Default branch: MAIN

Revision 1.171, Wed Aug 30 22:25:20 2023 UTC (4 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2023Q3-base, pkgsrc-2023Q3, HEAD
Changes since 1.170: +4 -4 lines
nss: update to 3.93.
- Bug 1849471 - Update zlib in NSS to 1.3.
- Bug 1848183 - softoken: iterate hashUpdate calls for long inputs.
- Bug 1813401 - regenerate NameConstraints test certificates.

Revision 1.170, Thu Jul 27 15:14:02 2023 UTC (2 months ago) by wiz
Branch: MAIN
Changes since 1.169: +4 -4 lines
nss: update to 3.92.
Changes:
- Bug 1822935 - Set nssckbi version number to 2.62.
- Bug 1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS.
- Bug 1839992 - Add 4 SSL.com Root CA certificates.
- Bug 1840429 - Add Sectigo E46 and R46 Root CA certificates.
- Bug 1840437 - Add LAWtrust Root CA2 (4096).
- Bug 1822936 - Remove E-Tugra Certification Authority root.
- Bug 1827224 - Remove Camerfirma Chambers of Commerce Root.
- Bug 1840505 - Remove Hongkong Post Root CA 1.
- Bug 1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3.
- Bug 1842937 - Avoid redefining BYTE_ORDER on hppa Linux.

Revision 1.169, Fri Jun 30 07:05:55 2023 UTC (2 months, 4 weeks ago) by wiz
Branch: MAIN
Changes since 1.168: +4 -4 lines
nss: update to 3.91. Bugfix release.

Revision 1.168, Tue Jun 27 10:44:46 2023 UTC (3 months ago) by riastradh
Branch: MAIN
Changes since 1.167: +2 -1 lines
devel/nss: Fix cross-build under TOOLBASE/LOCALBASE split. Omit needless TOOL_DEPENDS on nspr; patch the problem away instead.

Revision 1.167, Fri May 5 21:01:20 2023 UTC (4 months, 3 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2023Q2-base, pkgsrc-2023Q2
Changes since 1.166: +4 -4 lines
nss: update to 3.89.1.
Changes:
- Bug 1804505 - Update the technical constraints for KamuSM.
- Bug 1822921 - Add BJCA Global Root CA1 and CA2 root certificates.

Revision 1.166, Mon Mar 13 18:15:39 2023 UTC (6 months, 2 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2023Q1-base, pkgsrc-2023Q1
Changes since 1.165: +4 -4 lines
nss: update to 3.89.
Changes:
- Bug 1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase.
- Bug 1820175 - PR_STATIC_ASSERT is cursed.
- Bug 1767883 - Need to add policy control to keys lengths for signatures.
- Bug 1820175 - Fix unreachable code warning in fuzz builds.
- Bug 1820175 - Fix various compiler warnings in NSS.
- Bug 1820175 - Enable various compiler warnings for clang builds.
- Bug 1815136 - set PORT error after sftk_HMACCmp failure.
- Bug 1767883 - Need to add policy control to keys lengths for signatures.
- Bug 1804662 - remove data length assertion in sec_PKCS7Decrypt.
- Bug 1804660 - Make high tag number assertion failure an error.
- Bug 1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384.
- Bug 1815167 - Tolerate certificate_authorities xtn in ClientHello.
- Bug 1789436 - Fix build failure on Windows.
- Bug 1811337 - migrate Win 2012 tasks to Azure.
- Bug 1810702 - fix title length in doc.
- Bug 1570615 - Add interop tests for HRR and PSK to GREASE suite.
- Bug 1570615 - Add presence/absence tests for TLS GREASE.
- Bug 1804688 - Correct addition of GREASE value to ALPN xtn.
- Bug 1789436 - CH extension permutation.
- Bug 1570615 - TLS GREASE (RFC8701).
- Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
- Bug 1815870 - use a different treeherder symbol for each docker image build task.
- Bug 1815868 - pin an older version of the ubuntu:18.04 and 20.04 docker images.
- Bug 1810702 - remove nested table in rst doc.
- Bug 1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
- Bug 1812671 - build failure while implicitly casting SECStatus to PRUInt32.

Revision 1.165, Fri Feb 10 07:32:45 2023 UTC (7 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.164: +4 -4 lines
nss: update to 3.88.1.
- Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.

Revision 1.164, Thu Feb 9 19:19:52 2023 UTC (7 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.163: +4 -4 lines
nss: update to 3.88.
Changes:
- Bug 1815870 - use a different treeherder symbol for each docker image build task.
- Bug 1815868 - pin an older version of the ubuntu:18.04 and 20.04 docker images
- Bug 1810702 - remove nested table in rst doc
- Bug 1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
- Bug 1812671 - build failure while implicitly casting SECStatus to PRUInt32. r=nss-reviewers,mt
- Bug 1212915 - Add check for ClientHello SID max length. This is tested by Bogo tests
- Bug 1771100 - Added EarlyData ALPN test support to BoGo shim.
- Bug 1790357 - ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup.
- Bug 1714245 - On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm.
- Bug 1789410 - ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test.
- Bug 1771100 - Added Bogo ECH rejection test support.
- Bug 1771100 - Added ECH 0Rtt support to BoGo shim.
- Bug 1747957 - RSA OAEP Wycheproof JSON
- Bug 1747957 - RSA decrypt Wycheproof JSON
- Bug 1747957 - ECDSA Wycheproof JSON
- Bug 1747957 - ECDH Wycheproof JSON
- Bug 1747957 - PKCS#1v1.5 wycheproof json
- Bug 1747957 - Use X25519 wycheproof json
- Bug 1766767 - Move scripts to python3
- Bug 1809627 - Properly link FuzzingEngine for oss-fuzz.
- Bug 1805907 - Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384)
- Bug 1804091 NSS needs to move off of DSA for integrity checks
- Bug 1805815 - Add initial testing with ACVP vector sets using acvp-rust
- Bug 1806369 - Don't clone libFuzzer, rely on clang instead

Revision 1.163, Thu Jan 5 23:17:49 2023 UTC (8 months, 3 weeks ago) by wiz
Branch: MAIN
Changes since 1.162: +4 -4 lines
nss: update to 3.87.
Changes:
- Bug 1803226 - NULL password encoding incorrect.
- Bug 1804071 - Fix rng stub signature for fuzzing builds.
- Bug 1803595 - Updating the compiler parsing for build.
- Bug 1749030 - Modification of supported compilers.
- Bug 1774654 tstclnt crashes when accessing gnutls server without a user cert in the database.
- Bug 1751707 - Add configuration option to enable source-based coverage sanitizer.
- Bug 1751705 - Update ECCKiila generated files.
- Bug 1730353 - Add support for the LoongArch 64-bit architecture.
- Bug 1798823 - add checks for zero-length RSA modulus to avoid memory errors and failed assertions later.
- Bug 1798823 - Additional zero-length RSA modulus checks.

Revision 1.162, Thu Dec 8 23:39:31 2022 UTC (9 months, 2 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q4-base, pkgsrc-2022Q4
Changes since 1.161: +4 -4 lines
nss: update to 3.86.
Changes:
- Bug 1803190 - conscious language removal in NSS.
- Bug 1794506 - Set nssckbi version number to 2.60.
- Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates.
- Bug 1799038 - Remove Staat der Nederlanden EV Root CA from NSS.
- Bug 1797559 - Remove EC-ACC root cert from NSS.
- Bug 1794507 - Remove SwissSign Platinum CA - G2 from NSS.
- Bug 1794495 - Remove Network Solutions Certificate Authority.
- Bug 1802331 - compress docker image artifact with zstd.
- Bug 1799315 - Migrate nss from AWS to GCP.
- Bug 1800989 - Enable static builds in the CI.
- Bug 1765759 - Removing SAW docker from the NSS build system.
- Bug 1783231 - Initialising variables in the rsa blinding code.
- Bug 320582 - Implementation of the double-signing of the message for ECDSA.
- Bug 1783231 - Adding exponent blinding for RSA.

Revision 1.161, Thu Nov 10 19:25:25 2022 UTC (10 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.160: +4 -4 lines
nss: update to 3.85.
Changes:
- Bug 1792821 - Modification of the primes.c and dhe-params.c in order to have better looking tables.
- Bug 1796815 - Update zlib in NSS to 1.2.13.
- Bug 1796504 - Skip building modutil and shlibsign when building in Firefox.
- Bug 1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard.
- Bug 1796407 - Fix -Wunused-but-set-variable warning from clang 15.
- Bug 1796308 - Fix -Wtautological-constant-out-of-range-compare and -Wtype-limits warnings.
- Bug 1796281 - Followup: add missing stdint.h include.
- Bug 1796281 - Fix -Wint-to-void-pointer-cast warnings.
- Bug 1796280 - Fix -Wunused-{function,variable,but-set-variable} warnings on Windows.
- Bug 1796079 - Fix -Wstring-conversion warnings.
- Bug 1796075 - Fix -Wempty-body warnings.
- Bug 1795242 - Fix unused-but-set-parameter warning.
- Bug 1795241 - Fix unreachable-code warnings.
- Bug 1795222 - Mark _nss_version_c unused on clang-cl.
- Bug 1795668 - Remove redundant variable definitions in lowhashtest.
- No bug - Add note about python executable to build instructions.

Revision 1.160, Fri Oct 14 00:17:00 2022 UTC (11 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.159: +4 -4 lines
nss: update to 3.84.
Changes:
- Bug 1791699 - Bump minimum NSPR version to 4.35.
- Bug 1792103 - Add a flag to disable building libnssckbi.

Revision 1.159, Thu Sep 15 19:55:51 2022 UTC (12 months, 1 week ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3
Changes since 1.158: +4 -4 lines
nss: update to 3.83.
Changes:
- Bug 1788875 - Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags
- Bug 1563221 - remove older oses that are unused part3/ BeOS
- Bug 1563221 - remove older unix support in NSS part 3 Irix
- Bug 1563221 - remove support for older unix in NSS part 2 DGUX
- Bug 1563221 - remove support for older unix in NSS part 1 OSF
- Bug 1778413 - Set nssckbi version number to 2.58
- Bug 1785297 - Add two SECOM root certificates to NSS
- Bug 1787075 - Add two DigitalSign root certificates to NSS
- Bug 1778412 - Remove Camerfirma Global Chambersign Root from NSS
- Bug 1771100 - Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test
- Bug 1779361 - Removed skipping of ECH on equality of private and public server name
- Bug 1779357 - Added comment and bug reference to ECHRandomHRRExtension bogo test
- Bug 1779370 - Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR
- Bug 1779234 - Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing
- Bug 1771100 - Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo
- Bug 1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs
- Bug 1771100 - Update BoGo tests to recent BoringSSL version
- Bug 1785846 - Bump minimum NSPR version to 4.34.1

Revision 1.158, Fri Aug 19 16:34:54 2022 UTC (13 months, 1 week ago) by wiz
Branch: MAIN
Changes since 1.157: +4 -4 lines
nss: update to 3.82.
Changes:
- Bug 1330271 - check for null template in sec_asn1{d,e}_push_state
- Bug 1735925 - QuickDER: Forbid NULL tags with non-zero length
- Bug 1784724 - Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
- Bug 1784191 - Cast the result of GetProcAddress
- Bug 1681099 - pk11wrap: Tighten certificate lookup based on PKCS #11 URI.

Revision 1.157, Thu Jul 21 13:52:50 2022 UTC (14 months, 1 week ago) by wiz
Branch: MAIN
Changes since 1.156: +4 -4 lines
nss: update to 3.81.
Changes:
- Bug 1762831: Enable aarch64 hardware crypto support on OpenBSD.
- Bug 1775359 - make NSS_SecureMemcmp 0/1 valued.
- Bug 1779285: Add no_application_protocol alert handler and test client error code is set.
- Bug 1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.

Revision 1.156, Sat Jul 16 19:11:15 2022 UTC (14 months, 1 week ago) by tnn
Branch: MAIN
Changes since 1.155: +1 -3 lines
nss: remove no longer needed aarch64 patches

Revision 1.155, Fri Jun 24 06:10:38 2022 UTC (15 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2
Changes since 1.154: +4 -4 lines
nss: update to 3.80.
Ok during freeze: gdt@
Changes:
- Bug 1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
- Bug 1617956 - Add support for asynchronous client auth hooks.
- Bug 1497537 - nss-policy-check: make unknown keyword check optional.
- Bug 1765383 - GatherBuffer: Reduced plaintext buffer allocations by allocating it on initialization. Replaced redundant code with assert. Debug builds: Added buffer freeing/allocation for each record.
- Bug 1773022 - Mark 3.79 as an ESR release.
- Bug 1764206 - Bump nssckbi version number for June.
- Bug 1759815 - Remove Hellenic Academic 2011 Root.
- Bug 1770267 - Add E-Tugra Roots.
- Bug 1768970 - Add Certainly Roots.
- Bug 1764392 - Add DigitCert Roots.
- Bug 1759794 - Protect SFTKSlot needLogin with slotLock.
- Bug 1366464 - Compare signature and signatureAlgorithm fields in legacy certificate verifier.
- Bug 1771497 - Uninitialized value in cert_VerifyCertChainOld.
- Bug 1771495 - Unchecked return code in sec_DecodeSigAlg.
- Bug 1771498 - Uninitialized value in cert_ComputeCertType.
- Bug 1760998 - Avoid data race on primary password change.
- Bug 1769063 - Replace ppc64 dcbzl intrinsic.
- Bug 1771036 - Allow LDFLAGS override in makefile builds.

Revision 1.154, Tue May 31 20:30:10 2022 UTC (15 months, 4 weeks ago) by wiz
Branch: MAIN
Changes since 1.153: +4 -4 lines
nss: update to 3.79.
This release fixes memory safety violations that can occur when parsing CMS data. We presume that with enough effort these memory safety violations are exploitable.
Change:
- Bug 205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Bug 1766907 - Update mercurial in clang-format docker image.
- Bug 1454072 - Use of uninitialized pointer in lg_init after alloc fail.
- Bug 1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Bug 1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
- Bug 1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Bug 1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- Bug 1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Bug 1764788 - Correct invalid record inner and outer content type alerts.
- Bug 1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- Bug 1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
- Bug 1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- Bug 1769302 - NSS 3.79 should depend on NSPR 4.34

Revision 1.153, Fri May 13 13:40:36 2022 UTC (16 months, 2 weeks ago) by tnn
Branch: MAIN
Changes since 1.152: +2 -1 lines
nss: try to fix macOS/aarch64 to not detect as 32-bit

Revision 1.152, Thu Apr 28 11:15:55 2022 UTC (17 months ago) by wiz
Branch: MAIN
Changes since 1.151: +4 -4 lines
nss: update to 3.78.
Change:
- Bug 1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
- Bug 1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries.
- Bug 1763120 - Add ECH Grease Support to tstclnt
- Bug 1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
- Bug 1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Bug 1760813 - Make SEC_PKCS12EnableCipher succeed
- Bug 1762489 - Update zlib in NSS to 1.2.12.

Revision 1.151, Thu Apr 7 22:58:23 2022 UTC (17 months, 3 weeks ago) by ryoon
Branch: MAIN
Changes since 1.150: +14 -14 lines
nss: Regenerate distinfo to follow recent changes

Revision 1.150, Thu Apr 7 19:08:40 2022 UTC (17 months, 3 weeks ago) by riastradh
Branch: MAIN
Changes since 1.149: +14 -2 lines
devel/nss: Patch ctype(3) abuse.

Revision 1.149, Thu Mar 31 18:10:52 2022 UTC (17 months, 4 weeks ago) by wiz
Branch: MAIN
Changes since 1.148: +4 -4 lines
nss: update to 3.77.
Changes:
- Bug 1762244 - resolve mpitests build failure on Windows.
- Bug 1761779 - Fix link to TLS page on wireshark wiki
- Bug 1754890 - Add two D-TRUST 2020 root certificates.
- Bug 1751298 - Add Telia Root CA v2 root certificate.
- Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt.
- Bug 1005084 - support specific RSA-PSS parameters in mozilla::pkix
- Bug 1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Bug 1756271 - Remove token member from NSSSlot struct.
- Bug 1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
- Bug 1757279 - Support UTF-8 library path in the module spec string.
- Bug 1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Bug 1760827 - Add a CI Target for gcc-11.
- Bug 1760828 - Change to makefiles for gcc-4.8.
- Bug 1741688 - Update googletest to 1.11.0
- Bug 1759525 - Add SetTls13GreaseEchSize to experimental API.
- Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
- Bug 1755904 - Fix calculation of ECH HRR Transcript.
- Bug 1758741 - Allow ld path to be set as environment variable.
- Bug 1760653 - Ensure we don't read uninitialized memory in ssl gtests.
- Bug 1758478 - Fix DataBuffer Move Assignment.
- Bug 1552254 - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- Bug 1755092 - rework signature verification in mozilla::pkix

Revision 1.148, Tue Mar 29 13:31:36 2022 UTC (18 months ago) by ryoon
Branch: MAIN
Changes since 1.147: +4 -4 lines
nss: Update to 3.76.1
Changelog:
Change:
- Bug 1756271 - Remove token member from NSSSlot struct.

Revision 1.147, Thu Mar 3 12:13:35 2022 UTC (18 months, 3 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.146: +4 -4 lines
nss: update to 3.76.
Changes:
- Bug 1755555 - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Bug 1370866 - Check return value of PK11Slot_GetNSSToken.
- Bug 1747957 - Use Wycheproof JSON for RSASSA-PSS
- Bug 1679803 - Add SHA256 fingerprint comments to old certdata.txt entries.
- Bug 1753505 - Avoid truncating files in nss-release-helper.py.
- Bug 1751157 - Throw illegal_parameter alert for illegal extensions in handshake message.

Revision 1.146, Thu Feb 3 23:37:26 2022 UTC (19 months, 3 weeks ago) by wiz
Branch: MAIN
Changes since 1.145: +4 -4 lines
nss: update to 3.75.
Changes:
- Bug 1749030 - This patch adds gcc-9 and gcc-10 to the CI.
- Bug 1749794 - Make DottedOIDToCode.py compatible with python3.
- Bug 1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Bug 1748386 - Remove redundant key type check.
- Bug 1749869 - Update ABI expectations to match ECH changes.
- Bug 1748386 - Enable CKM_CHACHA20.
- Bug 1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
- Bug 1747310 - real move assignment operator.
- Bug 1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
- Bug 1743302 - Add ECDSA test vectors to the bltest command line tool.
- Bug 1747772 - Allow to build using clang's integrated assembler.
- Bug 1321398 - Allow to override python for the build.
- Bug 1747317 - test HKDF output rather than input.
- Bug 1747316 - Use ASSERT macros to end failed tests early.
- Bug 1747310 - move assignment operator for DataBuffer.
- Bug 1712879 - Add test cases for ECH compression and unexpected extensions in SH.
- Bug 1725938 - Update tests for ECH-13.
- Bug 1725938 - Tidy up error handling.
- Bug 1728281 - Add tests for ECH HRR Changes.
- Bug 1728281 - Server only sends GREASE HRR extension if enabled by preference.
- Bug 1725938 - Update generation of the Associated Data for ECH-13.
- Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Bug 1712879 - Allow for compressed, non-contiguous, extensions.
- Bug 1712879 - Scramble the PSK extension in CHOuter.
- Bug 1712647 - Split custom extension handling for ECH.
- Bug 1728281 - Add ECH-13 HRR Handling.
- Bug 1677181 - Client side ECH padding.
- Bug 1725938 - Stricter ClientHelloInner Decompression.
- Bug 1725938 - Remove ECH_inner extension, use new enum format.
- Bug 1725938 - Update the version number for ECH-13 and adjust the ECHConfig size.

Revision 1.145, Thu Jan 6 12:47:51 2022 UTC (20 months, 3 weeks ago) by wiz
Branch: MAIN
Changes since 1.144: +4 -4 lines
nss: update to 3.74.
Changes:
- Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses.
- Bug 1553612 - Ensure clients offer consistent ciphersuites after HRR.
- Bug 1721426 - NSS does not properly restrict server keys based on policy.
- Bug 1733003 - Set nssckbi version number to 2.54.
- Bug 1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate in NSS.
- Bug 1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate in NSS.
- Bug 1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate in NSS.
- Bug 1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate in NSS.
- Bug 1735407 - Replace GlobalSign ECC Root CA R4 in NSS.
- Bug 1733560 - Remove Expired Root Certificates from NSS - DST Root CA X3.
- Bug 1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates from NSS.
- Bug 1741930 - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate to NSS.
- Bug 1740095 - Add iTrusChina ECC root certificate to NSS.
- Bug 1740095 - Add iTrusChina RSA root certificate to NSS.
- Bug 1738805 - Add ISRG Root X2 root certificate to NSS.
- Bug 1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate to NSS.
- Bug 1738028 - Avoid a clang 13 unused variable warning in opt build.
- Bug 1735028 - Check for missing signedData field.
- Bug 1737470 - Ensure DER encoded signatures are within size limits.

Revision 1.144, Thu Dec 30 15:49:14 2021 UTC (20 months, 4 weeks ago) by ryoon
Branch: MAIN
Changes since 1.143: +4 -4 lines
nss: Update to 3.73.1
Changelog:
Change:
- Add SHA-2 support to mozilla::pkix's OCSP implementation

Revision 1.138.2.1, Sun Dec 5 07:32:02 2021 UTC (21 months, 3 weeks ago) by spz
Branch: pkgsrc-2021Q3
Changes since 1.138: +5 -5 lines
Pullup ticket #6548 - requested by mlelstv
devel/nss: security-update
Revisions pulled up:
- devel/nss/Makefile 1.215-1.217
- devel/nss/distinfo 1.139,1.142-1.143
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Thu Sep 30 21:39:55 UTC 2021
Modified Files:
pkgsrc/devel/nss: Makefile distinfo
Log Message:
nss: update to 3.71.
Changes:
- Bug 1717716 - Set nssckbi version number to 2.52.
- Bug 1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Bug 1373716 - Import of PKCS#12 files with Camellia encryption is not supported
- Bug 1717707 - Add HARICA Client ECC Root CA 2021.
- Bug 1717707 - Add HARICA Client RSA Root CA 2021.
- Bug 1717707 - Add HARICA TLS ECC Root CA 2021.
- Bug 1717707 - Add HARICA TLS RSA Root CA 2021.
- Bug 1728394 - Add TunTrust Root CA certificate to NSS.
To generate a diff of this commit:
cvs rdiff -u -r1.214 -r1.215 pkgsrc/devel/nss/Makefile
cvs rdiff -u -r1.138 -r1.139 pkgsrc/devel/nss/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Thu Oct 28 10:03:13 UTC 2021
Modified Files:
pkgsrc/devel/nss: Makefile distinfo
Log Message:
nss: update to 3.72.
Changes:
- Documentation: release notes for NSS 3.72
- Documentation: release notes for NSS 3.71
- Remove newline at the end of coreconf.dep
- Bug 1731911 - Fix nsinstall parallel failure.
- Bug 1729930 - Increase KDF cache size to mitigate perf regression in about:logins.
To generate a diff of this commit:
cvs rdiff -u -r1.215 -r1.216 pkgsrc/devel/nss/Makefile
cvs rdiff -u -r1.141 -r1.142 pkgsrc/devel/nss/distinfo
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Wed Dec 1 17:04:11 UTC 2021
Modified Files:
pkgsrc/devel/nss: Makefile distinfo
Log Message:
nss: update to 3.73.
This contains the fix for CVE-2021-43527.
To generate a diff of this commit:
cvs rdiff -u -r1.216 -r1.217 pkgsrc/devel/nss/Makefile
cvs rdiff -u -r1.142 -r1.143 pkgsrc/devel/nss/distinfo

Revision 1.143, Wed Dec 1 17:04:11 2021 UTC (21 months, 3 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.142: +4 -4 lines
nss: update to 3.73. This contains the fix for CVE-2021-43527.

Revision 1.142, Thu Oct 28 10:03:12 2021 UTC (23 months ago) by wiz
Branch: MAIN
Changes since 1.141: +4 -4 lines
nss: update to 3.72.
Changes:
- Documentation: release notes for NSS 3.72
- Documentation: release notes for NSS 3.71
- Remove newline at the end of coreconf.dep
- Bug 1731911 - Fix nsinstall parallel failure.
- Bug 1729930 - Increase KDF cache size to mitigate perf regression in about:logins.

Revision 1.141, Tue Oct 26 10:15:44 2021 UTC (23 months ago) by nia
Branch: MAIN
Changes since 1.140: +2 -2 lines
archivers: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and SHA512 hashes
Could not be committed due to merge conflict:
devel/py-traitlets/distinfo
The following distfiles were unfetchable (note: some may be only fetched conditionally):
./devel/pvs/distinfo pvs-3.2-solaris.tgz
./devel/eclipse/distinfo eclipse-sourceBuild-srcIncluded-3.0.1.zip

Revision 1.140, Thu Oct 7 13:40:38 2021 UTC (23 months, 3 weeks ago) by nia
Branch: MAIN
Changes since 1.139: +1 -2 lines
devel: Remove SHA1 hashes for distfiles

Revision 1.139, Thu Sep 30 21:39:55 2021 UTC (23 months, 4 weeks ago) by wiz
Branch: MAIN
Changes since 1.138: +5 -5 lines
nss: update to 3.71.
Changes:
- Bug 1717716 - Set nssckbi version number to 2.52.
- Bug 1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Bug 1373716 - Import of PKCS#12 files with Camellia encryption is not supported
- Bug 1717707 - Add HARICA Client ECC Root CA 2021.
- Bug 1717707 - Add HARICA Client RSA Root CA 2021.
- Bug 1717707 - Add HARICA TLS ECC Root CA 2021.
- Bug 1717707 - Add HARICA TLS RSA Root CA 2021.
- Bug 1728394 - Add TunTrust Root CA certificate to NSS.

Revision 1.138, Sun Sep 5 09:06:33 2021 UTC (2 years ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base
Branch point for: pkgsrc-2021Q3
Changes since 1.137: +5 -5 lines
nss: update to 3.70.
Changes:
- Documentation: release notes for NSS 3.70.
- Documentation: release notes for NSS 3.69.1.
- Bug 1726022 - Update test case to verify fix.
- Bug 1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Bug 1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Formatting for lib/util
- Bug 1681975 - Avoid using a lookup table in nssb64d.
- Bug 1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
- Bug 1714579 - Change default value of enableHelloDowngradeCheck to true.
- Formatting for gtests/pk11_gtest/pk11_hpke_unittest.cc
- Bug 1726022 - Cache additional PBE entries.
- Bug 1709750 - Read HPKE vectors from official JSON.
- Documentation: update for NSS 3.69 release.

Revision 1.137, Wed Sep 1 09:40:46 2021 UTC (2 years ago) by mrg
Branch: MAIN
Changes since 1.136: +2 -2 lines
re-do this patch using a GCC defined macro. this is still wrong, but it's less wrong than before and once again both arm64 and arm64eb (and amd64) build.
this is really strange. the code in sha512.c uses:
#if !defined(USE_HW_SHA2) || !defined(IS_LITTLE_ENDIAN)
which originally this patch attempted to match, but IS_LITTLE_ENDIAN is never defined inside nss, even though it's used a few dozen times. there is a MP_IS_LITTLE_ENDIAN defined that is setup, but almost never used.

Revision 1.136, Tue Aug 31 11:12:30 2021 UTC (2 years ago) by wiz
Branch: MAIN
Changes since 1.135: +6 -6 lines
nss: update to 3.69.1.
Bugs fixed:
- Bug 1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
- Bug 1720226 (Backout) - integrity checks in key4.db not happening on private components with AES_CBC

Revision 1.135, Fri Aug 27 21:33:02 2021 UTC (2 years, 1 month ago) by mrg
Branch: MAIN
Changes since 1.134: +2 -1 lines
fix build on arm64eb: sha512.c and sha256-armv8.c both provided the same symbols. (sha256-x86.c has the same problem, but that file already requires little endian so is not a big deal.)

Revision 1.134, Mon Aug 9 07:54:47 2021 UTC (2 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.133: +5 -5 lines
nss: update to 3.69.
Bugs fixed:
- Bug 1722613 - Disable DTLS 1.0 and 1.1 by default
- Bug 1720226 - integrity checks in key4.db not happening on private components with AES_CBC
- Bug 1720235 - SSL handling of signature algorithms ignores environmental invalid algorithms.
- Bug 1721476 - sqlite 3.34 changed its open semantics, causing nss failures.
- Bug 1720230 - Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- Bug 1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- Bug 1720232 - SQLite calls could timeout in starvation situations.
- Bug 1720225 - Coverity/cpp scanner errors found in nss 3.67
- Bug 1709817 - Import the NSS documentation from MDN in nss/doc.
- Bug 1720227 - NSS using a tempdir to measure sql performance not active
Revision 1.133, Mon Jun 28 08:48:20 2021 UTC (2 years, 3 months ago) by wiz
Branch: MAIN
Changes since 1.132: +5 -5 lines
nss: update to 3.67. Bugs fixed: * Bug 1683710 - Add a means to disable ALPN. * Bug 1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). * Bug 1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. * Bug 1566124 - Fix counter increase in ppc-gcm-wrap.c. * Bug 1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
Revision 1.132, Fri Jun 4 09:58:03 2021 UTC (2 years, 3 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.131: +5 -5 lines
nss: update to 3.66. Bugs fixed: * Bug 1710716 - Remove Expired Sonera Class2 CA from NSS. * Bug 1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. * Bug 1708307 - Remove Trustis FPS Root CA from NSS. * Bug 1707097 - Add Certum Trusted Root CA to NSS. * Bug 1707097 - Add Certum EC-384 CA to NSS. * Bug 1703942 - Add ANF Secure Server Root CA to NSS. * Bug 1697071 - Add GLOBALTRUST 2020 root cert to NSS. * Bug 1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database. * Bug 1712230 - Don't build ppc-gcm.s with clang integrated assembler. * Bug 1712211 - Strict prototype error when trying to compile nss code that includes blapi.h. * Bug 1710773 - NSS needs FIPS 180-3 FIPS indicators. * Bug 1709291 - Add VerifyCodeSigningCertificateChain. * Use GNU tar for the release helper script.
Revision 1.131, Sun May 16 17:42:31 2021 UTC (2 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.130: +5 -6 lines
nss: update to 3.65. Bugs fixed in NSS 3.65: * Bug 1709654 - Update for NetBSD configuration. * Bug 1709750 - Disable HPKE test when fuzzing. * Bug 1566124 - Optimize AES-GCM for ppc64le. * Bug 1699021 - Add AES-256-GCM to HPKE. * Bug 1698419 - ECH -10 updates. * Bug 1692930 - Update HPKE to final version. * Bug 1707130 - NSS should use modern algorithms in PKCS#12 files by default. * Bug 1703936 - New coverity/cpp scanner errors. * Bug 1697303 - NSS needs to update its csp clearing to FIPS 180-3 standards. * Bug 1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * Bug 1705119 - Deadlock when using GCM and non-thread safe tokens.
Revision 1.130, Wed May 5 16:54:02 2021 UTC (2 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.129: +2 -2 lines
nss: add upstream bug report URL
Revision 1.129, Sat May 1 21:52:02 2021 UTC (2 years, 4 months ago) by wiz
Branch: MAIN
Changes since 1.128: +3 -6 lines
nss: hide symbols on NetBSD like on other platforms Remove local workarounds again Bump PKGREVISION.
Revision 1.128, Fri Apr 23 16:07:43 2021 UTC (2 years, 5 months ago) by rin
Branch: MAIN
Changes since 1.127: +2 -2 lines
nss: Fix support for NetBSD/aarch64eb. Bump revision.
Revision 1.127, Fri Apr 16 14:29:22 2021 UTC (2 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.126: +5 -5 lines
nss: Update to 3.64 Changelog: Bugs fixed in NSS 3.64: * Bug 1705286 - Properly detect mips64. * Bug 1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx. * Bug 1698320 - replace __builtin_cpu_supports("vsx") with ppc_crypto_support() for clang. * Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
Revision 1.126, Thu Apr 15 08:54:54 2021 UTC (2 years, 5 months ago) by wiz
Branch: MAIN
Changes since 1.125: +4 -1 lines
nss: restore symbol rename patches While the link fix did fix the case of openssl calling nss code, the other way round still happens, e.g. in libreoffice (since fixed to not use nss) and konqueror. Bump PKGREVISION.
Revision 1.125, Fri Apr 9 06:40:59 2021 UTC (2 years, 5 months ago) by wiz
Branch: MAIN
Changes since 1.124: +3 -8 lines
nss: fix interoperability with openssl For a long time now (at least 15 years), the installed pkg-config file also linked against libsoftokn3, which is wrong according to upstream. This library is only intended to be loaded as a module. Having this library linked added symbols to the namespace that conflict with openssl symbols. This had caused problems before, and patches had been added to rename symbols to avoid this conflict. Instead, fix this correctly by not linking against libsoftokn3. Switch to using the pkg-config and nss-config files provided in the distfiles instead of pkgsrc-specific ones. Remove now unneeded symbol-renaming patches. Remove DragonFly patches while here. Bump PKGREVISION.
Revision 1.124, Tue Mar 30 16:34:05 2021 UTC (2 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.123: +5 -5 lines
nss: Update to 3.63 Changelog: Bugs fixed in NSS 3.63: * Bug 1697380 - Make a clang-format run on top of helpful contributions. * Bug 1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build issues with GCC 4.8. * Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication. * Bug 1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build issues with GCC 4.8. * Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication. * Bug 1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. * Bug 1694214 - tstclnt can't enable middlebox compat mode. * Bug 1694392 - NSS does not work with PKCS #11 modules not supporting profiles. * Bug 1685880 - Minor fix to prevent unused variable on early return. * Bug 1685880 - Fix for the gcc compiler version 7 to support setenv with nss build. * Bug 1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. * Bug 1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. * Bug 1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. * Bug 1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. * Bug 1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. * Bug 1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS. * Bug 1687822 - Turn off Websites trust bit for the 'Staat der Nederlanden Root CA - G3' root cert in NSS. * Bug 1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008' * Bug 1694291 - Tracing fixes for ECH.
Revision 1.123, Tue Mar 9 03:44:23 2021 UTC (2 years, 6 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.122: +5 -5 lines
nss: Update to 3.62 * Change header files installation suggested by markd@. Do not install dbm header files and install nss header files under nss, not nss/nss. Changelog: Bugs fixed in NSS 3.62 Bug 1688374 - Fix parallel build NSS-3.61 with make. Bug 1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable". Bug 1690583 - Fix CH padding extension size calculation. Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail. Bug 1690421 - Install packaged libabigail in docker-builds image. Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing. Bug 1674819 - Fixup a51fae403328, enum type may be signed. Bug 1681585 - Add ECH support to selfserv. Bug 1681585 - Update ECH to Draft-09. Bug 1678398 - Add Export/Import functions for HPKE context. Bug 1678398 - Update HPKE to draft-07.
Revision 1.122, Wed Jan 27 16:28:20 2021 UTC (2 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.121: +5 -5 lines
nss: Update to 3.61 Changelog: Bugs fixed in NSS 3.61: * Bug 1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions. * Bug 1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM. * Bug 1651411 - Improve constant-timeness in RSA operations. * Bug 1677207 - Upgrade Google Test version to latest release. * Bug 1654332 - Add aarch64-make target to nss-try.
Revision 1.121, Thu Dec 17 09:52:27 2020 UTC (2 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.120: +5 -5 lines
nss: Update to 3.60 Changelog: Notable changes in NSS 3.60: * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bug 1654332 for more information. * December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bugs 1678189, 1678166, and 1670769 for more information. Bugs fixed in NSS 3.60:  * Bug 1654332 - Implement Encrypted Client Hello (draft-ietf-tls-esni-08).  * Bug 1678189 - Update CA list version to 2.46.  * Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS.  * Bug 1678166 - Add NAVER Global Root Certification Authority root cert to NSS.  * Bug 1678384 - Add a build flag to allow building nssckbi-testlib in mozilla-central.  * Bug 1570539 - Remove -X alt-server-hello option from tstclnt.  * Bug 1675523 - Fix incorrect pkcs11t.h value CKR_PUBLIC_KEY_INVALID.  * Bug 1642174 - Fix PowerPC ABI version 1 build failure.  * Bug 1674819 - Fix undefined shift in fuzzer mode.  * Bug 1678990 - Fix ARM crypto extensions detection on macOS.  * Bug 1679290 - Fix lock order inversion and potential deadlock with libnsspem.  * Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey.
Revision 1.120, Wed Nov 18 14:24:00 2020 UTC (2 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.119: +5 -8 lines
nss: Update to 3.59 Changelog: Notable Changes in NSS 3.59 Exported two existing functions from libnss, CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData NOTE: NSS will soon require GCC 4.8 or newer. Gyp-based builds will stop supporting older GCC versions first, followed a few releases later by the make-based builds. Users of older GCC versions can continue to use the make-based build system while they upgrade to newer versions of GCC. Bugs fixed in NSS 3.59 * Bug 1607449 - Lock cert->nssCertificate to prevent a potential data race * Bug 1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA * Bug 1663661 - Guard against NULL token in nssSlot_IsTokenPresent * Bug 1670835 - Support enabling and disabling signatures via Crypto Policy * Bug 1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. * Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents * Bug 1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord * Bug 1666891 - Support key wrap/unwrap with RSA-OAEP * Bug 1667989 - Fix gyp linking on Solaris * Bug 1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss * Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA * Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds * Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
Revision 1.119, Sat Oct 31 19:36:30 2020 UTC (2 years, 10 months ago) by wiz
Branch: MAIN
Changes since 1.118: +9 -6 lines
nss: update to 3.58nb1. Add a post-release patch that broke some applications https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f Changes not found.
Revision 1.118, Sat Sep 19 23:54:14 2020 UTC (3 years ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.117: +5 -5 lines
nss: Update to 3.57 Changelog: Notable Changes in NSS 3.57 * NSPR dependency updated to 4.29. * The following CA certificates were Added:   Bug 1663049 - CN=Trustwave Global Certification Authority     SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8   Bug 1663049 - CN=Trustwave Global ECC P256 Certification Authority     SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4   Bug 1663049 - CN=Trustwave Global ECC P384 Certification Authority     SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed:   Bug 1651211 - CN=EE Certification Centre Root CA     SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76   Bug 1656077 - O=Government Root Certification Authority; C=TW     SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified:   Bug 1653092 - CN=OISTE WISeKey Global Root GA CA     Websites (server authentication) trust bit removed. Bugs fixed in NSS 3.57 * Bug 1651211 - Remove EE Certification Centre Root CA certificate. * Bug 1653092 - Turn off Websites Trust Bit for OISTE WISeKey Global Root GA CA. * Bug 1656077 - Remove Taiwan Government Root Certification Authority certificate. * Bug 1663049 - Add SecureTrust's Trustwave Global root certificates to NSS. * Bug 1659256 - AArch64 AES optimization shouldn't be enabled with gcc 4.8. * Bug 1651834 - Fix Clang static analyzer warnings. * Bug 1661378 - Fix Build failure with Clang 11. * Bug 1659727 - Fix mpcpucache.c invalid output constraint on Linux/ARM. * Bug 1662738 - Only run freebl_fips_RNG_PowerUpSelfTest when linked with NSPR. * Bug 1661810 - Fix Crash @ arm_aes_encrypt_ecb_128 when building with Clang 11. * Bug 1659252 - Fix Make build with NSS_DISABLE_DBM=1. * Bug 1660304 - Add POST tests for KDFs as required by FIPS. 
* Bug 1663346 - Use 64-bit compilation on e2k architecture. * Bug 1605922 - Account for negative sign in mp_radix_size. * Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes. * Bug 1660372 - NSS 3.57 should depend on NSPR 4.29 * Bug 1660734 - Fix Makefile typos. * Bug 1660735 - Fix Makefile typos.
Revision 1.117, Sun Aug 23 08:31:27 2020 UTC (3 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.116: +5 -5 lines
nss: Update to 3.56 Changelog: Notable Changes in NSS 3.56 * The known issue where Makefile builds failed to locate seccomon.h was fixed in Bug 1653975. * NSPR dependency updated to 4.28. Bugs fixed in NSS 3.56 * Bug 1650702 - Support SHA-1 HW acceleration on ARMv8 * Bug 1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * Bug 1654142 - Add CPU feature detection for Intel SHA extension. * Bug 1648822 - Add stricter validation of DH keys in FIPS mode. * Bug 1656986 - Properly detect arm64 during GYP build architecture detection. * Bug 1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * Bug 1656429 - Correct RTT estimate used in 0-RTT anti-replay. * Bug 1588941 - Send empty certificate message when scheme selection fails. * Bug 1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * Bug 1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * Bug 1653975 - Fix 3.53 regression by setting "all" as the default makefile target. * Bug 1659792 - Fix broken libpkix tests with unexpired PayPal cert. * Bug 1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies. * Bug 1656519 - Update NSPR dependency to 4.28.
Revision 1.116, Fri Jul 31 01:24:30 2020 UTC (3 years, 1 month ago) by maya
Branch: MAIN
Changes since 1.115: +5 -5 lines
nss: update to 3.55 Note that this says the NSPR dependency is bumped. I didn't encounter any problems with 2.46. It seems to be a change that their automation was updated to the newer version. NSS 3.55 P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto and ECCKiila. Special thanks to the Network and Information Security Group (NISEC) at Tampere University. PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. See Bug 1649633 for more details. DTLS 1.3 implementation is updated to draft-38. See Bug 1647752 for details. NSPR dependency updated to 4.27. NSS 3.54 Support for TLS 1.3 external pre-shared keys (Bug 1603042). Use ARM Cryptography Extension for SHA256, when available. (Bug 1528113).
Revision 1.115, Thu Jun 18 14:16:50 2020 UTC (3 years, 3 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.114: +5 -5 lines
nss: Update to 3.53.1 Changelog: Bugs fixed in NSS 3.53.1 - Bug 1631597 (CVE-2020-12402) - Use constant-time GCD and modular inversion in MPI.
Revision 1.114, Wed Jun 3 08:51:26 2020 UTC (3 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.113: +5 -6 lines
nss: Update to 3.53 Changelog: Notable Changes in NSS 3.53 * When using the Makefiles, NSS can be built in parallel, speeding up those builds to more similar performance as the build.sh/ninja/gyp system. (Bug 290526) * SEED is now moved into a new freebl directory freebl/deprecated (Bug 1636389). - SEED will be disabled by default in a future release of NSS. At that time, users will need to set the compile-time flag (Bug 1622033) to disable that deprecation in order to use the algorithm. - Algorithms marked as deprecated will ultimately be removed. * Several root certificates in the Mozilla program now set the CKA_NSS_SERVER_DISTRUST_AFTER attribute, which NSS consumers can query to further refine trust decisions. (Bug 1618404, Bug 1621159) If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or NotBefore date of a certificate that builtin issued, then clients can elect not to trust it. - This attribute provides a more graceful phase-out for certificate authorities than complete removal from the root certificate builtin store. Bugs fixed in NSS 3.53 * Bug 1640260 - Initialize PBE params (ASAN fix) * Bug 1618404 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root certs * Bug 1621159 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC, GRCA, and SK ID root certs * Bug 1629414 - PPC64: Correct compilation error between VMX vs. VSX vector instructions * Bug 1639033 - Fix various compile warnings in NSS * Bug 1640041 - Fix a null pointer in security/nss/lib/ssl/sslencode.c:67 * Bug 1640042 - Fix a null pointer in security/nss/lib/ssl/sslsock.c:4460 * Bug 1638289 - Avoid multiple definitions of SHA{256,384,512}_* symbols when linking libfreeblpriv3.so in Firefox on ppc64le * Bug 1636389 - Relocate deprecated SEED algorithm * Bug 1637083 - lib/ckfw: No such file or directory. Stop. 
* Bug 1561331 - Additional modular inverse test * Bug 1629553 - Rework and cleanup gmake builds * Bug 1438431 - Remove mkdepend and "depend" make target * Bug 290526 - Support parallel building of NSS when using the Makefiles * Bug 1636206 - HACL* update after changes in libintvector.h * Bug 1636058 - Fix building NSS on Debian s390x, mips64el, and riscv64 * Bug 1622033 - Add option to build without SEED
Revision 1.113, Wed May 6 01:09:43 2020 UTC (3 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.112: +5 -5 lines
nss: Update to 3.52 Changelog: Notable Changes in NSS 3.52 Bug 1603628 - Update NSS to support PKCS #11 v3.0. Bug 1623374 - Support new PKCS #11 v3.0 Message Interface for AES-GCM and ChaChaPoly. Bug 1612493 - Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*. Bugs fixed in NSS 3.52 Bug 1633498 - Fix unused variable 'getauxval' error on iOS compilation. Bug 1630721 - Add Softoken functions for FIPS. Bug 1630458 - Fix problem of GYP MSVC builds not producing debug symbol files. Bug 1629663 - Add IKEv1 Quick Mode KDF. Bug 1629661 - MPConfig calls in SSL initialize policy before NSS is initialized. Bug 1629655 - Support temporary session objects in ckfw. Bug 1629105 - Add PKCS11 v3.0 functions to module debug logger. Bug 1626751 - Fix error in generation of fuzz32 docker image after updates. Bug 1625133 - Fix implicit declaration of function 'getopt' error. Bug 1624864 - Allow building of gcm-arm32-neon on non-armv7 architectures. Bug 1624402 - Fix compilation error in Firefox Android. Bug 1624130 - Require CK_FUNCTION_LIST structs to be packed. Bug 1624377 - Fix clang warning for unknown argument '-msse4'. Bug 1623374 - Support new PKCS #11 v3.0 Message Interface for AES-GCM and ChaChaPoly. Bug 1623184 - Fix freebl_cpuid for querying Extended Features. Bug 1622555 - Fix argument parsing in lowhashtest. Bug 1620799 - Introduce NSS_DISABLE_GCM_ARM32_NEON to build on arm32 without NEON support. Bug 1619102 - Add workaround option to include both DTLS and TLS versions in DTLS supported_versions. Bug 1619056 - Update README: TLS 1.3 is not experimental anymore. Bug 1618915 - Fix UBSAN issue in ssl_ParseSessionTicket. Bug 1618739 - Don't assert fuzzer behavior in SSL_ParseSessionTicket. Bug 1617968 - Update Delegated Credentials implementation to draft-07. Bug 1617533 - Update HACL* dependencies for libintvector.h Bug 1613238 - Add vector accelerated SHA2 for POWER 8+. Bug 1612493 - Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*. 
Bug 1612281 - Maintain PKCS11 C_GetAttributeValue semantics on attributes that lack NSS database columns. Bug 1612260 - Add Wycheproof RSA test vectors. Bug 1608250 - broken fipstest handling of KI_len. Bug 1608245 - Consistently handle NULL slot/session. Bug 1603801 - Avoid dcache pollution from sdb_measureAccess(). Bug 1603628 - Update NSS to support PKCS #11 v3.0. Bug 1561637 - TLS 1.3 does not work in FIPS mode. Bug 1531906 - Fix overzealous assertion when evicting a cached sessionID or using external cache. Bug 1465613 - Fix issue where testlib makefile build produced extraneous object files. Bug 1619959 - Properly handle multi-block SEED ECB inputs. Bug 1630925 - Guard all instances of NSSCMSSignedData.signerInfo to avoid a CMS crash Bug 1571677 - Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name Compatibility NSS 3.52 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.52 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Revision 1.112, Sun Apr 26 21:43:43 2020 UTC (3 years, 5 months ago) by tnn
Branch: MAIN
Changes since 1.111: +2 -1 lines
nss: fix wrong value of CPU_ARCH on NetBSD/evbarm-earmv7hf Fixes PR pkg/53353 and maybe also PR pkg/55158
Revision 1.111, Sun Apr 12 15:13:33 2020 UTC (3 years, 5 months ago) by tnn
Branch: MAIN
Changes since 1.110: +2 -2 lines
g/c stale comment
Revision 1.110, Sun Apr 12 12:19:20 2020 UTC (3 years, 5 months ago) by tnn
Branch: MAIN
Changes since 1.109: +3 -1 lines
nss: interim NetBSD/aarch64 build fix
Revision 1.109, Sun Apr 12 10:25:17 2020 UTC (3 years, 5 months ago) by tnn
Branch: MAIN
Changes since 1.108: +2 -2 lines
nss: delete patch hunk which should no longer be necessary
Revision 1.108, Wed Mar 18 13:22:10 2020 UTC (3 years, 6 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.107: +5 -5 lines
nss: Update to 3.51 Changelog: Notable Changes in NSS 3.51 * Updated DTLS 1.3 implementation to Draft-34. See Bug 1608892 for details. Bugs fixed in NSS 3.51 * Bug 1608892 - Update DTLS 1.3 implementation to draft-34. * Bug 1611209 - Correct swapped PKCS11 values of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL * Bug 1612259 - Complete integration of Wycheproof ECDH test cases * Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>) * Bug 1614786 - Fix a compilation error for 'getFIPSEnv' "defined but not used" * Bug 1615208 - Send DTLS version numbers in DTLS 1.3 supported_versions extension to avoid an incompatibility. * Bug 1538980 - SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed to be null-terminated * Bug 1561337 - Correct a warning for comparison of integers of different signs: 'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88 * Bug 1609751 - Add test for mp_int clamping * Bug 1582169 - Don't attempt to read the fips_enabled flag on the machine unless NSS was built with FIPS enabled * Bug 1431940 - Fix a null pointer dereference in BLAKE2B_Update * Bug 1617387 - Fix compiler warning in secsign.c * Bug 1618400 - Fix an OpenBSD/arm64 compilation error: unused variable 'getauxval' * Bug 1610687 - Fix a crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics
Revision 1.107, Fri Feb 14 13:02:41 2020 UTC (3 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.106: +5 -5 lines
nss: Update to 3.50 Changelog: Notable Changes in NSS 3.50 * Verified primitives from HACL* were updated, bringing performance improvements for several platforms. Note that Intel processors with SSE4 but without AVX are currently unable to use the improved ChaCha20/Poly1305 due to a build issue; such platforms will fall-back to less optimized algorithms. See Bug 1609569 for details. * Updated DTLS 1.3 implementation to Draft-30. See Bug 1599514 for details. * Added NIST SP800-108 KBKDF - PKCS#11 implementation. See Bug 1599603 for details. Bugs fixed in NSS 3.50 * Bug 1599514 - Update DTLS 1.3 implementation to Draft-30 * Bug 1603438 - Fix native tools build failure due to lack of zlib include dir if external * Bug 1599603 - NIST SP800-108 KBKDF - PKCS#11 implementation * Bug 1606992 - Cache the most recent PBKDF1 password hash, to speed up repeated SDR operations, important with the increased KDF iteration counts. NSS 3.49.1 sped up PBKDF2 operations, though PBKDF1 operations are also relevant for older NSS databases (also included in NSS 3.49.2) * Bug 1608895 - Gyp builds on taskcluster broken by Setuptools v45.0.0 (for lacking Python3) * Bug 1574643 - Upgrade HACL* verified implementations of ChaCha20, Poly1305, and 64-bit Curve25519 * Bug 1608327 - Two problems with NEON-specific code in freebl * Bug 1575843 - Detect AArch64 CPU features on FreeBSD * Bug 1607099 - Remove the buildbot configuration * Bug 1585429 - Add more HKDF test vectors * Bug 1573911 - Add more RSA test vectors * Bug 1605314 - Compare all 8 bytes of an mp_digit when clamping in Windows assembly/mp_comba * Bug 1604596 - Update Wycheproof vectors and add support for CBC, P256-ECDH, and CMAC tests * Bug 1608493 - Use AES-NI for non-GCM AES ciphers on platforms with no assembly-optimized implementation, such as macOS. 
* Bug 1547639 - Update zlib in NSS to 1.2.11 * Bug 1609181 - Detect ARM (32-bit) CPU features on FreeBSD * Bug 1602386 - Fix build on FreeBSD/powerpc* * Bug 1608151 - Introduce NSS_DISABLE_ALTIVEC * Bug 1612623 - Depend on NSPR 4.25 * Bug 1609673 - Fix a crash when NSS is compiled without libnssdbm support, but the nssdbm shared object is available anyway.
Revision 1.106, Wed Feb 5 03:31:58 2020 UTC (3 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.105: +5 -5 lines
nss: Update to 4.49.2 Changelog: No new functionality is introduced in this release. This release fixes several issues: - Bug 1606992 - Cache the most recent PBKDF1 password hash, to speed up repeated SDR operations when using profiles using that hash. This is covering additional cases not covered by NSS 3.49.1, important with the increased KDF iteration counts. - Bug 1608327 - Fix compilation problems with NEON-specific code in freebl - Bug 1608895 - Fix a taskcluster issue with Python 2 / Python 3 NSS 3.49.2 requires NSPR 4.24 or newer.
Revision 1.102.4.1, Sat Jan 18 22:29:04 2020 UTC (3 years, 8 months ago) by bsiegert
Branch: pkgsrc-2019Q4
Changes since 1.102: +7 -7 lines
Pullup ticket #6117 - requested by nia devel/nss: dependent update (for Firefox) Revisions pulled up: - devel/nss/Makefile 1.175-1.177 - devel/nss/distinfo 1.103-1.105 - devel/nss/patches/patch-me 1.6 - devel/nss/patches/patch-nss_coreconf_command.mk 1.4 --- Module Name: pkgsrc Committed By: ryoon Date: Sat Dec 28 23:04:05 UTC 2019 Modified Files: pkgsrc/devel/nss: Makefile distinfo pkgsrc/devel/nss/patches: patch-nss_coreconf_command.mk Log Message: Update to 3.48 Changelog: Notable Changes in NSS 3.48 * TLS 1.3 is the default maximum TLS version. See Bug 1573118 for details. * TLS extended master secret is enabled by default, where possible. See Bug 1575411 for details. * The master password PBE now uses 10,000 iterations by default when using the default sql (key4.db) storage. Because using an iteration count higher than 1 with the legacy dbm (key3.db) storage creates files that are incompatible with previous versions of NSS, applications that wish to enable it for key3.db are required to set environment variable NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1. Applications may set environment variable NSS_MIN_MP_PBE_ITERATION_COUNT to request a higher iteration count than the library's default, or NSS_MAX_MP_PBE_ITERATION_COUNT to request a lower iteration count for test environments. See Bug 1562671 for details. Certificate Authority Changes The following CA certificates were Added: * Bug 1591178 - Entrust Root Certification Authority - G4 Cert SHA-256 Fingerprint: DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88 Bugs fixed in NSS 3.48 * Bug 1586176 - EncryptUpdate should use maxout not block size (CVE-2019-11745) -- Note that this was previously fixed in NSS 3.44.3 and 3.47.1. 
* Bug 1600775 - Require NSPR 4.24 for NSS 3.48 * Bug 1593401 - Fix race condition in self-encrypt functions * Bug 1599545 - Fix assertion and add test for early Key Update * Bug 1597799 - Fix a crash in nssCKFWObject_GetAttributeSize * Bug 1591178 - Add Entrust Root Certification Authority - G4 certificate to NSS * Bug 1590001 - Prevent negotiation of versions lower than 1.3 after HelloRetryRequest * Bug 1596450 - Added a simplified and unified MAC implementation for HMAC and CMAC behind PKCS#11 * Bug 1522203 - Remove an old Pentium Pro performance workaround * Bug 1592557 - Fix PRNG known-answer-test scripts * Bug 1593141 - add `notBefore` or similar "beginning-of-validity-period" parameter to mozilla::pkix::TrustDomain::CheckRevocation * Bug 1591363 - Fix a PBKDF2 memory leak in NSC_GenerateKey if key length > MAX_KEY_LEN (256) * Bug 1592869 - Use ARM NEON for ctr_xor * Bug 1566131 - Ensure SHA-1 fallback disabled in TLS 1.2 * Bug 1577803 - Mark PKCS#11 token as friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN * Bug 1566126 - POWER GHASH Vector Acceleration * Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c * Bug 1590495 - Fix a crash in PK11_MakeCertFromHandle * Bug 1591742 - Ensure DES IV length is valid before usage from PKCS#11 * Bug 1588567 - Enable mozilla::pkix gtests in NSS CI * Bug 1591315 - Update NSC_Decrypt length in constant time * Bug 1562671 - Increase NSS MP KDF default iteration count, by default for modern key4 storage, optionally for legacy key3.db storage * Bug 1590972 - Use -std=c99 rather than -std=gnu99 * Bug 1590676 - Fix build if ARM doesn't support NEON * Bug 1575411 - Enable TLS extended master secret by default * Bug 1590970 - SSL_SetTimeFunc has incomplete coverage * Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c * Bug 1588244 - NSS changes for Delegated Credential key strength checks * Bug 1459141 - Add more CBC padding tests that missed NSS 3.47 * Bug 1590339 - Fix a memory leak in btoa.c * Bug 1589810 - 
fix uninitialized variable warnings from certdata.perl * Bug 1573118 - Enable TLS 1.3 by default in NSS --- Module Name: pkgsrc Committed By: ryoon Date: Fri Jan 10 03:43:20 UTC 2020 Modified Files: pkgsrc/devel/nss: Makefile distinfo pkgsrc/devel/nss/patches: patch-me Log Message: nss: Update to 3.49 Changelog: Notable Changes in NSS 3.49 * The legacy DBM database, libnssdbm, is no longer built by default when using gyp builds. See Bug 1594933 for details. Bugs fixed in NSS 3.49 * Bug 1513586 - Set downgrade sentinel for client TLS versions lower than 1.2. * Bug 1606025 - Remove -Wmaybe-uninitialized warning in sslsnce.c * Bug 1606119 - Fix PPC HW Crypto build failure * Bug 1605545 - Memory leak in Pk11Install_Platform_Generate * Bug 1602288 - Fix build failure due to missing posix signal.h * Bug 1588714 - Implement CheckARMSupport for Win64/aarch64 * Bug 1585189 - NSS database uses 3DES instead of AES to encrypt DB entries * Bug 1603257 - Fix UBSAN issue in softoken CKM_NSS_CHACHA20_CTR initialization * Bug 1590001 - Additional HRR Tests (CVE-2019-17023) * Bug 1600144 - Treat ClientHello with message_seq of 1 as a second ClientHello * Bug 1603027 - Test that ESNI is regenerated after HelloRetryRequest * Bug 1593167 - Intermittent mis-reporting potential security risk SEC_ERROR_UNKNOWN_ISSUER * Bug 1535787 - Fix automation/release/nss-release-helper.py on MacOS * Bug 1594933 - Disable building DBM by default * Bug 1562548 - Improve GCM performance on aarch32 --- Module Name: pkgsrc Committed By: ryoon Date: Tue Jan 14 12:58:08 UTC 2020 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: nss: Update to 3.49.1 * Bump nspr requirement Changelog: No new functionality is introduced in these releases. These releases fix a performance issue: - Bug 1606992 - Cache the most recent PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF iteration counts.
Revision 1.105, Tue Jan 14 12:58:08 2020 UTC (3 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.104: +5 -5 lines
nss: Update to 3.49.1 * Bump nspr requirement Changelog: No new functionality is introduced in these releases. These releases fix a performance issue: - Bug 1606992 - Cache the most recent PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF iteration counts.
Revision 1.104, Fri Jan 10 03:43:20 2020 UTC (3 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.103: +6 -6 lines
nss: Update to 3.49 Changelog: Notable Changes in NSS 3.49 * The legacy DBM database, libnssdbm, is no longer built by default when using gyp builds. See Bug 1594933 for details. Bugs fixed in NSS 3.49 * Bug 1513586 - Set downgrade sentinel for client TLS versions lower than 1.2. * Bug 1606025 - Remove -Wmaybe-uninitialized warning in sslsnce.c * Bug 1606119 - Fix PPC HW Crypto build failure * Bug 1605545 - Memory leak in Pk11Install_Platform_Generate * Bug 1602288 - Fix build failure due to missing posix signal.h * Bug 1588714 - Implement CheckARMSupport for Win64/aarch64 * Bug 1585189 - NSS database uses 3DES instead of AES to encrypt DB entries * Bug 1603257 - Fix UBSAN issue in softoken CKM_NSS_CHACHA20_CTR initialization * Bug 1590001 - Additional HRR Tests (CVE-2019-17023) * Bug 1600144 - Treat ClientHello with message_seq of 1 as a second ClientHello * Bug 1603027 - Test that ESNI is regenerated after HelloRetryRequest * Bug 1593167 - Intermittent mis-reporting potential security risk SEC_ERROR_UNKNOWN_ISSUER * Bug 1535787 - Fix automation/release/nss-release-helper.py on MacOS * Bug 1594933 - Disable building DBM by default * Bug 1562548 - Improve GCM performance on aarch32
Revision 1.103, Sat Dec 28 23:04:04 2019 UTC (3 years, 9 months ago) by ryoon
Branch: MAIN
Changes since 1.102: +6 -6 lines
Update to 3.48 Changelog: Notable Changes in NSS 3.48 * TLS 1.3 is the default maximum TLS version. See Bug 1573118 for details. * TLS extended master secret is enabled by default, where possible. See Bug 1575411 for details. * The master password PBE now uses 10,000 iterations by default when using the default sql (key4.db) storage. Because using an iteration count higher than 1 with the legacy dbm (key3.db) storage creates files that are incompatible with previous versions of NSS, applications that wish to enable it for key3.db are required to set environment variable NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1. Applications may set environment variable NSS_MIN_MP_PBE_ITERATION_COUNT to request a higher iteration count than the library's default, or NSS_MAX_MP_PBE_ITERATION_COUNT to request a lower iteration count for test environments. See Bug 1562671 for details. Certificate Authority Changes The following CA certificates were Added: * Bug 1591178 - Entrust Root Certification Authority - G4 Cert SHA-256 Fingerprint: DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88 Bugs fixed in NSS 3.48 * Bug 1586176 - EncryptUpdate should use maxout not block size (CVE-2019-11745) -- Note that this was previously fixed in NSS 3.44.3 and 3.47.1. 
* Bug 1600775 - Require NSPR 4.24 for NSS 3.48 * Bug 1593401 - Fix race condition in self-encrypt functions * Bug 1599545 - Fix assertion and add test for early Key Update * Bug 1597799 - Fix a crash in nssCKFWObject_GetAttributeSize * Bug 1591178 - Add Entrust Root Certification Authority - G4 certificate to NSS * Bug 1590001 - Prevent negotiation of versions lower than 1.3 after HelloRetryRequest * Bug 1596450 - Added a simplified and unified MAC implementation for HMAC and CMAC behind PKCS#11 * Bug 1522203 - Remove an old Pentium Pro performance workaround * Bug 1592557 - Fix PRNG known-answer-test scripts * Bug 1593141 - add `notBefore` or similar "beginning-of-validity-period" parameter to mozilla::pkix::TrustDomain::CheckRevocation * Bug 1591363 - Fix a PBKDF2 memory leak in NSC_GenerateKey if key length > MAX_KEY_LEN (256) * Bug 1592869 - Use ARM NEON for ctr_xor * Bug 1566131 - Ensure SHA-1 fallback disabled in TLS 1.2 * Bug 1577803 - Mark PKCS#11 token as friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN * Bug 1566126 - POWER GHASH Vector Acceleration * Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c * Bug 1590495 - Fix a crash in PK11_MakeCertFromHandle * Bug 1591742 - Ensure DES IV length is valid before usage from PKCS#11 * Bug 1588567 - Enable mozilla::pkix gtests in NSS CI * Bug 1591315 - Update NSC_Decrypt length in constant time * Bug 1562671 - Increase NSS MP KDF default iteration count, by default for modern key4 storage, optionally for legacy key3.db storage * Bug 1590972 - Use -std=c99 rather than -std=gnu99 * Bug 1590676 - Fix build if ARM doesn't support NEON * Bug 1575411 - Enable TLS extended master secret by default * Bug 1590970 - SSL_SetTimeFunc has incomplete coverage * Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c * Bug 1588244 - NSS changes for Delegated Credential key strength checks * Bug 1459141 - Add more CBC padding tests that missed NSS 3.47 * Bug 1590339 - Fix a memory leak in btoa.c * Bug 1589810 - 
fix uninitialized variable warnings from certdata.perl * Bug 1573118 - Enable TLS 1.3 by default in NSS
Revision 1.102, Tue Dec 3 14:29:21 2019 UTC (3 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base
Branch point for: pkgsrc-2019Q4
Changes since 1.101: +6 -6 lines
Update to 3.47.1 Changelog: NSS 3.47.1 includes: * CVE-2019-11745 - EncryptUpdate should use maxout, not block size * Bug 1590495 - Fix a crash that could be caused by client certificates during startup * Bug 1589810 - Fix compile-time warnings from uninitialized variables in a perl script NSS 3.47.1 requires NSPR 4.23 or newer. The HG tag is NSS_3_47_1_RTM.
Revision 1.101, Fri Oct 4 12:35:15 2019 UTC (3 years, 11 months ago) by ryoon
Branch: MAIN
Changes since 1.100: +5 -5 lines
Update to 3.46.1 Changelog: * 1582343 - Soft token MAC verification not constant time * 1577953 - Remove arbitrary HKDF output limit by allocating space as needed
Revision 1.100, Thu Sep 19 19:14:39 2019 UTC (4 years ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.99: +2 -2 lines
nss: aarch64 build fix From OpenBSD. Similar to PR pkg/53353 for ARM. Although different symbols missing in that case and that's believed to be fixed already.
Revision 1.99, Fri Sep 6 02:54:47 2019 UTC (4 years ago) by ryoon
Branch: MAIN
Changes since 1.98: +6 -6 lines
Update to 3.46 Changelog: Notable Changes: * The following CA certificates were Removed: - 1574670 - Remove expired Class 2 Primary root certificate - 1574670 - Remove expired UTN-USERFirst-Client root certificate - 1574670 - Remove expired Deutsche Telekom Root CA 2 root certificate - 1566569 - Remove Swisscom Root CA 2 root certificate * Significant improvements to AES-GCM performance on ARM Bugs fixed in NSS 3.46: * 1572164 - Don't unnecessarily free session in NSC_WrapKey * 1574220 - Improve controls after errors in tstcln, selfserv and vfyserv cmds * 1550636 - Upgrade SQLite in NSS to a 2019 version * 1572593 - Reset advertised extensions in ssl_ConstructExtensions * 1415118 - NSS build with ./build.sh --enable-libpkix fails * 1539788 - Add length checks for cryptographic primitives * 1542077 - mp_set_ulong and mp_set_int should return errors on bad values * 1572791 - Read out-of-bounds in DER_DecodeTimeChoice_Util from SSLExp_DelegateCredential * 1560593 - Cleanup.sh script does not set error exit code for tests that "Failed with core" * 1566601 - Add Wycheproof test vectors for AES-KW * 1571316 - curve25519_32.c:280: undefined reference to `PR_Assert' when building NSS 3.45 on armhf-linux * 1516593 - Client to generate new random during renegotiation * 1563258 - fips.sh fails due to non-existent "resp" directories * 1561598 - Remove -Wmaybe-uninitialized warning in pqg.c * 1560806 - Increase softoken password max size to 500 characters * 1568776 - Output paths relative to repository in NSS coverity * 1453408 - modutil -changepw fails in FIPS mode if password is an empty string * 1564727 - Use a PSS SPKI when possible for delegated credentials * 1493916 - fix ppc64 inline assembler for clang * 1561588 - Remove -Wmaybe-uninitialized warning in p7env.c * 1561548 - Remove -Wmaybe-uninitialized warning in pkix_pl_ldapdefaultclient.c * 1512605 - Incorrect alert description after unencrypted Finished msg * 1564715 - Read /proc/cpuinfo when AT_HWCAP2 returns 0
* 1532194 - Remove or fix -DDEBUG_$USER from make builds * 1565577 - Visual Studio's cl.exe -? hangs on Windows x64 when building nss since changeset 9162c654d06915f0f15948fbf67d4103a229226f * 1564875 - Improve rebuilding with build.sh * 1565243 - Support TC_OWNER without email address in nss taskgraph * 1563778 - Increase maxRunTime on Mac taskcluster Tools, SSL tests * 1561591 - Remove -Wmaybe-uninitialized warning in tstclnt.c * 1561587 - Remove -Wmaybe-uninitialized warning in lgattr.c * 1561558 - Remove -Wmaybe-uninitialized warning in httpserv.c * 1561556 - Remove -Wmaybe-uninitialized warning in tls13esni.c * 1561332 - ec.c:28 warning: comparison of integers of different signs: 'int' and 'unsigned long' * 1564714 - Print certutil commands during setup * 1565013 - HACL image builder times out while fetching gpg key * 1563786 - Update hacl-star docker image to pull specific commit * 1559012 - Improve GCM performance using PMULL2 * 1528666 - Correct resumption validation checks * 1568803 - More tests for client certificate authentication * 1564284 - Support profile mobility across Windows and Linux * 1573942 - Gtest for pkcs11.txt with different breaking line formats * 1575968 - Add strsclnt option to enforce the use of either IPv4 or IPv6 * 1549847 - Fix NSS builds on iOS * 1485533 - Enable NSS_SSL_TESTS on taskcluster
Revision 1.98, Tue Jul 30 12:18:43 2019 UTC (4 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.97: +5 -5 lines
Update to 3.45 Changelog: New Functions in pk11pub.h: PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL. Notable Changes in NSS 3.45 Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts) This adds a new experimental function: SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials. See Bug 1548360. Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement. See Bug 1563078. Bug 1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto Bug 1551129 - Support static linking on Windows Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot Bug 1546229 - Add IPSEC IKE support to softoken Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23) Bug 1543874 - Expose an external clock for SSL This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. Bug 1546477 - Various changes in response to the ongoing FIPS review Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. 
Certificate Authority Changes The following CA certificates were Removed: Bug 1552374 - CN = Certinomis - Root CA SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158 Bugs fixed in NSS 3.45 Bug 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719) Bug 1515342 - More thorough input checking (CVE-2019-11729) Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727) Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis) Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis) Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might have copied the unit test code verbatim Bug 1550022 - Ensure nssutil3 gets built on Android Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on failure Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns error Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors using NSS Bug 1553443 - Send session ticket only after handshake is marked as finished Bug 1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so builds Bug 1554336 - Optimize away unneeded loop in mpi.c Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work Bug 1561523 - Add a string for the new-ish error 
SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
Revision 1.97, Sat Jun 22 03:54:04 2019 UTC (4 years, 3 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.96: +5 -5 lines
Update to 3.44.1 Changelog: 3.44.1: * 1554336 - Optimize away unneeded loop in mpi.c * 1515342 - More thorough input checking * 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import * 1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh * 1546229 - Add IPSEC IKE support to softoken * 1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys * 1546477 - Updates to testing for FIPS validation * 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 * 1551041 - Unbreak build on GCC < 4.3 big-endian
Revision 1.96, Thu May 16 14:08:16 2019 UTC (4 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.95: +5 -6 lines
Update to 3.44 Changelog: New Functions: in lib/certdb/cert.h CERT_GetCertificateDer - Access the DER-encoded form of a CERTCertificate. Notable Changes in NSS 3.44: * It is now possible to build NSS as a static library (Bug 1543545) * Initial support for building for iOS. Bugs fixed in NSS 3.44: * 1501542 - Implement CheckARMSupport for Android * 1531244 - Use __builtin_bswap64 in crypto_primitives.h * 1533216 - CERT_DecodeCertPackage() crash with Netscape Certificate Sequences * 1533616 - sdb_GetAttributeValueNoLock should make at most one sql query, rather than one for each attribute * 1531236 - Provide accessor for CERTCertificate.derCert * 1536734 - lib/freebl/crypto_primitives.c assumes a big endian machine * 1532384 - In NSS test certificates, use @example.com (not @bogus.com) * 1538479 - Post-Handshake messages after async server authentication break when using record layer separation * 1521578 - x25519 support in pk11pars.c * 1540205 - freebl build fails with -DNSS_DISABLE_CHACHAPOLY * 1532312 - post-handshake auth doesn't interoperate with OpenSSL * 1542741 - certutil -F crashes with segmentation fault * 1546925 - Allow preceding text in try comment * 1534468 - Expose ChaCha20 primitive * 1418944 - Quote CC/CXX variables passed to nspr * 1543545 - Allow to build NSS as a static library * 1487597 - Early data that arrives before the handshake completes can be read afterwards * 1548398 - freebl_gtest not building on Linux/Mac * 1548722 - Fix some Coverity warnings * 1540652 - softoken/sdb.c: Logically dead code * 1549413 - Android log lib is not included in build * 1537927 - IPsec usage is too restrictive for existing deployments * 1549608 - Signature fails with dbm disabled * 1549848 - Allow building NSS for iOS using gyp * 1549847 - NSS's SQLite compilation warnings make the build fail on iOS * 1550041 - freebl not building on iOS simulator * 1542950 - MacOS cipher test timeouts
Revision 1.95, Sun May 5 22:47:27 2019 UTC (4 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.94: +6 -5 lines
Do not conflict with MD5_Update from OpenSSL. Like SHA1_Update, define another name, NSS_MD5_Update and use via CPP macro. This change fixes PDF export of misc/libreoffice. And make pkglint happier.
Revision 1.94, Fri Mar 22 15:50:34 2019 UTC (4 years, 6 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.93: +5 -5 lines
Update to 3.43 Changelog: New Functionality: * in sechash.h HASH_GetHashOidTagByHashType - convert type HASH_HashType to type SECOidTag * in sslexp.h SSL_SendCertificateRequest - allow server to request post-handshake client authentication. To use this both peers need to enable the SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism is present, post-handshake authentication is currently not TLS 1.3 compliant due to Bug 1532312 Notable changes: * The following CA certificates were Added: - CN = emSign Root CA - G1 SHA-256 Fingerprint: 40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367 - CN = emSign ECC Root CA - G3 SHA-256 Fingerprint: 86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B - CN = emSign Root CA - C1 SHA-256 Fingerprint: 125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F - CN = emSign ECC Root CA - C3 SHA-256 Fingerprint: BC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3 - CN = Hongkong Post Root CA 3 SHA-256 Fingerprint: 5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6 Bugs fixed in NSS 3.43 * Bug 1528669 and Bug 1529308 - Improve Gyp build system handling * Bug 1529950 and Bug 1521174 - Improve NSS S/MIME tests for Thunderbird * Bug 1530134 - If Docker isn't installed, try running a local clang-format as a fallback * Bug 1531267 - Enable FIPS mode automatically if the system FIPS mode flag is set * Bug 1528262 - Add a -J option to the strsclnt command to specify sigschemes * Bug 1513909 - Add manual for nss-policy-check * Bug 1531074 - Fix a deref after a null check in SECKEY_SetPublicValue * Bug 1517714 - Properly handle ESNI with HRR * Bug 1529813 - Expose HKDF-Expand-Label with mechanism * Bug 1535122 - Align TLS 1.3 HKDF trace levels * Bug 1530102 - Use getentropy on compatible versions of FreeBSD
Revision 1.93, Tue Jan 29 13:07:36 2019 UTC (4 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.92: +5 -5 lines
Update to 3.42 Changelog: New Functionality: * Bug 818686 - Support XDG basedir specification Notable changes: * Added support for some of the testcases from the Wycheproof project: - Bug 1508666 - Added AES-GCM test cases - Bug 1508673 - Added ChaCha20-Poly1305 test cases - Bug 1514999 - Added the Curve25519 test cases - Thanks to Jonas Allmann for adapting these tests. Bugs fixed in NSS 3.42: * Bug 1490006 - Reject invalid CH.legacy_version in TLS 1.3 * Bug 1507135 and Bug 1507174 - Add additional null checks to several CMS functions to fix a rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak for the discovery and fixes. * Bug 1513913 - A fix for Solaris where Firefox 60 core dumps during start when using profile from version 52
Revision 1.92, Wed Dec 12 14:02:01 2018 UTC (4 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.91: +5 -5 lines
Update to 3.41 New functionality: * Bug 1252891 - Implemented EKU handling for IPsec IKE. * Bug 1423043 - Enable half-closed states for TLS. * Bug 1493215 - Enabled the following ciphersuites by default: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 Notable changes: * The following CA certificates were added: CN = Certigna Root CA CN = GTS Root R1 CN = GTS Root R2 CN = GTS Root R3 CN = GTS Root R4 CN = UCA Global G2 Root CN = UCA Extended Validation Root * The following CA certificates were removed: CN = AC Raíz Certicámara S.A. CN = Certplus Root CA G1 CN = Certplus Root CA G2 CN = OpenTrust Root CA G1 CN = OpenTrust Root CA G2 CN = OpenTrust Root CA G3 Bugs fixed in NSS 3.41: * Bug 1412829, Reject empty supported_signature_algorithms in Certificate Request in TLS 1.2 * Bug 1485864 - Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404) * Bug 1481271 - Resend the same ticket in ClientHello after HelloRetryRequest * Bug 1493769 - Set session_id for external resumption tokens * Bug 1507179 - Reject CCS after handshake is complete in TLS 1.3
Revision 1.91, Sun Nov 4 00:33:27 2018 UTC (4 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.90: +5 -5 lines
Update to 3.40 Changelog: Notable bug fixes: * Bug 1478698 - FFDHE key exchange sometimes fails with decryption failure New functionality: * The draft-00 version of encrypted SNI support is implemented * tstclnt now takes -N option to specify encrypted SNI key Notable changes: * The mozilla::pkix library has been ported from Mozilla PSM to NSS. This is a C++ library for building certification paths. mozilla::pkix APIs are not exposed in the libraries NSS builds. * It is easier to build NSS on Windows in mozilla-build environments. * The following CA certificates were Removed: CN = Visa eCommerce Root
Revision 1.90, Wed Sep 5 15:19:03 2018 UTC (5 years ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3
Changes since 1.89: +5 -5 lines
Update to 3.39 Changelog: Notable bug fixes: * Bug 1483128 - NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384) New functionality: * The tstclnt and selfserv utilities added support for configuring the enabled TLS signature schemes using the -J parameter. * NSS will use RSA-PSS keys to authenticate in TLS. Support for these keys is disabled by default but can be enabled using SSL_SignatureSchemePrefSet(). * certutil added the ability to delete an orphan private key from an NSS key database. * Added the nss-policy-check utility, which can be used to check an NSS policy configuration for problems. * A PKCS#11 URI can be used as an identifier for a PKCS#11 token. Notable changes: * The TLS 1.3 implementation uses the final version number from RFC 8446. * Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature where the DigestInfo structure was missing the NULL parameter. Starting with version 3.39, NSS requires the encoding to contain the NULL parameter. * The tstclnt and selfserv test utilities no longer accept the -z parameter, as support for TLS compression was removed in a previous NSS version. * The CA certificates list was updated to version 2.26. * The following CA certificates were Added: - OU = GlobalSign Root CA - R6 - CN = OISTE WISeKey Global Root GC CA The following CA certificate was Removed: - CN = ComSign The following CA certificates had the Websites trust bit disabled: - CN = Certplus Root CA G1 - CN = Certplus Root CA G2 - CN = OpenTrust Root CA G1 - CN = OpenTrust Root CA G2 - CN = OpenTrust Root CA G3
Revision 1.89, Thu Jun 7 19:04:59 2018 UTC (5 years, 3 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.88: +5 -5 lines
Update to 3.37.3 Changelog: No new functionality is introduced in these releases. The following compatibility fixes are included. Users are encouraged to upgrade. * Bug 1462303 - Connecting to a server that was recently upgraded to TLS 1.3 would result in a SSL_RX_MALFORMED_SERVER_HELLO error. * Bug 1460673 - Fix a rare bug with PKCS#12 files.
Revision 1.88, Fri Jun 1 12:18:03 2018 UTC (5 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.87: +5 -5 lines
Update to 3.37.1 Changelog: No new functionality is introduced in these releases. The following compatibility fixes are included. Users are encouraged to upgrade. * Bug 1462303 - Connecting to a server that was recently upgraded to TLS 1.3 would result in a SSL_RX_MALFORMED_SERVER_HELLO error. * Bug 1460673 - Fix a rare bug with PKCS#12 files.
Revision 1.87, Thu May 10 20:20:41 2018 UTC (5 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.86: +5 -5 lines
Update to 3.37 Changelog: * The TLS 1.3 implementation was updated to Draft 28. * An issue where NSS erroneously accepted HRR requests was resolved. * Added HACL* Poly1305 32-bit * The code to support the NPN protocol has been fully removed. * NSS allows servers now to register ALPN handling callbacks to select a protocol. * NSS supports opening SQL databases in read-only mode. * On Linux, some build configurations can use glibc's function getentropy(), which uses the kernel's getrandom() function. * The CA list was updated to version 2.24, which removed the following CA certificates: - CN = S-TRUST Universal Root CA - CN = TC TrustCenter Class 3 CA II - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
Revision 1.86, Thu Apr 12 14:32:51 2018 UTC (5 years, 5 months ago) by bouyer
Branch: MAIN
Changes since 1.85: +2 -2 lines
Adjust patch for 3.36.1
Revision 1.85, Thu Apr 12 10:37:11 2018 UTC (5 years, 5 months ago) by bouyer
Branch: MAIN
Changes since 1.84: +2 -1 lines
!defined(__ANDROID__) doesn't mean this is a linux host. Check defined(__linux__) instead. XXX do other systems have <sys/auxv.h> ?
Revision 1.83.2.1, Wed Apr 11 11:48:59 2018 UTC (5 years, 5 months ago) by bsiegert
Branch: pkgsrc-2018Q1
Changes since 1.83: +5 -5 lines
Pullup ticket #5735 - requested by maya devel/nss: bugfix Revisions pulled up: - devel/nss/Makefile 1.149 - devel/nss/distinfo 1.84 --- Module Name: pkgsrc Committed By: maya Date: Tue Apr 10 15:21:30 UTC 2018 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: nss: update to 3.36.1 No new functionality is introduced in this release. This is a patch release to fix regression bugs. In NSS version 3.35 the iteration count in optimized builds, which is used for password based encryption algorithm related to encrypted PKCS#7 or PKCS#12 data, was increased to one million iterations. That change had caused an interoperability regression with operating systems that are limited to 600 K iterations. NSS 3.36.1 has been changed to use the same 600 K limit. Certain smartcard operations could result in a deadlock. This Bugzilla query returns all the bugs fixed in NSS 3.36.1: https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36.1
Revision 1.84, Tue Apr 10 15:21:29 2018 UTC (5 years, 5 months ago) by maya
Branch: MAIN
Changes since 1.83: +5 -5 lines
nss: update to 3.36.1 No new functionality is introduced in this release. This is a patch release to fix regression bugs. In NSS version 3.35 the iteration count in optimized builds, which is used for password based encryption algorithm related to encrypted PKCS#7 or PKCS#12 data, was increased to one million iterations. That change had caused an interoperability regression with operating systems that are limited to 600 K iterations. NSS 3.36.1 has been changed to use the same 600 K limit. Certain smartcard operations could result in a deadlock. This Bugzilla query returns all the bugs fixed in NSS 3.36.1: https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36.1
Revision 1.79.2.1, Thu Mar 22 06:56:21 2018 UTC (5 years, 6 months ago) by spz
Branch: pkgsrc-2017Q4
Changes since 1.79: +5 -7 lines
Pullup ticket #5728 - requested by maya devel/nspr: dependency update devel/nss: dependency update www/firefox-l10n: dependent update www/firefox: security update Revisions pulled up: - devel/nspr/Makefile 1.94-1.95 - devel/nspr/distinfo 1.48-1.49 - devel/nspr/patches/patch-az deleted - devel/nspr/patches/patch-nspr_pr_include_md___pth.h 1.1 - devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c 1.1 - devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h deleted - devel/nss/Makefile 1.146,1.148 - devel/nss/PLIST 1.24 - devel/nss/distinfo 1.81,1.83 - devel/nss/patches/patch-nss_lib_freebl_config.mk deleted - devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h deleted - www/firefox-l10n/Makefile 1.121-1.123 - www/firefox-l10n/distinfo 1.111-1.113 - www/firefox/Makefile 1.320-1.321,1.324 - www/firefox/PLIST 1.127 - www/firefox/distinfo 1.307-1.309 - www/firefox/mozilla-common.mk 1.105-1.106 - www/firefox/patches/patch-aa 1.56 - www/firefox/patches/patch-build_gyp.mozbuild 1.8 - www/firefox/patches/patch-build_moz.configure_keyfiles.configure 1.5 - www/firefox/patches/patch-build_moz.configure_memory.configure deleted - www/firefox/patches/patch-config_baseconfig.mk deleted - www/firefox/patches/patch-config_external_moz.build 1.17 - www/firefox/patches/patch-dom_media_moz.build 1.9 - www/firefox/patches/patch-gfx_skia_generate__mozbuild.py 1.8 - www/firefox/patches/patch-gfx_skia_moz.build 1.15 - www/firefox/patches/patch-gfx_thebes_moz.build 1.9 - www/firefox/patches/patch-media_libcubeb_gtest_moz.build 1.2 - www/firefox/patches/patch-media_libtheora_moz.build 1.8 - www/firefox/patches/patch-media_libvorbis_moz.build 1.4 - www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc 1.1 - www/firefox/patches/patch-modules_libpref_init_all.js 1.7 - www/firefox/patches/patch-modules_pdfium_update.sh 1.2 - www/firefox/patches/patch-netwerk_dns_moz.build 1.8 - 
www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c deleted - www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c deleted - www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs deleted - www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json 1.1 - www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs 1.1 - www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h deleted - www/firefox/patches/patch-toolkit_moz.configure 1.10 - www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp deleted - www/firefox/patches/patch-xpcom_build_BinaryPath.h 1.3-1.4 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 24 16:21:43 UTC 2018 Modified Files: pkgsrc/devel/nspr: Makefile distinfo Added Files: pkgsrc/devel/nspr/patches: patch-nspr_pr_include_md___pth.h patch-nspr_pr_src_pthreads_ptthread.c Removed Files: pkgsrc/devel/nspr/patches: patch-az patch-nsprpub_pr_include_md__pth.h Log Message: Update to 4.18 Changelog: NSPR 4.18 contains the following changes: - removed HP-UX DCE threads support - improvements for the Windows implementation of PR_SetCurrentThreadName - fixes for the Windows implementation of TCP Fast Open To generate a diff of this commit: cvs rdiff -u -r1.93 -r1.94 pkgsrc/devel/nspr/Makefile cvs rdiff -u -r1.47 -r1.48 pkgsrc/devel/nspr/distinfo cvs rdiff -u -r1.4 -r0 pkgsrc/devel/nspr/patches/patch-az cvs rdiff -u -r0 -r1.1 \ pkgsrc/devel/nspr/patches/patch-nspr_pr_include_md___pth.h \ pkgsrc/devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c cvs rdiff -u -r1.3 -r0 \ pkgsrc/devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 01:06:18 UTC 2018 Modified Files: pkgsrc/devel/nspr: Makefile distinfo Log Message: Update to 4.29 
Changelog: NSPR 4.19 contains the following changes: - changed order of shutdown cleanup to avoid a crash on Mac OSX - build compatibility with Android NDK r16 and glibc 2.26 To generate a diff of this commit: cvs rdiff -u -r1.94 -r1.95 pkgsrc/devel/nspr/Makefile cvs rdiff -u -r1.48 -r1.49 pkgsrc/devel/nspr/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 24 16:23:52 UTC 2018 Modified Files: pkgsrc/devel/nss: Makefile distinfo Removed Files: pkgsrc/devel/nss/patches: patch-nss_lib_freebl_config.mk patch-nss_lib_freebl_verified_kremlib.h Log Message: Update to 3.35 Changelog: The NSS team has released Network Security Services (NSS) 3.35, which is a minor release. Summary of the major changes included in this release: - The default database storage format has been changed to SQL, using filenames cert9.db, key4.db, pkcs11.txt. - TLS 1.3 support has been updated to draft -23, along with additional significant changes. - Support for TLS compression was removed. - Added formally verified implementations of non-vectorized Chacha20 and non-vectorized Poly1305 64-bit. - When creating encrypted PKCS#7 or PKCS#12 data, NSS uses a higher iteration count for stronger security. - The CA trust list was updated to version 2.22. To generate a diff of this commit: cvs rdiff -u -r1.145 -r1.146 pkgsrc/devel/nss/Makefile cvs rdiff -u -r1.80 -r1.81 pkgsrc/devel/nss/distinfo cvs rdiff -u -r1.2 -r0 \ pkgsrc/devel/nss/patches/patch-nss_lib_freebl_config.mk cvs rdiff -u -r1.1 -r0 \ pkgsrc/devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 01:07:15 UTC 2018 Modified Files: pkgsrc/devel/nss: Makefile PLIST distinfo Log Message: Update to 3.36 * Require devel/nspr-4.19 Changelog: The NSS team has released Network Security Services (NSS) 3.36, which is a minor release. 
Summary of the major changes included in this release: - Replaced existing vectorized ChaCha20 code with verified HACL* implementation. - Experimental APIs for TLS session cache handling. To generate a diff of this commit: cvs rdiff -u -r1.147 -r1.148 pkgsrc/devel/nss/Makefile cvs rdiff -u -r1.23 -r1.24 pkgsrc/devel/nss/PLIST cvs rdiff -u -r1.82 -r1.83 pkgsrc/devel/nss/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 31 14:02:18 UTC 2018 Modified Files: pkgsrc/www/firefox: Makefile distinfo Added Files: pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h Log Message: Update to 58.0.1 * Fix build under netbsd-7, PR pkg/52956 Changelog: Fix Mozilla Foundation Security Advisory 2018-05: Arbitrary code execution through unsanitized browser UI When using certain non-default security policies on Windows (for example with Windows Defender Exploit Protection or Webroot security products), Firefox 58.0 would fail to load pages (bug 1433065). 
To generate a diff of this commit: cvs rdiff -u -r1.319 -r1.320 pkgsrc/www/firefox/Makefile cvs rdiff -u -r1.306 -r1.307 pkgsrc/www/firefox/distinfo cvs rdiff -u -r0 -r1.3 \ pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Feb 10 07:02:47 UTC 2018 Modified Files: pkgsrc/www/firefox: Makefile distinfo mozilla-common.mk pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h Log Message: Update to 58.0.2 * Fix segfault on netbsd-7 Changelog: Fix Avoid a signature validation issue during update on macOS Blocklisted graphics drivers related to off main thread painting crashes Tab crash during printing Fix clicking links and scrolling emails on Microsoft Hotmail and Outlook (OWA) webmail To generate a diff of this commit: cvs rdiff -u -r1.320 -r1.321 pkgsrc/www/firefox/Makefile cvs rdiff -u -r1.307 -r1.308 pkgsrc/www/firefox/distinfo cvs rdiff -u -r1.104 -r1.105 pkgsrc/www/firefox/mozilla-common.mk cvs rdiff -u -r1.3 -r1.4 \ pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 00:59:03 UTC 2018 Modified Files: pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk pkgsrc/www/firefox/patches: patch-aa patch-build_gyp.mozbuild patch-config_external_moz.build patch-dom_media_moz.build patch-gfx_skia_generate__mozbuild.py patch-gfx_skia_moz.build patch-gfx_thebes_moz.build patch-media_libcubeb_gtest_moz.build patch-media_libtheora_moz.build patch-media_libvorbis_moz.build patch-modules_pdfium_update.sh patch-netwerk_dns_moz.build patch-toolkit_moz.configure Added Files: pkgsrc/www/firefox/patches: patch-build_moz.configure_keyfiles.configure patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc patch-modules_libpref_init_all.js patch-third__party_rust_simd_.cargo-checksum.json 
patch-third__party_rust_simd_src_x86_avx2.rs Removed Files: pkgsrc/www/firefox/patches: patch-build_moz.configure_memory.configure patch-config_baseconfig.mk patch-netwerk_srtp_src_crypto_hash_hmac.c patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c patch-servo_components_style_properties_helpers_animated__properties.mako.rs patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h patch-toolkit_xre_nsEmbedFunctions.cpp Log Message: Update to 59.0.1 Changelog: 59.0.1 Security fix #CVE-2018-5146: Out of bounds memory write in libvorbis 59.0 New Performance enhancements: - Faster load times for content on the Firefox Home page - Faster page load times by loading either from the networked cache or the cache on the user's hard drive (Race Cache With Network) - Improved graphics rendering using Off-Main-Thread Painting (OMTP) for Mac users (OMTP for Windows was released in Firefox 58) Drag-and-drop to rearrange Top Sites on the Firefox Home page, and customize new windows and tabs in other ways Added features for Firefox Screenshots: - Basic annotation lets the user draw on and highlight saved screenshots - Recropping to change the viewable area of saved screenshots Enhanced WebExtensions API including better support for decentralized protocols and the ability to dynamically register content scripts Improved Real-Time Communications (RTC) capabilities. 
- Implemented RTP Transceiver to give pages more fine grained control over calls - Implemented features to support large scale conferences Added support for W3C specs for pointer events and improved platform integration with added device support for mouse, pen, and touch screen pointer input Added the Ecosia search engine as an option for German Firefox Added the Qwant search engine as an option for French Firefox Added settings in about:preferences to stop websites from asking to send notifications or access your device's camera, microphone, and location, while still allowing trusted websites to use these features Fixed Various security fixes Changed Firefox Private Browsing Mode will remove path information from referrers to prevent cross-site tracking Security fixes: #CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList #CVE-2018-5128: Use-after-free manipulating editor selection ranges #CVE-2018-5129: Out-of-bounds write with malformed IPC messages #CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption #CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources #CVE-2018-5132: WebExtension Find API can search privileged pages #CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized #CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions #CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts #CVE-2018-5136: Same-origin policy violation with data: URL shared workers #CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources #CVE-2018-5138: Android Custom Tab address spoofing through long domain names #CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol #CVE-2018-5141: DOS attack through notifications Push API #CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs #CVE-2018-5143: Self-XSS 
pasting javascript: URL with embedded tab into addressbar #CVE-2018-5126: Memory safety bugs fixed in Firefox 59 #CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 To generate a diff of this commit: cvs rdiff -u -r1.323 -r1.324 pkgsrc/www/firefox/Makefile cvs rdiff -u -r1.126 -r1.127 pkgsrc/www/firefox/PLIST cvs rdiff -u -r1.308 -r1.309 pkgsrc/www/firefox/distinfo cvs rdiff -u -r1.105 -r1.106 pkgsrc/www/firefox/mozilla-common.mk cvs rdiff -u -r1.55 -r1.56 pkgsrc/www/firefox/patches/patch-aa cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/firefox/patches/patch-build_gyp.mozbuild \ pkgsrc/www/firefox/patches/patch-gfx_skia_generate__mozbuild.py \ pkgsrc/www/firefox/patches/patch-media_libtheora_moz.build \ pkgsrc/www/firefox/patches/patch-netwerk_dns_moz.build cvs rdiff -u -r0 -r1.5 \ pkgsrc/www/firefox/patches/patch-build_moz.configure_keyfiles.configure cvs rdiff -u -r1.2 -r0 \ pkgsrc/www/firefox/patches/patch-build_moz.configure_memory.configure \ pkgsrc/www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h cvs rdiff -u -r1.10 -r0 pkgsrc/www/firefox/patches/patch-config_baseconfig.mk cvs rdiff -u -r1.16 -r1.17 \ pkgsrc/www/firefox/patches/patch-config_external_moz.build cvs rdiff -u -r1.8 -r1.9 pkgsrc/www/firefox/patches/patch-dom_media_moz.build \ pkgsrc/www/firefox/patches/patch-gfx_thebes_moz.build cvs rdiff -u -r1.14 -r1.15 \ pkgsrc/www/firefox/patches/patch-gfx_skia_moz.build cvs rdiff -u -r1.1 -r1.2 \ pkgsrc/www/firefox/patches/patch-media_libcubeb_gtest_moz.build \ pkgsrc/www/firefox/patches/patch-modules_pdfium_update.sh cvs rdiff -u -r1.3 -r1.4 \ pkgsrc/www/firefox/patches/patch-media_libvorbis_moz.build cvs rdiff -u -r0 -r1.1 \ pkgsrc/www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc \ pkgsrc/www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json \ pkgsrc/www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs cvs 
rdiff -u -r0 -r1.7 \ pkgsrc/www/firefox/patches/patch-modules_libpref_init_all.js cvs rdiff -u -r1.4 -r0 \ pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c cvs rdiff -u -r1.3 -r0 \ pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c cvs rdiff -u -r1.1 -r0 \ pkgsrc/www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs cvs rdiff -u -r1.9 -r1.10 \ pkgsrc/www/firefox/patches/patch-toolkit_moz.configure cvs rdiff -u -r1.7 -r0 \ pkgsrc/www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 31 14:03:25 UTC 2018 Modified Files: pkgsrc/www/firefox-l10n: Makefile distinfo Log Message: Update to 58.0.1 * Sync with www/firefox-58.0.1 To generate a diff of this commit: cvs rdiff -u -r1.120 -r1.121 pkgsrc/www/firefox-l10n/Makefile cvs rdiff -u -r1.110 -r1.111 pkgsrc/www/firefox-l10n/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Feb 10 07:05:20 UTC 2018 Modified Files: pkgsrc/www/firefox-l10n: Makefile distinfo Log Message: Update to 58.0.2 * Sync with www/firefox-58.0.2 To generate a diff of this commit: cvs rdiff -u -r1.121 -r1.122 pkgsrc/www/firefox-l10n/Makefile cvs rdiff -u -r1.111 -r1.112 pkgsrc/www/firefox-l10n/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 01:00:20 UTC 2018 Modified Files: pkgsrc/www/firefox-l10n: Makefile distinfo Log Message: Update to 59.0.1 * Sync with www/firefox-59.0.1 To generate a diff of this commit: cvs rdiff -u -r1.122 -r1.123 pkgsrc/www/firefox-l10n/Makefile cvs rdiff -u -r1.112 -r1.113 pkgsrc/www/firefox-l10n/distinfo
Revision 1.83 / (download) - annotate - [select for diffs], Sat Mar 17 01:07:15 2018 UTC (5 years, 6 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base
Branch point for: pkgsrc-2018Q1
Changes since 1.82: +5 -5
lines
Diff to previous 1.82 (colored)
Update to 3.36 * Require devel/nspr-4.19 Changelog: The NSS team has released Network Security Services (NSS) 3.36, which is a minor release. Summary of the major changes included in this release: - Replaced existing vectorized ChaCha20 code with verified HACL* implementation. - Experimental APIs for TLS session cache handling.
Revision 1.82 / (download) - annotate - [select for diffs], Sat Feb 24 11:35:48 2018 UTC (5 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.81: +4 -1
lines
Diff to previous 1.81 (colored)
Change default file type back to DBM from SQL. Bump PKGREVISION This back out fixes XML-based files open of misc/libreoffice. The problem is reported by Mustafa Dogan via private e-mail.
Revision 1.81 / (download) - annotate - [select for diffs], Wed Jan 24 16:23:52 2018 UTC (5 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.80: +5 -7
lines
Diff to previous 1.80 (colored)
Update to 3.35 Changelog: The NSS team has released Network Security Services (NSS) 3.35, which is a minor release. Summary of the major changes included in this release: - The default database storage format has been changed to SQL, using filenames cert9.db, key4.db, pkcs11.txt. - TLS 1.3 support has been updated to draft -23, along with additional significant changes. - Support for TLS compression was removed. - Added formally verified implementations of non-vectorized Chacha20 and non-vectorized Poly1305 64-bit. - When creating encrypted PKCS#7 or PKCS#12 data, NSS uses a higher iteration count for stronger security. - The CA trust list was updated to version 2.22.
Revision 1.80 / (download) - annotate - [select for diffs], Mon Jan 22 11:43:14 2018 UTC (5 years, 8 months ago) by jperkin
Branch: MAIN
Changes since 1.79: +3 -3
lines
Diff to previous 1.79 (colored)
nss: Fix build on SunOS with clang.
Revision 1.79 / (download) - annotate - [select for diffs], Mon Nov 27 23:49:06 2017 UTC (5 years, 10 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base
Branch point for: pkgsrc-2017Q4
Changes since 1.78: +5 -5
lines
Diff to previous 1.78 (colored)
Update to 3.34.1 Changelog: The following CA certificate was Re-Added. It was removed in NSS 3.34, but has been re-added with only the Email trust bit set. (bug 1418678) CN = Certum CA, O=Unizeto Sp. z o.o. SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24 Removed entries from certdata.txt for actively distrusted certificates that have expired (bug 1409872). The version of the CA list was set to 2.20.
Revision 1.78 / (download) - annotate - [select for diffs], Thu Nov 16 01:15:57 2017 UTC (5 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.77: +5 -5
lines
Diff to previous 1.77 (colored)
Update to 3.34 The following CA certificates were Added: CN = GDCA TrustAUTH R5 ROOT SHA-256 Fingerprint: BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93 Trust Flags: Websites CN = SSL.com Root Certification Authority RSA SHA-256 Fingerprint: 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69 Trust Flags: Websites, Email CN = SSL.com Root Certification Authority ECC SHA-256 Fingerprint: 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65 Trust Flags: Websites, Email CN = SSL.com EV Root Certification Authority RSA R2 SHA-256 Fingerprint: 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C Trust Flags: Websites CN = SSL.com EV Root Certification Authority ECC SHA-256 Fingerprint: 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8 Trust Flags: Websites CN = TrustCor RootCert CA-1 SHA-256 Fingerprint: D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C Trust Flags: Websites, Email CN = TrustCor RootCert CA-2 SHA-256 Fingerprint: 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65 Trust Flags: Websites, Email CN = TrustCor ECA-1 SHA-256 Fingerprint: 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C Trust Flags: Websites, Email The following CA certificates were Removed: CN = Certum CA, O=Unizeto Sp. z o.o. 
SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24 CN = StartCom Certification Authority SHA-256 Fingerprint: C7:66:A9:BE:F2:D4:07:1C:86:3A:31:AA:49:20:E8:13:B2:D1:98:60:8C:B7:B7:CF:E2:11:43:B8:36:DF:09:EA CN = StartCom Certification Authority SHA-256 Fingerprint: E1:78:90:EE:09:A3:FB:F4:F4:8B:9C:41:4A:17:D6:37:B7:A5:06:47:E9:BC:75:23:22:72:7F:CC:17:42:A9:11 CN = StartCom Certification Authority G2 SHA-256 Fingerprint: C7:BA:65:67:DE:93:A7:98:AE:1F:AA:79:1E:71:2D:37:8F:AE:1F:93:C4:39:7F:EA:44:1B:B7:CB:E6:FD:59:95 CN = TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 SHA-256 Fingerprint: E4:C7:34:30:D7:A5:B5:09:25:DF:43:37:0A:0D:21:6E:9A:79:B9:D6:DB:83:73:A0:C6:9E:B1:CC:31:C7:C5:2A CN = ACEDICOM Root SHA-256 Fingerprint: 03:95:0F:B4:9A:53:1F:3E:19:91:94:23:98:DF:A9:E0:EA:32:D7:BA:1C:DD:9B:C8:5D:B5:7E:D9:40:0B:43:4A CN = Certinomis - Autorité Racine SHA-256 Fingerprint: FC:BF:E2:88:62:06:F7:2B:27:59:3C:8B:07:02:97:E1:2D:76:9E:D1:0E:D7:93:07:05:A8:09:8E:FF:C1:4D:17 CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı SHA-256 Fingerprint: 97:8C:D9:66:F2:FA:A0:7B:A7:AA:95:00:D9:C0:2E:9D:77:F2:CD:AD:A6:AD:6B:A7:4A:F4:B9:1C:66:59:3C:50 CN = PSCProcert SHA-256 Fingerprint: 3C:FC:3C:14:D1:F6:84:FF:17:E3:8C:43:CA:44:0C:00:B9:67:EC:93:3E:8B:FE:06:4C:A1:D7:2C:90:F2:AD:B0 CN = CA 沃通根证书, O=WoSign CA Limited SHA-256 Fingerprint: D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54 CN = Certification Authority of WoSign SHA-256 Fingerprint: 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08 CN = Certification Authority of WoSign G2 SHA-256 Fingerprint: D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16 CN = CA WoSign ECC Root SHA-256 Fingerprint: 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02 libfreebl no longer requires SSE2
instructions. New in NSS 3.34 New Functionality When listing an NSS database using certutil -L, but the database hasn't yet been initialized with any non-empty or empty password, the text "Database needs user init" will be included in the listing. When using certutil to set an inacceptable password in FIPS mode, a correct explanation of acceptable passwords will be printed. SSLKEYLOGFILE is now supported with TLS 1.3, see Bug 1287711 for details. SSLChannelInfo has two new fields (Bug 1396525) SSLNamedGroup originalKeaGroup holds the key exchange group of the original handshake when the session was resumed. PRBool resumed is PR_TRUE when the session is resumed and PR_FALSE otherwise. RSA-PSS signatures are now supported on certificates. Certificates with RSA-PSS or RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS signature on a certificate using the --pss-sign argument to certutil. New Functions Compatibility NSS 3.34 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.34 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Revision 1.77 / (download) - annotate - [select for diffs], Thu Oct 19 15:28:45 2017 UTC (5 years, 11 months ago) by jperkin
Branch: MAIN
Changes since 1.76: +2 -1
lines
Diff to previous 1.76 (colored)
nss: Support SunOS byteswap macros.
Revision 1.76 / (download) - annotate - [select for diffs], Tue Sep 26 10:59:39 2017 UTC (6 years ago) by ryoon
Branch: MAIN
Changes since 1.75: +6 -6
lines
Diff to previous 1.75 (colored)
Update to 3.33 Changelog: Notable Changes in NSS 3.33 TLS compression is no longer supported. API calls that attempt to enable compression are accepted without failure. However, TLS compression will remain disabled. This version of NSS uses a formally verified implementation of Curve25519 on 64-bit systems. The compile time flag DISABLE_ECC has been removed. When NSS is compiled without NSS_FORCE_FIPS=1 startup checks are not performed anymore. Various minor improvements and correctness fixes.
Revision 1.75 / (download) - annotate - [select for diffs], Tue Aug 1 12:15:15 2017 UTC (6 years, 1 month ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base,
pkgsrc-2017Q3
Changes since 1.74: +5 -5
lines
Diff to previous 1.74 (colored)
Update to 3.32 Changelog: Notable Changes: ================ * Various minor improvements and correctness fixes. * The Code Signing trust bit was turned off for all included root certificates. * The Websites (TLS/SSL) trust bit was turned off for the following root certificates: - CN = AddTrust Class 1 CA Root - CN = Swisscom Root CA 2 * The following CA certificates were Removed: - CN = AddTrust Public CA Root - CN = AddTrust Qualified CA Root - CN = China Internet Network Information Center EV Certificates Root - CN = CNNIC ROOT - CN = ComSign Secured CA - CN = GeoTrust Global CA 2 - CN = Secure Certificate Services - CN = Swisscom Root CA 1 - CN = Swisscom Root EV CA 2 - CN = Trusted Certificate Services - CN = UTN-USERFirst-Hardware - CN = UTN-USERFirst-Object
Revision 1.74 / (download) - annotate - [select for diffs], Wed Jun 14 11:18:55 2017 UTC (6 years, 3 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base,
pkgsrc-2017Q2
Changes since 1.73: +5 -5
lines
Diff to previous 1.73 (colored)
Update to 3.31 Changelog: New functionality: ================== * Allow certificates to be specified by RFC7512 PKCS#11 URIs. * Allow querying a certificate object for its temporary or permanent storage  status in a thread safe way. New Functions: ============== * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a  certificate in a thread safe way. * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a  certificate in a thread safe way. * PK11_FindCertFromURI - find a certificate identified by the given URI. * PK11_FindCertsFromURI - find a list of certificates identified by the given  URI. * PK11_GetModuleURI - retrieve the URI of the given module. * PK11_GetTokenURI - retrieve the URI of a token based on the given slot  information. * PK11URI_CreateURI - create a new PK11URI object from a set of attributes. * PK11URI_DestroyURI - destroy a PK11URI object. * PK11URI_FormatURI - format a PK11URI object to a string. * PK11URI_GetPathAttribute - retrieve a path attribute with the given name. * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name. * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object. New Macros: =========== * Several new macros that start with PK11URI_PATTR_ for path attributes defined  in RFC7512. * Several new macros that start with PK11URI_QATTR_ for query attributes defined  in RFC7512. Notable Changes: ================ * The APIs that set a TLS version range have been changed to trim the requested  range to the overlap with a systemwide crypto policy, if configured.  SSL_VersionRangeGetSupported can be used to query the overlap between the  library's supported range of TLS versions and the systemwide policy. * Previously, SSL_VersionRangeSet and SSL_VersionRangeSetDefault returned a  failure if the requested version range wasn't fully allowed by the systemwide  crypto policy. 
They have been changed to return success, if at least one TLS  version overlaps between the requested range and the systemwide policy. An  application may call SSL_VersionRangeGet and SSL_VersionRangeGetDefault to  query the TLS version range that was effectively activated. * Corrected the encoding of Domain Name Constraints extensions created by  certutil. * NSS supports a clean seeding mechanism for *NIX systems now using only  /dev/urandom. This is used only when SEED_ONLY_DEV_URANDOM is set at compile  time. * CERT_AsciiToName can handle OIDs in dotted decimal form now. The HG tag is NSS_3_31_RTM. NSS 3.31 requires NSPR 4.15 or newer.
Revision 1.73 / (download) - annotate - [select for diffs], Thu Apr 27 01:47:21 2017 UTC (6 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.72: +5 -5
lines
Diff to previous 1.72 (colored)
Update to 3.30.2 Changelog: The NSS team has released Network Security Services (NSS) 3.30.2, which is a patch release to update the list of root CA certificates. Below is a summary of the changes. Please refer to the full release notes for additional details, including the SHA256 fingerprints of the changed CA certificates. Notable Changes: * The following CA certificates were Removed - O = Japanese Government, OU = ApplicationCA - CN = WellsSecure Public Root Certificate Authority - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 - CN = Microsec e-Szigno Root * The following CA certificates were Added - CN = D-TRUST Root CA 3 2013 - CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 * The version number of the updated root CA list has been set to 2.14 (Bug 1350859) * Domain name constraints for one of the new CAs have been added to the NSS code (Bug 1349705)
Revision 1.72 / (download) - annotate - [select for diffs], Thu Apr 13 03:21:05 2017 UTC (6 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.71: +5 -5
lines
Diff to previous 1.71 (colored)
Update to 3.30.1 Changelog: Not available.
Revision 1.71 / (download) - annotate - [select for diffs], Fri Mar 31 23:39:52 2017 UTC (6 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.70: +5 -5
lines
Diff to previous 1.70 (colored)
Update to 3.30 Changelog: New in NSS 3.30: ================ * In the PKCS#11 root CA module (nssckbi), CAs with positive trust are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY, set to true. Applications that need to distinguish them from other root CAs may use the exported function PK11_HasAttributeSet. * Support for callback functions that can be used to monitor SSL/TLS alerts that are sent or received. Notable Changes: ================ * The TLS server code has been enhanced to support session tickets when no RSA certificate is configured. * RSA-PSS signatures produced by key pairs with a modulus bit length that is not a multiple of 8 are now supported. * The pk12util tool now supports importing and exporting data encrypted in the AES based schemes defined in PKCS#5 v2.1.
Revision 1.70 / (download) - annotate - [select for diffs], Tue Mar 7 20:53:22 2017 UTC (6 years, 6 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base,
pkgsrc-2017Q1
Changes since 1.69: +5 -5
lines
Diff to previous 1.69 (colored)
Update to 3.29.3 Changelog: The NSS team has released Network Security Services (NSS) 3.29.3 No new functionality is introduced in this release. This is a patch release to fix a rare crash when initializing an SSL socket fails. The NSS team has released Network Security Services (NSS) 3.29.2 No new functionality is introduced in this release. This is a patch release to fix an issue with TLS session tickets.
Revision 1.69 / (download) - annotate - [select for diffs], Mon Feb 20 12:30:50 2017 UTC (6 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.68: +5 -5
lines
Diff to previous 1.68 (colored)
Update to 3.29.1 Changelog: Fix binary compatibility issues in 3.29
Revision 1.68 / (download) - annotate - [select for diffs], Sat Feb 11 07:24:55 2017 UTC (6 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.67: +5 -5
lines
Diff to previous 1.67 (colored)
Update to 3.29 Changelog: Notable Changes: ================ * Fixed a NSS 3.28 regression in the signature scheme flexibility that causes connectivity issues between iOS 8 clients and NSS servers with ECDSA certificates (bug1334114 <https://bugzilla.mozilla.org/show_bug.cgi?id=1334114>).
Revision 1.67 / (download) - annotate - [select for diffs], Sun Feb 5 02:41:13 2017 UTC (6 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.66: +1 -2
lines
Diff to previous 1.66 (colored)
Disable internal sqlite3. Bump PKGREVISION It is my mistake. Builds confirmed on NetBSD/amd64 current and macOS Sierra.
Revision 1.66 / (download) - annotate - [select for diffs], Thu Feb 2 07:25:44 2017 UTC (6 years, 7 months ago) by yyamano
Branch: MAIN
Changes since 1.65: +2 -1
lines
Diff to previous 1.65 (colored)
Always use the sqlite3 library in NSS to avoid installation error on Mac OS X, just like other platforms.
Revision 1.65 / (download) - annotate - [select for diffs], Fri Jan 20 15:01:23 2017 UTC (6 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.64: +5 -5
lines
Diff to previous 1.64 (colored)
Update to 3.28.1
* Bump nspr requirement

Changelog:
3.28.1:
The NSS team has released Network Security Services (NSS) 3.28.1, which is a patch release.
Below is a summary of the changes. Please refer to the full release notes for additional details, including the SHA256 fingerprints of the changed CA certificates.
No new functionality is introduced in this release. This is a patch release to update the list of root CA certificates and address a minor TLS compatibility issue that some applications experienced with NSS 3.28.

Notable Changes:
* The following CA certificates were Removed
  - CN = Buypass Class 2 CA 1
  - CN = Root CA Generalitat Valenciana
  - OU = RSA Security 2048 V3
* The following CA certificates were Added
  - OU = AC RAIZ FNMT-RCM
  - CN = Amazon Root CA 1
  - CN = Amazon Root CA 2
  - CN = Amazon Root CA 3
  - CN = Amazon Root CA 4
  - CN = LuxTrust Global Root 2
  - CN = Symantec Class 1 Public Primary Certification Authority - G4
  - CN = Symantec Class 1 Public Primary Certification Authority - G6
  - CN = Symantec Class 2 Public Primary Certification Authority - G4
  - CN = Symantec Class 2 Public Primary Certification Authority - G6
* The version number of the updated root CA list has been set to 2.11
* A misleading assertion/alert has been removed when NSS tries to flush data to the peer but the connection was already reset.

3.28:
The NSS team has released Network Security Services (NSS) 3.28, which is a minor release.
Below is a summary of the changes. Please refer to the full release notes for additional details:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes

Request to test and prepare for TLS 1.3 (draft):
================================================
To prepare for a change of default build options, which is planned for the future NSS 3.29 release, we'd like to encourage all users of NSS 3.28 to override the standard NSS build configuration to enable support for (draft) TLS 1.3 by defining NSS_ENABLE_TLS_1_3=1 at build time.
We'd like to ask you to please give feedback to the NSS developers for any compatibility issues that you might encounter in your tests.
For providing feedback, you may send a message to this mailing list, see:
  https://lists.mozilla.org/listinfo/dev-tech-crypto
or please report a bug here:
  https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS

New functionality:
==================
* NSS includes support for TLS 1.3 draft -18. This includes a number of improvements to TLS 1.3:
  - The signed certificate timestamp, used in certificate transparency, is supported in TLS 1.3.
  - Key exporters for TLS 1.3 are supported. This includes the early key exporter, which can be used if 0-RTT is enabled. Note that there is a difference between TLS 1.3 and key exporters in older versions of TLS. TLS 1.3 does not distinguish between an empty context and no context.
  - The TLS 1.3 (draft) protocol can be enabled, by defining NSS_ENABLE_TLS_1_3=1 when building NSS.
* NSS includes support for the X25519 key exchange algorithm, which is supported and enabled by default in all versions of TLS.

New Functions:
==============
* SSL_ExportEarlyKeyingMaterial
* SSL_SendAdditionalKeyShares
* SSL_SignatureSchemePrefSet
* SSL_SignatureSchemePrefGet

Notable Changes:
================
* NSS can no longer be compiled with support for additional elliptic curves. This was previously possible by replacing certain NSS source files.
* NSS will now detect the presence of tokens that support additional elliptic curves and enable those curves for use in TLS. Note that this detection has a one-off performance cost, which can be avoided by using the SSL_NamedGroupConfig function to limit supported groups to those that NSS provides.
* PKCS#11 bypass for TLS is no longer supported and has been removed.
* Support for "export" grade SSL/TLS cipher suites has been removed.
* NSS now uses the signature schemes definition in TLS 1.3. This also affects TLS 1.2. NSS will now only generate signatures with the combinations of hash and signature scheme that are defined in TLS 1.3, even when negotiating TLS 1.2.
  - This means that SHA-256 will only be used with P-256 ECDSA certificates, SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates. SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward compatibility reasons.
  - New functions to configure signature schemes are provided: SSL_SignatureSchemePrefSet, SSL_SignatureSchemePrefGet. The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are now deprecated.
  - NSS will now no longer assume that default signature schemes are supported by a peer if there was no commonly supported signature scheme.
* NSS will now check if RSA-PSS signing is supported by the token that holds the private key prior to using it for TLS.
* The certificate validation code contains checks to no longer trust certificates that are issued by old WoSign and StartCom CAs after October 21, 2016. This is equivalent to the behavior that Mozilla will release with Firefox 51.
Revision 1.64 / (download) - annotate - [select for diffs], Tue Nov 29 22:51:12 2016 UTC (6 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base,
pkgsrc-2016Q4
Changes since 1.63: +5 -5
lines
Diff to previous 1.63 (colored)
Update to 3.27.2 Changelog: The NSS Development Team announces the release of NSS 3.27.2, which is a patch release to address a memory leak in the TLS implementation. No new functionality is introduced in this release. Notable Changes: * Bug 1318561 - SSL_SetTrustAnchors leaks
Revision 1.63 / (download) - annotate - [select for diffs], Sat Oct 8 10:26:12 2016 UTC (6 years, 11 months ago) by ryoon
Branch: MAIN
Changes since 1.62: +5 -5
lines
Diff to previous 1.62 (colored)
Update to 3.27.1 Changelog: The NSS team has released Network Security Services (NSS) 3.27.1. This is a patch release to address a TLS compatibility issue that some applications experienced with NSS 3.27. Notable Changes: Availability of the TLS 1.3 (draft) implementation has been re-disabled in the default build. Previous versions of NSS made TLS 1.3 (draft) available only when compiled with NSS_ENABLE_TLS_1_3. NSS 3.27 set this value on by default, allowing TLS 1.3 (draft) to be disabled using NSS_DISABLE_TLS_1_3, although the maximum version used by default remained TLS 1.2. However, some applications query the list of protocol versions that are supported by the NSS library, and enable all supported TLS protocol versions. Because NSS 3.27 enabled compilation of TLS 1.3 (draft) by default, it caused those applications to enable TLS 1.3 (draft). This resulted in connectivity failures, as some TLS servers are version 1.3 intolerant, and failed to negotiate an earlier TLS version with NSS 3.27 clients.
Revision 1.62 / (download) - annotate - [select for diffs], Fri Sep 30 11:59:12 2016 UTC (6 years, 11 months ago) by ryoon
Branch: MAIN
Changes since 1.61: +7 -7
lines
Diff to previous 1.61 (colored)
Update to 3.27

Changelog:
The NSS team has released Network Security Services (NSS) 3.27, which is a minor release.
Below is a summary of the changes. Please refer to the full release notes for additional details, including the SHA256 fingerprints of the changed CA certificates.

New functionality:
* Allow custom named group priorities for TLS key exchange handshake (SSL_NamedGroupConfig).
* Added support for RSA-PSS signatures in TLS 1.2 and TLS 1.3

New Functions:
* SSL_NamedGroupConfig

Notable Changes:
* NPN can not be enabled anymore.
* Hard limits on the maximum number of TLS records encrypted with the same key are enforced.
* Disabled renegotiation in DTLS.
* The following CA certificates were Removed
  - CN = IGC/A, O = PM/SGDN, OU = DCSSI
  - CN = Juur-SK, O = AS Sertifitseerimiskeskus
  - CN = EBG Elektronik Sertifika Hizmet Sağlayıcısı
  - CN = S-TRUST Authentication and Encryption Root CA 2005:PN
  - O = VeriSign, Inc., OU = Class 1 Public Primary Certification Authority
  - O = VeriSign, Inc., OU = Class 2 Public Primary Certification Authority - G2
  - O = VeriSign, Inc., OU = Class 3 Public Primary Certification Authority
  - O = Equifax, OU = Equifax Secure Certificate Authority
  - CN = Equifax Secure eBusiness CA-1
  - CN = Equifax Secure Global eBusiness CA-1

The full release notes are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.27_release_notes
Revision 1.61 / (download) - annotate - [select for diffs], Sat Jul 2 12:22:47 2016 UTC (7 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base,
pkgsrc-2016Q3
Changes since 1.60: +5 -5
lines
Diff to previous 1.60 (colored)
Update to 3.25

Changelog:
The NSS team has released Network Security Services (NSS) 3.25, which is a minor release.
Below is a short summary of the changes. Please refer to the full release notes for additional details.

New functionality:
* Implemented DHE key agreement for TLS 1.3
* Added support for ChaCha with TLS 1.3
* Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
* In previous versions, when using client authentication with TLS 1.2, NSS only supported certificate_verify messages that used the same signature hash algorithm as used by the PRF. This limitation has been removed.
* Several functions have been added to the public API of the NSS Cryptoki Framework.

New Functions:
* NSSCKFWSlot_GetSlotID
* NSSCKFWSession_GetFWSlot
* NSSCKFWInstance_DestroySessionHandle
* NSSCKFWInstance_FindSessionHandle

Notable Changes:
* An SSL socket can no longer be configured to allow both TLS 1.3 and SSL v3
* Regression fix: NSS no longer reports a failure if an application attempts to disable the SSL v2 protocol.
* The list of trusted CA certificates has been updated to version 2.8
* The following CA certificate was Removed
  - CN = Sonera Class1 CA
* The following CA certificates were Added
  - CN = Hellenic Academic and Research Institutions RootCA 2015
  - CN = Hellenic Academic and Research Institutions ECC RootCA 2015
  - CN = Certplus Root CA G1
  - CN = Certplus Root CA G2
  - CN = OpenTrust Root CA G1
  - CN = OpenTrust Root CA G2
  - CN = OpenTrust Root CA G3
Revision 1.60 / (download) - annotate - [select for diffs], Wed May 25 13:17:13 2016 UTC (7 years, 4 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base,
pkgsrc-2016Q2
Changes since 1.59: +6 -6
lines
Diff to previous 1.59 (colored)
Update to 3.24
* Require nspr 4.12 or later, from he@. Thank you.

Changelog:
The NSS team has released Network Security Services (NSS) 3.24, which is a minor release.
Below is a short summary of the changes. Please refer to the full release notes for additional details.

New functionality:
* NSS softoken has been updated with the latest NIST guidance (as of 2015)
* NSS softoken has also been updated to allow NSS to run in FIPS level-1 (no password).
* SSL_ConfigServerCert function has been added for configuring SSL/TLS server sockets with a certificate and private key. This method should be used in preference to SSL_ConfigSecureServer, SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, and SSL_SetSignedCertTimestamps.
* Added PORTCheapArena for temporary arenas allocated on the stack.

New Functions:
* SSL_ConfigServerCert - Configures an SSL/TLS socket with a certificate, private key and other information.
* PORT_InitCheapArena - This initializes an arena that was created on the stack. See PORTCheapArenaPool.
* PORT_DestroyCheapArena - This destroys an arena that was created on the stack. See PORTCheapArenaPool.

New Types
* SSLExtraServerCertData - This struct is optionally passed as an argument to SSL_ConfigServerCert. It contains supplementary information about a certificate, such as the intended type of the certificate, stapled OCSP responses, or signed certificate timestamps (used for certificate transparency).
* PORTCheapArenaPool - A stack-allocated arena pool, to be used for temporary arena allocations.

New Macros
* CKM_TLS12_MAC
* SEC_OID_TLS_ECDHE_PSK - This OID is used to govern use of the TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is only used for session resumption in TLS 1.3.

Notable Changes:
* The following functions have been deprecated (applications should use the new SSL_ConfigServerCert function instead):
  * SSL_SetStapledOCSPResponses
  * SSL_SetSignedCertTimestamps
  * SSL_ConfigSecureServer
  * SSL_ConfigSecureServerWithCertChain
* Function NSS_FindCertKEAType is now deprecated, as it reports a misleading value for certificates that might be used for signing rather than key exchange.
* SSLAuthType has been updated to define a larger number of authentication key types.
* The member attribute authAlgorithm of type SSLCipherSuiteInfo has been deprecated. Instead, applications should use the newly added attribute authType.
* ssl_auth_rsa has been renamed to ssl_auth_rsa_decrypt.
* On Linux platforms that define FREEBL_LOWHASH, a shared library has been added: libfreeblpriv3
* Most code related to the SSL v2 has been removed, including the ability to actively send a SSL v2 compatible client hello. However, the server side implementation of the SSL/TLS protocol continues to support processing of received v2 compatible client hello messages.
* NSS supports a mechanism to log SSL/TLS key material to a logfile if the environment variable named SSLKEYLOGFILE is set. NSS has been changed to disable this functionality in optimized builds by default. In order to enable the functionality in optimized builds, the symbol NSS_ALLOW_SSLKEYLOGFILE must be defined when building NSS.
* NSS has been updated to be protected against the Cachebleed attack.
* Support for DTLS compression has been disabled.
* Support for TLS 1.3 has been improved. This includes support for DTLS 1.3. Note that TLS 1.3 support is experimental and is not suitable for production use.
Revision 1.59 / (download) - annotate - [select for diffs], Sun Apr 17 19:27:10 2016 UTC (7 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.58: +7 -7
lines
Diff to previous 1.58 (colored)
Update to 3.23

Changelog:
The NSS team has released Network Security Services (NSS) 3.23, which is a minor release.

The following security-relevant bug has been resolved in NSS 3.23. Users are encouraged to upgrade immediately.
* Bug 1245528 (CVE-2016-1950): Fixed a heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or execution of arbitrary code with the permissions of the user.

New functionality:
* ChaCha20/Poly1305 cipher and TLS cipher suites now supported (bug 917571, bug 1227905)
* Experimental-only support TLS 1.3 1-RTT mode (draft-11). This code is not ready for production use.

New Functions:
* SSL_SetDowngradeCheckVersion - Set maximum version for new ServerRandom anti-downgrade mechanism

Notable Changes:
* The copy of SQLite shipped with NSS has been updated to version 3.10.2 (bug 1234698)
* The list of TLS extensions sent in the TLS handshake has been reordered to improve compatibility of the Extended Master Secret feature with servers (bug 1243641)
* The build time environment variable NSS_ENABLE_ZLIB has been renamed to NSS_SSL_ENABLE_ZLIB (Bug 1243872).
* The build time environment variable NSS_DISABLE_CHACHAPOLY was added, which can be used to prevent compilation of the ChaCha20/Poly1305 code.
* The following CA certificates were Removed
  - Staat der Nederlanden Root CA
  - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  - NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado
  - VeriSign Class 1 Public PCA G2
  - VeriSign Class 3 Public PCA
  - VeriSign Class 3 Public PCA - G2
  - CA Disig
* The following CA certificates were Added
  - SZAFIR ROOT CA2
  - Certum Trusted Network CA 2
* The following CA certificate had the Email trust bit turned on
  - Actalis Authentication Root CA

The full release notes, including the SHA256 fingerprints of the changed CA certificates, are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes
Revision 1.54.2.1 / (download) - annotate - [select for diffs], Sun Apr 3 21:02:56 2016 UTC (7 years, 5 months ago) by spz
Branch: pkgsrc-2015Q4
Changes since 1.54: +5 -5
lines
Diff to previous 1.54 (colored) next main 1.55 (colored)
Pullup ticket #4952 - requested by bsiegert
devel/nss: security update

Revisions pulled up:
- devel/nss/Makefile 1.106
- devel/nss/distinfo 1.55

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: ryoon
Date: Sat Feb 6 22:09:56 UTC 2016

Modified Files:
pkgsrc/devel/nss: Makefile distinfo

Log Message:
Update to 3.22

Changelog:
The NSS team has released Network Security Services (NSS) 3.22, which is a minor release.

New functionality:
* RSA-PSS signatures are now supported (bug 1215295)
* Pseudorandom functions based on hashes other than SHA-1 are now supported
* Enforce an External Policy on NSS from a config file (bug 1009429)

New Functions:
* PK11_SignWithMechanism - an extended version PK11_Sign()
* PK11_VerifyWithMechanism - an extended version of PK11_Verify()
* SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp TLS extension data
* SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp TLS extension data

New Types:
* ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
* Constants for several object IDs are added to SECOidTag

New Macros:
* SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
* NSS_USE_ALG_IN_SSL
* NSS_USE_POLICY_IN_SSL
* NSS_RSA_MIN_KEY_SIZE
* NSS_DH_MIN_KEY_SIZE
* NSS_DSA_MIN_KEY_SIZE
* NSS_TLS_VERSION_MIN_POLICY
* NSS_TLS_VERSION_MAX_POLICY
* NSS_DTLS_VERSION_MIN_POLICY
* NSS_DTLS_VERSION_MAX_POLICY
* CKP_PKCS5_PBKD2_HMAC_SHA224
* CKP_PKCS5_PBKD2_HMAC_SHA256
* CKP_PKCS5_PBKD2_HMAC_SHA384
* CKP_PKCS5_PBKD2_HMAC_SHA512
* CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported)
* CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported)
* CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported)

Notable Changes:
* NSS C++ tests are built by default, requiring a C++11 compiler. Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.

The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.

To generate a diff of this commit:
cvs rdiff -u -r1.105 -r1.106 pkgsrc/devel/nss/Makefile
cvs rdiff -u -r1.54 -r1.55 pkgsrc/devel/nss/distinfo
Revision 1.58 / (download) - annotate - [select for diffs], Tue Mar 15 03:12:06 2016 UTC (7 years, 6 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base,
pkgsrc-2016Q1
Changes since 1.57: +5 -5
lines
Diff to previous 1.57 (colored)
Update to 3.22.3 Changelog: The NSS Development Team announces the release of NSS 3.22.3, which is a patch release for NSS 3.22. No new functionality is introduced in this release. The following bugs have been resolved in NSS 3.22.3 * Bug 1243641 - Increase compatibility of TLS extended master secret, don't send an empty TLS extension last in the handshake
Revision 1.57 / (download) - annotate - [select for diffs], Mon Mar 7 12:31:17 2016 UTC (7 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.56: +5 -5
lines
Diff to previous 1.56 (colored)
Update to 3.22.2 Changelog: New root certificates backported from 3.23.
Revision 1.56 / (download) - annotate - [select for diffs], Wed Feb 17 22:00:14 2016 UTC (7 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.55: +5 -5
lines
Diff to previous 1.55 (colored)
Update to 3.22.1 Changelog: The NSS Development Team announces the release of NSS 3.22.1 No new functionality is introduced in this release. Notable Changes: * NSS has been changed to use the PR_GetEnvSecure function that was made available in NSPR 4.12
Revision 1.55 / (download) - annotate - [select for diffs], Sat Feb 6 22:09:55 2016 UTC (7 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.54: +5 -5
lines
Diff to previous 1.54 (colored)
Update to 3.22

Changelog:
The NSS team has released Network Security Services (NSS) 3.22, which is a minor release.

New functionality:
* RSA-PSS signatures are now supported (bug 1215295)
* Pseudorandom functions based on hashes other than SHA-1 are now supported
* Enforce an External Policy on NSS from a config file (bug 1009429)

New Functions:
* PK11_SignWithMechanism - an extended version PK11_Sign()
* PK11_VerifyWithMechanism - an extended version of PK11_Verify()
* SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp TLS extension data
* SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp TLS extension data

New Types:
* ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
* Constants for several object IDs are added to SECOidTag

New Macros:
* SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
* NSS_USE_ALG_IN_SSL
* NSS_USE_POLICY_IN_SSL
* NSS_RSA_MIN_KEY_SIZE
* NSS_DH_MIN_KEY_SIZE
* NSS_DSA_MIN_KEY_SIZE
* NSS_TLS_VERSION_MIN_POLICY
* NSS_TLS_VERSION_MAX_POLICY
* NSS_DTLS_VERSION_MIN_POLICY
* NSS_DTLS_VERSION_MAX_POLICY
* CKP_PKCS5_PBKD2_HMAC_SHA224
* CKP_PKCS5_PBKD2_HMAC_SHA256
* CKP_PKCS5_PBKD2_HMAC_SHA384
* CKP_PKCS5_PBKD2_HMAC_SHA512
* CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported)
* CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported)
* CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported)

Notable Changes:
* NSS C++ tests are built by default, requiring a C++11 compiler. Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.

The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.
Revision 1.54 / (download) - annotate - [select for diffs], Thu Dec 17 13:39:59 2015 UTC (7 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base
Branch point for: pkgsrc-2015Q4
Changes since 1.53: +2 -1
lines
Diff to previous 1.53 (colored)
Fix build under GCC 4.5.3 (NetBSD 6)
Revision 1.53 / (download) - annotate - [select for diffs], Fri Nov 20 18:54:50 2015 UTC (7 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.52: +5 -5
lines
Diff to previous 1.52 (colored)
Update to 3.21
* Disable gtest option

Changelog:
The NSS team has released Network Security Services (NSS) 3.21, which is a minor release.

New functionality:
* certutil now supports a --rename option to change a nickname (bug 1142209)
* TLS extended master secret extension (RFC 7627) is supported (bug 1117022)
* New info functions added for use during mid-handshake callbacks (bug 1084669)

New Functions:
* NSS_OptionSet - sets NSS global options
* NSS_OptionGet - gets the current value of NSS global options
* SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name string, module parameters string, NSS specific parameters string, and NSS configuration parameter string. The module represented by the module structure is not loaded. The difference with SECMOD_CreateModule is the new function handles NSS configuration parameter strings.
* SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior to the handshake being completed, for use with the callbacks that are invoked during the handshake
* SSL_SignaturePrefSet - configures the enabled signature and hash algorithms for TLS
* SSL_SignaturePrefGet - retrieves the currently configured signature and hash algorithms
* SSL_SignatureMaxCount - obtains the maximum number signature algorithms that can be configured with SSL_SignaturePrefSet
* NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared library string, module name string, module parameters string, NSS specific parameters string, and NSS configuration parameter strings. The returned strings must be freed by the caller. The difference with NSS_ArgParseModuleSpec is the new function handles NSS configuration parameter strings.
* NSSUTIL_MkModuleSpecEx - take a shared library string, module name string, module parameters string, NSS specific parameters string, and NSS configuration parameter string and returns a module string which the caller must free when it is done. The difference with NSS_MkModuleSpec is the new function handles NSS configuration parameter strings.

New Types:
* CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS12_MASTER_KEY_DERIVE
* CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS12_KEY_AND_MAC_DERIVE
* CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF
* CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC
* SSLHashType - identifies a hash function
* SSLSignatureAndHashAlg - identifies a signature and hash function
* SSLPreliminaryChannelInfo - provides information about the session state prior to handshake completion

New Macros:
* NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or get the minimum RSA key size
* NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or get the minimum DH key size
* NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or get the minimum DSA key size
* CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret
* CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV
* CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and ECDH) cipher suites
* CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS.
* CKM_TLS_MAC - computes TLS Finished MAC
* NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS key exchange
* SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete DTLS record in a UDP packet
* SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid signature and hash algorithm is available
* SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an unsupported signature and hash algorithm is configured
* SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended master secret is missing after having been negotiated
* SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an extended master secret when previously not negotiated
* SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS extended master secret extension (RFC 7627)
* ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that a TLS version has been selected
* ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate that a TLS cipher suite has been selected
* ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all preliminary information has been set

Notable Changes:
* NSS now builds with elliptic curve ciphers enabled by default (bug 1205688)
* NSS now builds with warnings as errors (bug 1182667)
* The following CA certificates were Removed
  - CN = VeriSign Class 4 Public Primary Certification Authority - G3
  - CN = UTN-USERFirst-Network Applications
  - CN = TC TrustCenter Universal CA III
  - CN = A-Trust-nQual-03
  - CN = USERTrust Legacy Secure Server CA
  - Friendly Name: Digital Signature Trust Co. Global CA 1
  - Friendly Name: Digital Signature Trust Co. Global CA 3
  - CN = UTN - DATACorp SGC
  - O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
* The following CA certificate had the Websites trust bit turned off
  - OU = Equifax Secure Certificate Authority
* The following CA certificates were Added
  - CN = Certification Authority of WoSign G2
  - CN = CA WoSign ECC Root
  - CN = OISTE WISeKey Global Root GB CA
Revision 1.50.2.1 / (download) - annotate - [select for diffs], Thu Nov 19 20:39:15 2015 UTC (7 years, 10 months ago) by bsiegert
Branch: pkgsrc-2015Q3
Changes since 1.50: +5 -4
lines
Diff to previous 1.50 (colored) next main 1.51 (colored)
Pullup ticket #4853 - requested by he devel/nss: security fix Revisions pulled up: - devel/nss/Makefile 1.103 - devel/nss/distinfo 1.52 --- Module Name: pkgsrc Committed By: ryoon Date: Tue Nov 3 16:55:07 UTC 2015 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: Update to 3.20.1 Changelog: The following security-relevant bugs have been resolved in NSS 3.20.1. Users are encouraged to upgrade immediately. * Bug 1192028 (CVE-2015-7181) and Bug 1202868 (CVE-2015-7182): Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data. While the majority of NSS uses a separate, unaffected DER decoder, several public routines also accept BER data, and thus are affected. An attacker that successfully exploited these issues can overflow the heap and may be able to obtain remote code execution.
Revision 1.52 / (download) - annotate - [select for diffs], Tue Nov 3 16:55:07 2015 UTC (7 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.51: +5 -5
lines
Diff to previous 1.51 (colored)
Update to 3.20.1 Changelog: The following security-relevant bugs have been resolved in NSS 3.20.1. Users are encouraged to upgrade immediately. * Bug 1192028 (CVE-2015-7181) and Bug 1202868 (CVE-2015-7182): Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data. While the majority of NSS uses a separate, unaffected DER decoder, several public routines also accept BER data, and thus are affected. An attacker that successfully exploited these issues can overflow the heap and may be able to obtain remote code execution.
Revision 1.51 / (download) - annotate - [select for diffs], Tue Nov 3 03:27:51 2015 UTC (7 years, 10 months ago) by agc
Branch: MAIN
Changes since 1.50: +2 -1
lines
Diff to previous 1.50 (colored)
Add SHA512 digests for distfiles for devel category Issues found with existing distfiles: distfiles/eclipse-sourceBuild-srcIncluded-3.0.1.zip distfiles/fortran-utils-1.1.tar.gz distfiles/ivykis-0.39.tar.gz distfiles/enum-1.11.tar.gz distfiles/pvs-3.2-libraries.tgz distfiles/pvs-3.2-linux.tgz distfiles/pvs-3.2-solaris.tgz distfiles/pvs-3.2-system.tgz No changes made to these distinfo files. Otherwise, existing SHA1 digests verified and found to be the same on the machine holding the existing distfiles (morden). All existing SHA1 digests retained for now as an audit trail.
Revision 1.50 / (download) - annotate - [select for diffs], Thu Aug 20 10:54:24 2015 UTC (8 years, 1 month ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base
Branch point for: pkgsrc-2015Q3
Changes since 1.49: +4 -4
lines
Diff to previous 1.49 (colored)
Update to 3.20

Changelog:
The NSS team has released Network Security Services (NSS) 3.20, which is a minor release.

New functionality:
* The TLS library has been extended to support DHE ciphersuites in server applications.

New Functions:
* SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group parameters that can be used by NSS for a server socket.
* SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group parameters that are smaller than the library default's minimum size.

New Types:
* SSLDHEGroupType - Enumerates the set of DHE parameters embedded in NSS that can be used with function SSL_DHEGroupPrefSet.

New Macros:
* SSL_ENABLE_SERVER_DHE - A socket option used to enable or disable DHE ciphersuites for a server socket.

Notable Changes:
* The TLS library has been extended to support DHE ciphersuites in server applications.
* For backwards compatibility reasons, the server side implementation of the TLS library keeps all DHE ciphersuites disabled by default. They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the SSL_OptionSetDefault API.
* The server side implementation of the TLS implementation does not support session tickets when using a DHE ciphersuite (see bug 1174677).
* Support for the following ciphersuites has been added:
  - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* By default, the server side TLS implementation will use DHE parameters with a size of 2048 bits when using DHE ciphersuites.
* NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and 8192 bits, which were copied from version 08 of the Internet-Draft "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS", Appendix A.
* A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a server application to select one or multiple of the embedded DHE parameters as the preferred parameters. The current implementation of NSS will always use the first entry in the array that is passed as a parameter to the SSL_DHEGroupPrefSet API. In future versions of the TLS implementation, a TLS client might signal a preference for certain DHE parameters, and the NSS TLS server side implementation might select a matching entry from the set of parameters that have been configured as preferred on the server side.
* NSS optionally supports the use of weak DHE parameters with DHE ciphersuites to support legacy clients. In order to enable this support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each time this API is called for the first time in a process, a fresh set of weak DHE parameters will be randomly created, which may take a long amount of time. Please refer to the comments in the header file that declares the SSL_EnableWeakDHEPrimeGroup API for additional details.
* The size of the default PQG parameters used by certutil when creating DSA keys has been increased to use 2048 bit parameters.
* The selfserv utility has been enhanced to support the new DHE features.
* NSS no longer supports C compilers that predate the ANSI C standard (C89).
Revision 1.49 / (download) - annotate - [select for diffs], Tue Jun 23 13:16:47 2015 UTC (8 years, 3 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base,
pkgsrc-2015Q2
Changes since 1.48: +4 -4
lines
Diff to previous 1.48 (colored)
Update to 3.19.2 * Approved by wiz@. Changelog: Network Security Services (NSS) is a patch release for NSS 3.19. No new functionality is introduced in this release. This release addresses a backwards compatibility issue with the NSS 3.19.1 release. Notable Changes: * In NSS 3.19.1, the minimum key sizes that the freebl cryptographic implementation (part of the softoken cryptographic module used by default by NSS) was willing to generate or use was increased - for RSA keys, to 512 bits, and for DH keys, 1023 bits. This was done as part of a security fix for Bug 1138554 / CVE-2015-4000. Applications that requested or attempted to use keys smaller than the minimum size would fail. However, this change in behaviour unintentionally broke existing NSS applications that need to generate or use such keys, via APIs such as SECKEY_CreateRSAPrivateKey or SECKEY_CreateDHPrivateKey. In NSS 3.19.2, this change in freebl behaviour has been reverted. The fix for Bug 1138554 has been moved to libssl, and will now only affect the minimum keystrengths used in SSL/TLS.
Revision 1.48 / (download) - annotate - [select for diffs], Fri May 29 14:19:25 2015 UTC (8 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.47: +4 -4
lines
Diff to previous 1.47 (colored)
Update to 3.19.1 Changelog: Network Security Services (NSS) 3.19.1 is a patch release for NSS 3.19. No new functionality is introduced in this release. This patch release includes a fix for the recently published logjam attack. Notable Changes: * The minimum strength of keys that libssl will accept for finite field algorithms (RSA, Diffie-Hellman, and DSA) have been increased to 1023 bits (bug 1138554). * NSS reports the bit length of keys more accurately. Thus, the SECKEY_PublicKeyStrength and SECKEY_PublicKeyStrengthInBits functions could report smaller values for values that have leading zero values. This affects the key strength values that are reported by SSL_GetChannelInfo. The NSS development team would like to thank Matthew Green and Karthikeyan Bhargavan for responsibly disclosing the issue in bug 1138554. The HG tag is NSS_3_19_1_RTM. NSS 3.19.1 requires NSPR 4.10.8 or newer.
Revision 1.47 / (download) - annotate - [select for diffs], Tue May 5 21:42:19 2015 UTC (8 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.46: +6 -5
lines
Diff to previous 1.46 (colored)
Update to 3.19 Changelog: The NSS team has released Network Security Services (NSS) 3.19, which is a minor release. New functionality: * For some certificates, such as root CA certificates, that don't embed any constraints, NSS might impose additional constraints, such as name constraints. A new API has been added that allows to lookup imposed constraints. * It is possible to override the directory in which the NSS build system will look for the sqlite library. New Functions: * CERT_GetImposedNameConstraints Notable Changes: * The SSL 3 protocol has been disabled by default. * NSS now more strictly validates TLS extensions and will fail a handshake that contains malformed extensions. * Fixed a bug related to the ordering of TLS handshake messages. * In TLS 1.2 handshakes, NSS advertises support for the SHA512 hash algorithm, in order to be compatible with TLS servers that use certificates with a SHA512 signature.
Revision 1.46 / (download) - annotate - [select for diffs], Tue Apr 21 11:38:19 2015 UTC (8 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.45: +4 -4
lines
Diff to previous 1.45 (colored)
Update to 3.18.1 Changelog: The NSS Development Team announces the release of NSS 3.18.1 Network Security Services (NSS) 3.18.1 is a patch release for NSS 3.18 to update the list of root CA certificates. No new functionality is introduced in this release. Notable Changes: * The following CA certificate had the Websites and Code Signing trust bits restored to their original state to allow more time to develop a better transition strategy for affected sites: - OU = Equifax Secure Certificate Authority * The following CA certificate was removed: - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi * The following intermediate CA certificate has been added as actively distrusted because it was mis-used to issue certificates for domain names the holder did not own or control: - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG * The version number of the updated root CA list has been set to 2.4 The full release notes, including further details and the SHA1 fingerprints of the changed CA certificates, are available at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes
Revision 1.45 / (download) - annotate - [select for diffs], Sun Apr 5 12:51:51 2015 UTC (8 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.44: +4 -4
lines
Diff to previous 1.44 (colored)
Update to 3.18 Changelog: The NSS team has released Network Security Services (NSS) 3.18, which is a minor release. New functionality: * When importing certificates and keys from a PKCS#12 source, it's now possible to override the nicknames, prior to importing them into the NSS database, using new API SEC_PKCS12DecoderRenameCertNicknames. * The tstclnt test utility program has new command-line options -C, -D, -b and -R. Use -C one, two or three times to print information about the certificates received from a server, and information about the locally found and trusted issuer certificates, to diagnose server side configuration issues. It is possible to run tstclnt without providing a database (-D). A PKCS#11 library that contains root CA certificates can be loaded by tstclnt, which may either be the nssckbi library provided by NSS (-b) or another compatible library (-R). New Functions: * SEC_CheckCrlTimes * SEC_GetCrlTimes * SEC_PKCS12DecoderRenameCertNicknames New Types * SEC_PKCS12NicknameRenameCallback Notable Changes: * The highest TLS protocol version enabled by default has been increased from TLS 1.0 to TLS 1.2. Similarly, the highest DTLS protocol version enabled by default has been increased from DTLS 1.0 to DTLS 1.2. * The default key size used by certutil when creating an RSA key pair has been increased from 1024 bits to 2048 bits. * On Mac OS X, by default the softokn shared library will link with the sqlite library installed by the operating system, if it is version 3.5 or newer. 
* The following CA certificates had the Websites and Code Signing trust bits turned off: - Equifax Secure Certificate Authority - Equifax Secure Global eBusiness CA-1 - TC TrustCenter Class 3 CA II * The following CA certificates were Added: - Staat der Nederlanden Root CA - G3 - Staat der Nederlanden EV Root CA - IdenTrust Commercial Root CA 1 - IdenTrust Public Sector Root CA 1 - S-TRUST Universal Root CA - Entrust Root Certification Authority - G2 - Entrust Root Certification Authority - EC1 - CFCA EV ROOT * The version number of the updated root CA list has been set to 2.3
Revision 1.44 / (download) - annotate - [select for diffs], Wed Jan 28 21:12:09 2015 UTC (8 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base,
pkgsrc-2015Q1
Changes since 1.43: +4 -4
lines
Diff to previous 1.43 (colored)
Update to 3.17.4 Changelog: Network Security Services (NSS) 3.17.4 is a patch release for NSS 3.17. No new functionality is introduced in this release. Notable Changes: * If an SSL/TLS connection fails, because client and server don't have any common protocol version enabled, NSS has been changed to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting SSL_ERROR_NO_CYPHER_OVERLAP). * libpkix was fixed to prefer the newest certificate, if multiple certificates match. * fixed a memory corruption issue during failure of keypair generation. * fixed a failure to reload a PKCS#11 module in FIPS mode. * fixed interoperability of NSS server code with a LibreSSL client.
Revision 1.43 / (download) - annotate - [select for diffs], Mon Dec 1 18:23:29 2014 UTC (8 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base,
pkgsrc-2014Q4
Changes since 1.42: +4 -4
lines
Diff to previous 1.42 (colored)
Update to 3.17.3 Changelog: New functionality: * Support for TLS_FALLBACK_SCSV has been added to the ssltap and tstclnt utilities Notable Changes: * The QuickDER decoder now decodes lengths robustly (CVE-2014-1569) * The following 1024-bit CA certificates were Removed: - GTE CyberTrust Global Root - Thawte Server CA - Thawte Premium Server CA - America Online Root Certification Authority 1 - America Online Root Certification Authority 2 * The following CA certificates had the Websites and Code Signing trust bits turned off: - Class 3 Public Primary Certification Authority - G2 - Equifax Secure eBusiness CA-1 * The following CA certificates were Added: - COMODO RSA Certification Authority - USERTrust RSA Certification Authority - USERTrust ECC Certification Authority - GlobalSign ECC Root CA - R4 - GlobalSign ECC Root CA - R5 * The version number of the updated root CA list has been set to 2.2
Revision 1.42 / (download) - annotate - [select for diffs], Wed Oct 15 13:04:20 2014 UTC (8 years, 11 months ago) by ryoon
Branch: MAIN
Changes since 1.41: +4 -4
lines
Diff to previous 1.41 (colored)
Update to 3.17.2 Changelog: New in NSS 3.17.2 New Functionality No new functionality is introduced in this release. This is a patch release to fix a regression and other bugs. Notable Changes in NSS 3.17.2 Bug 1049435: Change RSA_PrivateKeyCheck to not require p > q. This fixes a regression introduced in NSS 3.16.2 that prevented NSS from importing some RSA private keys (such as in PKCS #12 files) generated by other crypto libraries. Bug 1057161: Check that an imported elliptic curve public key is valid. Previously NSS would only validate the peer's public key before performing ECDH key agreement. Now EC public keys are validated at import time. Bug 1078669: certutil crashes when an argument is passed to the --certVersion option. Bugs fixed in NSS 3.17.2 This Bugzilla query returns all the bugs fixed in NSS 3.17.2: https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.2 Compatibility NSS 3.17.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.17.2 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Revision 1.41 / (download) - annotate - [select for diffs], Fri Sep 26 03:25:22 2014 UTC (9 years ago) by spz
Branch: MAIN
CVS Tags: pkgsrc-2014Q3-base,
pkgsrc-2014Q3
Changes since 1.40: +4 -4
lines
Diff to previous 1.40 (colored)
security update fixing: - Incorrect DigestInfo validation in NSS (CVE-2014-1568) - RSA signature verification vulnerabilities in parsing of DigestInfo (see https://www.mozilla.org/security/announce/2014/mfsa2014-73.html)
Revision 1.40 / (download) - annotate - [select for diffs], Tue Aug 12 09:43:06 2014 UTC (9 years, 1 month ago) by markd
Branch: MAIN
Changes since 1.39: +4 -4
lines
Diff to previous 1.39 (colored)
Update to nss 3.16.4 This release consists primarily of CA certificate changes as listed below, and includes a small number of bug fixes. Notable Changes: * The following 1024-bit root CA certificate was restored to allow more time to develop a better transition strategy for affected sites. It was removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy forum led to the decision to keep this root included longer in order to give website administrators more time to update their web servers. - CN = GTE CyberTrust Global Root * In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit intermediate CA certificate has been included, without explicit trust. The intention is to mitigate the effects of the previous removal of the 1024-bit Entrust.net root certificate, because many public Internet sites still use the "USERTrust Legacy Secure Server CA" intermediate certificate that is signed by the 1024-bit Entrust.net root certificate. The inclusion of the intermediate certificate is a temporary measure to allow those sites to function, by allowing them to find a trust path to another 2048-bit root CA certificate. The temporarily included intermediate certificate expires November 1, 2015.
Revision 1.39 / (download) - annotate - [select for diffs], Sat Jul 5 04:53:39 2014 UTC (9 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.38: +4 -4
lines
Diff to previous 1.38 (colored)
Update to 3.16.2 Changelog: Network Security Services (NSS) 3.16.3 is a patch release for NSS 3.16. This release consists primarily of CA certificate changes as listed below, and fixes an issue with a recently added utility function. New Functions: * CERT_GetGeneralNameTypeFromString (This function was already added in NSS 3.16.2, however, it wasn't declared in a public header file.) Notable Changes: * The following 1024-bit CA certificates were Removed - Entrust.net Secure Server Certification Authority - GTE CyberTrust Global Root - ValiCert Class 1 Policy Validation Authority - ValiCert Class 2 Policy Validation Authority - ValiCert Class 3 Policy Validation Authority * Additionally, the following CA certificate was Removed as requested by the CA: - TDC Internet Root CA * The following CA certificates were Added: - Certification Authority of WoSign - CA 沃通根证书 - DigiCert Assured ID Root G2 - DigiCert Assured ID Root G3 - DigiCert Global Root G2 - DigiCert Global Root G3 - DigiCert Trusted Root G4 - QuoVadis Root CA 1 G3 - QuoVadis Root CA 2 G3 - QuoVadis Root CA 3 G3 * The Trust Bits were changed for the following CA certificates - Class 3 Public Primary Certification Authority - Class 3 Public Primary Certification Authority - Class 2 Public Primary Certification Authority - G2 - VeriSign Class 2 Public Primary Certification Authority - G3 - AC Raíz Certicámara S.A. - NetLock Uzleti (Class B) Tanusitvanykiado - NetLock Expressz (Class C) Tanusitvanykiado
Revision 1.38 / (download) - annotate - [select for diffs], Wed Jul 2 13:39:25 2014 UTC (9 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.37: +4 -4
lines
Diff to previous 1.37 (colored)
Update to 3.16.2 Changelog: Network Security Services (NSS) 3.16.2 is a patch release for NSS 3.16. New functionality: * DTLS 1.2 is supported. * The TLS application layer protocol negotiation (ALPN) extension is also supported on the server side. * RSA-OAEP is supported. Use the new PK11_PrivDecrypt and PK11_PubEncrypt functions with the CKM_RSA_PKCS_OAEP mechanism. * New Intel AES assembly code for 32-bit and 64-bit Windows, contributed by Shay Gueron and Vlad Krasnov of Intel. New Functions: * CERT_AddExtensionByOID * PK11_PrivDecrypt * PK11_PubEncrypt New Macros * SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK * SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL Notable Changes: * The btoa command has a new command-line option -w suffix, which causes the output to be wrapped in BEGIN/END lines with the given suffix * The certutil command supports additional types of subject alt name extensions. * The certutil command supports generic certificate extensions, by loading binary data from files, which have been prepared using external tools, or which have been extracted from other existing certificates and dumped to file. * The certutil command supports three new certificate usage specifiers. * The pp command supports printing UTF-8 (-u). * On Linux, NSS is built with the -ffunction-sections -fdata-sections compiler flags and the --gc-sections linker flag to allow unused functions to be discarded.
Revision 1.37 / (download) - annotate - [select for diffs], Sun May 25 23:45:58 2014 UTC (9 years, 4 months ago) by pho
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base,
pkgsrc-2014Q2
Changes since 1.36: +2 -1
lines
Diff to previous 1.36 (colored)
Correct wrong install_name for Darwin. Makefile had a SUBST for this but it wasn't working.
Revision 1.36 / (download) - annotate - [select for diffs], Fri May 16 13:59:17 2014 UTC (9 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.35: +4 -4
lines
Diff to previous 1.35 (colored)
Update to 3.16.1 Changelog: Network Security Services (NSS) 3.16.1 is a patch release for NSS 3.16. New functionality: * Added the "ECC" flag for modutil to select the module used for elliptic curve cryptography (ECC) operations. New Functions: * PK11_ExportDERPrivateKeyInfo * PK11_ExportPrivKeyInfo * SECMOD_InternalToPubMechFlags New Types: * ssl_padding_xtn New Macros * PUBLIC_MECH_ECC_FLAG * SECMOD_ECC_FLAG Notable Changes: * Imposed name constraints on the French government root CA ANSSI (DCISS).
Revision 1.35 / (download) - annotate - [select for diffs], Fri May 16 12:38:01 2014 UTC (9 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.34: +2 -1
lines
Diff to previous 1.34 (colored)
Reduce PLIST divergence for OpenBSD
Revision 1.34 / (download) - annotate - [select for diffs], Sat Mar 22 23:32:46 2014 UTC (9 years, 6 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2014Q1-base,
pkgsrc-2014Q1
Changes since 1.33: +4 -4
lines
Diff to previous 1.33 (colored)
Update to 3.16 * Improve 3.16 like 2 number version support (firefox etc. requires 3 number version string) Changelog: From https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes The following security-relevant bug has been resolved. Users are encouraged to upgrade immediately. * Bug 903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2. New functionality: * Supports the Linux x32 ABI. To build for the Linux x32 target, set the environment variable USE_X32=1 when building NSS. New Functions: * NSS_CMSSignerInfo_Verify New Macros * TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc., cipher suites that were first defined in SSL 3.0 can now be referred to with their official IANA names in TLS, with the TLS_ prefix. Previously, they had to be referred to with their names in SSL 3.0, with the SSL_ prefix. Notable Changes: * ECC is enabled by default. It is no longer necessary to set the environment variable NSS_ENABLE_ECC=1 when building NSS. To disable ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS. * libpkix should not include the common name of CA as DNS names when evaluating name constraints. * AESKeyWrap_Decrypt should not return SECSuccess for invalid keys. * Fix a memory corruption in sec_pkcs12_new_asafe. * If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime test sdb_measureAccess. * The built-in roots module has been updated to version 1.97, which adds, removes, and distrusts several certificates. * The atob utility has been improved to automatically ignore lines of text that aren't in base64 format. * The certutil utility has been improved to support creation of version 1 and version 2 certificates, in addition to the existing version 3 support.
Revision 1.33 / (download) - annotate - [select for diffs], Mon Mar 10 18:42:34 2014 UTC (9 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.32: +4 -4
lines
Diff to previous 1.32 (colored)
Update to 3.15.5 Changelog: From: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.5_release_notes Network Security Services (NSS) 3.15.5 is a patch release for NSS 3.15. New functionality: * Added support for the TLS application layer protocol negotiation (ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both) should be used for application layer protocol negotiation. * Added the TLS padding extension. The extension type value is 35655, which may change when an official extension type value is assigned by IANA. NSS automatically adds the padding extension to ClientHello when necessary. * Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting the tail of a CERTCertList. Notable Changes: * Bug 950129: Improve the OCSP fetching policy when verifying OCSP responses * Bug 949060: Validate the iov input argument (an array of PRIOVec structures) of ssl_WriteV (called via PR_Writev). Applications should still take care when converting struct iov to PRIOVec because the iov_len members of the two structures have different types (size_t vs. int). size_t is unsigned and may be larger than int.
Revision 1.31.2.1 / (download) - annotate - [select for diffs], Wed Jan 15 21:44:09 2014 UTC (9 years, 8 months ago) by tron
Branch: pkgsrc-2013Q4
Changes since 1.31: +4 -4
lines
Diff to previous 1.31 (colored) next main 1.32 (colored)
Pullup ticket #4301 - requested by ryoon devel/nss: security update Revisions pulled up: - devel/nss/Makefile 1.75 - devel/nss/distinfo 1.32 --- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 15 14:38:53 UTC 2014 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: Update to 3.15.4 Changelog: from: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes Security Advisories The following security-relevant bugs have been resolved in NSS 3.15.4. Users are encouraged to upgrade immediately. Bug 919877 - (CVE-2013-1740) When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv New in NSS 3.15.4 New Functionality Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method. Implemented OCSP server functionality for testing purposes (httpserv utility). Support SHA-1 signatures with TLS 1.2 client authentication. Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database. Added the -w command-line option to pp: don't wrap long output lines. New Functions CERT_ForcePostMethodForOCSP CERT_GetSubjectNameDigest CERT_GetSubjectPublicKeyDigest SSL_PeerCertificateChain SSL_RecommendedCanFalseStart SSL_SetCanFalseStartCallback New Types CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST. New PKCS #11 Mechanisms None. Notable Changes in NSS 3.15.4 Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices. Updated the set of root CA certificates (version 1.96). Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function. When building on Windows, OS_TARGET now defaults to WIN95. 
To use the WINNT build configuration, specify OS_TARGET=WINNT. Bugs fixed in NSS 3.15.4 A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.4&product=NSS Compatibility NSS 3.15.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.4 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Revision 1.32 / (download) - annotate - [select for diffs], Wed Jan 15 14:38:53 2014 UTC (9 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.31: +4 -4
lines
Diff to previous 1.31 (colored)
Update to 3.15.4 Changelog: from: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes Security Advisories The following security-relevant bugs have been resolved in NSS 3.15.4. Users are encouraged to upgrade immediately. Bug 919877 - (CVE-2013-1740) When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv New in NSS 3.15.4 New Functionality Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method. Implemented OCSP server functionality for testing purposes (httpserv utility). Support SHA-1 signatures with TLS 1.2 client authentication. Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database. Added the -w command-line option to pp: don't wrap long output lines. New Functions CERT_ForcePostMethodForOCSP CERT_GetSubjectNameDigest CERT_GetSubjectPublicKeyDigest SSL_PeerCertificateChain SSL_RecommendedCanFalseStart SSL_SetCanFalseStartCallback New Types CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST. New PKCS #11 Mechanisms None. Notable Changes in NSS 3.15.4 Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices. Updated the set of root CA certificates (version 1.96). Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function. When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT build configuration, specify OS_TARGET=WINNT. 
Bugs fixed in NSS 3.15.4 A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.4&product=NSS Compatibility NSS 3.15.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.4 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Revision 1.31 / (download) - annotate - [select for diffs], Sun Dec 15 14:21:01 2013 UTC (9 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base
Branch point for: pkgsrc-2013Q4
Changes since 1.30: +4 -4
lines
Diff to previous 1.30 (colored)
Update to 3.15.3.1 Changelog: New in NSS 3.15.3.1 New Functionality No new major functionality is introduced in this release. This is a patch release to revoke trust of a subordinate CA certificate that was mis-used to generate a certificate used by a network appliance. Bugs fixed in NSS 3.15.3.1 Bug 946351 - Misissued Google certificates from DCSSI A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3.1&product=NSS Compatibility NSS 3.15.3.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.3.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Revision 1.30 / (download) - annotate - [select for diffs], Thu Nov 21 15:23:47 2013 UTC (9 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.29: +4 -4
lines
Diff to previous 1.29 (colored)
Update to 3.15.3 Changelog: Security Advisories The following security-relevant bugs have been resolved in NSS 3.15.3. Users are encouraged to upgrade immediately. Bug 925100 - (CVE-2013-1741) Ensure a size is <= half of the maximum PRUint32 value Bug 934016 - (CVE-2013-5605) Handle invalid handshake packets Bug 910438 - (CVE-2013-5606) Return the correct result in CERT_VerifyCert on failure, if a verifyLog isn't used New in NSS 3.15.3 New Functionality No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1741, CVE-2013-5605 and CVE-2013-5606. Bugs fixed in NSS 3.15.3 Bug 850478 - List RC4_128 cipher suites after AES_128 cipher suites Bug 919677 - Don't advertise TLS 1.2-only ciphersuites in a TLS 1.1 ClientHello A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3&product=NSS Compatibility NSS 3.15.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.3 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Revision 1.29 / (download) - annotate - [select for diffs], Tue Oct 15 16:10:33 2013 UTC (9 years, 11 months ago) by ryoon
Branch: MAIN
Changes since 1.28: +4 -4
lines
Diff to previous 1.28 (colored)
Update to 3.15.2 Changelog: Security Advisories The following security-relevant bugs have been resolved in NSS 3.15.2. Users are encouraged to upgrade immediately. Bug 894370 - (CVE-2013-1739) Avoid uninitialized data read in the event of a decryption failure. New in NSS 3.15.2 New Functionality AES-GCM Ciphersuites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support has been added when TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 New Functions PK11_CipherFinal has been introduced, which is a simple alias for PK11_DigestFinal. New Types No new types have been introduced. New PKCS #11 Mechanisms No new PKCS#11 mechanisms have been introduced Notable Changes in NSS 3.15.2 Bug 880543 - Support for AES-GCM ciphersuites that use the SHA-256 PRF Bug 663313 - MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs, consistent with their handling for general certificate signatures. Bug 884178 - Add PK11_CipherFinal macro Bugs fixed in NSS 3.15.2 Bug 734007 - sizeof() used incorrectly Bug 900971 - nssutil_ReadSecmodDB() leaks memory Bug 681839 - Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished. Bug 848384 - Deprecate the SSL cipher policy code, as it's no longer relevant. It is no longer necessary to call NSS_SetDomesticPolicy because all cipher suites are now allowed by default. A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.2&product=NSS&list_id=7982238 Compatibility NSS 3.15.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.2 shared libraries without recompiling or relinking. 
Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Revision 1.28 / (download) - annotate - [select for diffs], Sat Jul 20 09:28:11 2013 UTC (10 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q3-base,
pkgsrc-2013Q3
Changes since 1.27: +14 -14
lines
Diff to previous 1.27 (colored)
Update to 3.15.1 Changelog: NSS 3.15.1 release notes Introduction Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.1 are described in the "Bugs Fixed" section below. Distribution Information NSS 3.15.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download: Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/ New in NSS 3.15.1 New Functionality TLS 1.2: TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations. The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported. New Functions None. New Types in sslprot.h SSL_LIBRARY_VERSION_TLS_1_2 - The protocol version of TLS 1.2 on the wire, value 0x0303. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_NULL_SHA256 - New TLS 1.2 only HMAC-SHA256 cipher suites. in sslerr.h SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, SSL_ERROR_DIGEST_FAILURE, SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM - New error codes for TLS 1.2. in sslt.h ssl_hmac_sha256 - A new value in the SSLMACAlgorithm enum type. ssl_signature_algorithms_xtn - A new value in the SSLExtensionType enum type. New PKCS #11 Mechanisms None. Notable Changes in NSS 3.15.1 Bug 856060 - Enforce name constraints on the common name in libpkix when no subjectAltName is present. Bug 875156 - Add const to the function arguments of SEC_CertNicknameConflict. Bug 877798 - Fix ssltap to print the certificate_status handshake message correctly. 
Bug 882829 - On Windows, NSS initialization fails if NSS cannot call the RtlGenRandom function. Bug 875601 - SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token delay, leading to spurious failures. Bug 884072 - Fix a typo in the header include guard macro of secmod.h. Bug 876352 - certutil now warns if importing a PEM file that contains a private key. Bug 565296 - Fix the bug that shlibsign exited with status 0 even though it failed. The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed. Bugs fixed in NSS 3.15.1 https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS Compatibility NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries. NSS 3.15 release notes Introduction The NSS team has released Network Security Services (NSS) 3.15, which is a minor release. Distribution Information The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer. NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download: Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/ New in NSS 3.15 New Functionality Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete. 
Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. certutil has been updated to support creating name constraints extensions. New Functions in ssl.h SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension. SSL_SetStapledOCSPResponses - Sets a stapled OCSP response for a TLS server socket to return when clients send the status_request extension. in ocsp.h CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses. in secpkcs7.h SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time. in xconst.h CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in pk11pub.h PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. New Types in secitem.h SECItemArray - Represents a variable-length array of SECItems. New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE Notable Changes in NSS 3.15 SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code. 
NSS has migrated from CVS to the Mercurial source control management system. Updated build instructions are available at Migration to HG. As part of this migration, the source code directory layout has been re-organized. The list of root CA certificates in the nssckbi module has been updated. The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache. Applications that use SSL_AuthCertificateHook to override the default handler should add appropriate calls to SSL_PeerStapledOCSPResponse and CERT_CacheOCSPResponseFromSideChannel. Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour. Bug 853285: Fixed bugs in AES GCM. Bug 341127: Fix the invalid read in rc4_wordconv. Faster NIST curve P-256 implementation. Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library libfreebl_32int_3.so is no longer produced. Bugs fixed in NSS 3.15 This Bugzilla query returns all the bugs fixed in NSS 3.15: https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15
Revision 1.27 / (download) - annotate - [select for diffs], Wed Feb 20 19:49:17 2013 UTC (10 years, 7 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base,
pkgsrc-2013Q2,
pkgsrc-2013Q1-base,
pkgsrc-2013Q1
Changes since 1.26: +5 -6
lines
Diff to previous 1.26 (colored)
Update to 3.14.3 Changelog: * Bugfixes * Fix CVE-2013-1620.
Revision 1.26 / (download) - annotate - [select for diffs], Sat Jan 5 19:02:45 2013 UTC (10 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.25: +5 -5
lines
Diff to previous 1.25 (colored)
Update to 3.14.1 Changelog unknown.
Revision 1.25 / (download) - annotate - [select for diffs], Sat Dec 15 09:48:00 2012 UTC (10 years, 9 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base,
pkgsrc-2012Q4
Changes since 1.24: +4 -6
lines
Diff to previous 1.24 (colored)
Update to 3.14.0 Changelog: The NSS team has released Network Security Services (NSS) 3.14, which is a minor release with the following new features: Support for TLS 1.1 (RFC 4346) Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764) Support for AES-CTR, AES-CTS, and AES-GCM Support for Keying Material Exporters for TLS (RFC 5705) In addition to the above new features, the following major changes have been introduced: Support for certificate signatures using the MD5 hash algorithm is now disabled by default. The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explanation on GPL/LGPL compatibility, see security/nss/COPYING in the source code. Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default.
Revision 1.24 / (download) - annotate - [select for diffs], Mon Oct 1 11:29:35 2012 UTC (10 years, 11 months ago) by ryoon
Branch: MAIN
Changes since 1.23: +3 -1
lines
Diff to previous 1.23 (colored)
Fix build on OS X/Darwin. Fix embedding @executable_path, and make package errors.
Revision 1.23 / (download) - annotate - [select for diffs], Sun Aug 12 15:29:16 2012 UTC (11 years, 1 month ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base,
pkgsrc-2012Q3
Changes since 1.22: +4 -4
lines
Diff to previous 1.22 (colored)
Update to 3.13.6 * No API and ABI changes Changelog: unknown
Revision 1.22 / (download) - annotate - [select for diffs], Thu Jun 7 13:49:11 2012 UTC (11 years, 3 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base,
pkgsrc-2012Q2
Changes since 1.21: +4 -4
lines
Diff to previous 1.21 (colored)
Update to 3.13.5 No ChangeLog is provided.
Revision 1.21 / (download) - annotate - [select for diffs], Wed Apr 18 21:01:42 2012 UTC (11 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.20: +15 -15
lines
Diff to previous 1.20 (colored)
Update 3.13.4 * Change distfile to separated source. Changelog is not shown. Probably some bugs are fixed. Tested on NetBSD/i386 6.99.4 and DragonFly/i386 3.0.1.
Revision 1.20, Sat Jan 16 14:41:25 2010 UTC (13 years, 8 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base,
pkgsrc-2011Q4,
pkgsrc-2011Q2-base,
pkgsrc-2011Q2
Changes since 1.19: +1 -1
lines
FILE REMOVED
- update to 3.12.4.5 - reach over to xulrunner, track the stable gecko release - use external sqlite3 - cleanup - take maintainership This is the second part of PR pkg/42277.
Revision 1.19 / (download) - annotate - [select for diffs], Sun Oct 11 07:51:48 2009 UTC (13 years, 11 months ago) by sno
Branch: MAIN
CVS Tags: pkgsrc-2009Q4-base,
pkgsrc-2009Q4
Changes since 1.18: +3 -1
lines
Diff to previous 1.18 (colored)
Fix nss build on FreeBSD
Revision 1.18 / (download) - annotate - [select for diffs], Wed Mar 21 06:53:25 2007 UTC (16 years, 6 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2009Q3-base,
pkgsrc-2009Q3,
pkgsrc-2009Q2-base,
pkgsrc-2009Q2,
pkgsrc-2009Q1-base,
pkgsrc-2009Q1,
pkgsrc-2008Q4-base,
pkgsrc-2008Q4,
pkgsrc-2008Q3-base,
pkgsrc-2008Q3,
pkgsrc-2008Q2-base,
pkgsrc-2008Q2,
pkgsrc-2008Q1-base,
pkgsrc-2008Q1,
pkgsrc-2007Q4-base,
pkgsrc-2007Q4,
pkgsrc-2007Q3-base,
pkgsrc-2007Q3,
pkgsrc-2007Q2-base,
pkgsrc-2007Q2,
pkgsrc-2007Q1-base,
pkgsrc-2007Q1,
cwrapper,
cube-native-xorg-base,
cube-native-xorg
Changes since 1.17: +4 -4
lines
Diff to previous 1.17 (colored)
Update to 3.11.5, security fix.
Revision 1.17 / (download) - annotate - [select for diffs], Sat Jan 20 18:55:09 2007 UTC (16 years, 8 months ago) by wiz
Branch: MAIN
Changes since 1.16: +10 -11
lines
Diff to previous 1.16 (colored)
Update to 3.11.4: The following bugs have been fixed in NSS 3.11.4. * Bug 115951: freebl dynamic library is never unloaded by libsoftoken or libssl. Also tiny one-time leak in freebl's loader.c. * Bug 127960: SSL force handshake function should take a timeout. * Bug 335454: Unable to find library 'libsoftokn3.sl' on HP-UX 64 bit. * Bug 350200: Implement DHMAC based POP (ProofOfPossession). * Bug 351482: audit_log_user_message doesn't exist in all versions of libaudit.so.0. (the "paranoia patch") * Bug 352041: oom [@ CERT_DecodeDERCrlWithFlags] "extended" tracked as NULL was dereferenced. * Bug 353422: Klocwork bugs in nss/lib/crmf. * Bug 353475: Cannot run cmd tools compiled with VC++ 2005. * Bug 353572: leak in sftk_OpenCertDB. * Bug 353608: NSS_RegisterShutdown may fail, and appData argument to callbacks is always NULL. * Bug 353749: PowerUpSelf tests update for DSA and ECDSA KAT. * Bug 353896: Building tip with NSS_ECC_MORE_THAN_SUITE_B causes crashes in all.sh. * Bug 353910: memory leak in RNG_RNGInit. * Bug 354313: STAN_GetCERTCertificateName leaks "instance" struct. * Bug 354384: vfyserv shutdown failure when client auth requested. * Bug 354900: Audit modifications, accesses, deletions, and additions of cryptographic keys. * Bug 355297: Improve the very first RNG_RandomUpdate call. * Bug 356073: C_GetTokenInfo should return CKR_CRYPTOKI_NOT_INITIALIZED if not initialized. * Bug 356309: CertVerifyLog in CERT_VerifyCertificate terminates early on expired certs. * Bug 357197: OCSP response code fails to match CERTIds. (hot fix only) * Bug 359484: FireFox 2 tries to negotiate ECC cipher suites using ssl2 client hello. (hot fix only) * Bug 360818: No RPATH set for signtool and signver.
Revision 1.16 / (download) - annotate - [select for diffs], Mon Nov 20 17:06:03 2006 UTC (16 years, 10 months ago) by riz
Branch: MAIN
CVS Tags: pkgsrc-2006Q4-base,
pkgsrc-2006Q4
Changes since 1.15: +2 -2
lines
Diff to previous 1.15 (colored)
Fix up DYLD_LIBRARY_PATH so that MacOS X looks for nspr in the correct place.
Revision 1.15 / (download) - annotate - [select for diffs], Sun Oct 22 15:32:47 2006 UTC (16 years, 11 months ago) by dmcmahill
Branch: MAIN
Changes since 1.14: +2 -2
lines
Diff to previous 1.14 (colored)
Various solaris fixes. In particular: - when building with gcc, the solaris /usr/ccs/bin/as assembler is still used in a couple of places but the correct flags aren't set. - The object directory has a different name when building with gcc instead of the sun studio compilers. - There are a couple of libs which are installed that aren't part of the install for other systems (freebl).
Revision 1.14 / (download) - annotate - [select for diffs], Wed Jul 12 16:32:00 2006 UTC (17 years, 2 months ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2006Q3-base,
pkgsrc-2006Q3
Changes since 1.13: +1 -2
lines
Diff to previous 1.13 (colored)
Removed patch-am, which had been added accidentally. The problem that it tried to solve is properly fixed by patch-an.
Revision 1.13 / (download) - annotate - [select for diffs], Wed Jul 12 16:30:03 2006 UTC (17 years, 2 months ago) by rillig
Branch: MAIN
Changes since 1.12: +10 -11
lines
Diff to previous 1.12 (colored)
Updated nss to 3.11. No ChangeLog available, but some libraries have changed: - removed libfort - added libfreebl3 - removed libswft
Revision 1.12 / (download) - annotate - [select for diffs], Wed Jul 12 15:38:28 2006 UTC (17 years, 2 months ago) by rillig
Branch: MAIN
Changes since 1.11: +13 -13
lines
Diff to previous 1.11 (colored)
Fixed most pkglint warnings.
Revision 1.11 / (download) - annotate - [select for diffs], Tue Jul 4 22:27:43 2006 UTC (17 years, 2 months ago) by rillig
Branch: MAIN
Changes since 1.10: +2 -2
lines
Diff to previous 1.10 (colored)
Oops. I had better not have removed the leading "@" from a line in the Makefile. It resulted in some output being re-read by make, which in turn resulted in damaged shell commands. Thanks to wiz for notifying me.
Revision 1.10 / (download) - annotate - [select for diffs], Sun Jul 2 12:40:41 2006 UTC (17 years, 3 months ago) by rillig
Branch: MAIN
Changes since 1.9: +2 -1
lines
Diff to previous 1.9 (colored)
Added a patch so that the package works with GNU Make 3.81 again.
Revision 1.9 / (download) - annotate - [select for diffs], Sun Jun 25 15:25:35 2006 UTC (17 years, 3 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2006Q2-base,
pkgsrc-2006Q2
Changes since 1.8: +2 -2
lines
Diff to previous 1.8 (colored)
Better fix for gcc4 build problem, suggested by martin@.
Revision 1.8 / (download) - annotate - [select for diffs], Sun Jun 25 14:53:00 2006 UTC (17 years, 3 months ago) by wiz
Branch: MAIN
Changes since 1.7: +4 -3
lines
Diff to previous 1.7 (colored)
Add patch to fix compilation on NetBSD-current.
Revision 1.7 / (download) - annotate - [select for diffs], Sun Jan 15 16:09:21 2006 UTC (17 years, 8 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2006Q1-base,
pkgsrc-2006Q1
Changes since 1.6: +3 -1
lines
Diff to previous 1.6 (colored)
Strip everything after the first hyphen to match OS_VERSION in pkgsrc for DragonFly. Inspired by PR 32230.
Revision 1.6 / (download) - annotate - [select for diffs], Thu Aug 25 00:11:01 2005 UTC (18 years, 1 month ago) by reed
Branch: MAIN
CVS Tags: pkgsrc-2005Q4-base,
pkgsrc-2005Q4,
pkgsrc-2005Q3-base,
pkgsrc-2005Q3
Changes since 1.5: +1 -2
lines
Diff to previous 1.5 (colored)
Only for Linux, FreeBSD, DragonFly and NetBSD for now. NSS will build and run on other platforms when MAINTAINER knows what magic Makefile glue is required. This is from maintainer's discussion on tech-pkg. Remove patch-af. Use LD_LIBS instead, which the build already knows about. Add custom settings for above platforms so they install correctly. Idea provided by maintainer on tech-pkg. I tweaked it more. I tested on NetBSD 2.0.2, Linux and DragonFly. Also remove blank line from end of Makefile.
Revision 1.5 / (download) - annotate - [select for diffs], Fri Aug 12 20:11:26 2005 UTC (18 years, 1 month ago) by reed
Branch: MAIN
Changes since 1.4: +4 -2
lines
Diff to previous 1.4 (colored)
Add patch-ah and patch-ai and update patch-ae for DragonFly support. This is from PR #30711. Note that I didn't test on DragonFly. Also note that this is still incomplete for DragonFly -- it needs the mk file too.
Revision 1.4 / (download) - annotate - [select for diffs], Wed Feb 23 22:24:22 2005 UTC (18 years, 7 months ago) by agc
Branch: MAIN
CVS Tags: pkgsrc-2005Q2-base,
pkgsrc-2005Q2,
pkgsrc-2005Q1-base,
pkgsrc-2005Q1
Changes since 1.3: +2 -1
lines
Diff to previous 1.3 (colored)
Add RMD160 digests.
Revision 1.3 / (download) - annotate - [select for diffs], Wed Feb 9 16:19:35 2005 UTC (18 years, 7 months ago) by jschauma
Branch: MAIN
Changes since 1.2: +2 -1
lines
Diff to previous 1.2 (colored)
Add a patch needed on OS/versions that don't have native pthreads. Patch provided by Matthew Luckie. Bump PKGREVISION.
Revision 1.2 / (download) - annotate - [select for diffs], Thu Feb 3 18:05:40 2005 UTC (18 years, 7 months ago) by jschauma
Branch: MAIN
Changes since 1.1: +0 -0
lines
Diff to previous 1.1 (colored)
We can't install these libraries into ${PREFIX}/lib, since mozilla browsers might then falsely load these instead of their own. So: Install the libraries into their own directory. Bump PKGREVISION.
Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Tue Feb 1 21:51:12 2005 UTC (18 years, 7 months ago) by jschauma
Branch: TNF
CVS Tags: pkgsrc-base
Changes since 1.1: +0 -0
lines
Diff to previous 1.1 (colored)
Initial import of devel/nss from pkgsrc-wip, provided by matthewluckie: Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
Revision 1.1 / (download) - annotate - [select for diffs], Tue Feb 1 21:51:12 2005 UTC (18 years, 7 months ago) by jschauma
Branch: MAIN
Initial revision