The NetBSD Project

CVS log for pkgsrc/devel/nss/distinfo

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / devel / nss

Request diff between arbitrary revisions


Default branch: MAIN


Revision 1.157 / (download) - annotate - [select for diffs], Thu Jul 21 13:52:50 2022 UTC (4 weeks ago) by wiz
Branch: MAIN
CVS Tags: HEAD
Changes since 1.156: +4 -4 lines
Diff to previous 1.156 (colored)

nss: update to 3.81.

Changes:
 - Bug 1762831: Enable aarch64 hardware crypto support on OpenBSD.
 - Bug 1775359 - make NSS_SecureMemcmp 0/1 valued.
 - Bug 1779285: Add no_application_protocol alert handler and test client error code is set.
 - Bug 1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.

Revision 1.156 / (download) - annotate - [select for diffs], Sat Jul 16 19:11:15 2022 UTC (4 weeks, 5 days ago) by tnn
Branch: MAIN
Changes since 1.155: +1 -3 lines
Diff to previous 1.155 (colored)

nss: remove no longer needed aarch64 patches

Revision 1.155 / (download) - annotate - [select for diffs], Fri Jun 24 06:10:38 2022 UTC (7 weeks, 6 days ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q2-base, pkgsrc-2022Q2
Changes since 1.154: +4 -4 lines
Diff to previous 1.154 (colored)

nss: update to 3.80.

Ok during freeze: gdt@

Changes:
   - Bug 1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
   - Bug 1617956 - Add support for asynchronous client auth hooks.
   - Bug 1497537 - nss-policy-check: make unknown keyword check optional.
   - Bug 1765383 - GatherBuffer: Reduced plaintext buffer allocations
   by allocating it on initialization. Replaced redundant code with
   assert. Debug builds: Added buffer freeing/allocation for each
   record.
   - Bug 1773022 - Mark 3.79 as an ESR release.
   - Bug 1764206 - Bump nssckbi version number for June.
   - Bug 1759815 - Remove Hellenic Academic 2011 Root.
   - Bug 1770267 - Add E-Tugra Roots.
   - Bug 1768970 - Add Certainly Roots.
   - Bug 1764392 - Add DigitCert Roots.
   - Bug 1759794 - Protect SFTKSlot needLogin with slotLock.
   - Bug 1366464 - Compare signature and signatureAlgorithm fields
   in legacy certificate verifier.
   - Bug 1771497 - Uninitialized value in cert_VerifyCertChainOld.
   - Bug 1771495 - Unchecked return code in sec_DecodeSigAlg.
   - Bug 1771498 - Uninitialized value in cert_ComputeCertType.
   - Bug 1760998 - Avoid data race on primary password change.
   - Bug 1769063 - Replace ppc64 dcbzl intrinisic.
   - Bug 1771036 - Allow LDFLAGS override in makefile builds.

Revision 1.154 / (download) - annotate - [select for diffs], Tue May 31 20:30:10 2022 UTC (2 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.153: +4 -4 lines
Diff to previous 1.153 (colored)

nss: update to 3.79.

This release fixes memory safety violations that can occur when parsing CMS
data. We presume that with enough effort these memory safety violations are
exploitable.

Change:
   - Bug 205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
   - Bug 1766907 - Update mercurial in clang-format docker image.
   - Bug 1454072 - Use of uninitialized pointer in lg_init after alloc fail.
   - Bug 1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
   - Bug 1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
   - Bug 1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
   - Bug 1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
   - Bug 1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
   - Bug 1764788 - Correct invalid record inner and outer content type alerts.
   - Bug 1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
   - Bug 1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
   - Bug 1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
   - Bug 1769302 - NSS 3.79 should depend on NSPR 4.34

Revision 1.153 / (download) - annotate - [select for diffs], Fri May 13 13:40:36 2022 UTC (3 months ago) by tnn
Branch: MAIN
Changes since 1.152: +2 -1 lines
Diff to previous 1.152 (colored)

nss: try to fix macOS/aarch64 to not detect as 32-bit

Revision 1.152 / (download) - annotate - [select for diffs], Thu Apr 28 11:15:55 2022 UTC (3 months, 3 weeks ago) by wiz
Branch: MAIN
Changes since 1.151: +4 -4 lines
Diff to previous 1.151 (colored)

nss: update to 3.78.

Change:

- Bug 1755264 - Added TLS 1.3 zero-length inner plaintext checks
  and tests, zero-length record/fragment handling tests.
- Bug 1294978 - Reworked overlong record size checks and added
  TLS1.3 specific boundaries.
- Bug 1763120 - Add ECH Grease Support to tstclnt
- Bug 1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
- Bug 1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Bug 1760813 - Make SEC_PKCS12EnableCipher succeed
- Bug 1762489 - Update zlib in NSS to 1.2.12.

Revision 1.151 / (download) - annotate - [select for diffs], Thu Apr 7 22:58:23 2022 UTC (4 months, 1 week ago) by ryoon
Branch: MAIN
Changes since 1.150: +14 -14 lines
Diff to previous 1.150 (colored)

nss: Regenerate distinfo to follow recent changes

Revision 1.150 / (download) - annotate - [select for diffs], Thu Apr 7 19:08:40 2022 UTC (4 months, 1 week ago) by riastradh
Branch: MAIN
Changes since 1.149: +14 -2 lines
Diff to previous 1.149 (colored)

devel/nss: Patch ctype(3) abuse.

Revision 1.149 / (download) - annotate - [select for diffs], Thu Mar 31 18:10:52 2022 UTC (4 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.148: +4 -4 lines
Diff to previous 1.148 (colored)

nss: update to 3.77.

Changes:
   - Bug 1762244 - resolve mpitests build failure on Windows.
   - Bug 1761779 - Fix link to TLS page on wireshark wiki
   - Bug 1754890 - Add two D-TRUST 2020 root certificates.
   - Bug 1751298 - Add Telia Root CA v2 root certificate.
   - Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt.
   - Bug 1005084 - support specific RSA-PSS parameters in mozilla::pkix
   - Bug 1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
   - Bug 1756271 - Remove token member from NSSSlot struct.
   - Bug 1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
   - Bug 1757279 - Support UTF-8 library path in the module spec string.
   - Bug 1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
   - Bug 1760827 - Add a CI Target for gcc-11.
   - Bug 1760828 - Change to makefiles for gcc-4.8.
   - Bug 1741688 - Update googletest to 1.11.0
   - Bug 1759525 - Add SetTls13GreaseEchSize to experimental API.
   - Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
   - Bug 1755904 - Fix calculation of ECH HRR Transcript.
   - Bug 1758741 - Allow ld path to be set as environment variable.
   - Bug 1760653 - Ensure we don't read uninitialized memory in ssl gtests.
   - Bug 1758478 - Fix DataBuffer Move Assignment.
   - Bug 1552254 - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
   - Bug 1755092 - rework signature verification in mozilla::pkix

Revision 1.148 / (download) - annotate - [select for diffs], Tue Mar 29 13:31:36 2022 UTC (4 months, 2 weeks ago) by ryoon
Branch: MAIN
Changes since 1.147: +4 -4 lines
Diff to previous 1.147 (colored)

nss: Update to 3.76.1

Changelog:
Change:
   - Bug 1756271 - Remove token member from NSSSlot struct.

Revision 1.147 / (download) - annotate - [select for diffs], Thu Mar 3 12:13:35 2022 UTC (5 months, 2 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2022Q1-base, pkgsrc-2022Q1
Changes since 1.146: +4 -4 lines
Diff to previous 1.146 (colored)

nss: update to 3.76.

Changes:
   - Bug 1755555 - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
   - Bug 1370866 - Check return value of PK11Slot_GetNSSToken.
   - Bug 1747957 - Use Wycheproof JSON for RSASSA-PSS
   - Bug 1679803 - Add SHA256 fingerprint comments to old certdata.txt entries.
   - Bug 1753505 - Avoid truncating files in nss-release-helper.py.
   - Bug 1751157 - Throw illegal_parameter alert for illegal extensions in handshake message.

Revision 1.146 / (download) - annotate - [select for diffs], Thu Feb 3 23:37:26 2022 UTC (6 months, 1 week ago) by wiz
Branch: MAIN
Changes since 1.145: +4 -4 lines
Diff to previous 1.145 (colored)

nss: update to 3.75.

Changes:
   - Bug 1749030 - This patch adds gcc-9 and gcc-10 to the CI.
   - Bug 1749794 - Make DottedOIDToCode.py compatible with python3.
   - Bug 1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
   - Bug 1748386 - Remove redundant key type check.
   - Bug 1749869 - Update ABI expectations to match ECH changes.
   - Bug 1748386 - Enable CKM_CHACHA20.
   - Bug 1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
   - Bug 1747310 - real move assignment operator.
   - Bug 1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
   - Bug 1743302 - Add ECDSA test vectors to the bltest command line tool.
   - Bug 1747772 - Allow to build using clang's integrated assembler.
   - Bug 1321398 - Allow to override python for the build.
   - Bug 1747317 - test HKDF output rather than input.
   - Bug 1747316 - Use ASSERT macros to end failed tests early.
   - Bug 1747310 - move assignment operator for DataBuffer.
   - Bug 1712879 - Add test cases for ECH compression and unexpected extensions in SH.
   - Bug 1725938 - Update tests for ECH-13.
   - Bug 1725938 - Tidy up error handling.
   - Bug 1728281 - Add tests for ECH HRR Changes.
   - Bug 1728281 - Server only sends GREASE HRR extension if enabled by preference.
   - Bug 1725938 - Update generation of the Associated Data for ECH-13.
   - Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
   - Bug 1712879 - Allow for compressed, non-contiguous, extensions.
   - Bug 1712879 - Scramble the PSK extension in CHOuter.
   - Bug 1712647 - Split custom extension handling for ECH.
   - Bug 1728281 - Add ECH-13 HRR Handling.
   - Bug 1677181 - Client side ECH padding.
   - Bug 1725938 - Stricter ClientHelloInner Decompression.
   - Bug 1725938 - Remove ECH_inner extension, use new enum format.
   - Bug 1725938 - Update the version number for ECH-13 and adjust the ECHConfig size.

Revision 1.145 / (download) - annotate - [select for diffs], Thu Jan 6 12:47:51 2022 UTC (7 months, 1 week ago) by wiz
Branch: MAIN
Changes since 1.144: +4 -4 lines
Diff to previous 1.144 (colored)

nss: update to 3.74.

Changes:
Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses.
Bug 1553612 - Ensure clients offer consistent ciphersuites after HRR.
Bug 1721426 - NSS does not properly restrict server keys based on policy.
Bug 1733003 - Set nssckbi version number to 2.54.
Bug 1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate in NSS.
Bug 1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate in NSS.
Bug 1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate in NSS.
Bug 1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate in NSS.
Bug 1735407 - Replace GlobalSign ECC Root CA R4 in NSS.
Bug 1733560 - Remove Expired Root Certificates from NSS - DST Root CA X3.
Bug 1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates from NSS.
Bug 1741930 - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate to NSS.
Bug 1740095 - Add iTrusChina ECC root certificate to NSS.
Bug 1740095 - Add iTrusChina RSA root certificate to NSS.
Bug 1738805 - Add ISRG Root X2 root certificate to NSS.
Bug 1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate to NSS.
Bug 1738028 - Avoid a clang 13 unused variable warning in opt build.
Bug 1735028 - Check for missing signedData field.
Bug 1737470 - Ensure DER encoded signatures are within size limits.

Revision 1.144 / (download) - annotate - [select for diffs], Thu Dec 30 15:49:14 2021 UTC (7 months, 2 weeks ago) by ryoon
Branch: MAIN
Changes since 1.143: +4 -4 lines
Diff to previous 1.143 (colored)

nss: Update to 3.73.1

Changelog:
Change:
   - Add SHA-2 support to mozilla::pkix's OCSP implementation

Revision 1.138.2.1 / (download) - annotate - [select for diffs], Sun Dec 5 07:32:02 2021 UTC (8 months, 1 week ago) by spz
Branch: pkgsrc-2021Q3
Changes since 1.138: +5 -5 lines
Diff to previous 1.138 (colored) next main 1.139 (colored)

Pullup ticket #6548 - requested by mlelstv
devel/nss: security-update

Revisions pulled up:
- devel/nss/Makefile                                            1.215-1.217
- devel/nss/distinfo                                            1.139,1.142-1.143

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   wiz
   Date:           Thu Sep 30 21:39:55 UTC 2021

   Modified Files:
           pkgsrc/devel/nss: Makefile distinfo

   Log Message:
   nss: update to 3.71.

   Changes:
   - Bug 1717716 - Set nssckbi version number to 2.52.
   - Bug 1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
   - Bug 1373716 - Import of PKCS#12 files with Camellia encryption is not supported
   - Bug 1717707 - Add HARICA Client ECC Root CA 2021.
   - Bug 1717707 - Add HARICA Client RSA Root CA 2021.
   - Bug 1717707 - Add HARICA TLS ECC Root CA 2021.
   - Bug 1717707 - Add HARICA TLS RSA Root CA 2021.
   - Bug 1728394 - Add TunTrust Root CA certificate to NSS.


   To generate a diff of this commit:
   cvs rdiff -u -r1.214 -r1.215 pkgsrc/devel/nss/Makefile
   cvs rdiff -u -r1.138 -r1.139 pkgsrc/devel/nss/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   wiz
   Date:           Thu Oct 28 10:03:13 UTC 2021

   Modified Files:
           pkgsrc/devel/nss: Makefile distinfo

   Log Message:
   nss: update to 3.72.

   Changes:
      - Documentation: release notes for NSS 3.72
      - Documentation: release notes for NSS 3.71
      - Remove newline at the end of coreconf.dep
      - Bug 1731911 - Fix nsinstall parallel failure.
      - Bug 1729930 - Increase KDF cache size to mitigate perf regression in about:logins.


   To generate a diff of this commit:
   cvs rdiff -u -r1.215 -r1.216 pkgsrc/devel/nss/Makefile
   cvs rdiff -u -r1.141 -r1.142 pkgsrc/devel/nss/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   wiz
   Date:           Wed Dec  1 17:04:11 UTC 2021

   Modified Files:
           pkgsrc/devel/nss: Makefile distinfo

   Log Message:
   nss: update to 3.73.

   This contains the fix for CVE-2021-43527.


   To generate a diff of this commit:
   cvs rdiff -u -r1.216 -r1.217 pkgsrc/devel/nss/Makefile
   cvs rdiff -u -r1.142 -r1.143 pkgsrc/devel/nss/distinfo

Revision 1.143 / (download) - annotate - [select for diffs], Wed Dec 1 17:04:11 2021 UTC (8 months, 2 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2021Q4-base, pkgsrc-2021Q4
Changes since 1.142: +4 -4 lines
Diff to previous 1.142 (colored)

nss: update to 3.73.

This contains the fix for CVE-2021-43527.

Revision 1.142 / (download) - annotate - [select for diffs], Thu Oct 28 10:03:12 2021 UTC (9 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.141: +4 -4 lines
Diff to previous 1.141 (colored)

nss: update to 3.72.

Changes:
   - Documentation: release notes for NSS 3.72
   - Documentation: release notes for NSS 3.71
   - Remove newline at the end of coreconf.dep
   - Bug 1731911 - Fix nsinstall parallel failure.
   - Bug 1729930 - Increase KDF cache size to mitigate perf regression in about:logins.

Revision 1.141 / (download) - annotate - [select for diffs], Tue Oct 26 10:15:44 2021 UTC (9 months, 3 weeks ago) by nia
Branch: MAIN
Changes since 1.140: +2 -2 lines
Diff to previous 1.140 (colored)

archivers: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Could not be committed due to merge conflict:
devel/py-traitlets/distinfo

The following distfiles were unfetchable (note: some may be only fetched
conditionally):

./devel/pvs/distinfo pvs-3.2-solaris.tgz
./devel/eclipse/distinfo eclipse-sourceBuild-srcIncluded-3.0.1.zip

Revision 1.140 / (download) - annotate - [select for diffs], Thu Oct 7 13:40:38 2021 UTC (10 months, 1 week ago) by nia
Branch: MAIN
Changes since 1.139: +1 -2 lines
Diff to previous 1.139 (colored)

devel: Remove SHA1 hashes for distfiles

Revision 1.139 / (download) - annotate - [select for diffs], Thu Sep 30 21:39:55 2021 UTC (10 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.138: +5 -5 lines
Diff to previous 1.138 (colored)

nss: update to 3.71.

Changes:
- Bug 1717716 - Set nssckbi version number to 2.52.
- Bug 1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Bug 1373716 - Import of PKCS#12 files with Camellia encryption is not supported
- Bug 1717707 - Add HARICA Client ECC Root CA 2021.
- Bug 1717707 - Add HARICA Client RSA Root CA 2021.
- Bug 1717707 - Add HARICA TLS ECC Root CA 2021.
- Bug 1717707 - Add HARICA TLS RSA Root CA 2021.
- Bug 1728394 - Add TunTrust Root CA certificate to NSS.

Revision 1.138 / (download) - annotate - [select for diffs], Sun Sep 5 09:06:33 2021 UTC (11 months, 1 week ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2021Q3-base
Branch point for: pkgsrc-2021Q3
Changes since 1.137: +5 -5 lines
Diff to previous 1.137 (colored)

nss: update to 3.70.

Changes:
   - Documentation: release notes for NSS 3.70.
   - Documentation: release notes for NSS 3.69.1.
   - Bug 1726022 - Update test case to verify fix.
   - Bug 1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
   - Bug 1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
   - Formatting for lib/util
   - Bug 1681975 - Avoid using a lookup table in nssb64d.
   - Bug 1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
   - Bug 1714579 - Change default value of enableHelloDowngradeCheck to true.
   - Formatting for gtests/pk11_gtest/pk11_hpke_unittest.cc
   - Bug 1726022 - Cache additional PBE entries.
   - Bug 1709750 - Read HPKE vectors from official JSON.
   - Documentation: update for NSS 3.69 release.

Revision 1.137 / (download) - annotate - [select for diffs], Wed Sep 1 09:40:46 2021 UTC (11 months, 2 weeks ago) by mrg
Branch: MAIN
Changes since 1.136: +2 -2 lines
Diff to previous 1.136 (colored)

re-do this patch using a GCC defined macro.

this is still wrong, but it's less wrong than before and once again
both arm64 and arm64eb (and amd64) build.


this is really strange.  the code in sha512.c uses:

#if !defined(USE_HW_SHA2) || !defined(IS_LITTLE_ENDIAN)

which originally this patch attempted to match, but IS_LITTLE_ENDIAN
is never defined inside nss, even though it's used a few dozen times.
there is a MP_IS_LITTLE_ENDIAN defined that is setup, but almost
never used.

Revision 1.136 / (download) - annotate - [select for diffs], Tue Aug 31 11:12:30 2021 UTC (11 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.135: +6 -6 lines
Diff to previous 1.135 (colored)

nss: update to 3.69.1.

Bugs fixed:
   - Bug 1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
   - Bug 1720226 (Backout) - integrity checks in key4.db not happening on private components with AES_CBC

Revision 1.135 / (download) - annotate - [select for diffs], Fri Aug 27 21:33:02 2021 UTC (11 months, 3 weeks ago) by mrg
Branch: MAIN
Changes since 1.134: +2 -1 lines
Diff to previous 1.134 (colored)

fix build on arm64eb: sha512.c and sha256-armv8.c both provided the
same symbols.  (sha256-x86.c has the same problem, but that file
already requires little endian so is not a big deal.)

Revision 1.134 / (download) - annotate - [select for diffs], Mon Aug 9 07:54:47 2021 UTC (12 months, 1 week ago) by wiz
Branch: MAIN
Changes since 1.133: +5 -5 lines
Diff to previous 1.133 (colored)

nss: update to 3.69.

Bugs fixed:
   - Bug 1722613 - Disable DTLS 1.0 and 1.1 by default
   - Bug 1720226 - integrity checks in key4.db not happening on private components with AES_CBC
   - Bug 1720235 - SSL handling of signature algorithms ignores environmental invalid algorithms.
   - Bug 1721476 - sqlite 3.34 changed it's open semantics, causing nss failures.
   - Bug 1720230 - Gtest update changed the gtest reports, losing gtest details in all.sh reports.
   - Bug 1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
   - Bug 1720232 - SQLite calls could timeout in starvation situations.
   - Bug 1720225 - Coverity/cpp scanner errors found in nss 3.67
   - Bug 1709817 - Import the NSS documentation from MDN in nss/doc.
   - Bug 1720227 - NSS using a tempdir to measure sql performance not active

Revision 1.133 / (download) - annotate - [select for diffs], Mon Jun 28 08:48:20 2021 UTC (13 months, 3 weeks ago) by wiz
Branch: MAIN
Changes since 1.132: +5 -5 lines
Diff to previous 1.132 (colored)

nss: update to 3.67.

Bugs fixed:
* Bug 1683710 - Add a means to disable ALPN.
* Bug 1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* Bug 1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* Bug 1566124 - Fix counter increase in ppc-gcm-wrap.c.
* Bug 1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

Revision 1.132 / (download) - annotate - [select for diffs], Fri Jun 4 09:58:03 2021 UTC (14 months, 2 weeks ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2
Changes since 1.131: +5 -5 lines
Diff to previous 1.131 (colored)

nss: update to 3.66.

Bugs fixed:
* Bug 1710716 - Remove Expired Sonera Class2 CA from NSS.
* Bug 1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* Bug 1708307 - Remove Trustis FPS Root CA from NSS.
* Bug 1707097 - Add Certum Trusted Root CA to NSS.
* Bug 1707097 - Add Certum EC-384 CA to NSS.
* Bug 1703942 - Add ANF Secure Server Root CA to NSS.
* Bug 1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* Bug 1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* Bug 1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* Bug 1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* Bug 1710773 - NSS needs FIPS 180-3 FIPS indicators.
* Bug 1709291 - Add VerifyCodeSigningCertificateChain.
* Use GNU tar for the release helper script.

Revision 1.131 / (download) - annotate - [select for diffs], Sun May 16 17:42:31 2021 UTC (15 months ago) by wiz
Branch: MAIN
Changes since 1.130: +5 -6 lines
Diff to previous 1.130 (colored)

nss: update to 3.65.

Bugs fixed in NSS 3.65:
* Bug 1709654 - Update for NetBSD configuration.
* Bug 1709750 - Disable HPKE test when fuzzing.
* Bug 1566124 - Optimize AES-GCM for ppc64le.
* Bug 1699021 - Add AES-256-GCM to HPKE.
* Bug 1698419 - ECH -10 updates.
* Bug 1692930 - Update HPKE to final version.
* Bug 1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* Bug 1703936 - New coverity/cpp scanner errors.
* Bug 1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* Bug 1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* Bug 1705119 - Deadlock when using GCM and non-thread safe tokens.

Revision 1.130 / (download) - annotate - [select for diffs], Wed May 5 16:54:02 2021 UTC (15 months, 1 week ago) by wiz
Branch: MAIN
Changes since 1.129: +2 -2 lines
Diff to previous 1.129 (colored)

nss: add upstream bug report URL

Revision 1.129 / (download) - annotate - [select for diffs], Sat May 1 21:52:02 2021 UTC (15 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.128: +3 -6 lines
Diff to previous 1.128 (colored)

nss: hide symbols on NetBSD like on other platforms

Remove local workarounds again

Bump PKGREVISION.

Revision 1.128 / (download) - annotate - [select for diffs], Fri Apr 23 16:07:43 2021 UTC (15 months, 3 weeks ago) by rin
Branch: MAIN
Changes since 1.127: +2 -2 lines
Diff to previous 1.127 (colored)

nss: Fix support for NetBSD/aarch64eb. Bump revision.

Revision 1.127 / (download) - annotate - [select for diffs], Fri Apr 16 14:29:22 2021 UTC (16 months ago) by ryoon
Branch: MAIN
Changes since 1.126: +5 -5 lines
Diff to previous 1.126 (colored)

nss: Update to 3.64

Changelog:
Bugs fixed in NSS 3.64:
* Bug 1705286 - Properly detect mips64.
* Bug 1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx.
* Bug 1698320 - replace __builtin_cpu_supports("vsx") with
ppc_crypto_support() for clang.
* Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration.

Revision 1.126 / (download) - annotate - [select for diffs], Thu Apr 15 08:54:54 2021 UTC (16 months ago) by wiz
Branch: MAIN
Changes since 1.125: +4 -1 lines
Diff to previous 1.125 (colored)

nss: restore symbol rename patches

While the link fix did fix the case of openssl calling nss code,
the other way round still happens, e.g. in libreoffice (since fixed to
not use nss) and konqueror.

Bump PKGREVISION.

Revision 1.125 / (download) - annotate - [select for diffs], Fri Apr 9 06:40:59 2021 UTC (16 months, 1 week ago) by wiz
Branch: MAIN
Changes since 1.124: +3 -8 lines
Diff to previous 1.124 (colored)

nss: fix interoperability with openssl

For a long time now (at least 15 years), the installed pkg-config
file also linked against libsoftokn3, which is wrong according to
upstream. This library is only intended to be loaded as a module.

Having this library linked added symbols to the namespace that conflict
with openssl symbols. This had caused problems before, and patches
had been added to rename symbols to avoid this conflict.

Instead, fix this correctly by not linking against libsoftokn3.

Switch to using the pkg-config and nss-config files provided in the
distfiles instead of pkgsrc-specific ones.

Remove now unneeded symbol-renaming patches.

Remove DragonFly patches while here.

Bump PKGREVISION.

Revision 1.124 / (download) - annotate - [select for diffs], Tue Mar 30 16:34:05 2021 UTC (16 months, 2 weeks ago) by ryoon
Branch: MAIN
Changes since 1.123: +5 -5 lines
Diff to previous 1.123 (colored)

nss: Update to 3.63

Changelog:
Bugs fixed in NSS 3.63:
* Bug 1697380 - Make a clang-format run on top of helpful contributions.
* Bug 1683520 - ECCKiila P384, change syntax of nested structs initialization
to prevent build isses with GCC 4.8.
* Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar
multiplication.
* Bug 1683520 - ECCKiila P521, change syntax of nested structs initialization
to prevent build isses with GCC 4.8.
* Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar
multiplication.
* Bug 1696800 - HACL* update March 2021 -
c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* Bug 1694214 - tstclnt can't enable middlebox compat mode.
* Bug 1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* Bug 1685880 - Minor fix to prevent unused variable on early return.
* Bug 1685880 - Fix for the gcc compiler version 7 to support setenv with nss
build.
* Bug 1693217 - Increase nssckbi.h version number for March 2021 batch of root
CA changes, CA list version 2.48.
* Bug 1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* Bug 1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* Bug 1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* Bug 1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* Bug 1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from
NSS.
* Bug 1687822 - Turn off Websites trust bit for the ״taat der Nederlanden
Root CA - G3root cert in NSS.
* Bug 1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root -
2008' and 'Global Chambersign Root - 2008
* Bug 1694291 - Tracing fixes for ECH.

Revision 1.123 / (download) - annotate - [select for diffs], Tue Mar 9 03:44:23 2021 UTC (17 months, 1 week ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.122: +5 -5 lines
Diff to previous 1.122 (colored)

nss: Update to 3.62

* Change header files installation suggested by markd@.
  Do not install dbm header files and install nss header files
  under nss, not nss/nss.

Changelog:
Bugs fixed in NSS 3.62

    Bug 1688374 - Fix parallel build NSS-3.61 with make.
    Bug 1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable".
    Bug 1690583 - Fix CH padding extension size calculation.
    Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail.
    Bug 1690421 - Install packaged libabigail in docker-builds image.
    Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing.
    Bug 1674819 - Fixup a51fae403328, enum type may be signed.
    Bug 1681585 - Add ECH support to selfserv.
    Bug 1681585 - Update ECH to Draft-09.
    Bug 1678398 - Add Export/Import functions for HPKE context.
    Bug 1678398 - Update HPKE to draft-07.

Revision 1.122 / (download) - annotate - [select for diffs], Wed Jan 27 16:28:20 2021 UTC (18 months, 2 weeks ago) by ryoon
Branch: MAIN
Changes since 1.121: +5 -5 lines
Diff to previous 1.121 (colored)

nss: Update to 3.61

Changelog:
Bugs fixed in NSS 3.61:
 * Bug 1682071 - Fix issue with IKE Quick mode deriving incorrect key values
under certain conditions.
 * Bug 1684300 - Fix default PBE iteration count when NSS is compiled with
NSS_DISABLE_DBM.
 * Bug 1651411 - Improve constant-timeness in RSA operations.
 * Bug 1677207 - Upgrade Google Test version to latest release.
 * Bug 1654332 - Add aarch64-make target to nss-try.

Revision 1.121 / (download) - annotate - [select for diffs], Thu Dec 17 09:52:27 2020 UTC (20 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.120: +5 -5 lines
Diff to previous 1.120 (colored)

nss: Update to 3.60

Changelog:
Notable changes in NSS 3.60: 
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been
added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation.
See bug 1654332 for more information. 
* December 2020 batch of Root CA changes, builtins library updated to version
2.46. See bugs 1678189, 1678166, and 1670769 for more information.

Bugs fixed in NSS 3.60:
 * Bug 1654332 - Implement Encrypted Client Hello (draft-ietf-tls-esni-08).
 * Bug 1678189 - Update CA list version to 2.46.
 * Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS.
 * Bug 1678166 - Add NAVER Global Root Certification Authority root cert to
NSS.
 * Bug 1678384 - Add a build flag to allow building nssckbi-testlib in
mozilla-central.
 * Bug 1570539 - Remove -X alt-server-hello option from tstclnt.
 * Bug 1675523 - Fix incorrect pkcs11t.h value CKR_PUBLIC_KEY_INVALID.
 * Bug 1642174 - Fix PowerPC ABI version 1 build failure.
 * Bug 1674819 - Fix undefined shift in fuzzer mode.
 * Bug 1678990 - Fix ARM crypto extensions detection on macOS.
 * Bug 1679290 - Fix lock order inversion and potential deadlock with
libnsspem.
 * Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey.

Revision 1.120 / (download) - annotate - [select for diffs], Wed Nov 18 14:24:00 2020 UTC (20 months, 4 weeks ago) by ryoon
Branch: MAIN
Changes since 1.119: +5 -8 lines
Diff to previous 1.119 (colored)

nss: Update to 3.59

Changelog:
Notable Changes in NSS 3.59

Exported two existing functions from libnss, CERT_AddCertToListHeadWithData
and CERT_AddCertToListTailWithData

NOTE: NSS will soon require GCC 4.8 or newer. Gyp-based builds will stop
supporting older GCC versions first, followed a few releases later by the
make-based builds. Users of older GCC versions can continue to use the
make-based build system while they upgrade to newer versions of GCC.

Bugs fixed in NSS 3.59

* Bug 1607449 - Lock cert->nssCertificate to prevent a potential data race
* Bug 1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* Bug 1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* Bug 1670835 - Support enabling and disabling signatures via Crypto Policy
* Bug 1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs
when SHA1 signatures are disabled.
* Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some
test intermittents
* Bug 1672703 - Tolerate the first CCS in TLS 1.3  to fix a regression in our
CVE-2020-25648 fix that broke purple-discord
* Bug 1666891 - Support key wrap/unwrap with RSA-OAEP
* Bug 1667989 - Fix gyp linking on Solaris
* Bug 1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder
that affected decoding certain PKCS8 private keys when using NSS debug builds
* Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

Revision 1.119 / (download) - annotate - [select for diffs], Sat Oct 31 19:36:30 2020 UTC (21 months, 2 weeks ago) by wiz
Branch: MAIN
Changes since 1.118: +9 -6 lines
Diff to previous 1.118 (colored)

nss: update to 3.58nb1.

Add a post-release patch that broke some applications
https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f

Changes nout found.

Revision 1.118 / (download) - annotate - [select for diffs], Sat Sep 19 23:54:14 2020 UTC (22 months, 4 weeks ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.117: +5 -5 lines
Diff to previous 1.117 (colored)

nss: Update to 3.57

Changelog:
Notable Changes in NSS 3.57

* NSPR dependency updated to 4.29.
* The following CA certificates were Added:
    Bug 1663049 - CN=Trustwave Global Certification Authority
        SHA-256 Fingerprint:
97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
    Bug 1663049 - CN=Trustwave Global ECC P256 Certification Authority
        SHA-256 Fingerprint:
945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
    Bug 1663049 - CN=Trustwave Global ECC P384 Certification Authority
        SHA-256 Fingerprint:
55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
    Bug 1651211 - CN=EE Certification Centre Root CA
        SHA-256 Fingerprint:
3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
    Bug 1656077 - O=Government Root Certification Authority; C=TW
        SHA-256 Fingerprint:
7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
    Bug 1653092 - CN=OISTE WISeKey Global Root GA CA
        Websites (server authentication) trust bit removed.

Bugs fixed in NSS 3.57

* Bug 1651211 - Remove EE Certification Centre Root CA certificate.
* Bug 1653092 - Turn off Websites Trust Bit for OISTE WISeKey Global Root GA
CA.
* Bug 1656077 - Remove Taiwan Government Root Certification Authority
certificate.
* Bug 1663049 - Add SecureTrust's Trustwave Global root certificates to NSS.
* Bug 1659256 - AArch64 AES optimization shouldn't be enabled with gcc 4.8.
* Bug 1651834 - Fix Clang static analyzer warnings.
* Bug 1661378 - Fix Build failure with Clang 11.
* Bug 1659727 - Fix mpcpucache.c invalid output constraint on Linux/ARM.
* Bug 1662738 - Only run freebl_fips_RNG_PowerUpSelfTest when linked with
NSPR.
* Bug 1661810 - Fix Crash @ arm_aes_encrypt_ecb_128 when building with Clang
11.
* Bug 1659252 - Fix Make build with NSS_DISABLE_DBM=1.
* Bug 1660304 - Add POST tests for KDFs as required by FIPS.
* Bug 1663346 - Use 64-bit compilation on e2k architecture.
* Bug 1605922 - Account for negative sign in mp_radix_size.
* Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes.
* Bug 1660372 - NSS 3.57 should depend on NSPR 4.29
* Bug 1660734 - Fix Makefile typos.
* Bug 1660735 - Fix Makefile typos.

Revision 1.117 / (download) - annotate - [select for diffs], Sun Aug 23 08:31:27 2020 UTC (23 months, 3 weeks ago) by ryoon
Branch: MAIN
Changes since 1.116: +5 -5 lines
Diff to previous 1.116 (colored)

nss: Update to 3.56

CHangelog:
Notable Changes in NSS 3.56

* The known issue where Makefile builds failed to locate seccomon.h was fixed
in Bug 1653975.
* NSPR dependency updated to 4.28.

Bugs fixed in NSS 3.56

* Bug 1650702 - Support SHA-1 HW acceleration on ARMv8
* Bug 1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* Bug 1654142 - Add CPU feature detection for Intel SHA extension.
* Bug 1648822 - Add stricter validation of DH keys in FIPS mode.
* Bug 1656986 - Properly detect arm64 during GYP build architecture detection.
* Bug 1652729 - Add build flag to disable RC2 and relocate to
lib/freebl/deprecated.
* Bug 1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* Bug 1588941 - Send empty certificate message when scheme selection fails.
* Bug 1652032 - Fix failure to build in Windows arm64 makefile
cross-compilation.
* Bug 1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* Bug 1653975 - Fix 3.53 regression by setting "all" as the default makefile
target.
* Bug 1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* Bug 1659814 - Fix interop.sh failures with newer tls-interop commit and
dependencies.
* Bug 1656519 - Update NSPR dependency to 4.28.

Revision 1.116 / (download) - annotate - [select for diffs], Fri Jul 31 01:24:30 2020 UTC (2 years ago) by maya
Branch: MAIN
Changes since 1.115: +5 -5 lines
Diff to previous 1.115 (colored)

nss: update to 3.55

Note that this says the NSPR dependency is bumped. I didn't encounter
any problems with 2.46. It seems to be a change that their automation
was updated to the newer version.

NSS 3.55

    P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto and ECCKiila. Special thanks to the Network and Information Security Group (NISEC) at Tampere University.
    PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. See Bug 1649633 for more details.
    DTLS 1.3 implementation is updated to draft-38. See Bug 1647752 for details.
    NSPR dependency updated to 4.27.


NSS 3.54

    Support for TLS 1.3 external pre-shared keys (Bug 1603042).
    Use ARM Cryptography Extension for SHA256, when available. (Bug 1528113).

Revision 1.115 / (download) - annotate - [select for diffs], Thu Jun 18 14:16:50 2020 UTC (2 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.114: +5 -5 lines
Diff to previous 1.114 (colored)

nss: Update to 3.53.1

Changelog:
Bugs fixed in NSS 3.53.1

- Bug 1631597 (CVE-2020-12402) - Use constant-time GCD and modular inversion
in MPI.

Revision 1.114 / (download) - annotate - [select for diffs], Wed Jun 3 08:51:26 2020 UTC (2 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.113: +5 -6 lines
Diff to previous 1.113 (colored)

nss: Update to 3.53

Changelog:
Notable Changes in NSS 3.53

* When using the Makefiles, NSS can be built in parallel, speeding up those
builds to more similar performance as the build.sh/ninja/gyp system. (Bug
290526)

* SEED is now moved into a new freebl directory freebl/deprecated (Bug
1636389).

  - SEED will be disabled by default in a future release of NSS. At that time,
users will need to set the compile-time flag (Bug 1622033) to disable that
deprecation in order to use the algorithm.

  - Algorithms marked as deprecated will ultimately be removed.

* Several root certificates in the Mozilla program now set the
CKA_NSS_SERVER_DISTRUST_AFTER attribute, which NSS consumers can query to
further refine trust decisions. (Bug 1618404, Bug 1621159) If a builtin
certificate has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the  SCT or
NotBefore date of a certificate that builtin issued, then clients can elect
not to trust it.
  - This attribute provides a more graceful phase-out for certificate
authorities than complete removal from the root certificate builtin store.

Bugs fixed in NSS 3.53

* Bug 1640260 - Initialize PBE params (ASAN fix)
* Bug 1618404 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root certs
* Bug 1621159 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC, GRCA, and
SK ID root certs
* Bug 1629414 - PPC64: Correct compilation error between VMX vs. VSX vector
instructions
* Bug 1639033 - Fix various compile warnings in NSS
* Bug 1640041 - Fix a null pointer in security/nss/lib/ssl/sslencode.c:67
* Bug 1640042 - Fix a null pointer in security/nss/lib/ssl/sslsock.c:4460
* Bug 1638289 - Avoid multiple definitions of SHA{256,384,512}_* symbols when
linking libfreeblpriv3.so in Firefox on ppc64le
* Bug 1636389 - Relocate deprecated SEED algorithm
* Bug 1637083 - lib/ckfw: No such file or directory. Stop.
* Bug 1561331 - Additional modular inverse test
* Bug 1629553 - Rework and cleanup gmake builds
* Bug 1438431 - Remove mkdepend and "depend" make target
* Bug 290526 - Support parallel building of NSS when using the Makefiles
* Bug 1636206 - HACL* update after changes in libintvector.h
* Bug 1636058 - Fix building NSS on Debian s390x, mips64el, and riscv64
* Bug 1622033 - Add option to build without SEED

Revision 1.113 / (download) - annotate - [select for diffs], Wed May 6 01:09:43 2020 UTC (2 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.112: +5 -5 lines
Diff to previous 1.112 (colored)

nss: Update to 3.52

Changelog:
Notable Changes in NSS 3.52

    Bug 1603628 - Update NSS to support PKCS #11 v3.0.
    Bug 1623374 - Support new PKCS #11 v3.0 Message Interface for AES-GCM and ChaChaPoly.
    Bug 1612493 - Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*.

Bugs fixed in NSS 3.52

    Bug 1633498 - Fix unused variable 'getauxval' error on iOS compilation.
    Bug 1630721 - Add Softoken functions for FIPS.
    Bug 1630458 - Fix problem of GYP MSVC builds not producing debug symbol files.
    Bug 1629663 - Add IKEv1 Quick Mode KDF.
    Bug 1629661 - MPConfig calls in SSL initialize policy before NSS is initialized.
    Bug 1629655 - Support temporary session objects in ckfw.
    Bug 1629105 - Add PKCS11 v3.0 functions to module debug logger.
    Bug 1626751 - Fix error in generation of fuzz32 docker image after updates.
    Bug 1625133 - Fix implicit declaration of function 'getopt' error.
    Bug 1624864 - Allow building of gcm-arm32-neon on non-armv7 architectures.
    Bug 1624402 - Fix compilation error in Firefox Android.
    Bug 1624130 - Require CK_FUNCTION_LIST structs to be packed.
    Bug 1624377 - Fix clang warning for unknown argument '-msse4'.
    Bug 1623374 - Support new PKCS #11 v3.0 Message Interface for AES-GCM and ChaChaPoly.
    Bug 1623184 - Fix freebl_cpuid for querying Extended Features.
    Bug 1622555 - Fix argument parsing in lowhashtest.
    Bug 1620799 - Introduce NSS_DISABLE_GCM_ARM32_NEON to build on arm32 without NEON support.
    Bug 1619102 - Add workaround option to include both DTLS and TLS versions in DTLS supported_versions.
    Bug 1619056 - Update README: TLS 1.3 is not experimental anymore.
    Bug 1618915 - Fix UBSAN issue in ssl_ParseSessionTicket.
    Bug 1618739 - Don't assert fuzzer behavior in SSL_ParseSessionTicket.
    Bug 1617968 - Update Delegated Credentials implementation to draft-07.
    Bug 1617533 - Update HACL* dependencies for libintvector.h
    Bug 1613238 - Add vector accelerated SHA2 for POWER 8+.
    Bug 1612493 - Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*.
    Bug 1612281 - Maintain PKCS11 C_GetAttributeValue semantics on attributes that lack NSS database columns.
    Bug 1612260 - Add Wycheproof RSA test vectors.
    Bug 1608250 - broken fipstest handling of KI_len.
    Bug 1608245 - Consistently handle NULL slot/session.
    Bug 1603801 - Avoid dcache pollution from sdb_measureAccess().
    Bug 1603628 - Update NSS to support PKCS #11 v3.0.
    Bug 1561637 - TLS 1.3 does not work in FIPS mode.
    Bug 1531906 - Fix overzealous assertion when evicting a cached sessionID or using external cache.
    Bug 1465613 - Fix issue where testlib makefile build produced extraneous object files.
    Bug 1619959 - Properly handle multi-block SEED ECB inputs.
    Bug 1630925 - Guard all instances of NSSCMSSignedData.signerInfo to avoid a CMS crash
    Bug 1571677 - Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name

Compatibility

NSS 3.52 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries
will work with NSS 3.52 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the functions
listed in NSS Public Functions will remain compatible with future versions
of the NSS shared libraries.

Revision 1.112 / (download) - annotate - [select for diffs], Sun Apr 26 21:43:43 2020 UTC (2 years, 3 months ago) by tnn
Branch: MAIN
Changes since 1.111: +2 -1 lines
Diff to previous 1.111 (colored)

nss: fix wrong value of CPU_ARCH on NetBSD/evbarm-earmv7hf

Fixes PR pkg/53353 and maybe also PR pkg/55158

Revision 1.111 / (download) - annotate - [select for diffs], Sun Apr 12 15:13:33 2020 UTC (2 years, 4 months ago) by tnn
Branch: MAIN
Changes since 1.110: +2 -2 lines
Diff to previous 1.110 (colored)

g/c stale comment

Revision 1.110 / (download) - annotate - [select for diffs], Sun Apr 12 12:19:20 2020 UTC (2 years, 4 months ago) by tnn
Branch: MAIN
Changes since 1.109: +3 -1 lines
Diff to previous 1.109 (colored)

nss: interim NetBSD/aarch64 build fix

Revision 1.109 / (download) - annotate - [select for diffs], Sun Apr 12 10:25:17 2020 UTC (2 years, 4 months ago) by tnn
Branch: MAIN
Changes since 1.108: +2 -2 lines
Diff to previous 1.108 (colored)

nss: delete patch hunk which should no longer be necessary

Revision 1.108 / (download) - annotate - [select for diffs], Wed Mar 18 13:22:10 2020 UTC (2 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.107: +5 -5 lines
Diff to previous 1.107 (colored)

nss: Update to 3.51

Changelog:
Notable Changes in NSS 3.51

* Updated DTLS 1.3 implementation to Draft-34. See Bug 1608892 for details.

Bugs fixed in NSS 3.51

* Bug 1608892 - Update DTLS 1.3 implementation to draft-34.
* Bug 1611209 - Correct swapped PKCS11 values of CKM_AES_CMAC and
CKM_AES_CMAC_GENERAL
* Bug 1612259 - Complete integration of Wycheproof ECDH test cases
* Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>)
* Bug 1614786 - Fix a compilation error for etFIPSEnv"defined but not
used"
* Bug 1615208 - Send DTLS version numbers in DTLS 1.3 supported_versions
extension to avoid an incompatibility.
* Bug 1538980 - SECU_ReadDERFromFile calls strstr on a string that isn't
guaranteed to be null-terminated
* Bug 1561337 - Correct a warning for comparison of integers of different
signs: 'int' and 'unsigned long' in
security/nss/lib/freebl/ecl/ecp_25519.c:88
* Bug 1609751 - Add test for mp_int clamping
* Bug 1582169 - Don't attempt to read the fips_enabled flag on the machine
unless NSS was built with FIPS enabled
* Bug 1431940 - Fix a null pointer dereference in BLAKE2B_Update
* Bug 1617387 - Fix compiler warning in secsign.c
* Bug 1618400 - Fix a OpenBSD/arm64 compilation error: unused variable
'getauxval'
* Bug 1610687 - Fix a crash on unaligned CMACContext.aes.keySchedule when
using AES-NI intrinsics

Revision 1.107 / (download) - annotate - [select for diffs], Fri Feb 14 13:02:41 2020 UTC (2 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.106: +5 -5 lines
Diff to previous 1.106 (colored)

nss: Update to 3.50

Changelog:
Notable Changes in NSS 3.50

* Verified primitives from HACL* were updated, bringing performance
improvements for several platforms.
  Note that Intel processors with SSE4 but without AVX are currently unable to
use the improved ChaCha20/Poly1305 due to a build issue; such platforms will
fall-back to less optimized algorithms. See Bug 1609569 for details.

* Updated DTLS 1.3 implementation to Draft-30. See Bug 1599514 for details.

* Added NIST SP800-108 KBKDF - PKCS#11 implementation. See Bug 1599603 for
details.

Bugs fixed in NSS 3.50

* Bug 1599514 - Update DTLS 1.3 implementation to Draft-30
* Bug 1603438 - Fix native tools build failure due to lack of zlib include dir
if external
* Bug 1599603 - NIST SP800-108 KBKDF - PKCS#11 implementation
* Bug 1606992 - Cache the most recent PBKDF1 password hash, to speed up
repeated SDR operations, important with the increased KDF iteration counts.
NSS 3.49.1 sped up PBKDF2 operations, though PBKDF1 operations are also
relevant for older NSS databases (also included in NSS 3.49.2)
* Bug 1608895 - Gyp builds on taskcluster broken by Setuptools v45.0.0 (for
lacking Python3)
* Bug 1574643 - Upgrade HACL* verified implementations of ChaCha20, Poly1305,
and 64-bit Curve25519
* Bug 1608327 - Two problems with NEON-specific code in freebl
* Bug 1575843 - Detect AArch64 CPU features on FreeBSD
* Bug 1607099 - Remove the buildbot configuration
* Bug 1585429 - Add more HKDF test vectors
* Bug 1573911 - Add more RSA test vectors
* Bug 1605314 - Compare all 8 bytes of an mp_digit when clamping in Windows
assembly/mp_comba
* Bug 1604596 - Update Wycheproof vectors and add support for CBC, P256-ECDH,
and CMAC tests
* Bug 1608493 - Use AES-NI for non-GCM AES ciphers on platforms with no
assembly-optimized implementation, such as macOS.
* Bug 1547639 - Update zlib in NSS to 1.2.11
* Bug 1609181 - Detect ARM (32-bit) CPU features on FreeBSD
* Bug 1602386 - Fix build on FreeBSD/powerpc*
* Bug 1608151 - Introduce NSS_DISABLE_ALTIVEC
* Bug 1612623 - Depend on NSPR 4.25
* Bug 1609673 - Fix a crash when NSS is compiled without libnssdbm support,
but the nssdbm shared object is available anyway.

Revision 1.106 / (download) - annotate - [select for diffs], Wed Feb 5 03:31:58 2020 UTC (2 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.105: +5 -5 lines
Diff to previous 1.105 (colored)

nss: Update to 4.49.2

Changelog:
No new functionality is introduced in this release. This release fixes several
issues:

 - Bug 1606992 - Cache the most recent PBKDF1 password hash, to speed up
repeated SDR
   operations when using profiles using that hash. This is covering additional
cases
   not covered by NSS 3.49.1, important with the increased KDF iteration
counts.
 - Bug 1608327 - Fix compilation problems with NEON-specific code in freebl
 - Bug 1608895 - Fix a taskcluster issue with Python 2 / Python 3

NSS 3.49.2 requires NSPR 4.24 or newer.

Revision 1.102.4.1 / (download) - annotate - [select for diffs], Sat Jan 18 22:29:04 2020 UTC (2 years, 6 months ago) by bsiegert
Branch: pkgsrc-2019Q4
Changes since 1.102: +7 -7 lines
Diff to previous 1.102 (colored) next main 1.103 (colored)

Pullup ticket #6117 - requested by nia
devel/nss: dependent update (for Firefox)

Revisions pulled up:
- devel/nss/Makefile                                            1.175-1.177
- devel/nss/distinfo                                            1.103-1.105
- devel/nss/patches/patch-me                                    1.6
- devel/nss/patches/patch-nss_coreconf_command.mk               1.4

---
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Dec 28 23:04:05 UTC 2019

   Modified Files:
           pkgsrc/devel/nss: Makefile distinfo
           pkgsrc/devel/nss/patches: patch-nss_coreconf_command.mk

   Log Message:
   Update to 3.48

   Changelog:
   Notable Changes in NSS 3.48

    * TLS 1.3 is the default maximum TLS version.  See Bug 1573118 for details.

    * TLS extended master secret is enabled by default, where possible.  See Bug
   1575411 for details.

    * The master password PBE now uses 10,000 iterations by default when using
   the default sql (key4.db) storage. Because using an iteration count higher
   than 1 with the legacy dbm (key3.db) storage creates files that are
   incompatible with previous versions of NSS, applications that wish to enable
   it for key3.db are required to set environment variable
   NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1. Applications may set environment
   variable NSS_MIN_MP_PBE_ITERATION_COUNT to request a higher iteration count
   than the library's default, or NSS_MAX_MP_PBE_ITERATION_COUNT to request a
   lower iteration count for test environments. See Bug 1562671 for details.

   Certificate Authority Changes

   The following CA certificates were Added:
    * Bug 1591178 - Entrust Root Certification Authority - G4 Cert
      SHA-256 Fingerprint:
   DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88

   Bugs fixed in NSS 3.48

    * Bug 1586176 - EncryptUpdate should use maxout not block size
   (CVE-2019-11745)
       -- Note that this was previously fixed in NSS 3.44.3 and 3.47.1.
    * Bug 1600775 - Require NSPR 4.24 for NSS 3.48
    * Bug 1593401 - Fix race condition in self-encrypt functions
    * Bug 1599545 - Fix assertion and add test for early Key Update
    * Bug 1597799 - Fix a crash in nssCKFWObject_GetAttributeSize
    * Bug 1591178 - Add Entrust Root Certification Authority - G4 certificate to
   NSS
    * Bug 1590001 - Prevent negotiation of versions lower than 1.3 after
   HelloRetryRequest
    * Bug 1596450 - Added a simplified and unified MAC implementation for HMAC
   and CMAC behind PKCS#11
    * Bug 1522203 - Remove an old Pentium Pro performance workaround
    * Bug 1592557 - Fix PRNG known-answer-test scripts
    * Bug 1593141 - add `notBefore` or similar "beginning-of-validity-period"
   parameter to mozilla::pkix::TrustDomain::CheckRevocation
    * Bug 1591363 - Fix a PBKDF2 memory leak in NSC_GenerateKey if key length >
   MAX_KEY_LEN (256)
    * Bug 1592869 - Use ARM NEON for ctr_xor
    * Bug 1566131 - Ensure SHA-1 fallback disabled in TLS 1.2
    * Bug 1577803 - Mark PKCS#11 token as friendly if it implements
   CKP_PUBLIC_CERTIFICATES_TOKEN
    * Bug 1566126 - POWER GHASH Vector Acceleration
    * Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c
    * Bug 1590495 - Fix a crash in PK11_MakeCertFromHandle
    * Bug 1591742 - Ensure DES IV length is valid before usage from PKCS#11
    * Bug 1588567 - Enable mozilla::pkix gtests in NSS CI
    * Bug 1591315 - Update NSC_Decrypt length in constant time
    * Bug 1562671 - Increase NSS MP KDF default iteration count, by default for
   modern key4 storage, optionally for legacy key3.db storage
    * Bug 1590972 - Use -std=c99 rather than -std=gnu99
    * Bug 1590676 - Fix build if ARM doesn't support NEON
    * Bug 1575411 - Enable TLS extended master secret by default
    * Bug 1590970 - SSL_SetTimeFunc has incomplete coverage
    * Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
    * Bug 1588244 - NSS changes for Delegated Credential key strength checks
    * Bug 1459141 - Add more CBC padding tests that missed NSS 3.47
    * Bug 1590339 - Fix a memory leak in btoa.c
    * Bug 1589810 - fix uninitialized variable warnings from certdata.perl
    * Bug 1573118 - Enable TLS 1.3 by default in NSS

---
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Fri Jan 10 03:43:20 UTC 2020

   Modified Files:
           pkgsrc/devel/nss: Makefile distinfo
           pkgsrc/devel/nss/patches: patch-me

   Log Message:
   nss: Update to 3.49

   Changelog:
   Notable Changes in NSS 3.49
    * The legacy DBM database, libnssdbm, is no longer built by default when
   using gyp builds. See Bug 1594933 for details.

   Bugs fixed in NSS 3.49
    * Bug 1513586 - Set downgrade sentinel for client TLS versions lower than
   1.2.
    * Bug 1606025 - Remove -Wmaybe-uninitialized warning in sslsnce.c
    * Bug 1606119 - Fix PPC HW Crypto build failure
    * Bug 1605545 - Memory leak in Pk11Install_Platform_Generate
    * Bug 1602288 - Fix build failure due to missing posix signal.h
    * Bug 1588714 - Implement CheckARMSupport for Win64/aarch64
    * Bug 1585189 - NSS database uses 3DES instead of AES to encrypt DB entries
    * Bug 1603257 - Fix UBSAN issue in softoken CKM_NSS_CHACHA20_CTR
   initialization
    * Bug 1590001 - Additional HRR Tests (CVE-2019-17023)
    * Bug 1600144 - Treat ClientHello with message_seq of 1 as a second
   ClientHello
    * Bug 1603027 - Test that ESNI is regenerated after HelloRetryRequest
    * Bug 1593167 - Intermittent mis-reporting potential security risk
   SEC_ERROR_UNKNOWN_ISSUER
    * Bug 1535787 - Fix automation/release/nss-release-helper.py on MacOS
    * Bug 1594933 - Disable building DBM by default
    * Bug 1562548 - Improve GCM perfomance on aarch32

---
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Tue Jan 14 12:58:08 UTC 2020

   Modified Files:
           pkgsrc/devel/nss: Makefile distinfo

   Log Message:
   nss: Update to 3.49.1

   * Bump nspr requirement

   Changelog:
   No new functionality is introduced in these releases. These releases fix a
   performance issue:

    - Bug 1606992 - Cache the most recent PBKDF2 password hash, to speed up
   repeated SDR operations, important with the increased KDF iteration counts.

Revision 1.105 / (download) - annotate - [select for diffs], Tue Jan 14 12:58:08 2020 UTC (2 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.104: +5 -5 lines
Diff to previous 1.104 (colored)

nss: Update to 3.49.1

* Bump nspr requirement

Changelog:
No new functionality is introduced in these releases. These releases fix a
performance issue:

 - Bug 1606992 - Cache the most recent PBKDF2 password hash, to speed up
repeated SDR operations, important with the increased KDF iteration counts.

Revision 1.104 / (download) - annotate - [select for diffs], Fri Jan 10 03:43:20 2020 UTC (2 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.103: +6 -6 lines
Diff to previous 1.103 (colored)

nss: Update to 3.49

Changelog:
Notable Changes in NSS 3.49
 * The legacy DBM database, libnssdbm, is no longer built by default when
using gyp builds. See Bug 1594933 for details.

Bugs fixed in NSS 3.49
 * Bug 1513586 - Set downgrade sentinel for client TLS versions lower than
1.2.
 * Bug 1606025 - Remove -Wmaybe-uninitialized warning in sslsnce.c
 * Bug 1606119 - Fix PPC HW Crypto build failure
 * Bug 1605545 - Memory leak in Pk11Install_Platform_Generate
 * Bug 1602288 - Fix build failure due to missing posix signal.h
 * Bug 1588714 - Implement CheckARMSupport for Win64/aarch64
 * Bug 1585189 - NSS database uses 3DES instead of AES to encrypt DB entries
 * Bug 1603257 - Fix UBSAN issue in softoken CKM_NSS_CHACHA20_CTR
initialization
 * Bug 1590001 - Additional HRR Tests (CVE-2019-17023)
 * Bug 1600144 - Treat ClientHello with message_seq of 1 as a second
ClientHello
 * Bug 1603027 - Test that ESNI is regenerated after HelloRetryRequest
 * Bug 1593167 - Intermittent mis-reporting potential security risk
SEC_ERROR_UNKNOWN_ISSUER
 * Bug 1535787 - Fix automation/release/nss-release-helper.py on MacOS
 * Bug 1594933 - Disable building DBM by default
 * Bug 1562548 - Improve GCM perfomance on aarch32

Revision 1.103 / (download) - annotate - [select for diffs], Sat Dec 28 23:04:04 2019 UTC (2 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.102: +6 -6 lines
Diff to previous 1.102 (colored)

Update to 3.48

Changelog:
Notable Changes in NSS 3.48

 * TLS 1.3 is the default maximum TLS version.  See Bug 1573118 for details.

 * TLS extended master secret is enabled by default, where possible.  See Bug
1575411 for details.

 * The master password PBE now uses 10,000 iterations by default when using
the default sql (key4.db) storage. Because using an iteration count higher
than 1 with the legacy dbm (key3.db) storage creates files that are
incompatible with previous versions of NSS, applications that wish to enable
it for key3.db are required to set environment variable
NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1. Applications may set environment
variable NSS_MIN_MP_PBE_ITERATION_COUNT to request a higher iteration count
than the library's default, or NSS_MAX_MP_PBE_ITERATION_COUNT to request a
lower iteration count for test environments. See Bug 1562671 for details.

Certificate Authority Changes

The following CA certificates were Added:
 * Bug 1591178 - Entrust Root Certification Authority - G4 Cert
   SHA-256 Fingerprint:
DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88

Bugs fixed in NSS 3.48

 * Bug 1586176 - EncryptUpdate should use maxout not block size
(CVE-2019-11745)
    -- Note that this was previously fixed in NSS 3.44.3 and 3.47.1.
 * Bug 1600775 - Require NSPR 4.24 for NSS 3.48
 * Bug 1593401 - Fix race condition in self-encrypt functions
 * Bug 1599545 - Fix assertion and add test for early Key Update
 * Bug 1597799 - Fix a crash in nssCKFWObject_GetAttributeSize
 * Bug 1591178 - Add Entrust Root Certification Authority - G4 certificate to
NSS
 * Bug 1590001 - Prevent negotiation of versions lower than 1.3 after
HelloRetryRequest
 * Bug 1596450 - Added a simplified and unified MAC implementation for HMAC
and CMAC behind PKCS#11
 * Bug 1522203 - Remove an old Pentium Pro performance workaround
 * Bug 1592557 - Fix PRNG known-answer-test scripts
 * Bug 1593141 - add `notBefore` or similar "beginning-of-validity-period"
parameter to mozilla::pkix::TrustDomain::CheckRevocation
 * Bug 1591363 - Fix a PBKDF2 memory leak in NSC_GenerateKey if key length >
MAX_KEY_LEN (256)
 * Bug 1592869 - Use ARM NEON for ctr_xor
 * Bug 1566131 - Ensure SHA-1 fallback disabled in TLS 1.2
 * Bug 1577803 - Mark PKCS#11 token as friendly if it implements
CKP_PUBLIC_CERTIFICATES_TOKEN
 * Bug 1566126 - POWER GHASH Vector Acceleration
 * Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c
 * Bug 1590495 - Fix a crash in PK11_MakeCertFromHandle
 * Bug 1591742 - Ensure DES IV length is valid before usage from PKCS#11
 * Bug 1588567 - Enable mozilla::pkix gtests in NSS CI
 * Bug 1591315 - Update NSC_Decrypt length in constant time
 * Bug 1562671 - Increase NSS MP KDF default iteration count, by default for
modern key4 storage, optionally for legacy key3.db storage
 * Bug 1590972 - Use -std=c99 rather than -std=gnu99
 * Bug 1590676 - Fix build if ARM doesn't support NEON
 * Bug 1575411 - Enable TLS extended master secret by default
 * Bug 1590970 - SSL_SetTimeFunc has incomplete coverage
 * Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
 * Bug 1588244 - NSS changes for Delegated Credential key strength checks
 * Bug 1459141 - Add more CBC padding tests that missed NSS 3.47
 * Bug 1590339 - Fix a memory leak in btoa.c
 * Bug 1589810 - fix uninitialized variable warnings from certdata.perl
 * Bug 1573118 - Enable TLS 1.3 by default in NSS

Revision 1.102 / (download) - annotate - [select for diffs], Tue Dec 3 14:29:21 2019 UTC (2 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base
Branch point for: pkgsrc-2019Q4
Changes since 1.101: +6 -6 lines
Diff to previous 1.101 (colored)

Update to 3.47.1

Changelog:
NSS 3.47.1 includes:

* CVE-2019-11745 - EncryptUpdate should use maxout, not block size
* Bug 1590495 - Fix a crash that could be caused by client certificates during
startup
* Bug 1589810 - Fix compile-time warnings from uninitialized variables in a
perl script

NSS 3.47.1 requires NSPR 4.23 or newer. The HG tag is NSS_3_47_1_RTM.

Revision 1.101 / (download) - annotate - [select for diffs], Fri Oct 4 12:35:15 2019 UTC (2 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.100: +5 -5 lines
Diff to previous 1.100 (colored)

Update to 3.46.1

Changelog:
* 1582343 - Soft token MAC verification not constant time
* 1577953 - Remove arbitrary HKDF output limit by allocating space as needed

Revision 1.100 / (download) - annotate - [select for diffs], Thu Sep 19 19:14:39 2019 UTC (2 years, 10 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3
Changes since 1.99: +2 -2 lines
Diff to previous 1.99 (colored)

nss: aarch64 build fix

From OpenBSD. Similar to PR pkg/53353 for ARM. Although different symbols
missing in that case and that's believed to be fixed already.

Revision 1.99 / (download) - annotate - [select for diffs], Fri Sep 6 02:54:47 2019 UTC (2 years, 11 months ago) by ryoon
Branch: MAIN
Changes since 1.98: +6 -6 lines
Diff to previous 1.98 (colored)

Update to 3.46

Changelog:
Notable Changes:
 * The following CA certificates were Removed:
  - 1574670 - Remove expired Class 2 Primary root certificate
  - 1574670 - Remove expired UTN-USERFirst-Client root certificat
  - 1574670 - Remove expired Deutsche Telekom Root CA 2 root certificate
  - 1566569 - Remove Swisscom Root CA 2 root certificate
 * Significant improvements to AES-GCM performance on ARM

Bugs fixed in NSS 3.46:

 * 1572164 - Don't unnecessarily free session in NSC_WrapKey
 * 1574220 - Improve controls after errors in tstcln, selfserv and vfyserv
cmds
 * 1550636 - Upgrade SQLite in NSS to a 2019 version
 * 1572593 - Reset advertised extensions in ssl_ConstructExtensions
 * 1415118 - NSS build with ./build.sh --enable-libpkix fails
 * 1539788 - Add length checks for cryptographic primitives
 * 1542077 - mp_set_ulong and mp_set_int should return errors on bad values
 * 1572791 - Read out-of-bounds in DER_DecodeTimeChoice_Util from
SSLExp_DelegateCredential
 * 1560593 - Cleanup.sh script does not set error exit code for tests that
"Failed with core"
 * 1566601 - Add Wycheproof test vectors for AES-KW
 * 1571316 - curve25519_32.c:280: undefined reference to `PR_Assert' when
building NSS 3.45 on armhf-linux
 * 1516593 - Client to generate new random during renegotiation
 * 1563258 - fips.sh fails due to non-existent "resp" directories
 * 1561598 - Remove -Wmaybe-uninitialized warning in pqg.c
 * 1560806 - Increase softoken password max size to 500 characters
 * 1568776 - Output paths relative to repository in NSS coverity
 * 1453408 - modutil -changepw fails in FIPS mode if password is an empty
string
 * 1564727 - Use a PSS SPKI when possible for delegated credentials
 * 1493916 - fix ppc64 inline assembler for clang
 * 1561588 - Remove -Wmaybe-uninitialized warning in p7env.c
 * 1561548 - Remove -Wmaybe-uninitialized warning in
pkix_pl_ldapdefaultclient.c
 * 1512605 - Incorrect alert description after unencrypted Finished msg
 * 1564715 - Read /proc/cpuinfo when AT_HWCAP2 returns 0
 * 1532194 - Remove or fix -DDEBUG_$USER from make builds
 * 1565577 - Visual Studio's cl.exe -? hangs on Windows x64 when building nss
since changeset 9162c654d06915f0f15948fbf67d4103a229226f
 * 1564875 - Improve rebuilding with build.sh
 * 1565243 - Support TC_OWNER without email address in nss taskgraph
 * 1563778 - Increase maxRunTime on Mac taskcluster Tools, SSL tests
 * 1561591 - Remove -Wmaybe-uninitialized warning in tstclnt.c
 * 1561587 - Remove -Wmaybe-uninitialized warning in lgattr.c
 * 1561558 - Remove -Wmaybe-uninitialized warning in httpserv.c
 * 1561556 - Remove -Wmaybe-uninitialized warning in tls13esni.c
 * 1561332 - ec.c:28 warning: comparison of integers of different signs: 'int'
and 'unsigned long'
 * 1564714 - Print certutil commands during setup
 * 1565013 - HACL image builder times out while fetching gpg key
 * 1563786 - Update hacl-star docker image to pull specific commit
 * 1559012 - Improve GCM perfomance using PMULL2
 * 1528666 - Correct resumption validation checks
 * 1568803 - More tests for client certificate authentication
 * 1564284 - Support profile mobility across Windows and Linux
 * 1573942 - Gtest for pkcs11.txt with different breaking line formats
 * 1575968 - Add strsclnt option to enforce the use of either IPv4 or IPv6
 * 1549847 - Fix NSS builds on iOS
 * 1485533 - Enable NSS_SSL_TESTS on taskcluster

Revision 1.98 / (download) - annotate - [select for diffs], Tue Jul 30 12:18:43 2019 UTC (3 years ago) by ryoon
Branch: MAIN
Changes since 1.97: +5 -5 lines
Diff to previous 1.97 (colored)

Update to 3.45

Changelog:
New Functions

    in pk11pub.h:
	PK11_FindRawCertsWithSubject - Finds all certificates on the given
slot with the given subject distinguished name and returns them as DER bytes.
If no such certificates can be found, returns SECSuccess and sets *results to
NULL. If a failure is encountered while fetching any of the matching
certificates, SECFailure is returned and *results will be NULL.

Notable Changes in NSS 3.45

    Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts)
	This adds a new experimental function: SSL_DelegateCredential
	Note: In 3.45, selfserv does not yet support delegated credentials.
See Bug 1548360.
	Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming
change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated
credential for better policy enforcement. See Bug 1563078.
    Bug 1550579 - Replace ARM32 Curve25519 implementation with one from
fiat-crypto
    Bug 1551129 - Support static linking on Windows
    Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding
certificates with a given subject on a given slot
    Bug 1546229 - Add IPSEC IKE support to softoken
    Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23)
    Bug 1543874 - Expose an external clock for SSL
	This adds new experimental functions: SSL_SetTimeFunc,
SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and
SSL_ReleaseAntiReplayContext.
	The experimental function SSL_InitAntiReplay is removed.
    Bug 1546477 - Various changes in response to the ongoing FIPS review
	Note: The source package size has increased substantially due to the
new FIPS test vectors. This will likely prompt follow-on work, but please
accept our apologies in the meantime.

Certificate Authority Changes

    The following CA certificates were Removed:
	Bug 1552374 - CN = Certinomis - Root CA
	    SHA-256 Fingerprint:
2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158

Bugs fixed in NSS 3.45

    Bug 1540541 - Don't unnecessarily strip leading 0's from key material
during PKCS11 import (CVE-2019-11719)
    Bug 1515342 - More thorough input checking (CVE-2019-11729)
    Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
(CVE-2019-11727)
    Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from
lib/freebl/pqg.c (static analysis)
    Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from
lib/freebl/pqg.c  (static analysis)
    Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong
    Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags
could be faked. Only relevant for clients that might have copied the unit test
code verbatim
    Bug 1550022 - Ensure nssutil3 gets built on Android
    Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on
failure
    Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns
error
    Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures
    Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors
using NSS
    Bug 1553443 - Send session ticket only after handshake is marked as
finished
    Bug 1550708 - Fix gyp scripts on Solaris SPARC so that
libfreebl_64fpu_3.so builds
    Bug 1554336 - Optimize away unneeded loop in mpi.c
    Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor
specific mechanism
    Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
    Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
    Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey
    Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data
    Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work
    Bug 1561523 - Add a string for the new-ish error
SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION

Revision 1.97 / (download) - annotate - [select for diffs], Sat Jun 22 03:54:04 2019 UTC (3 years, 1 month ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.96: +5 -5 lines
Diff to previous 1.96 (colored)

Update to 3.44.1

Changelog:
3.44.1:
* 1554336 - Optimize away unneeded loop in mpi.c
* 1515342 - More thorough input checking
* 1540541 - Don't unnecessarily strip leading 0's from key material during
PKCS11 import
* 1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh
* 1546229 - Add IPSEC IKE support to softoken
* 1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys
* 1546477 - Updates to testing for FIPS validation
* 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
* 1551041 - Unbreak build on GCC < 4.3 big-endian

Revision 1.96 / (download) - annotate - [select for diffs], Thu May 16 14:08:16 2019 UTC (3 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.95: +5 -6 lines
Diff to previous 1.95 (colored)

Update to 3.44

Changelog:
New Functions:

    in lib/certdb/cert.h
	CERT_GetCertificateDer - Access the DER-encoded form of a
CERTCertificate.

Notable Changes in NSS 3.44:

   * It is now possible to build NSS as a static library (Bug 1543545)
   * Initial support for building for iOS.

Bugs fixed in NSS 3.44:

   * 1501542 - Implement CheckARMSupport for Android
   * 1531244 - Use __builtin_bswap64 in crypto_primitives.h
   * 1533216 - CERT_DecodeCertPackage() crash with Netscape Certificate
Sequences
   * 1533616 - sdb_GetAttributeValueNoLock should make at most one sql query,
rather than one for each attribute
   * 1531236 - Provide accessor for CERTCertificate.derCert
   * 1536734 - lib/freebl/crypto_primitives.c assumes a big endian machine
   * 1532384 - In NSS test certificates, use @example.com (not @bogus.com)
   * 1538479 - Post-Handshake messages after async server authentication break
when using record layer separation
   * 1521578 - x25519 support in pk11pars.c
   * 1540205 - freebl build fails with -DNSS_DISABLE_CHACHAPOLY
   * 1532312 - post-handshake auth doesn't interoperate with OpenSSL
   * 1542741 - certutil -F crashes with segmentation fault
   * 1546925 - Allow preceding text in try comment
   * 1534468 - Expose ChaCha20 primitive
   * 1418944 - Quote CC/CXX variables passed to nspr
   * 1543545 - Allow to build NSS as a static library
   * 1487597 - Early data that arrives before the handshake completes can be
read afterwards
   * 1548398 - freebl_gtest not building on Linux/Mac
   * 1548722 - Fix some Coverity warnings
   * 1540652 - softoken/sdb.c: Logically dead code
   * 1549413 - Android log lib is not included in build
   * 1537927 - IPsec usage is too restrictive for existing deployments
   * 1549608 - Signature fails with dbm disabled
   * 1549848 - Allow building NSS for iOS using gyp
   * 1549847 - NSS's SQLite compilation warnings make the build fail on iOS
   * 1550041 - freebl not building on iOS simulator
   * 1542950 - MacOS cipher test timeouts

Revision 1.95 / (download) - annotate - [select for diffs], Sun May 5 22:47:27 2019 UTC (3 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.94: +6 -5 lines
Diff to previous 1.94 (colored)

Do not conflict with MD5_Update from OpenSSL

Like SHA1_Update, define another name, NSS_MD5_Update and
use via CPP macto.
This change fixes PDF export of misc/libreoffice.

And make pkglint happier.

Revision 1.94 / (download) - annotate - [select for diffs], Fri Mar 22 15:50:34 2019 UTC (3 years, 4 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.93: +5 -5 lines
Diff to previous 1.93 (colored)

Update to 3.43

Changelog:
New Functionality:
 * in sechash.h
    HASH_GetHashOidTagByHashType - convert type HASH_HashType to type
SECOidTag

 * in sslexp.h
    SSL_SendCertificateRequest - allow server to request post-handshake client
    authentication. To use this both peers need to enable the
    SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism is
    present, post-handshake authentication is currently not TLS 1.3 compliant
    due to Bug 1532312

Notable changes:
 * The following CA certificates were Added:
  - CN = emSign Root CA - G1
    SHA-256 Fingerprint:
40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367

  - CN = emSign ECC Root CA - G3
    SHA-256 Fingerprint:
86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B

  - CN = emSign Root CA - C1
    SHA-256 Fingerprint:
125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F

  - CN = emSign ECC Root CA - C3
    SHA-256 Fingerprint:
BC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3

  - CN = Hongkong Post Root CA 3
    SHA-256 Fingerprint:
5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6

Bugs fixed in NSS 3.43
 * Bug 1528669 and Bug 1529308 - Improve Gyp build system handling

 * Bug 1529950 and Bug 1521174 - Improve NSS S/MIME tests for Thunderbird

 * Bug 1530134 - If Docker isn't installed, try running a local clang-format
		 as a fallback

 * Bug 1531267 - Enable FIPS mode automatically if the system FIPS mode flag
		 is set

 * Bug 1528262 - Add a -J option to the strsclnt command to specify sigschemes

 * Bug 1513909 - Add manual for nss-policy-check

 * Bug 1531074 - Fix a deref after a null check in SECKEY_SetPublicValue

 * Bug 1517714 - Properly handle ESNI with HRR

 * Bug 1529813 - Expose HKDF-Expand-Label with mechanism

 * Bug 1535122 - Align TLS 1.3 HKDF trace levels

 * Bug 1530102 - Use getentropy on compatible versions of FreeBSD

Revision 1.93 / (download) - annotate - [select for diffs], Tue Jan 29 13:07:36 2019 UTC (3 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.92: +5 -5 lines
Diff to previous 1.92 (colored)

Update to 3.42

Changelog:
New Functionality:
 * Bug 818686 - Support XDG basedir specification

Notable changes:
 * Added support for some of the testcases from the Wycheproof project:
   - Bug 1508666 - Added AES-GCM test cases
   - Bug 1508673 - Added ChaCha20-Poly1305 test cases
   - Bug 1514999 - Added the Curve25519 test cases
   - Thanks to Jonas Allmann for adapting these tests.

Bugs fixed in NSS 3.42:
 * Bug 1490006 - Reject invalid CH.legacy_version in TLS 1.3
 * Bug 1507135 and Bug 1507174 - Add additional null checks to several CMS
   functions to fix a rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak
   for the discovery and fixes.
 * Bug 1513913 - A fix for Solaris where Firefox 60 core dumps during start when
   using profile from version 52

Revision 1.92 / (download) - annotate - [select for diffs], Wed Dec 12 14:02:01 2018 UTC (3 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base, pkgsrc-2018Q4
Changes since 1.91: +5 -5 lines
Diff to previous 1.91 (colored)

Update to 3.41

New functionality:
* Bug 1252891 - Implemented EKU handling for IPsec IKE.
* Bug 1423043 - Enable half-closed states for TLS.
* Bug 1493215 - Enabled the following ciphersuites by default:
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_256_GCM_SHA384

Notable changes:
* The following CA certificates were added:
    CN = Certigna Root CA
    CN = GTS Root R1
    CN = GTS Root R2
    CN = GTS Root R3
    CN = GTS Root R4
    CN = UCA Global G2 Root
    CN = UCA Extended Validation Root

* The following CA certificates were removed:
    CN = AC Raíz Certicámara S.A.
    CN = Certplus Root CA G1
    CN = Certplus Root CA G2
    CN = OpenTrust Root CA G1
    CN = OpenTrust Root CA G2
    CN = OpenTrust Root CA G3

Bugs fixed in NSS 3.41:
* Bug 1412829, Reject empty supported_signature_algorithms in Certificate
  Request in TLS 1.2
* Bug 1485864 - Cache side-channel variant of the Bleichenbacher attack
  (CVE-2018-12404)
* Bug 1481271 - Resend the same ticket in ClientHello after HelloRetryRequest
* Bug 1493769 - Set session_id for external resumption tokens
* Bug 1507179 - Reject CCS after handshake is complete in TLS 1.3

Revision 1.91 / (download) - annotate - [select for diffs], Sun Nov 4 00:33:27 2018 UTC (3 years, 9 months ago) by ryoon
Branch: MAIN
Changes since 1.90: +5 -5 lines
Diff to previous 1.90 (colored)

Update to 3.40

Changelog:
Notable bug fixes:
* Bug 1478698 - FFDHE key exchange sometimes fails with decryption failure

New functionality:
* The draft-00 version of encrypted SNI support is implemented
* tstclnt now takes -N option to specify encrypted SNI key

Notable changes:
* The mozilla::pkix library has been ported from Mozilla PSM to NSS.
  This is a C++ library for building certification paths.
  mozilla::pkix APIs are not exposed in the libraries NSS builds.
* It is easier to build NSS on Windows in mozilla-build environments.
* The following CA certificates were Removed:
    CN = Visa eCommerce Root

Revision 1.90 / (download) - annotate - [select for diffs], Wed Sep 5 15:19:03 2018 UTC (3 years, 11 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3
Changes since 1.89: +5 -5 lines
Diff to previous 1.89 (colored)

Update to 3.39

Changelog:
Notable bug fixes:
* Bug 1483128 - NSS responded to an SSLv2-compatible ClientHello
  with a ServerHello that had an all-zero random (CVE-2018-12384)

New functionality:
* The tstclnt and selfserv utilities added support for configuring
  the enabled TLS signature schemes using the -J parameter.
* NSS will use RSA-PSS keys to authenticate in TLS. Support for
  these keys is disabled by default but can be enabled using
  SSL_SignatureSchemePrefSet().
* certutil added the ability to delete an orphan private key from
  an NSS key database.
* Added the nss-policy-check utility, which can be used to check
  an NSS policy configuration for problems.
* A PKCS#11 URI can be used as an identifier for a PKCS#11 token.

Notable changes:
* The TLS 1.3 implementation uses the final version number from
  RFC 8446.
* Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature
  where the DigestInfo structure was missing the NULL parameter.
  Starting with version 3.39, NSS requires the encoding to contain
  the NULL parameter.
* The tstclnt and selfserv test utilities no longer accept the -z
  parameter, as support for TLS compression was removed in a
  previous NSS version.
* The CA certificates list was updated to version 2.26.
* The following CA certificates were Added:
  - OU = GlobalSign Root CA - R6
  - CN = OISTE WISeKey Global Root GC CA
  The following CA certificate was Removed:
  - CN = ComSign
  The following CA certificates had the Websites trust bit disabled:
  - CN = Certplus Root CA G1
  - CN = Certplus Root CA G2
  - CN = OpenTrust Root CA G1
  - CN = OpenTrust Root CA G2
  - CN = OpenTrust Root CA G3

Revision 1.89 / (download) - annotate - [select for diffs], Thu Jun 7 19:04:59 2018 UTC (4 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.88: +5 -5 lines
Diff to previous 1.88 (colored)

Update to 3.37.3

Changelog:
No new functionality is introduced in these releases.

The following compatibility fixes are included. Users are encouraged to upgrade.

* Bug 1462303 - Connecting to a server that was recently upgraded to
  TLS 1.3 would result in a SSL_RX_MALFORMED_SERVER_HELLO error.
* Bug 1460673 - Fix a rare bug with PKCS#12 files.

Revision 1.88 / (download) - annotate - [select for diffs], Fri Jun 1 12:18:03 2018 UTC (4 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.87: +5 -5 lines
Diff to previous 1.87 (colored)

Update to 3.37.1

Changelog:
No new functionality is introduced in these releases.

The following compatibility fixes are included. Users are encouraged
to upgrade.

* Bug 1462303 - Connecting to a server that was recently upgraded to TLS 1.3
  would result in a SSL_RX_MALFORMED_SERVER_HELLO error.
* Bug 1460673 - Fix a rare bug with PKCS#12 files.

Revision 1.87 / (download) - annotate - [select for diffs], Thu May 10 20:20:41 2018 UTC (4 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.86: +5 -5 lines
Diff to previous 1.86 (colored)

Update to 3.37

Changelog:
* The TLS 1.3 implementation was updated to Draft 28.
* An issue where NSS erroneously accepted HRR requests was resolved.
* Added HACL* Poly1305 32-bit
* The code to support the NPN protocol has been fully removed.
* NSS allows servers now to register ALPN handling callbacks to
  select a protocol.
* NSS supports opening SQL databases in read-only mode.
* On Linux, some build configurations can use glibc's function
  getentropy(), which uses the kernel's getrandom() function.
* The CA list was updated to version 2.24, which removed the
  following CA certificates:
  - CN = S-TRUST Universal Root CA
  - CN = TC TrustCenter Class 3 CA II
  - CN = TRKTRUST Elektronik Sertifika Hizmet Salayıcısı H5

Revision 1.86 / (download) - annotate - [select for diffs], Thu Apr 12 14:32:51 2018 UTC (4 years, 4 months ago) by bouyer
Branch: MAIN
Changes since 1.85: +2 -2 lines
Diff to previous 1.85 (colored)

Ajust patch for 3.36.1

Revision 1.85 / (download) - annotate - [select for diffs], Thu Apr 12 10:37:11 2018 UTC (4 years, 4 months ago) by bouyer
Branch: MAIN
Changes since 1.84: +2 -1 lines
Diff to previous 1.84 (colored)

!defined(__ANDROID__) doens't mean this is a linux host.
Check defined(__linux__) instead.

XXX do other systems have <sys/auxv.h> ?

Revision 1.83.2.1 / (download) - annotate - [select for diffs], Wed Apr 11 11:48:59 2018 UTC (4 years, 4 months ago) by bsiegert
Branch: pkgsrc-2018Q1
Changes since 1.83: +5 -5 lines
Diff to previous 1.83 (colored) next main 1.84 (colored)

Pullup ticket #5735 - requested by maya
devel/nss: bugfix

Revisions pulled up:
- devel/nss/Makefile                                            1.149
- devel/nss/distinfo                                            1.84

---
   Module Name:    pkgsrc
   Committed By:   maya
   Date:           Tue Apr 10 15:21:30 UTC 2018

   Modified Files:
           pkgsrc/devel/nss: Makefile distinfo

   Log Message:
   nss: update to 3.36.1

   No new functionality is introduced in this release.  This is a patch release to fix regression bugs.

   In NSS version 3.35 the iteration count in optimized builds, which is used for password based encryption algorithm related to encrypted PKCS#7 or PKCS#12 data, was increased to one million
   iterations. That change had caused an interoperability regression with operating systems that are limited to 600 K iterations. NSS 3.36.1 has been changed to use the same 600 K limit.

   Certain smartcard operations could result in a deadlock

   This Bugzilla query returns all the bugs fixed in NSS 3.36.1:

   https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36.1

Revision 1.84 / (download) - annotate - [select for diffs], Tue Apr 10 15:21:29 2018 UTC (4 years, 4 months ago) by maya
Branch: MAIN
Changes since 1.83: +5 -5 lines
Diff to previous 1.83 (colored)

nss: update to 3.36.1

No new functionality is introduced in this release.  This is a patch release to fix regression bugs.

In NSS version 3.35 the iteration count in optimized builds, which is used for password based encryption algorithm related to encrypted PKCS#7 or PKCS#12 data, was increased to one million iterations. That change had caused an interoperability regression with operating systems that are limited to 600 K iterations. NSS 3.36.1 has been changed to use the same 600 K limit.

Certain smartcard operations could result in a deadlock

This Bugzilla query returns all the bugs fixed in NSS 3.36.1:

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36.1

Revision 1.79.2.1 / (download) - annotate - [select for diffs], Thu Mar 22 06:56:21 2018 UTC (4 years, 4 months ago) by spz
Branch: pkgsrc-2017Q4
Changes since 1.79: +5 -7 lines
Diff to previous 1.79 (colored) next main 1.80 (colored)

Pullup ticket #5728 - requested by maya
devel/nspr: dependency update
devel/nss: dependency update
www/firefox-l10n: dependent update
www/firefox: security update

Revisions pulled up:
- devel/nspr/Makefile                                           1.94-1.95
- devel/nspr/distinfo                                           1.48-1.49
- devel/nspr/patches/patch-az                                   deleted
- devel/nspr/patches/patch-nspr_pr_include_md___pth.h           1.1
- devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c      1.1
- devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h         deleted
- devel/nss/Makefile                                            1.146,1.148
- devel/nss/PLIST                                               1.24
- devel/nss/distinfo                                            1.81,1.83
- devel/nss/patches/patch-nss_lib_freebl_config.mk              deleted
- devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h     deleted
- www/firefox-l10n/Makefile                                     1.121-1.123
- www/firefox-l10n/distinfo                                     1.111-1.113
- www/firefox/Makefile                                          1.320-1.321,1.324
- www/firefox/PLIST                                             1.127
- www/firefox/distinfo                                          1.307-1.309
- www/firefox/mozilla-common.mk                                 1.105-1.106
- www/firefox/patches/patch-aa                                  1.56
- www/firefox/patches/patch-build_gyp.mozbuild                  1.8
- www/firefox/patches/patch-build_moz.configure_keyfiles.configure 1.5
- www/firefox/patches/patch-build_moz.configure_memory.configure deleted
- www/firefox/patches/patch-config_baseconfig.mk                deleted
- www/firefox/patches/patch-config_external_moz.build           1.17
- www/firefox/patches/patch-dom_media_moz.build                 1.9
- www/firefox/patches/patch-gfx_skia_generate__mozbuild.py      1.8
- www/firefox/patches/patch-gfx_skia_moz.build                  1.15
- www/firefox/patches/patch-gfx_thebes_moz.build                1.9
- www/firefox/patches/patch-media_libcubeb_gtest_moz.build      1.2
- www/firefox/patches/patch-media_libtheora_moz.build           1.8
- www/firefox/patches/patch-media_libvorbis_moz.build           1.4
- www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc 1.1
- www/firefox/patches/patch-modules_libpref_init_all.js         1.7
- www/firefox/patches/patch-modules_pdfium_update.sh            1.2
- www/firefox/patches/patch-netwerk_dns_moz.build               1.8
- www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c deleted
- www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c deleted
- www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs deleted
- www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json 1.1
- www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs 1.1
- www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h deleted
- www/firefox/patches/patch-toolkit_moz.configure               1.10
- www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp    deleted
- www/firefox/patches/patch-xpcom_build_BinaryPath.h            1.3-1.4

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Wed Jan 24 16:21:43 UTC 2018

   Modified Files:
           pkgsrc/devel/nspr: Makefile distinfo
   Added Files:
           pkgsrc/devel/nspr/patches: patch-nspr_pr_include_md___pth.h
               patch-nspr_pr_src_pthreads_ptthread.c
   Removed Files:
           pkgsrc/devel/nspr/patches: patch-az patch-nsprpub_pr_include_md__pth.h

   Log Message:
   Update to 4.18

   Changelog:
   NSPR 4.18 contains the following changes:
   - removed HP-UX DCE threads support
   - improvements for the Windows implementation of PR_SetCurrentThreadName
   - fixes for the Windows implementation of TCP Fast Open


   To generate a diff of this commit:
   cvs rdiff -u -r1.93 -r1.94 pkgsrc/devel/nspr/Makefile
   cvs rdiff -u -r1.47 -r1.48 pkgsrc/devel/nspr/distinfo
   cvs rdiff -u -r1.4 -r0 pkgsrc/devel/nspr/patches/patch-az
   cvs rdiff -u -r0 -r1.1 \
       pkgsrc/devel/nspr/patches/patch-nspr_pr_include_md___pth.h \
       pkgsrc/devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c
   cvs rdiff -u -r1.3 -r0 \
       pkgsrc/devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Mar 17 01:06:18 UTC 2018

   Modified Files:
           pkgsrc/devel/nspr: Makefile distinfo

   Log Message:
   Update to 4.29

   Changelog:
   NSPR 4.19 contains the following changes:
   - changed order of shutdown cleanup to avoid a crash on Mac OSX
   - build compatibility with Android NDK r16 and glibc 2.26


   To generate a diff of this commit:
   cvs rdiff -u -r1.94 -r1.95 pkgsrc/devel/nspr/Makefile
   cvs rdiff -u -r1.48 -r1.49 pkgsrc/devel/nspr/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Wed Jan 24 16:23:52 UTC 2018

   Modified Files:
           pkgsrc/devel/nss: Makefile distinfo
   Removed Files:
           pkgsrc/devel/nss/patches: patch-nss_lib_freebl_config.mk
               patch-nss_lib_freebl_verified_kremlib.h

   Log Message:
   Update to 3.35

   Changelog:
   The NSS team has released Network Security Services (NSS) 3.35,
   which is a minor release.

   Summary of the major changes included in this release:
   - The default database storage format has been changed to SQL,
     using filenames cert9.db, key4.db, pkcs11.txt.
   - TLS 1.3 support has been updated to draft -23, along with
     additional significant changes.
   - Support for TLS compression was removed.
   - Added formally verified implementations of non-vectorized Chacha20
     and non-vectorized Poly1305 64-bit.
   - When creating encrypted PKCS#7 or PKCS#12 data, NSS uses a
     higher iteration count for stronger security.
   - The CA trust list was updated to version 2.22.


   To generate a diff of this commit:
   cvs rdiff -u -r1.145 -r1.146 pkgsrc/devel/nss/Makefile
   cvs rdiff -u -r1.80 -r1.81 pkgsrc/devel/nss/distinfo
   cvs rdiff -u -r1.2 -r0 \
       pkgsrc/devel/nss/patches/patch-nss_lib_freebl_config.mk
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Mar 17 01:07:15 UTC 2018

   Modified Files:
           pkgsrc/devel/nss: Makefile PLIST distinfo

   Log Message:
   Update to 3.36

   * Require devel/nspr-4.19

   Changelog:
   The NSS team has released Network Security Services (NSS) 3.36,
   which is a minor release.

   Summary of the major changes included in this release:
   - Replaced existing vectorized ChaCha20 code with verified
     HACL* implementation.
   - Experimental APIs for TLS session cache handling.


   To generate a diff of this commit:
   cvs rdiff -u -r1.147 -r1.148 pkgsrc/devel/nss/Makefile
   cvs rdiff -u -r1.23 -r1.24 pkgsrc/devel/nss/PLIST
   cvs rdiff -u -r1.82 -r1.83 pkgsrc/devel/nss/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Wed Jan 31 14:02:18 UTC 2018

   Modified Files:
           pkgsrc/www/firefox: Makefile distinfo
   Added Files:
           pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h

   Log Message:
   Update to 58.0.1

   * Fix build under netbsd-7, PR pkg/52956

   Changelog:
   Fix Mozilla Foundation Security Advisory 2018-05:
   Arbitrary code execution through unsanitized browser UI

   When using certain non-default security policies on Windows (for
   example with Windows Defender Exploit Protection or Webroot security
   products), Firefox 58.0 would fail to load pages (bug 1433065).


   To generate a diff of this commit:
   cvs rdiff -u -r1.319 -r1.320 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.306 -r1.307 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r0 -r1.3 \
       pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Feb 10 07:02:47 UTC 2018

   Modified Files:
           pkgsrc/www/firefox: Makefile distinfo mozilla-common.mk
           pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h

   Log Message:
   Update to 58.0.2

   * Fix segfault on netbsd-7

   Changelog:
   Fix
       Avoid a signature validation issue during update on macOS

       Blocklisted graphics drivers related to off main thread painting crashes

       Tab crash during printing

       Fix clicking links and scrolling emails on Microsoft Hotmail and Outlook
         (OWA) webmail


   To generate a diff of this commit:
   cvs rdiff -u -r1.320 -r1.321 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.307 -r1.308 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.104 -r1.105 pkgsrc/www/firefox/mozilla-common.mk
   cvs rdiff -u -r1.3 -r1.4 \
       pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Mar 17 00:59:03 UTC 2018

   Modified Files:
           pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk
           pkgsrc/www/firefox/patches: patch-aa patch-build_gyp.mozbuild
               patch-config_external_moz.build patch-dom_media_moz.build
               patch-gfx_skia_generate__mozbuild.py patch-gfx_skia_moz.build
               patch-gfx_thebes_moz.build patch-media_libcubeb_gtest_moz.build
               patch-media_libtheora_moz.build patch-media_libvorbis_moz.build
               patch-modules_pdfium_update.sh patch-netwerk_dns_moz.build
               patch-toolkit_moz.configure
   Added Files:
           pkgsrc/www/firefox/patches:
               patch-build_moz.configure_keyfiles.configure
               patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc
               patch-modules_libpref_init_all.js
               patch-third__party_rust_simd_.cargo-checksum.json
               patch-third__party_rust_simd_src_x86_avx2.rs
   Removed Files:
           pkgsrc/www/firefox/patches: patch-build_moz.configure_memory.configure
               patch-config_baseconfig.mk
               patch-netwerk_srtp_src_crypto_hash_hmac.c
               patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c
               patch-servo_components_style_properties_helpers_animated__properties.mako.rs
               patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h
               patch-toolkit_xre_nsEmbedFunctions.cpp

   Log Message:
   Update to 59.0.1

   Changelog:
   59.0.1
   Security fix
   #CVE-2018-5146: Out of bounds memory write in libvorbis

   59.0
   New
       Performance enhancements:
       - Faster load times for content on the Firefox Home page
       - Faster page load times by loading either from the networked cache
           or the cache on the user's hard drive (Race Cache With Network)
       - Improved graphics rendering using Off-Main-Thread Painting (OMTP)
           for Mac users (OMTP for Windows was released in Firefox 58)

       Drag-and-drop to rearrange Top Sites on the Firefox Home page, and
         customize new windows and tabs in other ways

       Added features for Firefox Screenshots:
       - Basic annotation lets the user draw on and highlight saved screenshots
       - Recropping to change the viewable area of saved screenshots

       Enhanced WebExtensions API including better support for decentralized
         protocols and the ability to dynamically register content scripts

       Improved Real-Time Communications (RTC) capabilities.
       - Implemented RTP Transceiver to give pages more fine grained control
           over calls
       - Implemented features to support large scale conferences

       Added support for W3C specs for pointer events and improved platform
         integration with added device support for mouse, pen, and touch
         screen pointer input

       Added the Ecosia search engine as an option for German Firefox

       Added the Qwant search engine as an option for French Firefox

       Added settings in about:preferences to stop websites from asking to
         send notifications or access your device's camera, microphone, and
         location, while still allowing trusted websites to use these features

   Fixed
       Various security fixes

   Changed
       Firefox Private Browsing Mode will remove path information from
         referrers to prevent cross-site tracking

   Security fixes:
   #CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
   #CVE-2018-5128: Use-after-free manipulating editor selection ranges
   #CVE-2018-5129: Out-of-bounds write with malformed IPC messages
   #CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
   #CVE-2018-5131: Fetch API improperly returns cached copies of
     no-store/no-cache resources
   #CVE-2018-5132: WebExtension Find API can search privileged pages
   #CVE-2018-5133: Value of the app.support.baseURL preference is not properly
     sanitized
   #CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content
     restrictions
   #CVE-2018-5135: WebExtension browserAction can inject scripts into
     unintended contexts
   #CVE-2018-5136: Same-origin policy violation with data: URL shared workers
   #CVE-2018-5137: Script content can access legacy extension
     non-contentaccessible resources
   #CVE-2018-5138: Android Custom Tab address spoofing through long domain names
   #CVE-2018-5140: Moz-icon images accessible to web content through moz-icon:
     protocol
   #CVE-2018-5141: DOS attack through notifications Push API
   #CVE-2018-5142: Media Capture and Streams API permissions display
     incorrect origin with data: and blob: URLs
   #CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into
     addressbar
   #CVE-2018-5126: Memory safety bugs fixed in Firefox 59
   #CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7


   To generate a diff of this commit:
   cvs rdiff -u -r1.323 -r1.324 pkgsrc/www/firefox/Makefile
   cvs rdiff -u -r1.126 -r1.127 pkgsrc/www/firefox/PLIST
   cvs rdiff -u -r1.308 -r1.309 pkgsrc/www/firefox/distinfo
   cvs rdiff -u -r1.105 -r1.106 pkgsrc/www/firefox/mozilla-common.mk
   cvs rdiff -u -r1.55 -r1.56 pkgsrc/www/firefox/patches/patch-aa
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/firefox/patches/patch-build_gyp.mozbuild \
       pkgsrc/www/firefox/patches/patch-gfx_skia_generate__mozbuild.py \
       pkgsrc/www/firefox/patches/patch-media_libtheora_moz.build \
       pkgsrc/www/firefox/patches/patch-netwerk_dns_moz.build
   cvs rdiff -u -r0 -r1.5 \
       pkgsrc/www/firefox/patches/patch-build_moz.configure_keyfiles.configure
   cvs rdiff -u -r1.2 -r0 \
       pkgsrc/www/firefox/patches/patch-build_moz.configure_memory.configure \
       pkgsrc/www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h
   cvs rdiff -u -r1.10 -r0 pkgsrc/www/firefox/patches/patch-config_baseconfig.mk
   cvs rdiff -u -r1.16 -r1.17 \
       pkgsrc/www/firefox/patches/patch-config_external_moz.build
   cvs rdiff -u -r1.8 -r1.9 pkgsrc/www/firefox/patches/patch-dom_media_moz.build \
       pkgsrc/www/firefox/patches/patch-gfx_thebes_moz.build
   cvs rdiff -u -r1.14 -r1.15 \
       pkgsrc/www/firefox/patches/patch-gfx_skia_moz.build
   cvs rdiff -u -r1.1 -r1.2 \
       pkgsrc/www/firefox/patches/patch-media_libcubeb_gtest_moz.build \
       pkgsrc/www/firefox/patches/patch-modules_pdfium_update.sh
   cvs rdiff -u -r1.3 -r1.4 \
       pkgsrc/www/firefox/patches/patch-media_libvorbis_moz.build
   cvs rdiff -u -r0 -r1.1 \
       pkgsrc/www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc \
       pkgsrc/www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json \
       pkgsrc/www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs
   cvs rdiff -u -r0 -r1.7 \
       pkgsrc/www/firefox/patches/patch-modules_libpref_init_all.js
   cvs rdiff -u -r1.4 -r0 \
       pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c
   cvs rdiff -u -r1.3 -r0 \
       pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c
   cvs rdiff -u -r1.1 -r0 \
       pkgsrc/www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs
   cvs rdiff -u -r1.9 -r1.10 \
       pkgsrc/www/firefox/patches/patch-toolkit_moz.configure
   cvs rdiff -u -r1.7 -r0 \
       pkgsrc/www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Wed Jan 31 14:03:25 UTC 2018

   Modified Files:
           pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   Update to 58.0.1

   * Sync with www/firefox-58.0.1


   To generate a diff of this commit:
   cvs rdiff -u -r1.120 -r1.121 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.110 -r1.111 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Feb 10 07:05:20 UTC 2018

   Modified Files:
           pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   Update to 58.0.2

   * Sync with www/firefox-58.0.2


   To generate a diff of this commit:
   cvs rdiff -u -r1.121 -r1.122 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.111 -r1.112 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Mar 17 01:00:20 UTC 2018

   Modified Files:
           pkgsrc/www/firefox-l10n: Makefile distinfo

   Log Message:
   Update to 59.0.1

   * Sync with www/firefox-59.0.1


   To generate a diff of this commit:
   cvs rdiff -u -r1.122 -r1.123 pkgsrc/www/firefox-l10n/Makefile
   cvs rdiff -u -r1.112 -r1.113 pkgsrc/www/firefox-l10n/distinfo

Revision 1.83 / (download) - annotate - [select for diffs], Sat Mar 17 01:07:15 2018 UTC (4 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base
Branch point for: pkgsrc-2018Q1
Changes since 1.82: +5 -5 lines
Diff to previous 1.82 (colored)

Update to 3.36

* Require devel/nspr-4.19

Changelog:
The NSS team has released Network Security Services (NSS) 3.36,
which is a minor release.

Summary of the major changes included in this release:
- Replaced existing vectorized ChaCha20 code with verified
  HACL* implementation.
- Experimental APIs for TLS session cache handling.

Revision 1.82 / (download) - annotate - [select for diffs], Sat Feb 24 11:35:48 2018 UTC (4 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.81: +4 -1 lines
Diff to previous 1.81 (colored)

Change default file type back to DBM from SQL. Bump PKGREVISION

This back out fixes XML-based files open of misc/libreoffice.
The problem is reported by Mustafa Dogan via private e-mail.

Revision 1.81 / (download) - annotate - [select for diffs], Wed Jan 24 16:23:52 2018 UTC (4 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.80: +5 -7 lines
Diff to previous 1.80 (colored)

Update to 3.35

Changelog:
The NSS team has released Network Security Services (NSS) 3.35,
which is a minor release.

Summary of the major changes included in this release:
- The default database storage format has been changed to SQL,
  using filenames cert9.db, key4.db, pkcs11.txt.
- TLS 1.3 support has been updated to draft -23, along with
  additional significant changes.
- Support for TLS compression was removed.
- Added formally verified implementations of non-vectorized Chacha20
  and non-vectorized Poly1305 64-bit.
- When creating encrypted PKCS#7 or PKCS#12 data, NSS uses a
  higher iteration count for stronger security.
- The CA trust list was updated to version 2.22.

Revision 1.80 / (download) - annotate - [select for diffs], Mon Jan 22 11:43:14 2018 UTC (4 years, 6 months ago) by jperkin
Branch: MAIN
Changes since 1.79: +3 -3 lines
Diff to previous 1.79 (colored)

nss: Fix build on SunOS with clang.

Revision 1.79 / (download) - annotate - [select for diffs], Mon Nov 27 23:49:06 2017 UTC (4 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base
Branch point for: pkgsrc-2017Q4
Changes since 1.78: +5 -5 lines
Diff to previous 1.78 (colored)

Update to 3.34.1

Changelog:
    The following CA certificate was Re-Added. It was removed in
    NSS 3.34, but has been re-added with only the Email trust bit
    set. (bug 1418678)
        CN = Certum CA, O=Unizeto Sp. z o.o.
            SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24

    Removed entries from certdata.txt for actively distrusted
    certificates that have expired (bug 1409872).

    The version of the CA list was set to 2.20.

Revision 1.78 / (download) - annotate - [select for diffs], Thu Nov 16 01:15:57 2017 UTC (4 years, 9 months ago) by ryoon
Branch: MAIN
Changes since 1.77: +5 -5 lines
Diff to previous 1.77 (colored)

Update to 3.34

The following CA certificates were Added:

CN = GDCA TrustAUTH R5 ROOT
SHA-256 Fingerprint: BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93
Trust Flags: Websites

CN = SSL.com Root Certification Authority RSA
SHA-256 Fingerprint: 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69
Trust Flags: Websites, Email

CN = SSL.com Root Certification Authority ECC
SHA-256 Fingerprint: 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65
Trust Flags: Websites, Email

CN = SSL.com EV Root Certification Authority RSA R2
SHA-256 Fingerprint: 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C
Trust Flags: Websites

CN = SSL.com EV Root Certification Authority ECC
SHA-256 Fingerprint: 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8
Trust Flags: Websites

CN = TrustCor RootCert CA-1
SHA-256 Fingerprint: D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C
Trust Flags: Websites, Email

CN = TrustCor RootCert CA-2
SHA-256 Fingerprint: 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65
Trust Flags: Websites, Email

CN = TrustCor ECA-1
SHA-256 Fingerprint: 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C
Trust Flags: Websites, Email

The following CA certificates were Removed:

CN = Certum CA, O=Unizeto Sp. z o.o.
SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24

CN = StartCom Certification Authority
SHA-256 Fingerprint: C7:66:A9:BE:F2:D4:07:1C:86:3A:31:AA:49:20:E8:13:B2:D1:98:60:8C:B7:B7:CF:E2:11:43:B8:36:DF:09:EA

CN = StartCom Certification Authority
SHA-256 Fingerprint: E1:78:90:EE:09:A3:FB:F4:F4:8B:9C:41:4A:17:D6:37:B7:A5:06:47:E9:BC:75:23:22:72:7F:CC:17:42:A9:11

CN = StartCom Certification Authority G2
SHA-256 Fingerprint: C7:BA:65:67:DE:93:A7:98:AE:1F:AA:79:1E:71:2D:37:8F:AE:1F:93:C4:39:7F:EA:44:1B:B7:CB:E6:FD:59:95

CN = TBİTAK UEKAE Kök Sertifika Hizmet Salayıcısı - Sürüm 3
SHA-256 Fingerprint: E4:C7:34:30:D7:A5:B5:09:25:DF:43:37:0A:0D:21:6E:9A:79:B9:D6:DB:83:73:A0:C6:9E:B1:CC:31:C7:C5:2A

CN = ACEDICOM Root
SHA-256 Fingerprint: 03:95:0F:B4:9A:53:1F:3E:19:91:94:23:98:DF:A9:E0:EA:32:D7:BA:1C:DD:9B:C8:5D:B5:7E:D9:40:0B:43:4A

CN = Certinomis - Autorité Racine
SHA-256 Fingerprint: FC:BF:E2:88:62:06:F7:2B:27:59:3C:8B:07:02:97:E1:2D:76:9E:D1:0E:D7:93:07:05:A8:09:8E:FF:C1:4D:17

CN = TRKTRUST Elektronik Sertifika Hizmet Salayıcısı
SHA-256 Fingerprint: 97:8C:D9:66:F2:FA:A0:7B:A7:AA:95:00:D9:C0:2E:9D:77:F2:CD:AD:A6:AD:6B:A7:4A:F4:B9:1C:66:59:3C:50

CN = PSCProcert
SHA-256 Fingerprint: 3C:FC:3C:14:D1:F6:84:FF:17:E3:8C:43:CA:44:0C:00:B9:67:EC:93:3E:8B:FE:06:4C:A1:D7:2C:90:F2:AD:B0

CN = CA 沦좹书 O=WoSign CA Limited
SHA-256 Fingerprint: D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54

CN = Certification Authority of WoSign
SHA-256 Fingerprint: 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08

CN = Certification Authority of WoSign G2
SHA-256 Fingerprint: D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16

CN = CA WoSign ECC Root
SHA-256 Fingerprint: 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02

libfreebl no longer requires SSE2 instructions.

New in NSS 3.34

New Functionality
When listing an NSS database using certutil -L, but the database
hasn't yet been initialized with any non-empty or empty password,
the text "Database needs user init" will be included in the listing.

When using certutil to set an inacceptable password in FIPS mode,
a correct explanation of acceptable passwords will be printed.

SSLKEYLOGFILE is now supported with TLS 1.3, see Bug 1287711 for details.

SSLChannelInfo has two new fields (Bug 1396525)

  SSLNamedGroup originalKeaGroup holds the key exchange group of the
  original handshake when the session was resumed.

  PRBool resumed is PR_TRUE when the session is resumed and PR_FALSE
  otherwise.

RSA-PSS signatures are now supported on certificates.  Certificates
with RSA-PSS or RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS
signature on a certificate using the --pss-sign argument to certutil.

New Functions
Compatibility

NSS 3.34 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries
will work with NSS 3.34 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with
future versions of the NSS shared libraries.

Revision 1.77 / (download) - annotate - [select for diffs], Thu Oct 19 15:28:45 2017 UTC (4 years, 9 months ago) by jperkin
Branch: MAIN
Changes since 1.76: +2 -1 lines
Diff to previous 1.76 (colored)

nss: Support SunOS byteswap macros.

Revision 1.76 / (download) - annotate - [select for diffs], Tue Sep 26 10:59:39 2017 UTC (4 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.75: +6 -6 lines
Diff to previous 1.75 (colored)

Update to 3.33

Changelog:
Notable Changes in NSS 3.33

    TLS compression is no longer supported. API calls that attempt to enable compression are accepted without failure. However, TLS compression will remain disabled.
    This version of NSS uses a formally verified implementation of Curve25519 on 64-bit systems.
    The compile time flag DISABLE_ECC has been removed.
    When NSS is compiled without NSS_FORCE_FIPS=1 startup checks are not performed anymore.
    Various minor improvements and correctness fixes.

Revision 1.75 / (download) - annotate - [select for diffs], Tue Aug 1 12:15:15 2017 UTC (5 years ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3
Changes since 1.74: +5 -5 lines
Diff to previous 1.74 (colored)

Update to 3.32

Changelog:
Notable Changes:
================
* Various minor improvements and correctness fixes.
* The Code Signing trust bit was turned off for all included root certificates.
* The Websites (TLS/SSL) trust bit was turned off for the following root
  certificates:
  - CN = AddTrust Class 1 CA Root
  - CN = Swisscom Root CA 2
* The following CA certificates were Removed:
  - CN = AddTrust Public CA Root
  - CN = AddTrust Qualified CA Root
  - CN = China Internet Network Information Center EV Certificates Root
  - CN = CNNIC ROOT
  - CN = ComSign Secured CA
  - CN = GeoTrust Global CA 2
  - CN = Secure Certificate Services
  - CN = Swisscom Root CA 1
  - CN = Swisscom Root EV CA 2
  - CN = Trusted Certificate Services
  - CN = UTN-USERFirst-Hardware
  - CN = UTN-USERFirst-Object

Revision 1.74 / (download) - annotate - [select for diffs], Wed Jun 14 11:18:55 2017 UTC (5 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.73: +5 -5 lines
Diff to previous 1.73 (colored)

Update to 3.31

Changelog:
New functionality:
==================
* Allow certificates to be specified by RFC7512 PKCS#11 URIs.
* Allow querying a certificate object for its temporary or permanent storage
  status in a thread safe way.

New Functions:
==============
* CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a
  certificate in a thread safe way.
* CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a
  certificate in a thread safe way.
* PK11_FindCertFromURI - find a certificate identified by the given URI.
* PK11_FindCertsFromURI - find a list of certificates identified by the given
  URI.
* PK11_GetModuleURI - retrieve the URI of the given module.
* PK11_GetTokenURI - retrieve the URI of a token based on the given slot
  information.
* PK11URI_CreateURI - create a new PK11URI object from a set of attributes.
* PK11URI_DestroyURI - destroy a PK11URI object.
* PK11URI_FormatURI - format a PK11URI object to a string.
* PK11URI_GetPathAttribute - retrieve a path attribute with the given name.
* PK11URI_GetQueryAttribute - retrieve a query attribute with the given name.
* PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object.

New Macros:
===========
* Several new macros that start with PK11URI_PATTR_ for path attributes defined
  in RFC7512.
* Several new macros that start with PK11URI_QATTR_ for query attributes defined
  in RFC7512.

Notable Changes:
================
* The APIs that set a TLS version range have been changed to trim the requested
  range to the overlap with a systemwide crypto policy, if configured.
  SSL_VersionRangeGetSupported can be used to query the overlap between the
  library's supported range of TLS versions and the systemwide policy.
* Previously, SSL_VersionRangeSet and SSL_VersionRangeSetDefault returned a
  failure if the requested version range wasn't fully allowed by the systemwide
  crypto policy. They have been changed to return success, if at least one TLS
  version overlaps between the requested range and the systemwide policy. An
  application may call SSL_VersionRangeGet and SSL_VersionRangeGetDefault to
  query the TLS version range that was effectively activated.
* Corrected the encoding of Domain Name Constraints extensions created by
  certutil.
* NSS supports a clean seeding mechanism for *NIX systems now using only
  /dev/urandom. This is used only when SEED_ONLY_DEV_URANDOM is set at compile
  time.
* CERT_AsciiToName can handle OIDs in dotted decimal form now.

The HG tag is NSS_3_31_RTM. NSS 3.31 requires NSPR 4.15 or newer.

Revision 1.73 / (download) - annotate - [select for diffs], Thu Apr 27 01:47:21 2017 UTC (5 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.72: +5 -5 lines
Diff to previous 1.72 (colored)

Update to 3.30.2

Changelog:
The NSS team has released Network Security Services (NSS) 3.30.2,
which is a patch release to update the list of root CA certificates.

Below is a summary of the changes.
Please refer to the full release notes for additional details,
including the SHA256 fingerprints of the changed CA certificates.

Notable Changes:
* The following CA certificates were Removed
- O = Japanese Government, OU = ApplicationCA 
- CN = WellsSecure Public Root Certificate Authority 
- CN = TRKTRUST Elektronik Sertifika Hizmet Salayıcısı H6
- CN = Microsec e-Szigno Root 
* The following CA certificates were Added
- CN = D-TRUST Root CA 3 2013 
- CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 
* The version number of the updated root CA list has been set to 2.14
  (Bug 1350859)
* Domain name constraints for one of the new CAs have been added to the
  NSS code (Bug 1349705)

Revision 1.72 / (download) - annotate - [select for diffs], Thu Apr 13 03:21:05 2017 UTC (5 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.71: +5 -5 lines
Diff to previous 1.71 (colored)

Update to 3.30.1

Changelog:
Not available.

Revision 1.71 / (download) - annotate - [select for diffs], Fri Mar 31 23:39:52 2017 UTC (5 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.70: +5 -5 lines
Diff to previous 1.70 (colored)

Update to 3.30

Changelog:
New in NSS 3.30:
================
* In the PKCS#11 root CA module (nssckbi), CAs with positive trust are
marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY, set to
true. Applications that need to distinguish them from other other root CAs
may use the exported function PK11_HasAttributeSet.
* Support for callback functions that can be used to monitor SSL/TLS alerts
that are sent or received.

Notable Changes:
================
* The TLS server code has been enhanced to support session tickets when no
RSA certificate is configured.
* RSA-PSS signatures produced by key pairs with a modulus bit length that
is not a multiple of 8 are now supported.
* The pk12util tool now supports importing and exporting data encrypted in
the AES based schemes defined in PKCS#5 v2.1.

Revision 1.70 / (download) - annotate - [select for diffs], Tue Mar 7 20:53:22 2017 UTC (5 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.69: +5 -5 lines
Diff to previous 1.69 (colored)

Update to 3.29.3

Changelog:
The NSS team has released Network Security Services (NSS) 3.29.3

No new functionality is introduced in this release.
This is a patch release to fix a rare crash when initializing an SSL socket
fails.


The NSS team has released Network Security Services (NSS) 3.29.2

No new functionality is introduced in this release.
This is a patch release to fix an issue with TLS session tickets.

Revision 1.69 / (download) - annotate - [select for diffs], Mon Feb 20 12:30:50 2017 UTC (5 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.68: +5 -5 lines
Diff to previous 1.68 (colored)

Update to 3.29.1

Changelog:
Fix binary compatibility issues in 3.29

Revision 1.68 / (download) - annotate - [select for diffs], Sat Feb 11 07:24:55 2017 UTC (5 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.67: +5 -5 lines
Diff to previous 1.67 (colored)

Update to 3.29

Changelog:
Notable Changes:
================
* Fixed a NSS 3.28 regression in the signature scheme flexibility that
causes connectivity issues between iOS 8 clients and NSS servers with ECDSA
certificates (bug1334114
<https://bugzilla.mozilla.org/show_bug.cgi?id=1334114>).

Revision 1.67 / (download) - annotate - [select for diffs], Sun Feb 5 02:41:13 2017 UTC (5 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.66: +1 -2 lines
Diff to previous 1.66 (colored)

Disable internal sqlite3. Bump PKGREVISION

It is my mistake.
Builds confirmed on NetBSD/amd64 current and macOS Sierra.

Revision 1.66 / (download) - annotate - [select for diffs], Thu Feb 2 07:25:44 2017 UTC (5 years, 6 months ago) by yyamano
Branch: MAIN
Changes since 1.65: +2 -1 lines
Diff to previous 1.65 (colored)

Always use the sqlite3 library in NSS to avoid installation error on Mac OS X,
just like other platforms.

Revision 1.65 / (download) - annotate - [select for diffs], Fri Jan 20 15:01:23 2017 UTC (5 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.64: +5 -5 lines
Diff to previous 1.64 (colored)

Update to 3.28.1

* Bump nspr requirement

Changelog:
3.28.1:
The NSS team has released Network Security Services (NSS) 3.28.1,
which is a patch release.

Below is a summary of the changes.
Please refer to the full release notes for additional details,
including the SHA256 fingerprints of the changed CA certificates.

No new functionality is introduced in this release. This is a patch release to
update the list of root CA certificates and address a minor TLS compatibility
issue that some applications experienced with NSS 3.28.

Notable Changes:
* The following CA certificates were Removed
- CN = Buypass Class 2 CA 1
- CN = Root CA Generalitat Valenciana
- OU = RSA Security 2048 V3
* The following CA certificates were Added
- OU = AC RAIZ FNMT-RCM
- CN = Amazon Root CA 1
- CN = Amazon Root CA 2
- CN = Amazon Root CA 3
- CN = Amazon Root CA 4
- CN = LuxTrust Global Root 2
- CN = Symantec Class 1 Public Primary Certification Authority - G4
- CN = Symantec Class 1 Public Primary Certification Authority - G6
- CN = Symantec Class 2 Public Primary Certification Authority - G4
- CN = Symantec Class 2 Public Primary Certification Authority - G6
* The version number of the updated root CA list has been set to 2.11
* A misleading assertion/alert has been removed when NSS tries to flush data
  to the peer but the connection was already reset.


3.28:
The NSS team has released Network Security Services (NSS) 3.28,
which is a minor release.

Below is a summary of the changes.

Please refer to the full release notes for additional details:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes


Request to test and prepare for TLS 1.3 (draft):
================================================
To prepare for a change of default build options, which is
planned for
the future NSS 3.29 release, we'd like to encourage all users of NSS
3.28
to override the standard NSS build configuration to enable support for
(draft
) TLS 1.3 by defining NSS_ENABLE_TLS_1_3=1 at build time.
We'd like to ask you to
please give feedback to the NSS developers for any
compatibility issues that you
might encounter in your tests.

For providing feedback, you may send a message to this mailing list, see:
  https://lists.mozilla.org/listinfo/dev-tech-crypto
or please report a bug here:
  https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS


New functionality:
==================
* NSS includes support for TLS 1.3 draft -18. This includes a number 
  of
improvements to TLS 1.3:
  - The signed certificate timestamp, used in
certificate transparency, 
    is supported in TLS 1.3.
  - Key exporters for TLS
1.3 are supported. This includes the early key
    exporter, which can be used if
0-RTT is enabled. Note that there is a
    difference between TLS 1.3 and key
exporters in older versions of TLS.
    TLS 1.3 does not distinguish between an
empty context and no context.
  - The TLS 1.3 (draft) protocol can be enabled, by
defining
    NSS_ENABLE_TLS_1_3=1 when building NSS.
* NSS includes support for
the X25519 key exchange algorithm, which is
  supported and enabled by default in
all versions of TLS.

New Functions:
==============
* SSL_ExportEarlyKeyingMaterial
* SSL_SendAdditionalKeyShares
* SSL_SignatureSchemePrefSet
* SSL_SignatureSchemePrefGet

Notable Changes:
================
* NSS can no longer be compiled with support for additional elliptic curves.
  This was previously possible by replacing certain NSS source files.
* NSS will now detect the presence of tokens that support additional
  elliptic curves and enable those curves for use in TLS.
  Note that this detection has a one-off performance cost, which can be
  avoided by using the SSL_NamedGroupConfig function to limit supported
  groups to those that NSS provides.
* PKCS#11 bypass for TLS is no longer supported and has been removed.
* Support for "export" grade SSL/TLS cipher suites has been removed.
* NSS now uses the signature schemes definition in TLS 1.3.
  This also affects TLS 1.2. NSS will now only generate signatures with the
  combinations of hash and signature scheme that are defined in TLS 1.3,
  even when negotiating TLS 1.2.
  - This means that SHA-256 will only be used with P-256 ECDSA certificates,
    SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates.
    SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward
    compatibility reasons.
  - New functions to configure signature schemes are provided:
    SSL_SignatureSchemePrefSet, SSL_SignatureSchemePrefGet.
    The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are
    now deprecated.
  - NSS will now no longer assume that default signature schemes are 
    supported by a peer if there was no commonly supported signature scheme.
* NSS will now check if RSA-PSS signing is supported by the token that holds
  the private key prior to using it for TLS.
* The certificate validation code contains checks to no longer trust
  certificates that are issued by old WoSign and StartCom CAs after 
  October 21, 2016. This is equivalent to the behavior that Mozilla will
  release with Firefox 51.

Revision 1.64 / (download) - annotate - [select for diffs], Tue Nov 29 22:51:12 2016 UTC (5 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q4
Changes since 1.63: +5 -5 lines
Diff to previous 1.63 (colored)

Update to 3.27.2

Changelog:
The NSS Development Team announces the release of NSS 3.27.2, which is a
patch release to address a memory leak in the TLS implementation.

No new functionality is introduced in this release.

Notable Changes:
* Bug 1318561 - SSL_SetTrustAnchors leaks

Revision 1.63 / (download) - annotate - [select for diffs], Sat Oct 8 10:26:12 2016 UTC (5 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.62: +5 -5 lines
Diff to previous 1.62 (colored)

Update to 3.27.1

Changelog:
The NSS team has released Network Security Services (NSS) 3.27.1.

This is a patch release to address a TLS compatibility issue 
that some applications experienced with NSS 3.27.

Notable Changes:
Availability of the TLS 1.3 (draft) implementation has been re-disabled
in the default build.

Previous versions of NSS made TLS 1.3 (draft) available only when compiled
with NSS_ENABLE_TLS_1_3. NSS 3.27 set this value on by default, allowing
TLS 1.3 (draft) to be disabled using NSS_DISABLE_TLS_1_3, although the
maximum version used by default remained TLS 1.2.

However, some applications query the list of protocol versions that are
supported by the NSS library, and enable all supported TLS protocol versions.
Because NSS 3.27 enabled compilation of TLS 1.3 (draft) by default, it caused
those applications to enable TLS 1.3 (draft). This resulted in connectivity
failures, as some TLS servers are version 1.3 intolerant, and failed to
negotiate an earlier TLS version with NSS 3.27 clients.

Revision 1.62 / (download) - annotate - [select for diffs], Fri Sep 30 11:59:12 2016 UTC (5 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.61: +7 -7 lines
Diff to previous 1.61 (colored)

Update to 3.27

Changelog:
The NSS team has released Network Security Services (NSS) 3.27,
which is a minor release.

Below is a summary of the changes.
Please refer to the full release notes for additional details,
including the SHA256 fingerprints of the changed CA certificates.

New functionality:
* Allow custom named group priorities for TLS key exchange handshake
  (SSL_NamedGroupConfig).
* Added support for RSA-PSS signatures in TLS 1.2 and TLS 1.3

New Functions:
* SSL_NamedGroupConfig

Notable Changes:
* NPN can not be enabled anymore.
* Hard limits on the maximum number of TLS records encrypted with the same 
  key are enforced.
* Disabled renegotiation in DTLS.
* The following CA certificates were Removed
- CN = IGC/A, O = PM/SGDN, OU = DCSSI
- CN = Juur-SK, O = AS Sertifitseerimiskeskus
- CN = EBG Elektronik Sertifika Hizmet Salayıcısı
- CN = S-TRUST Authentication and Encryption Root CA 2005:PN
- O = VeriSign, Inc., OU = Class 1 Public Primary Certification Authority
- O = VeriSign, Inc., OU = Class 2 Public Primary Certification Authority - G2
- O = VeriSign, Inc., OU = Class 3 Public Primary Certification Authority
- O = Equifax, OU = Equifax Secure Certificate Authority
- CN = Equifax Secure eBusiness CA-1
- CN = Equifax Secure Global eBusiness CA-1

The full release notes are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.27_release_notes

Revision 1.61 / (download) - annotate - [select for diffs], Sat Jul 2 12:22:47 2016 UTC (6 years, 1 month ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.60: +5 -5 lines
Diff to previous 1.60 (colored)

Update to 3.25

Changelog:
The NSS team has released Network Security Services (NSS) 3.25, which is a minor
release.

Below is a short summary of the changes.
Please refer to the full release notes for additional details.

New functionality:
* Implemented DHE key agreement for TLS 1.3
* Added support for ChaCha with TLS 1.3
* Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
* In previous versions, when using client authentication with TLS 1.2, 
  NSS only supported certificate_verify messages that used the same
  signature hash algorithm as used by the PRF. 
  This limitation has been removed.
* Several functions have been added to the public API of the NSS
  Cryptoki Framework.

New Functions:
* NSSCKFWSlot_GetSlotID
* NSSCKFWSession_GetFWSlot
* NSSCKFWInstance_DestroySessionHandle
* NSSCKFWInstance_FindSessionHandle

Notable Changes:
* An SSL socket can no longer be configured to allow both TLS 1.3 and SSL v3
* Regression fix: NSS no longer reports a failure if an application attempts
  to disable the SSL v2 protocol.
* The list of trusted CA certificates has been updated to version 2.8
* The following CA certificate was Removed
- CN = Sonera Class1 CA
* The following CA certificates were Added 
- CN = Hellenic Academic and Research Institutions RootCA 2015
- CN = Hellenic Academic and Research Institutions ECC RootCA 2015
- CN = Certplus Root CA G1
- CN = Certplus Root CA G2
- CN = OpenTrust Root CA G1
- CN = OpenTrust Root CA G2
- CN = OpenTrust Root CA G3

Revision 1.60 / (download) - annotate - [select for diffs], Wed May 25 13:17:13 2016 UTC (6 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2
Changes since 1.59: +6 -6 lines
Diff to previous 1.59 (colored)

Update to 3.24

* Require nspr 4.12 or later, from he@. Thank you.

Changelog:
The NSS team has released Network Security Services (NSS) 3.24, which is
a minor release.

Below is a short summary of the changes.
Please refer to the full release notes for additional details.

New functionality:
* NSS softoken has been updated with the latest NIST guidance (as of 2015)
* NSS softoken has also been updated to allow NSS to run in FIPS level-1
  (no password).
* SSL_ConfigServerCert function has been added for configuring SSL/TLS
  server sockets with a certificate and private key. This method should be
  used in preference to SSL_ConfigSecureServer,
  SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, and
  SSL_SetSignedCertTimestamps.
* Added PORTCheapArena for temporary arenas allocated on the stack.

New Functions:
* SSL_ConfigServerCert - Configures an SSL/TLS socket with a certificate,
  private key and other information.
* PORT_InitCheapArena - This initializes an arena that was created on
  the stack. See PORTCheapArenaPool.
* PORT_DestroyCheapArena - This destroys an arena that was created on
  the stack. See PORTCheapArenaPool.

New Types
* SSLExtraServerCertData - This struct is optionally passed as an argument
  to SSL_ConfigServerCert. It contains supplementary information about a
  certificate, such as the intended type of the certificate, stapled OCSP
  responses, or signed certificate timestamps (used for certificate
  transparency).
* PORTCheapArenaPool - A stack-allocated arena pool, to be used for
  temporary arena allocations.

New Macros
* CKM_TLS12_MAC
* SEC_OID_TLS_ECDHE_PSK - This OID is used to govern use of the
  TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is only
  used for session resumption in TLS 1.3.

Notable Changes:
* The following functions have been deprecated (applications should use the
  new SSL_ConfigServerCert function instead):
  * SSL_SetStapledOCSPResponses
  * SSL_SetSignedCertTimestamps
  * SSL_ConfigSecureServer
  * SSL_ConfigSecureServerWithCertChain
* Function NSS_FindCertKEAType is now deprecated, as it reports a misleading
  value for certificates that might be used for signing rather than key
  exchange.
* SSLAuthType has been updated to define a larger number of authentication
  key types.
* The member attribute authAlgorithm of type SSLCipherSuiteInfo has been
  deprecated. Instead, applications should use the newly added attribute
  authType.
* ssl_auth_rsa has been renamed to ssl_auth_rsa_decrypt.
* On Linux platforms that define FREEBL_LOWHASH, a shared library has been
  added: libfreeblpriv3
* Most code related to the SSL v2 has been removed, including the ability to
  actively send a SSL v2 compatible client hello.
  However, the server side implementation of the SSL/TLS protocol continues to
  support processing of received v2 compatible client hello messages.
* NSS supports a mechanism to log SSL/TLS key material to a logfile if the
  environment variable named SSLKEYLOGFILE is set. NSS has been changed to
  disable this functionality in optimized builds by default. In order to enable
  the functionality in optimized builds, the symbol NSS_ALLOW_SSLKEYLOGFILE
  must be defined when building NSS.
* NSS has been updated to be protected against the Cachebleed attack.
* Support for DTLS compression has been disabled.
* Support for TLS 1.3 has been improved. This includes support for DTLS 1.3.
  Note that TLS 1.3 support is experimental and is not suitable for production
  use.

Revision 1.59 / (download) - annotate - [select for diffs], Sun Apr 17 19:27:10 2016 UTC (6 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.58: +7 -7 lines
Diff to previous 1.58 (colored)

Update to 3.23

Changelog:
The NSS team has released Network Security Services (NSS) 3.23, which is a minor
release.

The following security-relevant bug has been resolved in NSS 3.23.
Users are encouraged to upgrade immediately.

* Bug 1245528 (CVE-2016-1950):
  Fixed a heap-based buffer overflow related to the parsing of certain ASN.1
  structures. An attacker could create a specially-crafted certificate which,
  when parsed by NSS, would cause a crash or execution of arbitrary code with
  the permissions of the user.

New functionality:
* ChaCha20/Poly1305 cipher and TLS cipher suites now supported
  (bug 917571, bug 1227905)
* Experimental-only support TLS 1.3 1-RTT mode (draft-11).
  This code is not ready for production use.

New Functions:
* SSL_SetDowngradeCheckVersion - Set maximum version for new ServerRandom
  anti-downgrade mechanism

Notable Changes:
* The copy of SQLite shipped with NSS has been updated to version 3.10.2
  (bug 1234698)
* The list of TLS extensions sent in the TLS handshake has been reordered
  to improve compatibility of the Extended Master Secret feature
  with servers (bug 1243641)
* The build time environment variable NSS_ENABLE_ZLIB has been renamed
  to NSS_SSL_ENABLE_ZLIB (Bug 1243872).
* The build time environment variable NSS_DISABLE_CHACHAPOLY was added,
  which can be used to prevent compilation of the ChaCha20/Poly1305 code.
* The following CA certificates were Removed
- Staat der Nederlanden Root CA
- NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
- NetLock Kozjegyzoi (Class A) Tanusitvanykiado
- NetLock Uzleti (Class B) Tanusitvanykiado
- NetLock Expressz (Class C) Tanusitvanykiado
- VeriSign Class 1 Public PCA G2
- VeriSign Class 3 Public PCA
- VeriSign Class 3 Public PCA G2
- CA Disig
* The following CA certificates were Added
- SZAFIR ROOT CA2
- Certum Trusted Network CA 2
* The following CA certificate had the Email trust bit turned on
- Actalis Authentication Root CA

The full release notes, including the SHA256 fingerprints of the changed
CA certificates, are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes

Revision 1.54.2.1 / (download) - annotate - [select for diffs], Sun Apr 3 21:02:56 2016 UTC (6 years, 4 months ago) by spz
Branch: pkgsrc-2015Q4
Changes since 1.54: +5 -5 lines
Diff to previous 1.54 (colored) next main 1.55 (colored)

Pullup ticket #4952 - requested by bsiegert
devel/nss: security update

Revisions pulled up:
- devel/nss/Makefile                                            1.106
- devel/nss/distinfo                                            1.55

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   ryoon
   Date:           Sat Feb  6 22:09:56 UTC 2016

   Modified Files:
           pkgsrc/devel/nss: Makefile distinfo

   Log Message:
   Update to 3.22

   Changelog:
   The NSS team has released Network Security Services (NSS) 3.22,
   which is a minor release.

   New functionality:
   * RSA-PSS signatures are now supported (bug 1215295)
   * Pseudorandom functions based on hashes other than SHA-1 are now supported
   * Enforce an External Policy on NSS from a config file (bug 1009429)

   New Functions:
   * PK11_SignWithMechanism - an extended version PK11_Sign()
   * PK11_VerifyWithMechanism - an extended version of PK11_Verify()
   * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp
     TLS extension data
   * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp
     TLS extension data

   New Types:
   * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
   * Constants for several object IDs are added to SECOidTag

   New Macros:
   * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
   * NSS_USE_ALG_IN_SSL
   * NSS_USE_POLICY_IN_SSL
   * NSS_RSA_MIN_KEY_SIZE
   * NSS_DH_MIN_KEY_SIZE
   * NSS_DSA_MIN_KEY_SIZE
   * NSS_TLS_VERSION_MIN_POLICY
   * NSS_TLS_VERSION_MAX_POLICY
   * NSS_DTLS_VERSION_MIN_POLICY
   * NSS_DTLS_VERSION_MAX_POLICY
   * CKP_PKCS5_PBKD2_HMAC_SHA224
   * CKP_PKCS5_PBKD2_HMAC_SHA256
   * CKP_PKCS5_PBKD2_HMAC_SHA384
   * CKP_PKCS5_PBKD2_HMAC_SHA512
   * CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported)
   * CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported)
   * CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported)

   table Changes:
   * NSS C++ tests are built by default, requiring a C++11 compiler.
     Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.

   The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.


   To generate a diff of this commit:
   cvs rdiff -u -r1.105 -r1.106 pkgsrc/devel/nss/Makefile
   cvs rdiff -u -r1.54 -r1.55 pkgsrc/devel/nss/distinfo

Revision 1.58 / (download) - annotate - [select for diffs], Tue Mar 15 03:12:06 2016 UTC (6 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2016Q1-base, pkgsrc-2016Q1
Changes since 1.57: +5 -5 lines
Diff to previous 1.57 (colored)

Update to 3.22.3

Changelog:
The NSS Development Team announces the release of NSS 3.22.3,
which is a patch release for NSS 3.22.

No new functionality is introduced in this release.

The following bugs have been resolved in NSS 3.22.3

* Bug 1243641 - Increase compatibility of TLS extended master secret,
  don't send an empty TLS extension last in the handshake

Revision 1.57 / (download) - annotate - [select for diffs], Mon Mar 7 12:31:17 2016 UTC (6 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.56: +5 -5 lines
Diff to previous 1.56 (colored)

Update to 3.22.2

Changelog:
New root certificates backported from 3.23.

Revision 1.56 / (download) - annotate - [select for diffs], Wed Feb 17 22:00:14 2016 UTC (6 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.55: +5 -5 lines
Diff to previous 1.55 (colored)

Update to 3.22.1

Changelog:
The NSS Development Team announces the release of NSS 3.22.1

No new functionality is introduced in this release.

Notable Changes:
* NSS has been changed to use the PR_GetEnvSecure function that
  was made available in NSPR 4.12

Revision 1.55 / (download) - annotate - [select for diffs], Sat Feb 6 22:09:55 2016 UTC (6 years, 6 months ago) by ryoon
Branch: MAIN
Changes since 1.54: +5 -5 lines
Diff to previous 1.54 (colored)

Update to 3.22

Changelog:
The NSS team has released Network Security Services (NSS) 3.22,
which is a minor release.

New functionality:
* RSA-PSS signatures are now supported (bug 1215295)
* Pseudorandom functions based on hashes other than SHA-1 are now supported
* Enforce an External Policy on NSS from a config file (bug 1009429)

New Functions:
* PK11_SignWithMechanism - an extended version PK11_Sign()
* PK11_VerifyWithMechanism - an extended version of PK11_Verify()
* SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp
  TLS extension data
* SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp
  TLS extension data

New Types:
* ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
* Constants for several object IDs are added to SECOidTag

New Macros:
* SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
* NSS_USE_ALG_IN_SSL
* NSS_USE_POLICY_IN_SSL
* NSS_RSA_MIN_KEY_SIZE
* NSS_DH_MIN_KEY_SIZE
* NSS_DSA_MIN_KEY_SIZE
* NSS_TLS_VERSION_MIN_POLICY
* NSS_TLS_VERSION_MAX_POLICY
* NSS_DTLS_VERSION_MIN_POLICY
* NSS_DTLS_VERSION_MAX_POLICY
* CKP_PKCS5_PBKD2_HMAC_SHA224
* CKP_PKCS5_PBKD2_HMAC_SHA256
* CKP_PKCS5_PBKD2_HMAC_SHA384
* CKP_PKCS5_PBKD2_HMAC_SHA512
* CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported)
* CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported)
* CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported)

table Changes:
* NSS C++ tests are built by default, requiring a C++11 compiler.
  Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.

The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.

Revision 1.54 / (download) - annotate - [select for diffs], Thu Dec 17 13:39:59 2015 UTC (6 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q4-base
Branch point for: pkgsrc-2015Q4
Changes since 1.53: +2 -1 lines
Diff to previous 1.53 (colored)

Fix build under GCC 4.5.3 (NetBSD 6)

Revision 1.53 / (download) - annotate - [select for diffs], Fri Nov 20 18:54:50 2015 UTC (6 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.52: +5 -5 lines
Diff to previous 1.52 (colored)

Update to 3.21

* Disable gtest option

Changelog:
The NSS team has released Network Security Services (NSS) 3.21,
which is a minor release.

New functionality:
* certutil now supports a --rename option to change a nickname (bug 1142209)
* TLS extended master secret extension (RFC 7627) is supported (bug 1117022)
* New info functions added for use during mid-handshake callbacks (bug 1084669)

New Functions:
* NSS_OptionSet - sets NSS global options
* NSS_OptionGet - gets the current value of NSS global options
* SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name
  string, module parameters string, NSS specific parameters string, and NSS
  configuration parameter string. The module represented by the module
  structure is not loaded. The difference with SECMOD_CreateModule is the new
  function handles NSS configuration parameter strings.
* SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior
  to the handshake being completed, for use with the callbacks that are invoked
  during the handshake
* SSL_SignaturePrefSet - configures the enabled signature and hash algorithms
  for TLS
* SSL_SignaturePrefGet - retrieves the currently configured signature and hash
  algorithms
* SSL_SignatureMaxCount - obtains the maximum number signature algorithms that
  can be configured with SSL_SignaturePrefSet
* NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared
  library string, module name string, module parameters string, NSS specific
  parameters string, and NSS configuration parameter strings. The returned
  strings must be freed by the caller. The difference with
  NSS_ArgParseModuleSpec is the new function handles NSS configuration
  parameter strings.
* NSSUTIL_MkModuleSpecEx - take a shared library string, module name string,
  module parameters string, NSS specific parameters string, and NSS
  configuration parameter string and returns a module string which the caller
  must free when it is done. The difference with NSS_MkModuleSpec is the new
  function handles NSS configuration parameter strings.

New Types:
* CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for
  CKM_TLS12_MASTER_KEY_DERIVE
* CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for
  CKM_TLS12_KEY_AND_MAC_DERIVE
* CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF
* CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC
* SSLHashType - identifies a hash function
* SSLSignatureAndHashAlg - identifies a signature and hash function
* SSLPreliminaryChannelInfo - provides information about the session state
  prior to handshake completion

New Macros:
* NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
  get the minimum RSA key size
* NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
  get the minimum DH key size
* NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
  get the minimum DSA key size
* CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret
* CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV
* CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and
  ECDH) cipher suites
* CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional
  PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS.
* CKM_TLS_MAC - computes TLS Finished MAC
* NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS key
  exchange
* SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete
  DTLS record in a UDP packet
* SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid
  signature and hash algorithm is available
* SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an
  unsupported signature and hash algorithm is configured
* SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended
  master secret is missing after having been negotiated
* SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an
  extended master secret when previously not negotiated
* SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS extended
  master secret extension (RFC 7627)
* ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that a
  TLS version has been selected
* ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate
  that a TLS cipher suite has been selected
* ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all
  preliminary information has been set

Notable Changes:
* NSS now builds with elliptic curve ciphers enabled by default (bug 1205688)
* NSS now builds with warnings as errors (bug 1182667)
* The following CA certificates were Removed
- CN = VeriSign Class 4 Public Primary Certification Authority - G3
- CN = UTN-USERFirst-Network Applications
- CN = TC TrustCenter Universal CA III
- CN = A-Trust-nQual-03
- CN = USERTrust Legacy Secure Server CA
- Friendly Name: Digital Signature Trust Co. Global CA 1
- Friendly Name: Digital Signature Trust Co. Global CA 3
- CN = UTN - DATACorp SGC
- O = TRKTRUST Bilgi İletiim ve Biliim Güvenlii Hizmetleri A.. (c) Kasım 2\
005
* The following CA certificate had the Websites trust bit turned off
- OU = Equifax Secure Certificate Authority
* The following CA certificates were Added
- CN = Certification Authority of WoSign G2
- CN = CA WoSign ECC Root
- CN = OISTE WISeKey Global Root GB CA

Revision 1.50.2.1 / (download) - annotate - [select for diffs], Thu Nov 19 20:39:15 2015 UTC (6 years, 9 months ago) by bsiegert
Branch: pkgsrc-2015Q3
Changes since 1.50: +5 -4 lines
Diff to previous 1.50 (colored) next main 1.51 (colored)

Pullup ticket #4853 - requested by he
devel/nss: security fix

Revisions pulled up:
- devel/nss/Makefile                                            1.103
- devel/nss/distinfo                                            1.52

---
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Tue Nov  3 16:55:07 UTC 2015

   Modified Files:
   	pkgsrc/devel/nss: Makefile distinfo

   Log Message:
   Update to 3.20.1

   Changelog:
   The following security-relevant bugs have been resolved in NSS 3.20.1.
   Users are encouraged to upgrade immediately.

   * Bug 1192028 (CVE-2015-7181) and
     Bug 1202868 (CVE-2015-7182):
     Several issues existed within the ASN.1 decoder used by NSS for handling
     streaming BER data. While the majority of NSS uses a separate, unaffected
     DER decoder, several public routines also accept BER data, and thus are
     affected. An attacker that successfully exploited these issues can overflow
     the heap and may be able to obtain remote code execution.

Revision 1.52 / (download) - annotate - [select for diffs], Tue Nov 3 16:55:07 2015 UTC (6 years, 9 months ago) by ryoon
Branch: MAIN
Changes since 1.51: +5 -5 lines
Diff to previous 1.51 (colored)

Update to 3.20.1

Changelog:
The following security-relevant bugs have been resolved in NSS 3.20.1.
Users are encouraged to upgrade immediately.

* Bug 1192028 (CVE-2015-7181) and
  Bug 1202868 (CVE-2015-7182):
  Several issues existed within the ASN.1 decoder used by NSS for handling
  streaming BER data. While the majority of NSS uses a separate, unaffected
  DER decoder, several public routines also accept BER data, and thus are
  affected. An attacker that successfully exploited these issues can overflow
  the heap and may be able to obtain remote code execution.

Revision 1.51 / (download) - annotate - [select for diffs], Tue Nov 3 03:27:51 2015 UTC (6 years, 9 months ago) by agc
Branch: MAIN
Changes since 1.50: +2 -1 lines
Diff to previous 1.50 (colored)

Add SHA512 digests for distfiles for devel category

Issues found with existing distfiles:
	distfiles/eclipse-sourceBuild-srcIncluded-3.0.1.zip
	distfiles/fortran-utils-1.1.tar.gz
	distfiles/ivykis-0.39.tar.gz
	distfiles/enum-1.11.tar.gz
	distfiles/pvs-3.2-libraries.tgz
	distfiles/pvs-3.2-linux.tgz
	distfiles/pvs-3.2-solaris.tgz
	distfiles/pvs-3.2-system.tgz
No changes made to these distinfo files.

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.

Revision 1.50 / (download) - annotate - [select for diffs], Thu Aug 20 10:54:24 2015 UTC (7 years ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q3-base
Branch point for: pkgsrc-2015Q3
Changes since 1.49: +4 -4 lines
Diff to previous 1.49 (colored)

Update to 3.20

Changelog:
The NSS team has released Network Security Services (NSS) 3.20,
which is a minor release.

New functionality:
* The TLS library has been extended to support DHE ciphersuites in
  server applications.

New Functions:
* SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group
  parameters that can be used by NSS for a server socket.
* SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group
  parameters that are smaller than the library default's minimum size.

New Types:
* SSLDHEGroupType - Enumerates the set of DHE parameters embedded in
  NSS that can be used with function SSL_DHEGroupPrefSet.

New Macros:
* SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable
  DHE ciphersuites for a server socket.

Notable Changes:
* The TLS library has been extended to support DHE ciphersuites in
  server applications.
* For backwards compatibility reasons, the server side implementation
  of the TLS library keeps all DHE ciphersuites disabled by default.
  They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE
  and the SSL_OptionSet or the SSL_OptionSetDefault API.
* The server side implementation of the TLS implementation does not
  support session tickets when using a DHE ciphersuite (see bug
  1174677).
* Support for the following ciphersuites has been added:
  - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* By default, the server side TLS implementation will use DHE
  parameters with a size of 2048 bits when using DHE ciphersuites.
* NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and
  8192 bits, which were copied from version 08 of the Internet-Draft
  "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
  TLS", Appendix A.
* A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a
  server application to select one or multiple of the embedded DHE
  parameters as the preferred parameters. The current implementation of
  NSS will always use the first entry in the array that is passed as a
  parameter to the SSL_DHEGroupPrefSet API. In future versions of the
  TLS implementation, a TLS client might signal a preference for
  certain DHE parameters, and the NSS TLS server side implementation
  might select a matching entry from the set of parameters that have
  been configured as preferred on the server side.
* NSS optionally supports the use of weak DHE parameters with DHE
  ciphersuites to support legacy clients. In order to enable this
  support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each
  time this API is called for the first time in a process, a fresh set
  of weak DHE parameters will be randomly created, which may take a
  long amount of time. Please refer to the comments in the header file
  that declares the SSL_EnableWeakDHEPrimeGroup API for additional
  details.
* The size of the default PQG parameters used by certutil when
  creating DSA keys has been increased to use 2048 bit parameters.
* The selfserv utility has been enhanced to support the new DHE
  features.
* NSS no longer supports C compilers that predate the ANSI C
  standard (C89).

Revision 1.49 / (download) - annotate - [select for diffs], Tue Jun 23 13:16:47 2015 UTC (7 years, 1 month ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q2-base, pkgsrc-2015Q2
Changes since 1.48: +4 -4 lines
Diff to previous 1.48 (colored)

Update to 3.19.2

* Approved by wiz@.

Changelog:
Network Security Services (NSS) is a patch release for NSS 3.19.

No new functionality is introduced in this release. This release addresses
a backwards compatibility issue with the NSS 3.19.1 release.

Notable Changes:
* In NSS 3.19.1, the minimum key sizes that the freebl cryptographic
implementation (part of the softoken cryptographic module used by default
by NSS) was willing to generate or use was increased - for RSA keys, to
512 bits, and for DH keys, 1023 bits. This was done as part of a security
fix for Bug 1138554 / CVE-2015-4000. Applications that requested or
attempted to use keys smaller then the minimum size would fail. However,
this change in behaviour unintentionally broke existing NSS applications
that need to generate or use such keys, via APIs such as
SECKEY_CreateRSAPrivateKey or SECKEY_CreateDHPrivateKey.

In NSS 3.19.2, this change in freebl behaviour has been reverted. The fix
for Bug 1138554 has been moved to libssl, and will now only affect the
minimum keystrengths used in SSL/TLS.

Revision 1.48 / (download) - annotate - [select for diffs], Fri May 29 14:19:25 2015 UTC (7 years, 2 months ago) by ryoon
Branch: MAIN
Changes since 1.47: +4 -4 lines
Diff to previous 1.47 (colored)

Update to 3.19.1

Changelog:
Network Security Services (NSS) 3.19.1 is a patch release
for NSS 3.19.

No new functionality is introduced in this release. This patch
release includes a fix for the recently published logjam attack.

Notable Changes:
* The minimum strength of keys that libssl will accept for
  finite field algorithms (RSA, Diffie-Hellman, and DSA) have
  been increased to 1023 bits (bug 1138554).
* NSS reports the bit length of keys more accurately.  Thus,
  the SECKEY_PublicKeyStrength and SECKEY_PublicKeyStrengthInBits
  functions could report smaller values for values that have
  leading zero values. This affects the key strength values that
  are reported by SSL_GetChannelInfo.

The NSS development team would like to thank Matthew Green and
Karthikeyan Bhargavan for responsibly disclosing the issue in
bug 1138554.

The HG tag is NSS_3_19_1_RTM. NSS 3.19.1 requires NSPR 4.10.8 or newer.

Revision 1.47 / (download) - annotate - [select for diffs], Tue May 5 21:42:19 2015 UTC (7 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.46: +6 -5 lines
Diff to previous 1.46 (colored)

Update to 3.19

Changelog:
The NSS team has released Network Security Services (NSS) 3.19,
which is a minor release.

New functionality:
* For some certificates, such as root CA certificates, that don't
  embed any constraints, NSS might impose additional constraints,
  such as name constraints. A new API has been added that allows
  to lookup imposed constraints.
* It is possible to override the directory in which the NSS build
  system will look for the sqlite library.

New Functions:
* CERT_GetImposedNameConstraints

Notable Changes:
* The SSL 3 protocol has been disabled by default.
* NSS now more strictly validates TLS extensions and will fail a
  handshake that contains malformed extensions.
* Fixed a bug related to the ordering of TLS handshake messages.
* In TLS 1.2 handshakes, NSS advertises support for the SHA512
  hash algorithm, in order to be compatible with TLS servers
  that use certificates with a SHA512 signature.

Revision 1.46 / (download) - annotate - [select for diffs], Tue Apr 21 11:38:19 2015 UTC (7 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.45: +4 -4 lines
Diff to previous 1.45 (colored)

Update to 3.18.1

Changelog:
The NSS Development Team announces the release of NSS 3.18.1

Network Security Services (NSS) 3.18.1 is a patch release
for NSS 3.18 to update the list of root CA certificates.

No new functionality is introduced in this release.

Notable Changes:
* The following CA certificate had the Websites and Code Signing
  trust bits restored to their original state to allow more time
  to develop a better transition strategy for affected sites:
  - OU = Equifax Secure Certificate Authority
* The following CA certificate was removed:
  - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
* The following intermediate CA certificate has been added as
  actively distrusted because it was mis-used to issue certificates
  for domain names the holder did not own or control:
  - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG
* The version number of the updated root CA list has been set
  to 2.4

The full release notes, including further details and the SHA1
fingerprints of the changed CA certificates, are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes

Revision 1.45 / (download) - annotate - [select for diffs], Sun Apr 5 12:51:51 2015 UTC (7 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.44: +4 -4 lines
Diff to previous 1.44 (colored)

Update to 3.18

Changelog:
The NSS team has released Network Security Services (NSS) 3.18,
which is a minor release.

New functionality:
* When importing certificates and keys from a PKCS#12 source,
  it's now possible to override the nicknames, prior to importing
  them into the NSS database, using new API
  SEC_PKCS12DecoderRenameCertNicknames.
* The tstclnt test utility program has new command-line options
  -C, -D, -b and -R.
  Use -C one, two or three times to print information about the
  certificates received from a server, and information about the
  locally found and trusted issuer certificates, to diagnose
  server side configuration issues. It is possible to run tstclnt
  without providing a database (-D). A PKCS#11 library that
  contains root CA certificates can be loaded by tstclnt, which
  may either be the nssckbi library provided by NSS (-b) or
  another compatible library (-R).

New Functions:
* SEC_CheckCrlTimes
* SEC_GetCrlTimes
* SEC_PKCS12DecoderRenameCertNicknames

New Types
* SEC_PKCS12NicknameRenameCallback

Notable Changes:
* The highest TLS protocol version enabled by default has been
  increased from TLS 1.0 to TLS 1.2. Similarly, the highest DTLS
  protocol version enabled by default has been increased from
  DTLS 1.0 to DTLS 1.2.
* The default key size used by certutil when creating an RSA key
  pair has been increased from 1024 bits to 2048 bits.
* On Mac OS X, by default the softokn shared library will link
  with the sqlite library installed by the operating system,
  if it is version 3.5 or newer.
* The following CA certificates had the Websites and Code Signing
  trust bits turned off:
  - Equifax Secure Certificate Authority
  - Equifax Secure Global eBusiness CA-1
  - TC TrustCenter Class 3 CA II
* The following CA certificates were Added:
  - Staat der Nederlanden Root CA - G3
  - Staat der Nederlanden EV Root CA
  - IdenTrust Commercial Root CA 1
  - IdenTrust Public Sector Root CA 1
  - S-TRUST Universal Root CA
  - Entrust Root Certification Authority - G2
  - Entrust Root Certification Authority - EC1
  - CFCA EV ROOT
* The version number of the updated root CA list has been set
  to 2.3

Revision 1.44 / (download) - annotate - [select for diffs], Wed Jan 28 21:12:09 2015 UTC (7 years, 6 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2015Q1-base, pkgsrc-2015Q1
Changes since 1.43: +4 -4 lines
Diff to previous 1.43 (colored)

Update to 3.17.4

Changelog:
Network Security Services (NSS) 3.17.4 is a patch release for NSS 3.17.

No new functionality is introduced in this release.

Notable Changes:
* If an SSL/TLS connection fails, because client and server don't have
  any common protocol version enabled, NSS has been changed to report
  error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting
  SSL_ERROR_NO_CYPHER_OVERLAP).
* libpkix was fixed to prefer the newest certificate, if multiple
  certificates match.
* fixed a memory corruption issue during failure of keypair generation.
* fixed a failure to reload a PKCS#11 module in FIPS mode.
* fixed interoperability of NSS server code with a LibreSSL client.

Revision 1.43 / (download) - annotate - [select for diffs], Mon Dec 1 18:23:29 2014 UTC (7 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2014Q4-base, pkgsrc-2014Q4
Changes since 1.42: +4 -4 lines
Diff to previous 1.42 (colored)

Update to 3.17.3

Changelog:
New functionality:
* Support for TLS_FALLBACK_SCSV has been added to the ssltap and
  tstclnt utilities

Notable Changes:
* The QuickDER decoder now decodes lengths robustly
  (CVE-2014-1569)
* The following 1024-bit CA certificates were Removed:
  - GTE CyberTrust Global Root
  - Thawte Server CA
  - Thawte Premium Server CA
  - America Online Root Certification Authority 1
  - America Online Root Certification Authority 2
* The following CA certificates had the Websites and Code Signing
  trust bits turned off:
  - Class 3 Public Primary Certification Authority - G2
  - Equifax Secure eBusiness CA-1
* The following CA certificates were Added:
  - COMODO RSA Certification Authority
  - USERTrust RSA Certification Authority
  - USERTrust ECC Certification Authority
  - GlobalSign ECC Root CA - R4
  - GlobalSign ECC Root CA - R5
* The version number of the updated root CA list has been set
  to 2.2

Revision 1.42 / (download) - annotate - [select for diffs], Wed Oct 15 13:04:20 2014 UTC (7 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.41: +4 -4 lines
Diff to previous 1.41 (colored)

Update to 3.17.2

Changelog:
New in NSS 3.17.2

New Functionality

No new functionality is introduced in this release. This is a patch release to fix a regression and other bugs.

Notable Changes in NSS 3.17.2

    Bug 1049435: Change RSA_PrivateKeyCheck to not require p > q. This fixes a regression introduced in NSS 3.16.2 that prevented NSS from importing some RSA private keys (such as in PKCS #12 files) generated by other crypto libraries.
    Bug 1057161: Check that an imported elliptic curve public key is valid. Previously NSS would only validate the peer's public key before performing ECDH key agreement. Now EC public keys are validated at import time.
    Bug 1078669: certutil crashes when an argument is passed to the --certVersion option.

Bugs fixed in NSS 3.17.2

This Bugzilla query returns all the bugs fixed in NSS 3.17.2:

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.2

Compatibility

NSS 3.17.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.17.2 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.

Revision 1.41 / (download) - annotate - [select for diffs], Fri Sep 26 03:25:22 2014 UTC (7 years, 10 months ago) by spz
Branch: MAIN
CVS Tags: pkgsrc-2014Q3-base, pkgsrc-2014Q3
Changes since 1.40: +4 -4 lines
Diff to previous 1.40 (colored)

security update fixing:
- Incorrect DigestInfo validation in NSS (CVE-2014-1568)
- RSA signature verification vulnerabilities in parsing of DigestInfo
(see https://www.mozilla.org/security/announce/2014/mfsa2014-73.html)

Revision 1.40 / (download) - annotate - [select for diffs], Tue Aug 12 09:43:06 2014 UTC (8 years ago) by markd
Branch: MAIN
Changes since 1.39: +4 -4 lines
Diff to previous 1.39 (colored)

Update to nss 3.16.4

This release consists primarily of CA certificate changes as listed
below, and includes a small number of bug fixes.

Notable Changes:
* The following 1024-bit root CA certificate was restored to allow more
  time to develop a better transition strategy for affected sites. It was
  removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy
  forum led to the decision to keep this root included longer in order to
  give website administrators more time to update their web servers.
  - CN = GTE CyberTrust Global Root
* In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification
  Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit
  intermediate CA certificate has been included, without explicit trust.
  The intention is to mitigate the effects of the previous removal of the
  1024-bit Entrust.net root certificate, because many public Internet
  sites still use the "USERTrust Legacy Secure Server CA" intermediate
  certificate that is signed by the 1024-bit Entrust.net root certificate.
  The inclusion of the intermediate certificate is a temporary measure to
  allow those sites to function, by allowing them to find a trust path to
  another 2048-bit root CA certificate. The temporarily included
  intermediate certificate expires November 1, 2015.

Revision 1.39 / (download) - annotate - [select for diffs], Sat Jul 5 04:53:39 2014 UTC (8 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.38: +4 -4 lines
Diff to previous 1.38 (colored)

Update to 3.16.2

Changelog:
Network Security Services (NSS) 3.16.3 is a patch release for NSS 3.16.

This release consists primarily of CA certificate changes as listed
below, and fixes an issue with a recently added utility function.

New Functions:
* CERT_GetGeneralNameTypeFromString (This function was already added
  in NSS 3.16.2, however, it wasn't declared in a public header file.)

Notable Changes:
* The following 1024-bit CA certificates were Removed
  - Entrust.net Secure Server Certification Authority
  - GTE CyberTrust Global Root
  - ValiCert Class 1 Policy Validation Authority
  - ValiCert Class 2 Policy Validation Authority
  - ValiCert Class 3 Policy Validation Authority
* Additionally, the following CA certificate was Removed as
  requested by the CA:
  - TDC Internet Root CA
* The following CA certificates were Added:
  - Certification Authority of WoSign
  - CA 沦좹  - DigiCert Assured ID Root G2
  - DigiCert Assured ID Root G3
  - DigiCert Global Root G2
  - DigiCert Global Root G3
  - DigiCert Trusted Root G4
  - QuoVadis Root CA 1 G3
  - QuoVadis Root CA 2 G3
  - QuoVadis Root CA 3 G3
* The Trust Bits were changed for the following CA certificates
  - Class 3 Public Primary Certification Authority
  - Class 3 Public Primary Certification Authority
  - Class 2 Public Primary Certification Authority - G2
  - VeriSign Class 2 Public Primary Certification Authority - G3
  - AC Raíz Certicámara S.A.
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado

Revision 1.38 / (download) - annotate - [select for diffs], Wed Jul 2 13:39:25 2014 UTC (8 years, 1 month ago) by ryoon
Branch: MAIN
Changes since 1.37: +4 -4 lines
Diff to previous 1.37 (colored)

Update to 3.16.2

Changelog:
Network Security Services (NSS) 3.16.2 is a patch release for NSS 3.16.

New functionality:
* DTLS 1.2 is supported.
* The TLS application layer protocol negotiation (ALPN) extension
  is also supported on the server side.
* RSA-OEAP is supported. Use the new PK11_PrivDecrypt and
  PK11_PubEncrypt functions with the CKM_RSA_PKCS_OAEP mechanism.
* New Intel AES assembly code for 32-bit and 64-bit Windows,
  contributed by Shay Gueron and Vlad Krasnov of Intel.

New Functions:
* CERT_AddExtensionByOID
* PK11_PrivDecrypt
* PK11_PubEncrypt

New Macros
* SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK
* SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL

Notable Changes:
* The btoa command has a new command-line option -w suffix, which
  causes the output to be wrapped in BEGIN/END lines with the
  given suffix
* The certutil commands supports additionals types of subject
  alt name extensions.
* The certutil command supports generic certificate extensions,
  by loading binary data from files, which have been prepared using
  external tools, or which have been extracted from other existing
  certificates and dumped to file.
* The certutil command supports three new certificate usage specifiers.
* The pp command supports printing UTF-8 (-u).
* On Linux, NSS is built with the -ffunction-sections -fdata-sections
  compiler flags and the --gc-sections linker flag to allow unused
  functions to be discarded.

Revision 1.37 / (download) - annotate - [select for diffs], Sun May 25 23:45:58 2014 UTC (8 years, 2 months ago) by pho
Branch: MAIN
CVS Tags: pkgsrc-2014Q2-base, pkgsrc-2014Q2
Changes since 1.36: +2 -1 lines
Diff to previous 1.36 (colored)

Correct wrong install_name for Darwin.

Makefile had a SUBST for this but it wasn't working.

Revision 1.36 / (download) - annotate - [select for diffs], Fri May 16 13:59:17 2014 UTC (8 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.35: +4 -4 lines
Diff to previous 1.35 (colored)

Update to 3.16.1

Changelog:
Network Security Services (NSS) 3.16.1 is a patch release for NSS 3.16.

New functionality:
* Added the "ECC" flag for modutil to select the module used for
  elliptic curve cryptography (ECC) operations.

New Functions:
* PK11_ExportDERPrivateKeyInfo
* PK11_ExportPrivKeyInfo
* SECMOD_InternalToPubMechFlags

New Types:
* ssl_padding_xtn

New Macros
* PUBLIC_MECH_ECC_FLAG
* SECMOD_ECC_FLAG

Notable Changes:
* Imposed name constraints on the French government root CA ANSSI
  (DCISS).

Revision 1.35 / (download) - annotate - [select for diffs], Fri May 16 12:38:01 2014 UTC (8 years, 3 months ago) by ryoon
Branch: MAIN
Changes since 1.34: +2 -1 lines
Diff to previous 1.34 (colored)

Reduce PLIST divergence for OpenBSD

Revision 1.34 / (download) - annotate - [select for diffs], Sat Mar 22 23:32:46 2014 UTC (8 years, 4 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2014Q1-base, pkgsrc-2014Q1
Changes since 1.33: +4 -4 lines
Diff to previous 1.33 (colored)

Update to 3.16

* Improve 3.16 like 2 number version support (firefox etc. requires 3 number
  version string)

Changelog:
From https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes

The following security-relevant bug has been resolved.
Users are encouraged to upgrade immediately.
* Bug 903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard
  character should not be embedded within the U-label of an
  internationalized domain name. See the last bullet point in RFC 6125,
  Section 7.2.

New functionality:
* Supports the Linux x32 ABI. To build for the Linux x32 target, set
  the environment variable USE_X32=1 when building NSS.

New Functions:
* NSS_CMSSignerInfo_Verify

New Macros
* TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.,
  cipher suites that were first defined in SSL 3.0 can now be referred
  to with their official IANA names in TLS, with the TLS_ prefix.
  Previously, they had to be referred to with their names in SSL 3.0,
  with the SSL_ prefix.

Notable Changes:
* ECC is enabled by default. It is no longer necessary to set the
  environment variable NSS_ENABLE_ECC=1 when building NSS. To disable
  ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS.
* libpkix should not include the common name of CA as DNS names when
  evaluating name constraints.
* AESKeyWrap_Decrypt should not return SECSuccess for invalid keys.
* Fix a memory corruption in sec_pkcs12_new_asafe.
* If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime
  test sdb_measureAccess.
* The built-in roots module has been updated to version 1.97, which
  adds, removes, and distrusts several certificates.
* The atob utility has been improved to automatically ignore lines of
  text that aren't in base64 format.
* The certutil utility has been improved to support creation of
  version 1 and version 2 certificates, in addition to the existing
  version 3 support.

Revision 1.33 / (download) - annotate - [select for diffs], Mon Mar 10 18:42:34 2014 UTC (8 years, 5 months ago) by ryoon
Branch: MAIN
Changes since 1.32: +4 -4 lines
Diff to previous 1.32 (colored)

Update to 3.15.5

Changelog:
From: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.5_release_notes

Network Security Services (NSS) 3.15.5 is a patch release for NSS 3.15.

New functionality:
* Added support for the TLS application layer protocol negotiation
  (ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and
  SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both)
  should be used for application layer protocol negotiation.
* Added the TLS padding extension. The extension type value is 35655,
  which may change when an official extension type value is assigned
  by IANA. NSS automatically adds the padding extension to ClientHello
  when necessary.
* Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting
  the tail of a CERTCertList.

Notable Changes:
* Bug 950129: Improve the OCSP fetching policy when verifying OCSP
  responses
* Bug 949060: Validate the iov input argument (an array of PRIOVec
  structures) of ssl_WriteV (called via PR_Writev). Applications should
  still take care when converting struct iov to PRIOVec because the
  iov_len members of the two structures have different types
  (size_t vs. int). size_t is unsigned and may be larger than int.

Revision 1.31.2.1 / (download) - annotate - [select for diffs], Wed Jan 15 21:44:09 2014 UTC (8 years, 7 months ago) by tron
Branch: pkgsrc-2013Q4
Changes since 1.31: +4 -4 lines
Diff to previous 1.31 (colored) next main 1.32 (colored)

Pullup ticket #4301 - requested by ryoon
devel/nss: security update

Revisions pulled up:
- devel/nss/Makefile                                            1.75
- devel/nss/distinfo                                            1.32

---
   Module Name:	pkgsrc
   Committed By:	ryoon
   Date:		Wed Jan 15 14:38:53 UTC 2014

   Modified Files:
   	pkgsrc/devel/nss: Makefile distinfo

   Log Message:
   Update to 3.15.4

   Changelog:
   from: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes

   Security Advisories

   The following security-relevant bugs have been resolved in NSS 3.15.4.
   Users are encouraged to upgrade immediately.

   Bug 919877 - (CVE-2013-1740) When false start is enabled, libssl will
   sometimes return unencrypted, unauthenticated data from PR_Recv

   New in NSS 3.15.4
   New Functionality
       Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method.
       Implemented OCSP server functionality for testing purposes (httpserv utility).
       Support SHA-1 signatures with TLS 1.2 client authentication.
       Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database.
       Added the -w command-line option to pp: don't wrap long output lines.

   New Functions
       CERT_ForcePostMethodForOCSP
       CERT_GetSubjectNameDigest
       CERT_GetSubjectPublicKeyDigest
       SSL_PeerCertificateChain
       SSL_RecommendedCanFalseStart
       SSL_SetCanFalseStartCallback

   New Types
       CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST.

   New PKCS #11 Mechanisms
   None.

   Notable Changes in NSS 3.15.4

       Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices.
       Updated the set of root CA certificates (version 1.96).
       Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function.
       When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT build configuration, specify OS_TARGET=WINNT.

   Bugs fixed in NSS 3.15.4

   A complete list of all bugs resolved in this release can be obtained at
   https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.4&product=NSS

   Compatibility
   NSS 3.15.4 shared libraries are backward compatible with all older NSS 3.x
   shared libraries. A program linked with older NSS 3.x shared libraries will
   work with NSS 3.15.4 shared libraries without recompiling or relinking.
   Furthermore, applications that restrict their use of NSS APIs to the
   functions listed in NSS Public Functions will remain compatible with future
   versions of the NSS shared libraries.

Revision 1.32 / (download) - annotate - [select for diffs], Wed Jan 15 14:38:53 2014 UTC (8 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.31: +4 -4 lines
Diff to previous 1.31 (colored)

Update to 3.15.4

Changelog:
from: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes

Security Advisories

The following security-relevant bugs have been resolved in NSS 3.15.4.
Users are encouraged to upgrade immediately.

Bug 919877 - (CVE-2013-1740) When false start is enabled, libssl will
sometimes return unencrypted, unauthenticated data from PR_Recv


New in NSS 3.15.4
New Functionality
    Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method.
    Implemented OCSP server functionality for testing purposes (httpserv utility).
    Support SHA-1 signatures with TLS 1.2 client authentication.
    Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database.
    Added the -w command-line option to pp: don't wrap long output lines.

New Functions
    CERT_ForcePostMethodForOCSP
    CERT_GetSubjectNameDigest
    CERT_GetSubjectPublicKeyDigest
    SSL_PeerCertificateChain
    SSL_RecommendedCanFalseStart
    SSL_SetCanFalseStartCallback

New Types
    CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST.

New PKCS #11 Mechanisms
None.

Notable Changes in NSS 3.15.4

    Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices.
    Updated the set of root CA certificates (version 1.96).
    Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function.
    When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT build configuration, specify OS_TARGET=WINNT.

Bugs fixed in NSS 3.15.4

A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.4&product=NSS

Compatibility
NSS 3.15.4 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries will
work with NSS 3.15.4 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.

Revision 1.31 / (download) - annotate - [select for diffs], Sun Dec 15 14:21:01 2013 UTC (8 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q4-base
Branch point for: pkgsrc-2013Q4
Changes since 1.30: +4 -4 lines
Diff to previous 1.30 (colored)

Update to 3.15.3.1

Changelog:
New in NSS 3.15.3.1

New Functionality

No new major functionality is introduced in this release. This is
a patch release to revoke trust of a subordinate CA certificate
that was mis-used to generate a certificate used by a network
appliance.

Bugs fixed in NSS 3.15.3.1

    Bug 946351 - Misissued Google certificates from DCSSI

A complete list of all bugs resolved in this release can be obtained
at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3.1&product=NSS

Compatibility

NSS 3.15.3.1 shared libraries are backward compatible with all
older NSS 3.x shared libraries. A program linked with older NSS
3.x shared libraries will work with NSS 3.15.3.1 shared libraries
without recompiling or relinking. Furthermore, applications that
restrict their use of NSS APIs to the functions listed in NSS Public
Functions will remain compatible with future versions of the NSS
shared libraries.

Revision 1.30 / (download) - annotate - [select for diffs], Thu Nov 21 15:23:47 2013 UTC (8 years, 8 months ago) by ryoon
Branch: MAIN
Changes since 1.29: +4 -4 lines
Diff to previous 1.29 (colored)

Update to 3.15.3

Changelog:
Security Advisories

The following security-relevant bugs have been resolved in NSS 3.15.3. Users are encouraged to upgrade immediately.

    Bug 925100 - (CVE-2013-1741) Ensure a size is <= half of the maximum PRUint32 value
    Bug 934016 - (CVE-2013-5605) Handle invalid handshake packets
    Bug 910438 - (CVE-2013-5606) Return the correct result in CERT_VerifyCert on failure, if a verifyLog isn't used

New in NSS 3.15.3
New Functionality

No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1741, CVE-2013-5605 and CVE-2013-5606.
Bugs fixed in NSS 3.15.3

    Bug 850478 - List RC4_128 cipher suites after AES_128 cipher suites
    Bug 919677 - Don't advertise TLS 1.2-only ciphersuites in a TLS 1.1 ClientHello

A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3&product=NSS


Compatibility

NSS 3.15.3 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries will
work with NSS 3.15.3 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.

Revision 1.29 / (download) - annotate - [select for diffs], Tue Oct 15 16:10:33 2013 UTC (8 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.28: +4 -4 lines
Diff to previous 1.28 (colored)

Update to 3.15.2

Changelog:
Security Advisories

The following security-relevant bugs have been resolved in NSS 3.15.2. Users are encouraged to upgrade immediately.

    Bug 894370 - (CVE-2013-1739) Avoid uninitialized data read in the event of a decryption failure.

New in NSS 3.15.2
New Functionality

    AES-GCM Ciphersuites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support has been added when TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported:
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_RSA_WITH_AES_128_GCM_SHA256

New Functions

PK11_CipherFinal has been introduced, which is a simple alias for PK11_DigestFinal.
New Types

No new types have been introduced.
New PKCS #11 Mechanisms

No new PKCS#11 mechanisms have been introduced
Notable Changes in NSS 3.15.2

    Bug 880543 - Support for AES-GCM ciphersuites that use the SHA-256 PRF
    Bug 663313 - MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs, consistent with their handling for general certificate signatures.
    Bug 884178 - Add PK11_CipherFinal macro

Bugs fixed in NSS 3.15.2

    Bug 734007 - sizeof() used incorrectly
    Bug 900971 - nssutil_ReadSecmodDB() leaks memory
    Bug 681839 - Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished.
    Bug 848384 - Deprecate the SSL cipher policy code, as it's no longer relevant. It is no longer necessary to call NSS_SetDomesticPolicy because all cipher suites are now allowed by default.

A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.2&product=NSS&list_id=7982238
Compatibility

NSS 3.15.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.2 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.

Revision 1.28 / (download) - annotate - [select for diffs], Sat Jul 20 09:28:11 2013 UTC (9 years, 1 month ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q3-base, pkgsrc-2013Q3
Changes since 1.27: +14 -14 lines
Diff to previous 1.27 (colored)

Update to 3.15.1

Changelog:
NSS 3.15.1 release notes

Introduction

Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.1 are described in the "Bugs Fixed" section below.
Distribution Information

NSS 3.15.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download:

    Source tarballs:
    https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/

New in NSS 3.15.1
New Functionality

    TLS 1.2: TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations.
        The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1.
        AES GCM cipher suites are not yet supported.

New Functions

None.
New Types

    in sslprot.h
        SSL_LIBRARY_VERSION_TLS_1_2 - The protocol version of TLS 1.2 on the wire, value 0x0303.
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_NULL_SHA256 - New TLS 1.2 only HMAC-SHA256 cipher suites.
    in sslerr.h
        SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, SSL_ERROR_DIGEST_FAILURE, SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM - New error codes for TLS 1.2.
    in sslt.h
        ssl_hmac_sha256 - A new value in the SSLMACAlgorithm enum type.
        ssl_signature_algorithms_xtn - A new value in the SSLExtensionType enum type.

New PKCS #11 Mechanisms

None.
Notable Changes in NSS 3.15.1

    Bug 856060 - Enforce name constraints on the common name in libpkix  when no subjectAltName is present.
    Bug 875156 - Add const to the function arguments of SEC_CertNicknameConflict.
    Bug 877798 - Fix ssltap to print the certificate_status handshake message correctly.
    Bug 882829 - On Windows, NSS initialization fails if NSS cannot call the RtlGenRandom function.
    Bug 875601 - SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token delay, leading to spurious failures.
    Bug 884072 - Fix a typo in the header include guard macro of secmod.h.
    Bug 876352 - certutil now warns if importing a PEM file that contains a private key.
    Bug 565296 - Fix the bug that shlibsign exited with status 0 even though it failed.
    The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed.

Bugs fixed in NSS 3.15.1

    https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS

Compatibility

NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.



NSS 3.15 release notes

Introduction

The NSS team has released Network Security Services (NSS) 3.15, which is a minor release.
Distribution Information

The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer.

NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download:

    Source tarballs:
    https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/

New in NSS 3.15
New Functionality

    Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
    Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.
    Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
    certutil has been updated to support creating name constraints extensions.

New Functions

    in ssl.h
        SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension.
        SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension.
    in ocsp.h
        CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses.
    in secpkcs7.h
        SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time.
    in xconst.h
        CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
    in secitem.h
        SECITEM_AllocArray
        SECITEM_DupArray
        SECITEM_FreeArray
        SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays
        SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938.
    in pk11pub.h
        PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM.
        PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM.

New Types

    in secitem.h
        SECItemArray - Represents a variable-length array of SECItems.

New Macros

    in ssl.h
        SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE

Notable Changes in NSS 3.15

    SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code.

    NSS has migrated from CVS to the Mercurial source control management system.

    Updated build instructions are available at Migration to HG

    As part of this migration, the source code directory layout has been re-organized.

    The list of root CA certificates in the nssckbi module has been updated.

    The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache.

    Applications that use SSL_AuthCertificateHook to override the default handler should add appropriate calls to SSL_PeerStapledOCSPResponse and CERT_CacheOCSPResponseFromSideChannel.
    Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour.
    Bug 853285: Fixed bugs in AES GCM.
    Bug 341127: Fix the invalid read in rc4_wordconv.
    Faster NIST curve P-256 implementation.
    Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library libfreebl_32int_3.so is no longer produced.

Bugs fixed in NSS 3.15

This Bugzilla query returns all the bugs fixed in NSS 3.15:

https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15

Revision 1.27 / (download) - annotate - [select for diffs], Wed Feb 20 19:49:17 2013 UTC (9 years, 5 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2013Q2-base, pkgsrc-2013Q2, pkgsrc-2013Q1-base, pkgsrc-2013Q1
Changes since 1.26: +5 -6 lines
Diff to previous 1.26 (colored)

Update to 3.14.3

Changelog:
* Bugfixes
* Fix CVE-2013-1620.

Revision 1.26 / (download) - annotate - [select for diffs], Sat Jan 5 19:02:45 2013 UTC (9 years, 7 months ago) by ryoon
Branch: MAIN
Changes since 1.25: +5 -5 lines
Diff to previous 1.25 (colored)

Udate to 3.14.1

Changelog unknown.

Revision 1.25 / (download) - annotate - [select for diffs], Sat Dec 15 09:48:00 2012 UTC (9 years, 8 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q4-base, pkgsrc-2012Q4
Changes since 1.24: +4 -6 lines
Diff to previous 1.24 (colored)

Update to 3.14.0

Changelog:
The NSS team has released Network Security Services (NSS) 3.14, which is a minor release with the following new features:

    Support for TLS 1.1 (RFC 4346)
    Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
    Support for AES-CTR, AES-CTS, and AES-GCM
    Support for Keying Material Exporters for TLS (RFC 5705)

In addition to the above new features, the following major changes have been introduced:

    Support for certificate signatures using the MD5 hash algorithm is now disabled by default.
    The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL  2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explantation on GPL/LGPL compatibility, see security/nss/COPYING in the source code.
    Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default.

Revision 1.24 / (download) - annotate - [select for diffs], Mon Oct 1 11:29:35 2012 UTC (9 years, 10 months ago) by ryoon
Branch: MAIN
Changes since 1.23: +3 -1 lines
Diff to previous 1.23 (colored)

Fix build on OS X/Darwin.
Fix embedding @executable_path, and make package errors.

Revision 1.23 / (download) - annotate - [select for diffs], Sun Aug 12 15:29:16 2012 UTC (10 years ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q3-base, pkgsrc-2012Q3
Changes since 1.22: +4 -4 lines
Diff to previous 1.22 (colored)

Update to 3.13.6

* No API and ABI changes

Changelog:
unknown

Revision 1.22 / (download) - annotate - [select for diffs], Thu Jun 7 13:49:11 2012 UTC (10 years, 2 months ago) by ryoon
Branch: MAIN
CVS Tags: pkgsrc-2012Q2-base, pkgsrc-2012Q2
Changes since 1.21: +4 -4 lines
Diff to previous 1.21 (colored)

Update to 3.13.5

No ChangeLog is provided.

Revision 1.21 / (download) - annotate - [select for diffs], Wed Apr 18 21:01:42 2012 UTC (10 years, 4 months ago) by ryoon
Branch: MAIN
Changes since 1.20: +15 -15 lines
Diff to previous 1.20 (colored)

Update 3.13.4

* Change distfile to separated source.

Changelog is not shown.
Probably some bugs are fixed.

Tested on NetBSD/i386 6.99.4 and DragonFly/i386 3.0.1.

Revision 1.20, Sat Jan 16 14:41:25 2010 UTC (12 years, 7 months ago) by tnn
Branch: MAIN
CVS Tags: pkgsrc-2011Q4-base, pkgsrc-2011Q4, pkgsrc-2011Q2-base, pkgsrc-2011Q2
Changes since 1.19: +1 -1 lines
FILE REMOVED

- update to 3.12.4.5
- reach over to xulrunner, track the stable gecko release
- use external sqlite3
- cleanup
- take maintainership

This is the second part of PR pkg/42277.

Revision 1.19 / (download) - annotate - [select for diffs], Sun Oct 11 07:51:48 2009 UTC (12 years, 10 months ago) by sno
Branch: MAIN
CVS Tags: pkgsrc-2009Q4-base, pkgsrc-2009Q4
Changes since 1.18: +3 -1 lines
Diff to previous 1.18 (colored)

Fix nss build on FreeBSD

Revision 1.18 / (download) - annotate - [select for diffs], Wed Mar 21 06:53:25 2007 UTC (15 years, 5 months ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2009Q3-base, pkgsrc-2009Q3, pkgsrc-2009Q2-base, pkgsrc-2009Q2, pkgsrc-2009Q1-base, pkgsrc-2009Q1, pkgsrc-2008Q4-base, pkgsrc-2008Q4, pkgsrc-2008Q3-base, pkgsrc-2008Q3, pkgsrc-2008Q2-base, pkgsrc-2008Q2, pkgsrc-2008Q1-base, pkgsrc-2008Q1, pkgsrc-2007Q4-base, pkgsrc-2007Q4, pkgsrc-2007Q3-base, pkgsrc-2007Q3, pkgsrc-2007Q2-base, pkgsrc-2007Q2, pkgsrc-2007Q1-base, pkgsrc-2007Q1, cwrapper, cube-native-xorg-base, cube-native-xorg
Changes since 1.17: +4 -4 lines
Diff to previous 1.17 (colored)

Update to 3.11.5, security fix.

Revision 1.17 / (download) - annotate - [select for diffs], Sat Jan 20 18:55:09 2007 UTC (15 years, 7 months ago) by wiz
Branch: MAIN
Changes since 1.16: +10 -11 lines
Diff to previous 1.16 (colored)

Update to 3.11.4:

The following bugs have been fixed in NSS 3.11.4.

    * Bug 115951: freebl dynamic library is never unloaded by
      libsoftoken or libssl. Also tiny one-time leak in freebl's
      loader.c.
    * Bug 127960: SSL force handshake function should take a timeout.
    * Bug 335454: Unable to find library 'libsoftokn3.sl' on HP-UX 64 bit.
    * Bug 350200: Implement DHMAC based POP (ProofOfPossession).
    * Bug 351482: audit_log_user_message doesn't exist in all
      versions of libaudit.so.0. (the "paranoia patch")
    * Bug 352041: oom [@ CERT_DecodeDERCrlWithFlags] "extended"
      tracked as NULL was dereferenced.
    * Bug 353422: Klocwork bugs in nss/lib/crmf.
    * Bug 353475: Cannot run cmd tools compiled with VC++ 2005.
    * Bug 353572: leak in sftk_OpenCertDB.
    * Bug 353608: NSS_RegisterShutdown may fail, and appData argument
      to callbacks is always NULL.
    * Bug 353749: PowerUpSelf tests update for DSA and ECDSA KAT.
    * Bug 353896: Building tip with NSS_ECC_MORE_THAN_SUITE_B causes
      crashes in all.sh.
    * Bug 353910: memory leak in RNG_RNGInit.
    * Bug 354313: STAN_GetCERTCertificateName leaks "instance" struct.
    * Bug 354384: vfyserv shutdown failure when client auth requested.
    * Bug 354900: Audit modifications, accesses, deletions, and
      additions of cryptographic keys.
    * Bug 355297: Improve the very first RNG_RandomUpdate call.
    * Bug 356073: C_GetTokenInfo should return CKR_CRYPTOKI_NOT_INITIALIZED
      if not initialized.
    * Bug 356309: CertVerifyLog in CERT_VerifyCertificate terminates
      early on expired certs.
    * Bug 357197: OCSP response code fails to match CERTIds. (hot fix only)
    * Bug 359484: FireFox 2 tries to negotiate ECC cipher suites
      using ssl2 client hello. (hot fix only)
    * Bug 360818: No RPATH set for signtool and signver.

Revision 1.16 / (download) - annotate - [select for diffs], Mon Nov 20 17:06:03 2006 UTC (15 years, 9 months ago) by riz
Branch: MAIN
CVS Tags: pkgsrc-2006Q4-base, pkgsrc-2006Q4
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

Fix up DYLD_LIBRARY_PATH so that MacOS X looks for nspr in the correct
place.

Revision 1.15 / (download) - annotate - [select for diffs], Sun Oct 22 15:32:47 2006 UTC (15 years, 9 months ago) by dmcmahill
Branch: MAIN
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored)

Various solaris fixes.  In particular:
- when building with gcc, the solaris /usr/ccs/bin/as assembler is still
  used in a couple of places but the correct flags aren't set.
- The object directory has a different name when building with gcc instead
  of the sun studio compilers.
- There are a couple of libs which are installed that aren't part of the install
  for other systems (freebl).

Revision 1.14 / (download) - annotate - [select for diffs], Wed Jul 12 16:32:00 2006 UTC (16 years, 1 month ago) by rillig
Branch: MAIN
CVS Tags: pkgsrc-2006Q3-base, pkgsrc-2006Q3
Changes since 1.13: +1 -2 lines
Diff to previous 1.13 (colored)

Removed patch-am, which had been added accidentally. The problem that it
tried to solve is properly fixed by patch-an.

Revision 1.13 / (download) - annotate - [select for diffs], Wed Jul 12 16:30:03 2006 UTC (16 years, 1 month ago) by rillig
Branch: MAIN
Changes since 1.12: +10 -11 lines
Diff to previous 1.12 (colored)

Updated nss to 3.11.

No ChangeLog available, but some libraries have changed:
- removed libfort
- added libfreebl3
- removed libswft

Revision 1.12 / (download) - annotate - [select for diffs], Wed Jul 12 15:38:28 2006 UTC (16 years, 1 month ago) by rillig
Branch: MAIN
Changes since 1.11: +13 -13 lines
Diff to previous 1.11 (colored)

Fixed most pkglint warnings.

Revision 1.11 / (download) - annotate - [select for diffs], Tue Jul 4 22:27:43 2006 UTC (16 years, 1 month ago) by rillig
Branch: MAIN
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored)

Oops. I had better not removed the leading "@" from a line in the
Makefile. It resulted in some output being re-read by make, which in
turn resulted in damaged shell commands. Thanks to wiz for notifying me.

Revision 1.10 / (download) - annotate - [select for diffs], Sun Jul 2 12:40:41 2006 UTC (16 years, 1 month ago) by rillig
Branch: MAIN
Changes since 1.9: +2 -1 lines
Diff to previous 1.9 (colored)

Added a patch so that the package works with GNU Make 3.81 again.

Revision 1.9 / (download) - annotate - [select for diffs], Sun Jun 25 15:25:35 2006 UTC (16 years, 1 month ago) by wiz
Branch: MAIN
CVS Tags: pkgsrc-2006Q2-base, pkgsrc-2006Q2
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored)

Better fix for gcc4 build problem, suggested by martin@.

Revision 1.8 / (download) - annotate - [select for diffs], Sun Jun 25 14:53:00 2006 UTC (16 years, 1 month ago) by wiz
Branch: MAIN
Changes since 1.7: +4 -3 lines
Diff to previous 1.7 (colored)

Add patch to fix compilation on NetBSD-current.

Revision 1.7 / (download) - annotate - [select for diffs], Sun Jan 15 16:09:21 2006 UTC (16 years, 7 months ago) by joerg
Branch: MAIN
CVS Tags: pkgsrc-2006Q1-base, pkgsrc-2006Q1
Changes since 1.6: +3 -1 lines
Diff to previous 1.6 (colored)

Strip everything after the first hyphen to match OS_VERSION in
pkgsrc for DragonFly. Inspired by PR 32230.

Revision 1.6 / (download) - annotate - [select for diffs], Thu Aug 25 00:11:01 2005 UTC (16 years, 11 months ago) by reed
Branch: MAIN
CVS Tags: pkgsrc-2005Q4-base, pkgsrc-2005Q4, pkgsrc-2005Q3-base, pkgsrc-2005Q3
Changes since 1.5: +1 -2 lines
Diff to previous 1.5 (colored)

Only for Linux, FreeBSD, DragonFly and NetBSD for now.  NSS will
build and run on other platforms when MAINTAINER knows what magic
Makefile glue is required.  This is from maintainer's discussion
on tech-pkg.

Remove patch-af. Use LD_LIBS instead, which the build already knows
about.

Add custom settings for above platforms so they install correctly.
Idea provided by maintainer on tech-pkg. I tweaked it more.
I tested on NetBSD 2.0.2, Linux and DragonFly.

Also remove blank line from end of Makefile.

Revision 1.5 / (download) - annotate - [select for diffs], Fri Aug 12 20:11:26 2005 UTC (17 years ago) by reed
Branch: MAIN
Changes since 1.4: +4 -2 lines
Diff to previous 1.4 (colored)

Add patch-ah and patch-ai and update patch-ae for DragonFly support.

This is from PR #30711.

Note that I didn't test on DragonFly.

Also note that this is still incomplete for DragonFly -- it needs
the mk file too.

Revision 1.4 / (download) - annotate - [select for diffs], Wed Feb 23 22:24:22 2005 UTC (17 years, 5 months ago) by agc
Branch: MAIN
CVS Tags: pkgsrc-2005Q2-base, pkgsrc-2005Q2, pkgsrc-2005Q1-base, pkgsrc-2005Q1
Changes since 1.3: +2 -1 lines
Diff to previous 1.3 (colored)

Add RMD160 digests.

Revision 1.3 / (download) - annotate - [select for diffs], Wed Feb 9 16:19:35 2005 UTC (17 years, 6 months ago) by jschauma
Branch: MAIN
Changes since 1.2: +2 -1 lines
Diff to previous 1.2 (colored)

Add a patch needed on OS/versions that don't have native pthreads.
Patch provided by Matthew Luckie
Bump PKGREVISION.

Revision 1.2 / (download) - annotate - [select for diffs], Thu Feb 3 18:05:40 2005 UTC (17 years, 6 months ago) by jschauma
Branch: MAIN
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)

We can't install these libraries into ${PREFIX}/lib, since mozilla
browsers might then falsely load these instead of their own.
So: Install the libraries into their own directory.
Bump PKGREVISION.

Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Tue Feb 1 21:51:12 2005 UTC (17 years, 6 months ago) by jschauma
Branch: TNF
CVS Tags: pkgsrc-base
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)

Initial import of devel/nss from pkgsrc-wip, provided by matthewluckie:

Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled server applications.
Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7,
PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security
standards.

Revision 1.1 / (download) - annotate - [select for diffs], Tue Feb 1 21:51:12 2005 UTC (17 years, 6 months ago) by jschauma
Branch: MAIN

Initial revision

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>