Skip to content

Changelog nss (2:3.49.1-1ubuntu1+9.0trisquel1)

2020

nss (2:3.49.1-1ubuntu1+9.0trisquel1) etiona-backports; urgency=medium

   * Backported from Focal

nss (2:3.49.1-1ubuntu1) focal; urgency=medium

   * Merge with Debian unstable. Remaining changes:
     - d/libnss3.links: make freebl3 available as library (LP #1744328)
     - d/control: add dh-exec to Build-Depends
     - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
     - Disable reading fips_enabled flag in FIPS mode. libnss is
       not a FIPS certified library. (LP #1837734)
     - Set TLSv1.2 as minimum TLS version. LP #1856428

nss (2:3.49.1-1) unstable; urgency=medium

   * New upstream release.
   * nss/lib/freebl/Makefile: Revert change from 2:3.48-1.
   * nss/coreconf/config.gypi, nss/lib/freebl/Makefile,
     nss/lib/freebl/aes-armv8.c, nss/lib/freebl/freebl.gyp,
     nss/lib/freebl/gcm-arm32-neon.c, nss/lib/freebl/gcm.c,
     nss/lib/freebl/rijndael.c: Fix freebl arm NEON code use, fixing FTBFS
     on armhf, and enabling runtime detection of NEON on armel. bz#1608327

nss (2:3.49-1) unstable; urgency=medium

   * New upstream release.
   * Fixes CVE-2019-17023.

2019

nss (2:3.48-1ubuntu1) focal; urgency=low

   * Merge from Debian unstable.  Remaining changes:
     - d/libnss3.links: make freebl3 available as library (LP #1744328)
     - d/control: add dh-exec to Build-Depends
     - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
     - Disable reading fips_enabled flag in FIPS mode. libnss is
       not a FIPS certified library. (LP #1837734)
   * Set TLSv1.2 as minimum TLS version. LP: #1856428

nss (2:3.48-1) unstable; urgency=medium

   * New upstream release. Closes: #947131.
   * debian/control: Bump nspr build dependency to 4.24.
   * nss/lib/freebl/Makefile: Disable hardware AES on ARM softfloat to fix
     FTBFS on armel. Closes: #947246.

nss (2:3.47.1-1) unstable; urgency=medium

   * New upstream release.
     - Fixes CVE-2019-11745.

nss (2:3.47-1ubuntu2) focal; urgency=medium

   * SECURITY UPDATE: out-of-bounds write in NSC_EncryptUpdate
     - debian/patches/CVE-2019-11745.patch: use maxout not block size in
       nss/lib/softoken/pkcs11c.c.
     - CVE-2019-11745

nss (2:3.47-1ubuntu1) focal; urgency=medium

   * Merge with Debian unstable. Remaining changes:
     - d/libnss3.links: make freebl3 available as library (LP #1744328)
     - d/control: add dh-exec to Build-Depends
     - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
     - Disable reading fips_enabled flag in FIPS mode. libnss is
       not a FIPS certified library. (LP #1837734)

nss (2:3.47-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3_47 symbol version.

nss (2:3.45-1ubuntu2) eoan; urgency=medium

   * Disable reading fips_enabled flag in FIPS mode. libnss is
     not a FIPS certified library. (LP: #1837734)

nss (2:3.45-1ubuntu1) eoan; urgency=low

   * Merge from Debian unstable.  Remaining changes:
     - d/libnss3.links: make freebl3 available as library (LP 1744328)
     - d/control: add dh-exec to Build-Depends
     - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)

nss (2:3.45-1) unstable; urgency=medium

   * New upstream release.
     - Fixes CVE-2019-11727 and CVE-2019-11719.
   * debian/libnss3.symbols: Add NSS_3_45 symbol version.

nss (2:3.44+really3.42.1-2) unstable; urgency=medium

   * debian/rules: Fix version exposed in nss-config and nss.pc.

nss (2:3.44.0-1) experimental; urgency=medium

   * debian/libnss3.symbols:
     - Update the version needed for
     SSL_Get{CipherSuite,Channel,PreliminaryChannel}Info.
     - Adjust versions so that 3.44+really3.42.1-1 is considered older where it
     matters.

nss (2:3.44+really3.42.1-1) unstable; urgency=medium

   * Reverse to 3.42.1. Building against 3.44 induces some behavior
     differences when running against older versions, which could normally
     be solved with updates to the symbols file, but since 3.44 is not meant
     to ship in Buster, avoid disruption for nss reverse dependencies until
     Buster is released by going back to previous version.

nss (2:3.44-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3_43 and NSS_3_44 symbol versions.

nss (2:3.42.1-1) unstable; urgency=medium

   * New upstream release.
     - Fixes CVE-2018-18508. Closes: #921614.

nss (2:3.42-1ubuntu2) disco; urgency=medium

   * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
     - debian/patches/CVE-2018-18508-1.patch: add null checks in
       nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c,
       nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c,
       nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
     - debian/patches/CVE-2018-18508-2.patch: add null checks in
       nss/lib/smime/cmsmessage.c.
     - CVE-2018-18508

nss (2:3.42-1ubuntu1) disco; urgency=medium

   * Merge with Debian unstable (LP: #1813593). Remaining changes:
     - d/libnss3.links: make freebl3 available as library (LP 1744328)
     - d/control: add dh-exec to Build-Depends
     - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)

nss (2:3.42-1) unstable; urgency=medium

   * New upstream release.

2018

nss (2:3.41-1) unstable; urgency=medium

   * New upstream release.

nss (2:3.40-1) unstable; urgency=medium

   * New upstream release.

nss (2:3.39-1ubuntu1) disco; urgency=medium

   * Merge with Debian unstable. Remaining changes (LP: #1803707):
     - d/libnss3.links: make freebl3 available as library (LP 1744328)
       - d/control: add dh-exec to Build-Depends
       - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
   * Dropped changes:
     - d/rules: when building with -O3 on ppc64el this FTBFS, build with
       -Wno-error=maybe-uninitialized to avoid that

nss (2:3.39-1) unstable; urgency=medium

   * New upstream release.
     - Fixes CVE-2018-12384. Closes: #908332.
   * debian/libnss3.symbols: Add NSS_3_39 and NSSUTIL_3_39 symbol versions.

nss (2:3.38-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSSUTIL_3_38 symbol version.

nss (2:3.37.1-1) unstable; urgency=medium

   * New upstream release.
   * nss/lib/freebl/Makefile: Build FStar.c when not building with int128
     support. bz#1459739. Closes: #900227

nss (2:3.37-1) unstable; urgency=medium

   * New upstream release. Fixes: #898496.
   * debian/control, debian/rules: Generate dbgsym package.AA
   * debian/copyright: Switch to machine-readable format.
   * debian/control: Bump Standards-Version to 4.1.4.

nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium

   * Merge with Debian unstable. Remaining changes:
     - d/libnss3.links: make freebl3 available as library (LP 1744328)
       - d/control: add dh-exec to Build-Depends
       - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
     - d/rules: when building with -O3 on ppc64el this FTBFS, build with
       -Wno-error=maybe-uninitialized to avoid that
   * Dropped changes:
     - revert switching to SQL default format (LP: 1746947) Dropping this
       adresses (LP: #1747411) and effectively means we now switch to the new
       default format after we ensured all depending packages are ready.
   * Added changes:
     - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el

nss (2:3.36.1-1) unstable; urgency=medium

   * New upstream release.
   * debian/control: Update Maintainer and Vcs fields, moving off alioth.

nss (2:3.36-1) unstable; urgency=medium

   * New upstream release. Closes: #894981.

nss (2:3.35-2ubuntu2) bionic; urgency=medium

   * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the
     default is still causing too much issues in consumers of nss.
     So until resolved revert the switched default (LP: #1746947)

nss (2:3.35-2ubuntu1) bionic; urgency=medium

   * Merge with Debian unstable. Remaining changes:
     - When building with -O3, build with -Wno-error=maybe-uninitialized.
   * Added Changes:
     - d/libnss3.links: make freebl3 available as library (LP: #1744328)
       + d/control: add dh-exec to Build-Depends
       + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)

nss (2:3.35-2) unstable; urgency=medium

   * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.

nss (2:3.35-1) unstable; urgency=medium

   * New upstream release.

nss (2:3.34.1-1) unstable; urgency=medium

   * New upstream release.

2017

nss (2:3.34-1ubuntu1) bionic; urgency=medium

   * Merge with Debian; remaining changes:
     - When building with -O3, build with -Wno-error=maybe-uninitialized.

nss (2:3.34-1) unstable; urgency=medium

   * New upstream release:
     - Really build without -maes on i386. Closes: #875694.
   * debian/libnss3.symbols: Add NSS_3_34 symbol version.

nss (2:3.33-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3_33 and NSSUTIL_3.33 symbol versions.

nss (2:3.32-2) unstable; urgency=medium

   * nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc: Fix possibly uninitialized
     value 'curve'. bz#1389263. Closes: #871691.
   * lib/freebl/Makefile: Only build gcm.c and rijndael.c with -maes.
     Closes: #871700.

nss (2:3.32-1ubuntu3) artful; urgency=medium

   * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes
     - debian/patches/CVE-2017-7805.patch: Simplify handling of
       CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h.
     - CVE-2017-7805

nss (2:3.32-1ubuntu2) artful; urgency=medium

   * Initialise curve variable in a test file, resolves FTBFS.

nss (2:3.32-1ubuntu1) artful; urgency=medium

   * Merge with Debian; remaining changes:
     - When building with -O3, build with -Wno-error=maybe-uninitialized.

nss (2:3.32-1) unstable; urgency=medium

   * New upstream release.

nss (2:3.31-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3_31 and NSSUTIL_3.31 symbol versions.

nss (2:3.30.2-1) experimental; urgency=medium

   * New upstream release.

nss (2:3.30.1-1) experimental; urgency=medium

   * New upstream release.

nss (2:3.30-1) experimental; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3.30 and NSS_3.30.0.1 symbol versions.

nss (2:3.29.1-1) experimental; urgency=medium

   * New upstream release.

nss (2:3.29-1) experimental; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSSUTIL_3.25 symbol version.

nss (2:3.28.1-1) experimental; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3.28 symbol version.

2016

nss (2:3.27.1-1) experimental; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3.27 symbol version.

nss (2:3.28.4-0ubuntu2) artful; urgency=medium

   * SECURITY UPDATE: DoS via empty SSLv2 messages
     - debian/patches/CVE-2017-7502.patch: reject broken v2 records in
       nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h,
       added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc,
       nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn,
       nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
     - CVE-2017-7502

nss (2:3.28.4-0ubuntu1) artful; urgency=medium

   * Updated to upstream 3.28.4 to fix security issues and get a new CA
     certificate bundle.
   * SECURITY UPDATE: DES and Triple DES ciphers birthday attack
     - CVE-2016-2183
   * SECURITY UPDATE: out-of-bounds write in Base64 decoding
     - CVE-2017-5461
   * debian/patches/*.patch: refreshed for new version.
   * debian/control: bump libnspr4-dev to 4.13.1.
   * debian/libnss3.symbols: added new symbols.

nss (2:3.26.2-1ubuntu1) zesty; urgency=medium

   * Merge with Debian; remaining changes:
     - When building with -O3, build with -Wno-error=maybe-uninitialized.

nss (2:3.26.2-1) unstable; urgency=medium

   * New upstream release.

nss (2:3.26-2) unstable; urgency=medium

   * debian/libnss3.symbols: SSL_GetCipherSuiteInfo and SSL_GetChannelInfo need
     newer versions despite the symbol versions.

nss (2:3.26-1ubuntu1) yakkety; urgency=medium

   * Merge with Debian; remaining changes:
     - When building with -O3, build with -Wno-error=maybe-uninitialized.

nss (2:3.26-1) unstable; urgency=medium

   * New upstream release.
   * debian/watch: Update such that uscan --download-version works.
   * debian/control, debian/libnss3-1d.*, debian/libnss3.symbols: Remove the
     libnss3-1d* transitional packages.
   * debian/rules:
     - Always set CCC to CXX. Thanks Helmut Grohne. Closes: #806292.
     - Override KERNEL when cross building for a different OS. Closes: #810579.
   * debian/control: Split Depends/Build-Depends/Conflicts. Thanks Guido Günther.
     Closes: #806634.

nss (2:3.25-1ubuntu1) yakkety; urgency=medium

   * When building with -O3, build with -Wno-error=maybe-uninitialized.

nss (2:3.25-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols, debian/rules: Add the new libfreeblpriv3 library.
   * debian/libnss3.symbols: Add NSS_3.24 and NSSUTIL_3.24 symbol versions.

nss (2:3.23-2) unstable; urgency=medium

   * debian/control, debian/rules: Leave it to dh_makeshlibs to do the right
     thing wrt ldconfig. This requires debhelper 9.20160403. Closes: #811124.

nss (2:3.23-1) unstable; urgency=medium

   * New upstream release.
   * Fixes mfsa2016-{35-36} also known as CVE-2016-1950 and CVE-2016-1979.
   * debian/control: Bump nspr build dependency to 2:4.12.
   * debian/libnss3.symbols: Add NSS_3.22 and NSS_3.23 symbol versions.

nss (2:3.21-1.1) unstable; urgency=medium

   * Non-maintainer upload.
   * Fix FTBFS on x32. Closes: #699217
   * Fix FTBFS on hppa. Closes: #808990

2015

nss (2:3.21-1) unstable; urgency=medium

   * New upstream release.
   * nss/lib/ssl/sslsock.c: Disable transitional scheme for SSL renegotiation.
     5 years after the transition started, it shouldn't be necessary anymore.
   * nss/lib/ckfw/builtins/certdata.txt: Remove the SPI CA.
   * nss/lib/util/secload.c: Fix a warning introduced by our patch to this file.
   * debian/libnss3.symbols: Add NSS_3.21 symbol versions.

nss (2:3.20.1-1) unstable; urgency=high

   * New upstream release.
   * Fixes mfsa2015-133. also known as CVE-2015-7181 and CVE-2015-7182.

nss (2:3.20-1) unstable; urgency=medium

   * New upstream release.
   * Removed patch for __DATE__ and __TIME__ references from 2:3.19.1-1 because
     the parts that matter were applied upstream.
   * debian/rules: Move USE_64 to common make flags, and always use
     DEB_HOST_ARCH_BITS since it's even supported by dpkg in oldstable, now.
   * debian/libnss3.symbols: Add NSS_3.20 symbol versions.

nss (2:3.19.2-1) unstable; urgency=medium

   * New upstream release.
   * debian/rules: Force set OS_TEST to DEB_HOST_GNU_CPU to avoid it defaulting
     to `uname -m`. Thanks Helmut Grohne. Closes: #788452

nss (2:3.19.1-2) unstable; urgency=medium

   * debian/control: Fix Vcs-Git url.
   * nss/cmd/shlibsign/manifest.mn: Fix missing LIBRARY_VERSION.
   * nss/cmd/shlibsign/shlibsign.c: Fix shlibsign on arm64.

nss (2:3.19.1-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols:
     - Add NSS_3.19.1 symbol versions.
     - Reorder and replace *@ with (symver).
   * debian/rules:
     - Pass multi-arch dir for NSPR_LIB_DIR. Closes: #722811.
     - Set umask when calling shlibsign, and rearrange how it's being called.
     - Build nsinstall separately and set things up for cross-compilations.
     - Use native shlibsign when cross-compiling.
     - Do not run FIPS check on cross-builds.
   * debian/control: Build depend on native libnss3-tools for cross builds.
     Closes: #682926.
   * debian/libnss3-tools.manpages, debian/rules: Install the manpages that
     are now provided upstream. Closes: #505382.
   * debian/control: Update Vcs-* urls.
   * debian/control: Bump Standards-Version to 3.9.6.0. No changes required.
   * nss/lib/ckfw/builtins/binst.c, nss/lib/ckfw/builtins/ckbiver.c,
     nss/lib/ckfw/builtins/manifest.mn, nss/lib/ckfw/capi/ckcapiver.c,
     nss/lib/ckfw/capi/manifest.mn, nss/lib/ckfw/nssmkey/ckmkver.c,
     nss/lib/ckfw/nssmkey/manifest.mn, nss/lib/freebl/freeblver.c,
     nss/lib/freebl/ldvector.c, nss/lib/freebl/manifest.mn,
     nss/lib/nss/manifest.mn, nss/lib/nss/nssinit.c, nss/lib/nss/nssver.c,
     nss/lib/smime/manifest.mn, nss/lib/smime/smimeutil.c,
     nss/lib/smime/smimever.c, nss/lib/softoken/legacydb/lginit.c,
     nss/lib/softoken/manifest.mn, nss/lib/softoken/pkcs11.c,
     nss/lib/softoken/softkver.c, nss/lib/ssl/manifest.mn,
     nss/lib/ssl/sslcon.c, nss/lib/ssl/sslver.c, nss/lib/util/secoid.c: Remove
     __DATE__ and __TIME__ references.
   * nss/cmd/shlibsign/Makefile, nss/cmd/shlibsign/manifest.mn,
     nss/cmd/shlibsign/shlibsign.c: Fix shlibsign to properly load the sotfoken
     module.
   * debian/rules: Remove debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss from
     LD_LIBRARY_PATH when executing shlibsign, which can be done now with the
     fix above.

nss (2:3.19-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3.19 symbol versions.

nss (2:3.18-1) experimental; urgency=medium

   * New upstream release. Closes: #782874.
   * debian/libnss3.symbols: Add NSS_3.18 symbol versions.

nss (2:3.17.4-1) experimental; urgency=medium

   * New upstream release.
   * Acknowledge NMU.

2014

nss (2:3.17.2-1.1) unstable; urgency=medium

   * Non-maintainer upload.
   * Fix CVE-2014-1569. Closes: #773625.

nss (2:3.17.2-1) unstable; urgency=medium

   * New upstream release.

nss (2:3.17.1-1) unstable; urgency=high

   * New upstream release.
     - Fixes CVE-2014-1568.
     - Add support for ppc64el, with a non-broken patch. Closes: #745757.
   * debian/libnss3.symbols: Add NSSUTIL_3.17.1 symbol versions.

nss (2:3.17-1) unstable; urgency=medium

   * New upstream release.
   * nss/coreconf/Linux.mk: Actually add support for ppc64el. Closes: #745757.

nss (2:3.16.3-1.1) unstable; urgency=low

   * Non-maintainer upload to delayed.
   * Add support for ppc64el. Closes: #745757

nss (2:3.16.3-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3.16.2 symbol versions.

nss (2:3.16.1-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3.16.1 symbol versions.

nss (2:3.16-1) unstable; urgency=medium

   * New upstream release.
   * debian/libnss3.symbols: Add NSS_3.16 symbol versions.
   * nss/lib/ckfw/builtins/certdata.txt: Remove CACert root certificates.

nss (2:3.15.4-2) unstable; urgency=high

   * Upstream release 3.15.4 fixed MFSA-2014-12, also known as CVE-2014-1490
     and CVE-2014-1491. Bumping urgency as such.
   * debian/control, debian/libnss3-nssdb.*, debian/pkcs11.txt, debian/rules:
     Revert changes from 2:3.15.4-1. Reopens: #537866, Closes: #735329, #736061.

nss (2:3.15.4-1) unstable; urgency=low

   * New upstream release.
   * Acknowledge NMU.
   * debian/rules: Avoid long one-liner with semi-colons.
   * debian/patches/*:  Refresh patches.
   * debian/copyright: Update. Closes: #730428.
   * debian/control, debian/libnss3-nssdb.*, debian/pkcs11.txt, debian/rules:
     Add shared cert and key databases. Thanks Timo Aaltonen. Closes: #537866.
   * debian/rules: Use DEB_HOST_ARCH instead of DEB_BUILD_ARCH.
   * debian/control: Mark libnss3-dev as Multi-Arch: same. Thanks Shawn
     Landden. Closes: #682925.
   * debian/libnss3.symbols: Add NSS_3.15.4 symbol versions.

nss (2:3.15.3.1-1.1) unstable; urgency=low

   * Non-Maintainer Upload
    - ship extra NSS utilities (Closes: #701141)

2013

nss (2:3.15.3.1-1) unstable; urgency=high

   * New upstream release.
     - Distrusts AC DG Tresor SSL CA.

nss (2:3.15.3-1) unstable; urgency=high

   * New upstream release.
     - Fixes CVE-2013-1741, CVE-2013-5605, CVE-2013-5606.

nss (2:3.15.2-1) unstable; urgency=low

   * New upstream release.
     - Fixes CVE-2013-1739. Closes: #726473.

nss (2:3.15.1-1) unstable; urgency=low

   * New upstream release.
   * debian/patches/*:  Refresh patches.
   * debian/patches/lower-dhe-priority.patch: Removed, as it was only necessary
     for Iceweasel 3.5, which is long gone.

nss (2:3.15-1) unstable; urgency=low

   * New upstream release.
   * debian/patches/*: Refresh patches and removed unused ones.
   * debian/rules: Adjusted to the new source layout.
   * debian/libnss3.symbols: Add NSS*_3.15 symbol versions.
   * debian/control: Bump nspr build dependency.

nss (2:3.14.3-1) unstable; urgency=high

   * New upstream release.
     - Fixes TLS timing attack (luck 13). Closes: #699888.
   * debian/libnss3.symbols: Add NSS_3.14.3 symbol version.
   * debian/control: Unbump sqlite3 build dependency, 3.14.3 lifted the need
     for sqlite 3.7.15.

nss (2:3.14.2-1) unstable; urgency=low

   * New upstream release.
   * debian/control: Bump sqlite3 build dependency.
   * debian/rules: Avoid installing freebl, softokn, nssckbi and nssdbm in two
     places.
   * debian/libnss3-1d.lintian-overrides.in: Stop preprocessing, it has nothing
     to preprocess anymore.
   * debian/libnss3.lintian-overrides.in: Fix not to contain a reference to the
     libnss3-1d package.

nss (2:3.14.1.with.ckbi.1.93-1) unstable; urgency=low

   * New upstream release.
     - Explicitly distrust two intermediate CA certificates mis-issued by
       TURKTRUST.
   * debian/patches/95_add_spi+cacert_ca_certs.patch: Refreshed.

2012

nss (2:3.14.1-1) unstable; urgency=low

   * New upstream release.
   * debian/patches: Removed patches applied upstream, and refreshed
     the others.
   * debian/libnss3.symbols: Updated for new symbols.

nss (2:3.14-2) unstable; urgency=low

   * debian/nss-config.in: Fix nss-config when version is in the x.y form
     instead of x.y.z.

nss (2:3.14-1) unstable; urgency=low

   * New upstream release.
   * debian/patches: Removed patches applied upstream, and refreshed
     the others.
   * debian/libnss3.symbols: Updated for new symbols.

nss (2:3.13.6-1) unstable; urgency=low

   * New upstream release.
   * debian/rules: Use xz compression for binary packages.
     Thanks Ansgar Burchardt. Closes: #683835.

nss (2:3.13.5-1) unstable; urgency=low

   * New upstream release.

nss (2:3.13.4-3) unstable; urgency=low

   * debian/rules: Skip epoch when getting upstream version number.

nss (2:3.13.4-2) unstable; urgency=low

   * debian/control, debian/libnss3*, debian/rules,
     mozilla/security/coreconf/*, mozilla/security/nss/lib/*/manifest.mn:
     Move to unversioned library. ABI compatibility is ensured upstream, and
     the SO version, if it needed a change at any time, would be a change in
     the library name. There is no reason to keep making compatibility more
     difficult with other distros and upstream binary releases. While previous
     versions were one-way compatible (binaries built against other distros or
     upstream nspr could work on Debian), this approach works both ways.
   * debian/control:
     - Bump Standards-Version to 3.9.3.0. No changes required.
     - Force to build against libnspr4-dev >= 2:4.9
   * Removed unapplied patches.
   * Adding an epoch to match the old libnss3 package that used to be in
     the Debian archive.

nss (3.13.4-1) unstable; urgency=low

   * New upstream release.
     - Changed __GNUC_MINOR__ use in pkcs11n.h. Closes: #650319.
   * mozilla/security/nss/cmd/certcgi/certcgi.c,
     mozilla/security/nss/cmd/digest/digest.c,
     mozilla/security/nss/cmd/signver/pk7print.c: Import patch from Moritz
     Muehlenhoff for hardened format strings.
   * debian/make.mk, debian/rules, debian/control: Enable hardening.
     Closes: #657325.
   * debian/libnss3-1d.lintian-overrides.in, debian/rules: Use wildcards in
     lintian override. Closes: #670013.
   * debian/compat, debian/control: Bump debian/compat to 9. This has the
     effect of using build-id for debug files, thus Closes: #670015.
   * debian/libnss3-1d.symbols: Add symbols for /usr/lib/nss/ libraries.

nss (3.13.3-1) unstable; urgency=low

   * New upstream release.
   * debian/libnss3-1d.symbols: Updated to fit new upstream.

2011

nss (3.13.2~beta1-3) experimental; urgency=low

   * debian/libnss3-1d.symbols: Fix symbol version for the symbol added in
     -2.

nss (3.13.2~beta1-2) experimental; urgency=low

   * mozilla/security/nss/lib/ssl/*,
     mozilla/security/nss/cmd/tstclnt/tstclnt.c,
     mozilla/security/nss/tests/ssl/ssl.sh: Apply patches from bz#542832,
     required for Iceweasel 11.
   * debian/libnss3-1d.symbols: Add corresponding symbol.

nss (3.13.2~beta1-1) experimental; urgency=low

   * New upstream snapshot, picked from NSS_3_13_2_BETA1 cvs tag.
   * debian/libnss3-1d.symbols: Add NSS 3.13.2 symbols.

nss (3.13.1.with.ckbi.1.88-1) unstable; urgency=low

   * New upstream release.
     - Distrusts malaysian Digicert Sdn. Bhd CA certificate.
     - Addresses CVE-2011-3640 (Untrusted search path vulnerability).
       Closes: #647614.
   * debian/patches/*: Refreshed patches.
   * debian/libnss3-1d.symbols: Add NSS 3.13 symbols.

nss (3.12.11-3) unstable; urgency=high

   * mozilla/security/nss/lib/ckfw/builtins/certdata.*:
     Explicitely distrust various DigiNotar CAs:
     - DigiNotar Root CA
     - DigiNotar Services 1024 CA
     - DigiNotar Cyber CA
     - DigiNotar Cyber CA 2nd
     - DigiNotar PKIoverheid
     - DigiNotar PKIoverheid G2

nss (3.12.11-2) unstable; urgency=high

   * mozilla/security/nss/lib/ckfw/builtins/certdata.*:
     Remove DigiNotar Root CA.

nss (3.12.11-1) unstable; urgency=low

   * New upstream release.
   * mozilla/security/nss/lib/ckfw/builtins/certdata.*,
   * mozilla/security/coreconf/{config,Linux}.mk: Refreshed.
   * debian/copyright: Update dbm license according to that in the source.
     Closes: #624310

nss (3.12.10-3) unstable; urgency=low

   * debian/nss-config.in, debian/nss.pc.in, debian/rules: Return the multiarch
     path in nss-config and nss.pc.

nss (3.12.10-2) unstable; urgency=low

   * debian/control, debian/libnss3-1d.dirs,
     debian/libnss3-1d.lintian-overrides.in, debian/libnss3-dev.dirs,
     debian/libnss3-1d.links.in, debian/libnss3-dev.links.in,
     debian/rules: Switch to multi-arch while keeping backports easy.
     Closes: #497088.

nss (3.12.10-1) unstable; urgency=low

   * New upstream release.
   * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.
   * debian/control: Build depend on libnspr4-dev >= 4.8.8.
   * debian/libnss3-1d.symbols: Add new symbol version.

nss (3.12.9.with.ckbi.1.82-1) unstable; urgency=low

   * New upstream release.
     - Marks fraudulent Comodo certificates as untrusted.
   * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.

nss (3.12.9-2) unstable; urgency=low

   * Upload to unstable.
   * debian/rules: Fallback to DEB_BUILD_ARCH when dpkg-architecture does't
     support DEB_BUILD_ARCH_BITS.
   * debian/control: Lower build depends on dpkg-dev to (>= 1.13.19), which
     was the previous value.
   * mozilla/security/nss/lib/freebl/unix_rand.c: We don't need to prevent
     using netstat for entropy seeding. The seeding will stop before netstat
     if it could get data from /dev/urandom.
   * mozilla/security/coreconf/Linux.mk: We shouldn't need to special case
     mips64 anymore.
   * mozilla/security/nss/cmd/shlibsign/Makefile, debian/rules: Don't rely
     on patching the source to not create .chk files during build.

nss (3.12.9-1) experimental; urgency=low

   * New upstream release.

2010

nss (3.12.9~beta2-1) experimental; urgency=low

   * New upstream snapshot, picked from NSS_3_12_9_BETA2 cvs tag.
   * debian/patches/*: Refresh patches.
   * debian/libnss3-1d.symbols: Add new symbol versions.
   * debian/rules: Bump shlibs.

nss (3.12.8-1) unstable; urgency=low

   * New upstream release.
   * debian/patches/*: Refresh patches.
   * debian/patches/series:
     + lower-dhe-priority.patch: Upstream patch from bz#583337 to lower DHE
       priority. Closes: #592315.

nss (3.12.8~b2-1) experimental; urgency=low

   * New upstream snapshot, picked from NSS_3_12_8_BETA2 cvs tag.
   * debian/patches/*: Refresh patches.

nss (3.12.7-1) unstable; urgency=low

   * New upstream release.
   * debian/patches/*: Refresh patches.
   * debian/control:
     - Bump Standards-Version to 3.9.1.0.
     - Build depend on libnspr4-dev >= 4.8.6.
   * debian/libnss3-1d.symbols: Simplify symbols file and add new symbols.
   * debian/rules: Bump shlibs.

nss (3.12.6-3) unstable; urgency=low

   * debian/rules:
     + Sign libnssdbm3.so. Closes: #588806.
     + Test that the FIPS mode can be properly enabled during build.
   * debian/control:
     + Remove conflicts with very old packages.
     + Bump Standards-Version to 3.9.0.0.

nss (3.12.6-2) unstable; urgency=low

   * debian/patches/series:
     + 00_ckbi_1.79.patch: New patch to update CKBI to 1.79.
     + 95_add_spi+cacert_ca_certs.patch: Refreshed against CKBI 1.79.

nss (3.12.6-1) unstable; urgency=low

   * New upstream release.
   * debian/patches/*: Refresh patches.
   * debian/libnss3-1d.symbols, debian/rules: Update symbols file with new
     symbols and bump shlibs.
   * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch,
     debian/patches/series: Enable transitional scheme for ssl renegotiation.
     Closes: #561918.
   * debian/control:
     + Bump Standards-Version to 3.8.4.0.
     + Drop libnss3-1d dependency on dpkg. The versions it didn't really like
       were between oldstable and stable.
     + Don't allow different versions of libnss3-1d, libnss3-1d-dbg and
       libnss3-tools to be installed at the same time.
     + Add ${misc:Depends} to libnss3-1d-dbg dependencies.
   * debian/rules: Revert workaround for gcc 4.4 bug on powerpc with -Os.
   * debian/rules, debian/control, debian/compat: Simplify debian/rules by
     using dh.

nss (3.12.5-2) unstable; urgency=low

   * debian/control:
     + Remove build dependency on autotools-dev, we don't use it.
     + libnss3-dev depends on libnspr4-dev >= 4.6.6-1. 4.6.6-1 was the first
       version where the pkg-config file was nspr.pc instead of
       xulrunner-nspr.pc. Closes: #567134.
   * debian/patches/96_NSS_VersionCheck.patch, debian/patches/series:
     Remove runtime check of NSPR version in NSS_VersionCheck, which seems to
     be pointless. Closes: #567136.

2009

nss (3.12.5-1) unstable; urgency=low

   * New upstream release.
   * debian/copyright: Modify with new location for the embedded copy of zlib.
   * debian/patches/*:
     + Adapt patches to new upstream.
     + Switch to quilt format
   * debian/source/format: Switch to 3.0 (quilt) format.
   * debian/rules, debian/control: Stop using dpatch.
   * debian/patches/38_intel_aes_executable_stack.patch: Removed. An upstream
     change in version 3.12.4 obsoleted it.
   * debian/rules:
     + Remove DEB_{BUILD,HOST}_* variables, they are not used.
     + Use DEB_BUILD_ARCH_BITS to determine whether to build with USE_64 or not.
     + Ship more tools in libnss3-tools. Closes: #526267.
     + Work around gcc 4.4 bug on powerpc with -Os.
     + Force non parallel build. There are too many race conditions in the
       build system to support parallel builds. Closes: #536248.
     + Bump shlibs.
   * debian/control:
     + Bump Standards-Version to 3.8.3.0.
     + Build-depend on dpkg-dev (>= 1.15.4) for DEB_BUILD_ARCH_BITS.
     + Stricter dependency between libnss3-dev and libnss3-1d.
   * debian/libnss3-1d.symbols:
     + Add new symbols.
     + Remove debian revision for symbols added in 3.12.4.
   * debian/patches/38_hurd.patch: Fix FTBFS on Hurd due to PATH_MAX usage in
     unix_rand.c. Closes: #550995.

nss (3.12.4-1) unstable; urgency=low

   * New upstream release.
   * debian/patches/38_kbsd.dpatch:
     + Use CHECK_FORK_PTHREAD on kfreebsd and hurd. Closes: #547301.
     + Adapt to upstream changes.
   * debian/patches/95_add_spi+cacert_ca_certs.dpatch,
   * debian/patches/81_sonames.dpatch: Adapt to upstream changes.
   * debian/libnss3-1d.symbols: Update symbols file with new symbols.
   * debian/rules: Bumped shlibs.

nss (3.12.3.1-1) unstable; urgency=low

   * New upstream release.
   * debian/patches/95_add_spi+cacert_ca_certs.dpatch, Adapted to upstream
     changes.

nss (3.12.3-1) unstable; urgency=low

   * New upstream release.
   * debian/watch: Updated to catch new upstream .bz2 tarballs.
   * debian/copyright: Add information about
     mozilla/security/corecond/mkdepend.
   * debian/patches/38_hurd.dpatch, debian/patches/38_kbsd.dpatch: Adapted
     to upstream changes.
   * debian/patches/85_security_load.dpatch: Load libsoftokn3.so from
     /usr/lib/nss when unable to load it from standard ld.so paths in
     shlibsign.
   * debian/rules:
     + Add debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH when running
       shlibsign during build.
     + Bumped shlibs.
   * debian/libnss3-1d.symbols: Update symbols file with new symbols.
   * debian/control:
     + Bumped Standards-Version to 3.8.1.0. No changes needed.
     + Put the libnss3-1d-dbg package in the "debug" section.
     + Correct libnss3-1d-dbg short description.
     + Remove redundant section on libnss3-1d.
     + Build-depend on proper version of debhelper for dh_lintian.
   * debian/*.lintian-overrides, debian/rules: Install some Lintian
     overrides with dh_lintian.
   * debian/patches/38_intel_aes_executable_stack.dpatch: Indicate that
     we don't need executable stack in intel-aes.s.
   * debian/patches/00list: Updated accordingly.

nss (3.12.2.with.ckbi.1.73-2) unstable; urgency=low

   * mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.h:
     Apply patch from upstream to fix alignment issues on sparc and ia64.
     Closes: #509930.

nss (3.12.2.with.ckbi.1.73-1) unstable; urgency=low

   * debian/patches/38_kbsd.dpatch: Brown paper bag fix for regression
     in previous release that led to FTBFS on i386 only. Closes: #513101.
     Thanks Steffen Joeris, Sebastian Andrzej Siewior and Petr Salinger.
   * debian/patches/95_add_spi+cacert_ca_certs.dpatch,
     debian/patches/80_security_tools.dpatch: Adapted to upstream changes.
   * debian/libnss3-1d.symbols: Update symbols file with new symbols.
   * debian/rules: Bumped shlibs.

2008

nss (3.12.1-1) unstable; urgency=low

   * New upstream release.
   * debian/patches/95_add_spi+cacert_ca_certs.dpatch,
     debian/patches/38_mips64_build.dpatch,
     debian/patches/38_kbsd.dpatch: Adapted to upstream changes.
   * debian/libnss3-1d.symbols: Update symbols file with new symbols.
   * debian/rules: Bumped shlibs.

nss (3.12.0-5) unstable; urgency=low

   * debian/control:
     + Conflict with libnss3-0d >= 3.11.5, that has conflicting files in
       /usr/lib/nss. Older versions (those from etch) don't conflict.
       This makes updates from old testing smoother. Closes: #492332.
     + Build-depend on libsqlite3-dev >= 3.3.9, since API introduced in this
       version is used. Closes: #493191.

nss (3.12.0-4) unstable; urgency=low

   * debian/control: Remove conflict with libnss3-0d, it was only useful when
     libnss3-0d was a transitional package. Closes: #490995.

nss (3.12.0-3) unstable; urgency=low

   * debian/rules:
     + Enable ECC cypher suite. Closes: #490826.
     + Build with the same optimization level as upstream.

nss (3.12.0-2) unstable; urgency=low

   * debian/patches/95_add_spi+cacert_ca_certs.dpatch:
     + Add CAcert root and class 3 certificates to nssckbi module.
     + Add SPI Inc. certificate to nssckbi module.
     Thanks to Martin F Krafft for these. Closes: #309564.
   * debian/patches/00list: Updated accordingly.

nss (3.12.0-1) unstable; urgency=low

   * New upstream release.
   * debian/patches/92_ocsp.dpatch: Removed, as applied upstream.
   * debian/patches/00list: Updated accordingly.
   * debian/control:
     + Bumped Standards-Version to 3.8.0.1. No changes needed.
     + Added Vcs-Browser and Vcs-Git fields.
     + libnss3-dev don't need explicit version dependency on libnss3-1d.
     + libnss3-dev depends on libnspr4-dev. Closes: #488402.
     + Make the -dbg package less a hassle for manual installations with dpkg.
     + libnss3-1d depends on version of dpkg that either don't support symbols
       files or has fix for #474079.
   * debian/patches/85_security_load.dpatch: Load files from /usr/lib/nss if
     given reference path is only a filename, which happens when freebl is
     statically linked in a binary executable, such as signtool, and the
     executable is run from $PATH. When the executable is run using a full
     path, we must replace /bin/ in the path with /lib/ to find the libraries.
     Closes: #483774.
   * debian/libnss3-1d.symbols: Re-enable symbols file.

nss (3.12.0~rc3-3) unstable; urgency=low

   * debian/control: Make libnss3-0d conflict with old libnss3, which can
     still be installed on some systems, though it hasn't been in the archive
     since sarge. Closes: #485080.

nss (3.12.0~rc3-2) unstable; urgency=low

   * debian/patches/92_ocsp.dpatch: Apply patches from bz433594 and bz#433386,
     which are applied in upstream RC4 (and are the only changes), to fix
     crashes under some conditions with OCSP checks.
   * debian/patches/00list: Updated accordingly.
   * debian/libnss3-dev.links, debian/libnss3-1d.links: Don't install so
     files in the -dev package but in the library package. It will allow
     external applications linked against upstream nss to work on Debian with
     system nss libraries, and will avoid all browsers to have to implement
     symlinks themselves to allow some external plugins to work properly.
   * debian/control: Make libnss3-1d conflict with older versions of
     libnss3-dev and libnss3-dev need newer libnss3-1d accordingly.

nss (3.12.0~rc3-1) unstable; urgency=low

   * New upstream snapshot, picked from NSS_3_12_RC3 cvs tag.

nss (3.12.0~beta3-1) unstable; urgency=low

   * New upstream snapshot, picked from NSS_3_12_BETA3 cvs tag.
   * debian/control: Turn Homepage indications in descriptions into a
     control field.
   * debian/patches/91_build_pwdecrypt.dpatch: Enable building and installing
     pwdecrypt. Thanks Paul Wise. Closes: #472303.
   * debian/patches/00list: Updated accordingly.
   * debian/libnss3-1d.symbols: Update symbols file with new symbols and rename
     the file, so that it isn't used, as a workaround to #474079.
     Closes: #474007.
   * debian/rules: Bumped shlibs.

nss (3.12.0~beta2-1) unstable; urgency=low

   * New upstream snapshot, picked from NSS_3_12_BETA2 cvs tag.
   * debian/patches/10_3.11.7_symbol_fix.dpatch: Removed, as applied upstream.
   * debian/patches/38_kbsd.dpatch: Adapted to upstream changes.
   * debian/patches/81_sonames.dpatch: Add SO_VERSION to libnssutil3.
   * debian/libnss3-dev.links: Add link for libnssutil3.
   * debian/libnss3-1d.symbols: Update symbols file with new symbols. Note that
     SEC_StringToOID disappeared (well, was moved to nssutil), compared to
     version 3.12.0~1.9b1, but it was a new symbol, and isn't used anywhere.
   * debian/nss.pc.in, debian/nss-config.in: Add libnssutil3 support.
   * debian/rules:
     + Bumped shlibs.
     + Don't generate libsoftokn3.so.0d.
   * debian/control:
     + Remove transitional libnss3-0d package.
     + Bumped Standards-Version to 3.7.3.0. No changes needed.
     + Build depend on libnspr4-dev >= 4.7.0 (we do need the RTM version, and
       not the preceding betas)
   * debian/libnss3-0d.*: Removed.
   * debian/patches/85_security_load.dpatch: Load files from $ORIGIN/nss before
     those of $ORIGIN. Closes: #469079.
   * debian/patches/38_hurd.dpatch: Fix FTBFS on Hurd because of MAXPATHLEN.
     Closes: #419529.
   * debian/patches/00list: Updated accordingly.

2007

nss (3.12.0~1.9b1-2) unstable; urgency=low

   * debian/control: libnss3-1-dbg needs to conflict with older libnss3-0d-dbg,
     as it overwrites so of its files. Closes: #455875.
   * debian/patches/90_realpath.dpatch: Use realpath() in
     loader_GetOriginalPathname, so that symlinks are properly followed when
     determining where the current library lives.
   * debian/patches/00list: Updated accordingly.
   * debian/patches/85_security_load.dpatch: When the module given by the
     caller contains a directory name, remove it so that the module can be
     properly loaded. Closes: #456296.

nss (3.12.0~1.9b1-1) unstable; urgency=low

   * New upstream snapshot, picked from FIREFOX_3_0b1_RELEASE cvs tag.
   * debian/copyright: Add licensing information about the recently added
     sqlite copy in the source tree.
   * debian/control:
     + Build depend on libsqlite3-dev.
     + Rename all -0d packages to -1d, but keep a transitional -0d package,
       since all libraries are compatible (except for the removed one).
     + Make libnss3-1d conflict with older libnss3-0d.
   * debian/patches/38_kbsd.dpatch, debian/patches/81_sonames.dpatch:
     Adapted to upstream changes.
   * debian/patches/81_sonames.dpatch:
     + Remove SO version from libsoftokn3, now it is not linked against
       anymore, but dlloaded.
     + Remove the hacks to have shlibsign and the signature verification code
       handle the SO version in the file name.
     + Bump SO version to 1d.
   * debian/rules:
     + Add NSS_USE_SYSTEM_SQLITE=1 to the make options.
     + Install libsoftokn3 and the new libnssdbm3 in /usr/lib/nss.
     + Run shlibsign on libsoftokn3 in /usr/lib/nss, without a SO version.
     + For some reason, build-stamp was missing in install-stamp dependencies.
     + Bumped shlibs because of new symbols, and pass -c4 to dpkg-gensymbols,
       so that it fails in all cases where the symbols file is not up to date.
     + Adapt upstream version pattern matching so that the ~1.9b1 part is
       removed.
     + Install .1d libraries in -1d packages.
     + Create a dummy libsoftokn3.so.0d library, installed in the libnss3-0d
       package.
   * debian/libnss3-0d.links:
     + Remove links in /usr/lib/xulrunner. The workaround they were
       implementing is going to be done another way.
     + Add .0d links to .1d libraries.
   * debian/libnss3-dev.links:
     + Don't put a symlink for libsoftokn3.
     + .so files now link to .1d libraries.
   * debian/patches/80_security_build.dpatch: Remove the hack to load libfreebl
     from /usr/lib/nss.
   * debian/patches/85_security_load.dpatch: Load modules from $ORIGIN/nss.
   * debian/patches/10_3.11.7_symbol_fix.dpatch: Fix a symbol version. Stolen
     from bz#325672.
   * debian/patches/00list: Updated accordingly.
   * debian/libnss3-0d.dirs: Renamed to libnss3-1d.dirs.

nss (3.11.7-1) unstable; urgency=low

   * New upstream release, picked from NSS_3_11_7_RTM cvs tag.
   * debian/patches/38_kbsd.dpatch: Also add support for the Hurd.
     Closes: #419529.
   * debian/rules:
     + Don't fail on clean with unpatched ruleset. Closes: #421542.
     + Bumped shlibs because of new symbols.
   * debian/patches/81_sonames.dpatch: Adapted to upstream changes.

nss (3.11.5-3) unstable; urgency=low

   * Upload to unstable.

nss (3.11.5-2) experimental; urgency=low

   * debian/rules:
     + Cleaner way to set the NSPR location.
     + Install libcrmf.a files in libnss3-dev.
     + binary-indep now does nothing.
   * debian/control: Make libnss3-dev an Arch: any package.
   * debian/nss.pc.in:
     + Remove libsoftokn3 from ld libraries.
     + Improvement in directories setting.
   * debian/libnss3-dev.dirs: Create /usr/bin.
   * debian/nss-config.in, debian/rules: Install a nss-config script into
     libnss3-dev.

nss (3.11.5-1) experimental; urgency=low

   * Initial release. (Closes: #416151)