 3.11.1 RTM version including:
  * TLS server name indication extension support
  * implement RFC 3546 (TLS v1.0 extensions)
  * fixed bugs found by Coverity

-------------------------------------------------------------------
Mon Jan 30 08:34:45 CET 2006 - stark@suse.de

- removed additional CA certs
- removed zip from BuildRequires

-------------------------------------------------------------------
Wed Jan 25 21:32:31 CET 2006 - mls@suse.de

- converted neededforbuild to BuildRequires

-------------------------------------------------------------------
Wed Jan 11 16:15:18 CET 2006 - stark@suse.de

- install nss-config executable

-------------------------------------------------------------------
Fri Dec 16 20:24:05 CET 2005 - stark@suse.de

- marked libfreebl3.so noexec stack

-------------------------------------------------------------------
Fri Dec 16 09:41:15 CET 2005 - stark@suse.de

- update to 3.11 RTM version
- provide nss-config file
- added static libs
- moved include files to /usr/include/nss3
- only ship a subset of the tools

-------------------------------------------------------------------
Sat Nov 26 14:54:03 CET 2005 - stark@suse.de

- update to 3.11rc1
- fixed PC file for 64bit archs

-------------------------------------------------------------------
Tue Nov 15 07:35:25 CET 2005 - stark@suse.de

- update to current 3.10.2 snapshot (20051114)

-------------------------------------------------------------------
Wed Nov  2 12:17:23 CET 2005 - stark@suse.de

- added tools subpackage which provides all NSS related tools
  for managing and debugging NSS stuff

-------------------------------------------------------------------
Tue Oct 11 07:08:38 CEST 2005 - stark@suse.de

- update to current 3.10.2 snapshot

-------------------------------------------------------------------
Mon Sep 26 21:59:00 CEST 2005 - stark@suse.de

- prerequire the correct NSPR version

-------------------------------------------------------------------
Thu Sep 22 07:15:30 CEST 2005 - stark@suse.de

- update to NSS_3_10_2_BETA1

-------------------------------------------------------------------
Tue Jul  5 15:33:18 CEST 2005 - stark@suse.de

- use RPM_OPT_FLAGS
- fixed requirements for devel package

-------------------------------------------------------------------
Wed Jun  8 09:19:59 CEST 2005 - stark@suse.de

- added pkgconfig file
- fixed permission for include directory
- fixed compiler/abuild warning
- included correct header files

-------------------------------------------------------------------
Mon May  9 09:34:30 CEST 2005 - stark@suse.de

- update to 3.10 RTM version

-------------------------------------------------------------------
Wed Apr 27 07:52:55 CEST 2005 - stark@suse.de

- don't package static libs
- copy NSPR static libs from new location

-------------------------------------------------------------------
Thu Apr  7 09:08:22 CEST 2005 - stark@suse.de

- update to 3.10beta3

-------------------------------------------------------------------
Fri Apr  1 15:55:58 CEST 2005 - stark@suse.de

- don't parallelize build

-------------------------------------------------------------------
Thu Mar 31 07:39:45 CEST 2005 - stark@suse.de

- fixed build on other archs
- update to 3.10beta2

-------------------------------------------------------------------
Sat Mar 19 13:36:51 CET 2005 - stark@suse.de

- update to 3.10beta1

-------------------------------------------------------------------
Tue Mar  8 09:16:59 CET 2005 - stark@suse.de

- initial standalone package