nss (2:3.98-0ubuntu0.22.04.2) jammy-security; urgency=medium

  * SECURITY REGRESSION: failure to open modules (LP: #2060906)
    - debian/patches/85_security_load.patch: fix broken patch preventing module loading.

 -- Marc Deslauriers Thu, 11 Apr 2024 10:19:22 -0400

nss (2:3.98-0ubuntu0.22.04.1) jammy-security; urgency=medium

  * Updated to upstream 3.98 to fix security issues and get a new CA certificate bundle.
    - CVE-2023-5388: timing issue in RSA operations
    - CVE-2023-6135: side-channel in multiple NSS NIST curves
  * Removed patches included in new version:
    - debian/patches/set-tls1.2-as-minimum.patch
    - debian/patches/CVE-2022-34480.patch
    - debian/patches/CVE-2023-0767.patch
  * Updated patches for new version:
    - debian/patches/38_hppa.patch
    - debian/patches/85_security_load.patch
    - debian/patches/disable_fips_enabled_read.patch
    - debian/patches/fix-ftbfs-s390x.patch
  * debian/control: bump libnspr version to 2:4.34.
  * debian/libnss3.symbols: added new symbols.

 -- Marc Deslauriers Thu, 21 Mar 2024 09:44:10 -0400

nss (2:3.68.2-0ubuntu1.2) jammy-security; urgency=medium

  * SECURITY UPDATE: Arbitrary memory write via PKCS 12 in NSS
    - debian/patches/CVE-2023-0767.patch: improve handling of unknown PKCS#12 safe bag types in nss/lib/pkcs12/p12d.c, nss/lib/pkcs12/p12t.h, nss/lib/pkcs12/p12tmpl.c.
    - CVE-2023-0767

 -- Marc Deslauriers Fri, 17 Feb 2023 09:50:18 -0500

nss (2:3.68.2-0ubuntu1.1) jammy-security; urgency=medium

  * SECURITY UPDATE: Free of uninitialized pointer in lg_init
    - debian/patches/CVE-2022-34480.patch: rearrange frees in nss/lib/softoken/legacydb/lginit.c.
    - CVE-2022-34480

 -- Marc Deslauriers Wed, 06 Jul 2022 07:19:37 -0400

nss (2:3.68.2-0ubuntu1) jammy; urgency=medium

  * New upstream release. (LP: #1959126)
  * d/p/CVE-2021-43527.patch: drop patch applied upstream.
    [ Fixed in 3.68.1 ]

 -- Athos Ribeiro Mon, 21 Feb 2022 14:55:42 -0300

nss (2:3.68-1ubuntu2) jammy; urgency=medium

  * SECURITY UPDATE: heap overflow when verifying DSA/RSA-PSS DER-encoded signatures
    - debian/patches/CVE-2021-43527.patch: check signature lengths in nss/lib/cryptohi/secvfy.c.
    - CVE-2021-43527

 -- Marc Deslauriers Mon, 29 Nov 2021 07:12:54 -0500

nss (2:3.68-1ubuntu1) impish; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/libnss3.links: Make freebl3 available as library. (LP #1744328)
    - d/control: Add dh-exec to Build-Depends.
    - d/rules: Make mkdir tolerate debian/tmp existing (due to dh-exec).
    - d/p/disable_fips_enabled_read.patch: Disable reading fips_enabled flag in FIPS mode as libnss is not a FIPS certified library. (LP #1837734)
    - d/p/set-tls1.2-as-minimum.patch: Set TLSv1.2 as minimum TLS version. (LP #1856428)
    - d/libnss3.links.in: Symlink chk files to fix self-verification in FIPS mode. (LP #1885562)
    - d/p/fix-ftbfs-s390x.patch: Fix some uninitialized variable warnings and format overflows for s390x.
    - d/p/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error checking on call to getcwd since this results in an erroneous warning that causes the build to fail otherwise.
  * New changes:
    - d/rules: Disable LTO on s390x for now. (LP #1931104)

 -- Paride Legovini Wed, 28 Jul 2021 15:27:12 +0200

nss (2:3.68-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Mon, 19 Jul 2021 06:23:39 +0900

nss (2:3.67-2) unstable; urgency=medium

  * nss/lib/ssl/sslinfo.c, nss/lib/ssl/sslt.h, nss/cmd/selfserv/selfserv.c, nss/cmd/strsclnt/strsclnt.c, nss/cmd/tstclnt/tstclnt.c: Make SSL_GetChannelInfo ABI compatible with older versions by default. Nothing else than NSS itself currently uses the new field. Closes: #990059.

 -- Mike Hommey Mon, 05 Jul 2021 07:58:02 +0900

nss (2:3.67-1) unstable; urgency=medium

  * New upstream release. Fixes: #989410.

 -- Mike Hommey Fri, 11 Jun 2021 09:58:51 +0900

nss (2:3.66-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3.65/NSS_3.66 symbol versions.

 -- Mike Hommey Wed, 02 Jun 2021 05:53:44 +0900

nss (2:3.63-1ubuntu1) hirsute; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP #1837734)
    - Set TLSv1.2 as minimum TLS version. LP #1856428
    - Symlink chk files to fix self-verification in FIPS mode (LP #1885562)
    - debian/patches/fix-ftbfs-s390x.patch: fix some uninitialized variable warnings and format overflows for s390x.
    - debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error checking on call to getcwd since this results in an erroneous warning that causes the build to fail otherwise

 -- Gianfranco Costamagna Mon, 29 Mar 2021 20:54:57 +0200

nss (2:3.63-1) unstable; urgency=medium

  * New upstream release. Fixes: #984657.

 -- Mike Hommey Wed, 24 Mar 2021 12:51:23 +0900

nss (2:3.61-1ubuntu2) hirsute; urgency=medium

  * No change rebuild with fixed ownership.

 -- Dimitri John Ledkov Tue, 16 Feb 2021 15:18:55 +0000

nss (2:3.61-1ubuntu1) hirsute; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP #1837734)
    - Set TLSv1.2 as minimum TLS version. LP #1856428
    - Symlink chk files to fix self-verification in FIPS mode (LP #1885562)
    - debian/patches/fix-ftbfs-s390x.patch: fix some uninitialized variable warnings and format overflows for s390x.
    - debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error checking on call to getcwd since this results in an erroneous warning that causes the build to fail otherwise

 -- Gianfranco Costamagna Tue, 09 Feb 2021 14:26:16 +0100

nss (2:3.61-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Mon, 08 Feb 2021 06:10:24 +0900

nss (2:3.60-1ubuntu1) hirsute; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP #1837734)
    - Set TLSv1.2 as minimum TLS version. LP #1856428
    - Symlink chk files to fix self-verification in FIPS mode (LP #1885562)
    - debian/patches/fix-ftbfs-s390x.patch: fix some uninitialized variable warnings and format overflows for s390x.
    - debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error checking on call to getcwd since this results in an erroneous warning that causes the build to fail otherwise

 -- Gianfranco Costamagna Mon, 21 Dec 2020 09:21:07 +0100

nss (2:3.60-1) unstable; urgency=medium

  * New upstream release. Fixes: #977723.

 -- Mike Hommey Sun, 20 Dec 2020 06:36:28 +0900

nss (2:3.59-1ubuntu1) hirsute; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP #1837734)
    - Set TLSv1.2 as minimum TLS version. LP #1856428
    - Symlink chk files to fix self-verification in FIPS mode (LP #1885562)
    - debian/patches/fix-ftbfs-s390x.patch: fix some uninitialized variable warnings and format overflows for s390x.
    - debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error checking on call to getcwd since this results in an erroneous warning that causes the build to fail otherwise

 -- Gianfranco Costamagna Sat, 28 Nov 2020 13:39:04 +0100

nss (2:3.59-1) unstable; urgency=medium

  * New upstream release. Fixes: #972713.
  * debian/libnss3.symbols: Add NSS_3.59/NSSUTIL_3.59 symbol version.

 -- Mike Hommey Wed, 18 Nov 2020 07:26:57 +0900

nss (2:3.58-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3_58 symbol version.

 -- Mike Hommey Wed, 21 Oct 2020 08:04:53 +0900

nss (2:3.56-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Thu, 03 Sep 2020 10:55:04 +0900

nss (2:3.55-1ubuntu4) hirsute; urgency=medium

  * Chmod +x d/libnss3.links, otherwise dh-exec can't do the right job in substituting DEB_HOST_MULTIARCH

 -- Gianfranco Costamagna Sat, 28 Nov 2020 13:34:53 +0100

nss (2:3.55-1ubuntu3) groovy; urgency=medium

  * Fix FTBFS due to erroneous glibc out-of-bounds checking with gcc 10 (LP: #1897666)
    - debian/patches/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error checking on call to getcwd since this results in an erroneous warning that causes the build to fail otherwise

 -- Alex Murray Tue, 29 Sep 2020 10:39:29 +0930

nss (2:3.55-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP #1837734)
    - Set TLSv1.2 as minimum TLS version. LP #1856428
    - Symlink chk files to fix self-verification in FIPS mode (LP #1885562)
  * Added changes:
    - debian/patches/fix-ftbfs-s390x.patch: fix some uninitialized variable warnings and format overflows for s390x.

 -- Eduardo Barretto Mon, 17 Aug 2020 16:57:03 -0300

nss (2:3.55-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3_55 symbol version.

 -- Mike Hommey Wed, 29 Jul 2020 14:00:17 +0900

nss (2:3.53.1-1ubuntu1) groovy; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP #1837734)
    - Set TLSv1.2 as minimum TLS version. LP #1856428
    - Symlink chk files to fix self-verification in FIPS mode (LP #1885562)
  * Dropped changes:
    - SECURITY UPDATE: Timing attack during DSA key generation
      + debian/patches/CVE-2020-12399.patch: force a fixed length for DSA exponentiation in nss/lib/freebl/dsa.c.
      [ Incorporated by upstream. ]
    - SECURITY UPDATE: Side channel vulnerabilities during RSA key generation
      + debian/patches/CVE-2020-12402.patch: use constant-time GCD and modular inversion in nss/lib/freebl/mpi/mpi.c, nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c.
      [ Incorporated by upstream. ]

 -- Sergio Durigan Junior Fri, 17 Jul 2020 10:51:23 -0400

nss (2:3.53.1-1) unstable; urgency=medium

  * New upstream release.
  * Fixes CVE-2020-12402. Closes: #963152.

 -- Mike Hommey Mon, 22 Jun 2020 06:09:24 +0900

nss (2:3.53-1) unstable; urgency=medium

  * New upstream release.
  * Fixes CVE-2020-12399. Closes: #961752.
  * debian/libnss3.symbols: Add NSS_3_53 symbol version.
  * nss/lib/freebl/Makefile, nss/lib/freebl/manifest.mn: Move seed.o back into freeblpriv3. bz#1642146.
  * nss/cmd/shlibsign/Makefile: Avoid infinite recursion when CHECKLOC is not set. bz#1642153.

 -- Mike Hommey Sun, 31 May 2020 06:32:53 +0900

nss (2:3.52-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3_52 symbol version.

 -- Mike Hommey Wed, 06 May 2020 06:06:43 +0900

nss (2:3.51-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Wed, 08 Apr 2020 11:14:44 +0900

nss (2:3.50-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Wed, 12 Feb 2020 09:06:51 +0900

nss (2:3.49.1-1ubuntu4) groovy; urgency=medium

  * Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)

 -- Dariusz Gadomski Wed, 01 Jul 2020 14:48:13 +0200

nss (2:3.49.1-1ubuntu3) groovy; urgency=medium

  * SECURITY UPDATE: Side channel vulnerabilities during RSA key generation
    - debian/patches/CVE-2020-12402.patch: use constant-time GCD and modular inversion in nss/lib/freebl/mpi/mpi.c, nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c.
    - CVE-2020-12402

 -- Marc Deslauriers Tue, 30 Jun 2020 10:41:20 -0400

nss (2:3.49.1-1ubuntu2) groovy; urgency=medium

  * SECURITY UPDATE: Timing attack during DSA key generation
    - debian/patches/CVE-2020-12399.patch: force a fixed length for DSA exponentiation in nss/lib/freebl/dsa.c.
    - CVE-2020-12399

 -- Marc Deslauriers Wed, 10 Jun 2020 12:54:12 -0400

nss (2:3.49.1-1ubuntu1) focal; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP #1837734)
    - Set TLSv1.2 as minimum TLS version. LP #1856428

 -- Lucas Kanashiro Wed, 22 Jan 2020 16:24:44 -0300

nss (2:3.49.1-1) unstable; urgency=medium

  * New upstream release.
  * nss/lib/freebl/Makefile: Revert change from 2:3.48-1.
  * nss/coreconf/config.gypi, nss/lib/freebl/Makefile, nss/lib/freebl/aes-armv8.c, nss/lib/freebl/freebl.gyp, nss/lib/freebl/gcm-arm32-neon.c, nss/lib/freebl/gcm.c, nss/lib/freebl/rijndael.c: Fix freebl arm NEON code use, fixing FTBFS on armhf, and enabling runtime detection of NEON on armel.
    bz#1608327

 -- Mike Hommey Wed, 22 Jan 2020 15:13:40 +0900

nss (2:3.49-1) unstable; urgency=medium

  * New upstream release.
  * Fixes CVE-2019-17023.

 -- Mike Hommey Thu, 09 Jan 2020 13:46:11 +0900

nss (2:3.48-1ubuntu1) focal; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP #1837734)
  * Set TLSv1.2 as minimum TLS version. LP: #1856428

 -- Ubuntu Merge-o-Matic Sun, 29 Dec 2019 03:43:36 +0000

nss (2:3.48-1) unstable; urgency=medium

  * New upstream release. Closes: #947131.
  * debian/control: Bump nspr build dependency to 4.24.
  * nss/lib/freebl/Makefile: Disable hardware AES on ARM softfloat to fix FTBFS on armel. Closes: #947246.

 -- Mike Hommey Sun, 29 Dec 2019 07:40:46 +0900

nss (2:3.47.1-1) unstable; urgency=medium

  * New upstream release.
    - Fixes CVE-2019-11745.

 -- Mike Hommey Wed, 04 Dec 2019 09:00:54 +0900

nss (2:3.47-1ubuntu2) focal; urgency=medium

  * SECURITY UPDATE: out-of-bounds write in NSC_EncryptUpdate
    - debian/patches/CVE-2019-11745.patch: use maxout not block size in nss/lib/softoken/pkcs11c.c.
    - CVE-2019-11745

 -- Marc Deslauriers Tue, 26 Nov 2019 08:31:39 -0500

nss (2:3.47-1ubuntu1) focal; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP #1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP #1837734)

 -- Lucas Kanashiro Thu, 31 Oct 2019 16:18:35 -0300

nss (2:3.47-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3_47 symbol version.

 -- Mike Hommey Wed, 23 Oct 2019 11:19:59 +0900

nss (2:3.45-1ubuntu2) eoan; urgency=medium

  * Disable reading fips_enabled flag in FIPS mode. libnss is not a FIPS certified library. (LP: #1837734)

 -- Vineetha Kamath Tue, 23 Jul 2019 20:58:12 +0000

nss (2:3.45-1ubuntu1) eoan; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP 1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)

 -- Gianfranco Costamagna Thu, 11 Jul 2019 11:49:44 +0200

nss (2:3.45-1) unstable; urgency=medium

  * New upstream release.
    - Fixes CVE-2019-11727 and CVE-2019-11719.
  * debian/libnss3.symbols: Add NSS_3_45 symbol version.

 -- Mike Hommey Wed, 10 Jul 2019 07:34:18 +0900

nss (2:3.44+really3.42.1-2) unstable; urgency=medium

  * debian/rules: Fix version exposed in nss-config and nss.pc.

 -- Mike Hommey Wed, 05 Jun 2019 06:36:00 +0900

nss (2:3.44.0-1) experimental; urgency=medium

  * debian/libnss3.symbols:
    - Update the version needed for SSL_Get{CipherSuite,Channel,PreliminaryChannel}Info.
    - Adjust versions so that 3.44+really3.42.1-1 is considered older where it matters.

 -- Mike Hommey Sun, 02 Jun 2019 13:06:26 +0900

nss (2:3.44+really3.42.1-1) unstable; urgency=medium

  * Reverse to 3.42.1. Building against 3.44 induces some behavior differences when running against older versions, which could normally be solved with updates to the symbols file, but since 3.44 is not meant to ship in Buster, avoid disruption for nss reverse dependencies until Buster is released by going back to previous version.

 -- Mike Hommey Sun, 02 Jun 2019 12:42:20 +0900

nss (2:3.44-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3_43 and NSS_3_44 symbol versions.

 -- Mike Hommey Sat, 01 Jun 2019 11:12:17 +0900

nss (2:3.42.1-1) unstable; urgency=medium

  * New upstream release.
    - Fixes CVE-2018-18508. Closes: #921614.

 -- Mike Hommey Wed, 13 Feb 2019 13:19:39 +0900

nss (2:3.42-1ubuntu2) disco; urgency=medium

  * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
    - debian/patches/CVE-2018-18508-1.patch: add null checks in nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c, nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c, nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
    - debian/patches/CVE-2018-18508-2.patch: add null checks in nss/lib/smime/cmsmessage.c.
    - CVE-2018-18508

 -- Marc Deslauriers Tue, 19 Feb 2019 12:04:49 +0100

nss (2:3.42-1ubuntu1) disco; urgency=medium

  * Merge with Debian unstable (LP: #1813593). Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP 1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)

 -- Karl Stenerud Mon, 04 Feb 2019 11:03:32 +0100

nss (2:3.42-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Wed, 30 Jan 2019 16:47:58 +0900

nss (2:3.41-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Wed, 12 Dec 2018 14:13:39 +0900

nss (2:3.40-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Fri, 02 Nov 2018 14:44:19 +0900

nss (2:3.39-1ubuntu1) disco; urgency=medium

  * Merge with Debian unstable. Remaining changes (LP: #1803707):
    - d/libnss3.links: make freebl3 available as library (LP 1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
  * Dropped changes:
    - d/rules: when building with -O3 on ppc64el this FTBFS, build with -Wno-error=maybe-uninitialized to avoid that

 -- Christian Ehrhardt Fri, 16 Nov 2018 14:27:39 +0100

nss (2:3.39-1) unstable; urgency=medium

  * New upstream release.
    - Fixes CVE-2018-12384. Closes: #908332.
  * debian/libnss3.symbols: Add NSS_3_39 and NSSUTIL_3_39 symbol versions.

 -- Mike Hommey Sun, 09 Sep 2018 08:03:39 +0900

nss (2:3.38-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSSUTIL_3_38 symbol version.

 -- Mike Hommey Mon, 25 Jun 2018 07:26:21 +0900

nss (2:3.37.1-1) unstable; urgency=medium

  * New upstream release.
  * nss/lib/freebl/Makefile: Build FStar.c when not building with int128 support. bz#1459739. Closes: #900227

 -- Mike Hommey Mon, 28 May 2018 07:58:44 +0900

nss (2:3.37-1) unstable; urgency=medium

  * New upstream release. Fixes: #898496.
  * debian/control, debian/rules: Generate dbgsym package.
  * debian/copyright: Switch to machine-readable format.
  * debian/control: Bump Standards-Version to 4.1.4.

 -- Mike Hommey Mon, 14 May 2018 07:15:21 +0900

nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - d/libnss3.links: make freebl3 available as library (LP 1744328)
    - d/control: add dh-exec to Build-Depends
    - d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
    - d/rules: when building with -O3 on ppc64el this FTBFS, build with -Wno-error=maybe-uninitialized to avoid that
  * Dropped changes:
    - revert switching to SQL default format (LP: 1746947) Dropping this addresses (LP: #1747411) and effectively means we now switch to the new default format after we ensured all depending packages are ready.
  * Added changes:
    - d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el

 -- Christian Ehrhardt Mon, 07 May 2018 17:08:46 +0200

nss (2:3.36.1-1) unstable; urgency=medium

  * New upstream release.
  * debian/control: Update Maintainer and Vcs fields, moving off alioth.

 -- Mike Hommey Tue, 10 Apr 2018 14:55:14 +0900

nss (2:3.36-1) unstable; urgency=medium

  * New upstream release. Closes: #894981.

 -- Mike Hommey Sun, 08 Apr 2018 06:53:15 +0900

nss (2:3.35-2ubuntu2) bionic; urgency=medium

  * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the default is still causing too many issues in consumers of nss.
    So until resolved revert the switched default (LP: #1746947)

 -- Christian Ehrhardt Mon, 05 Feb 2018 11:36:07 +0100

nss (2:3.35-2ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - When building with -O3, build with -Wno-error=maybe-uninitialized.
  * Added Changes:
    - d/libnss3.links: make freebl3 available as library (LP: #1744328)
      + d/control: add dh-exec to Build-Depends
      + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)

 -- Christian Ehrhardt Tue, 30 Jan 2018 14:04:20 +0100

nss (2:3.35-2) unstable; urgency=medium

  * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.

 -- Mike Hommey Mon, 29 Jan 2018 13:51:18 +0900

nss (2:3.35-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Mon, 29 Jan 2018 10:59:06 +0900

nss (2:3.34.1-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Fri, 05 Jan 2018 20:15:40 +0900

nss (2:3.34-1ubuntu1) bionic; urgency=medium

  * Merge with Debian; remaining changes:
    - When building with -O3, build with -Wno-error=maybe-uninitialized.

 -- Marc Deslauriers Thu, 14 Dec 2017 09:18:47 -0500

nss (2:3.34-1) unstable; urgency=medium

  * New upstream release:
    - Really build without -maes on i386. Closes: #875694.
  * debian/libnss3.symbols: Add NSS_3_34 symbol version.

 -- Mike Hommey Sat, 18 Nov 2017 14:58:01 +0900

nss (2:3.33-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3_33 and NSSUTIL_3.33 symbol versions.

 -- Mike Hommey Fri, 29 Sep 2017 06:49:26 +0900

nss (2:3.32-2) unstable; urgency=medium

  * nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc: Fix possibly uninitialized value 'curve'. bz#1389263. Closes: #871691.
  * lib/freebl/Makefile: Only build gcm.c and rijndael.c with -maes. Closes: #871700.

 -- Mike Hommey Mon, 28 Aug 2017 07:39:59 +0900

nss (2:3.32-1ubuntu3) artful; urgency=medium

  * SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes
    - debian/patches/CVE-2017-7805.patch: Simplify handling of CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h.
    - CVE-2017-7805

 -- Marc Deslauriers Fri, 29 Sep 2017 12:17:39 -0400

nss (2:3.32-1ubuntu2) artful; urgency=medium

  * Initialise curve variable in a test file, resolves FTBFS.

 -- Dimitri John Ledkov Thu, 24 Aug 2017 07:21:27 -0400

nss (2:3.32-1ubuntu1) artful; urgency=medium

  * Merge with Debian; remaining changes:
    - When building with -O3, build with -Wno-error=maybe-uninitialized.

 -- Marc Deslauriers Wed, 23 Aug 2017 13:09:20 -0400

nss (2:3.32-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Thu, 10 Aug 2017 15:29:40 +0900

nss (2:3.31-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3_31 and NSSUTIL_3.31 symbol versions.

 -- Mike Hommey Sat, 17 Jun 2017 06:41:41 +0900

nss (2:3.30.2-1) experimental; urgency=medium

  * New upstream release.

 -- Mike Hommey Fri, 19 May 2017 14:06:03 +0900

nss (2:3.30.1-1) experimental; urgency=medium

  * New upstream release.

 -- Mike Hommey Wed, 19 Apr 2017 20:09:48 +0900

nss (2:3.30-1) experimental; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3.30 and NSS_3.30.0.1 symbol versions.

 -- Mike Hommey Sat, 18 Mar 2017 15:34:23 +0900

nss (2:3.29.1-1) experimental; urgency=medium

  * New upstream release.

 -- Mike Hommey Sat, 25 Feb 2017 09:27:44 +0900

nss (2:3.29-1) experimental; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSSUTIL_3.25 symbol version.

 -- Mike Hommey Mon, 13 Feb 2017 07:42:36 +0900

nss (2:3.28.1-1) experimental; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3.28 symbol version.

 -- Mike Hommey Sun, 05 Feb 2017 15:01:47 +0900

nss (2:3.27.1-1) experimental; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3.27 symbol version.

 -- Mike Hommey Sat, 19 Nov 2016 08:29:17 +0900

nss (2:3.28.4-0ubuntu2) artful; urgency=medium

  * SECURITY UPDATE: DoS via empty SSLv2 messages
    - debian/patches/CVE-2017-7502.patch: reject broken v2 records in nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h, added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc, nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn, nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
    - CVE-2017-7502

 -- Marc Deslauriers Fri, 16 Jun 2017 08:12:38 -0400

nss (2:3.28.4-0ubuntu1) artful; urgency=medium

  * Updated to upstream 3.28.4 to fix security issues and get a new CA certificate bundle.
  * SECURITY UPDATE: DES and Triple DES ciphers birthday attack
    - CVE-2016-2183
  * SECURITY UPDATE: out-of-bounds write in Base64 decoding
    - CVE-2017-5461
  * debian/patches/*.patch: refreshed for new version.
  * debian/control: bump libnspr4-dev to 4.13.1.
  * debian/libnss3.symbols: added new symbols.

 -- Marc Deslauriers Thu, 27 Apr 2017 13:13:44 -0400

nss (2:3.26.2-1ubuntu1) zesty; urgency=medium

  * Merge with Debian; remaining changes:
    - When building with -O3, build with -Wno-error=maybe-uninitialized.

 -- Marc Deslauriers Fri, 02 Dec 2016 08:48:03 -0500

nss (2:3.26.2-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Sun, 30 Oct 2016 07:20:34 +0900

nss (2:3.26-2) unstable; urgency=medium

  * debian/libnss3.symbols: SSL_GetCipherSuiteInfo and SSL_GetChannelInfo need newer versions despite the symbol versions.

 -- Mike Hommey Wed, 21 Sep 2016 10:02:23 +0900

nss (2:3.26-1ubuntu1) yakkety; urgency=medium

  * Merge with Debian; remaining changes:
    - When building with -O3, build with -Wno-error=maybe-uninitialized.

 -- Matthias Klose Tue, 06 Sep 2016 14:39:56 +0200

nss (2:3.26-1) unstable; urgency=medium

  * New upstream release.
  * debian/watch: Update such that uscan --download-version works.
  * debian/control, debian/libnss3-1d.*, debian/libnss3.symbols: Remove the libnss3-1d* transitional packages.
  * debian/rules:
    - Always set CCC to CXX. Thanks Helmut Grohne. Closes: #806292.
    - Override KERNEL when cross building for a different OS. Closes: #810579.
  * debian/control: Split Depends/Build-Depends/Conflicts. Thanks Guido Günther. Closes: #806634.

 -- Mike Hommey Tue, 16 Aug 2016 16:33:15 +0900

nss (2:3.25-1ubuntu1) yakkety; urgency=medium

  * When building with -O3, build with -Wno-error=maybe-uninitialized.

 -- Matthias Klose Thu, 04 Aug 2016 11:36:54 +0200

nss (2:3.25-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols, debian/rules: Add the new libfreeblpriv3 library.
  * debian/libnss3.symbols: Add NSS_3.24 and NSSUTIL_3.24 symbol versions.

 -- Mike Hommey Wed, 03 Aug 2016 10:23:13 +0900

nss (2:3.23-2) unstable; urgency=medium

  * debian/control, debian/rules: Leave it to dh_makeshlibs to do the right thing wrt ldconfig. This requires debhelper 9.20160403. Closes: #811124.

 -- Mike Hommey Sun, 03 Apr 2016 18:29:02 +0900

nss (2:3.23-1) unstable; urgency=medium

  * New upstream release.
  * Fixes mfsa2016-{35-36} also known as CVE-2016-1950 and CVE-2016-1979.
  * debian/control: Bump nspr build dependency to 2:4.12.
  * debian/libnss3.symbols: Add NSS_3.22 and NSS_3.23 symbol versions.

 -- Mike Hommey Wed, 09 Mar 2016 13:52:06 +0900

nss (2:3.21-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix FTBFS on x32. Closes: #699217
  * Fix FTBFS on hppa. Closes: #808990

 -- Adam Borowski Sun, 14 Feb 2016 14:46:40 +0100

nss (2:3.21-1) unstable; urgency=medium

  * New upstream release.
  * nss/lib/ssl/sslsock.c: Disable transitional scheme for SSL renegotiation. 5 years after the transition started, it shouldn't be necessary anymore.
  * nss/lib/ckfw/builtins/certdata.txt: Remove the SPI CA.
  * nss/lib/util/secload.c: Fix a warning introduced by our patch to this file.
  * debian/libnss3.symbols: Add NSS_3.21 symbol versions.

 -- Mike Hommey Wed, 25 Nov 2015 09:18:30 +0900

nss (2:3.20.1-1) unstable; urgency=high

  * New upstream release.
  * Fixes mfsa2015-133, also known as CVE-2015-7181 and CVE-2015-7182.

 -- Mike Hommey Wed, 04 Nov 2015 09:53:32 +0900

nss (2:3.20-1) unstable; urgency=medium

  * New upstream release.
  * Removed patch for __DATE__ and __TIME__ references from 2:3.19.1-1 because the parts that matter were applied upstream.
  * debian/rules: Move USE_64 to common make flags, and always use DEB_HOST_ARCH_BITS since it's even supported by dpkg in oldstable, now.
  * debian/libnss3.symbols: Add NSS_3.20 symbol versions.

 -- Mike Hommey Sat, 22 Aug 2015 09:02:11 +0900

nss (2:3.19.2-1) unstable; urgency=medium

  * New upstream release.
  * debian/rules: Force set OS_TEST to DEB_HOST_GNU_CPU to avoid it defaulting to `uname -m`. Thanks Helmut Grohne. Closes: #788452

 -- Mike Hommey Sun, 21 Jun 2015 06:30:13 +0900

nss (2:3.19.1-2) unstable; urgency=medium

  * debian/control: Fix Vcs-Git url.
  * nss/cmd/shlibsign/manifest.mn: Fix missing LIBRARY_VERSION.
  * nss/cmd/shlibsign/shlibsign.c: Fix shlibsign on arm64.

 -- Mike Hommey Mon, 01 Jun 2015 16:25:07 +0900

nss (2:3.19.1-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols:
    - Add NSS_3.19.1 symbol versions.
    - Reorder and replace *@ with (symver).
  * debian/rules:
    - Pass multi-arch dir for NSPR_LIB_DIR. Closes: #722811.
    - Set umask when calling shlibsign, and rearrange how it's being called.
    - Build nsinstall separately and set things up for cross-compilations.
    - Use native shlibsign when cross-compiling.
    - Do not run FIPS check on cross-builds.
  * debian/control: Build depend on native libnss3-tools for cross builds. Closes: #682926.
  * debian/libnss3-tools.manpages, debian/rules: Install the manpages that are now provided upstream. Closes: #505382.
  * debian/control: Update Vcs-* urls.
  * debian/control: Bump Standards-Version to 3.9.6.0. No changes required.
  * nss/lib/ckfw/builtins/binst.c, nss/lib/ckfw/builtins/ckbiver.c, nss/lib/ckfw/builtins/manifest.mn, nss/lib/ckfw/capi/ckcapiver.c, nss/lib/ckfw/capi/manifest.mn, nss/lib/ckfw/nssmkey/ckmkver.c, nss/lib/ckfw/nssmkey/manifest.mn, nss/lib/freebl/freeblver.c, nss/lib/freebl/ldvector.c, nss/lib/freebl/manifest.mn, nss/lib/nss/manifest.mn, nss/lib/nss/nssinit.c, nss/lib/nss/nssver.c, nss/lib/smime/manifest.mn, nss/lib/smime/smimeutil.c, nss/lib/smime/smimever.c, nss/lib/softoken/legacydb/lginit.c, nss/lib/softoken/manifest.mn, nss/lib/softoken/pkcs11.c, nss/lib/softoken/softkver.c, nss/lib/ssl/manifest.mn, nss/lib/ssl/sslcon.c, nss/lib/ssl/sslver.c, nss/lib/util/secoid.c: Remove __DATE__ and __TIME__ references.
  * nss/cmd/shlibsign/Makefile, nss/cmd/shlibsign/manifest.mn, nss/cmd/shlibsign/shlibsign.c: Fix shlibsign to properly load the softoken module.
  * debian/rules: Remove debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss from LD_LIBRARY_PATH when executing shlibsign, which can be done now with the fix above.

 -- Mike Hommey Mon, 01 Jun 2015 09:47:58 +0900

nss (2:3.19-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3.19 symbol versions.

 -- Mike Hommey Wed, 13 May 2015 10:47:10 +0900

nss (2:3.18-1) experimental; urgency=medium

  * New upstream release. Closes: #782874.
  * debian/libnss3.symbols: Add NSS_3.18 symbol versions.

 -- Mike Hommey Mon, 20 Apr 2015 08:50:46 +0900

nss (2:3.17.4-1) experimental; urgency=medium

  * New upstream release.
  * Acknowledge NMU.

 -- Mike Hommey Wed, 25 Feb 2015 16:52:33 +0900

nss (2:3.17.2-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix CVE-2014-1569. Closes: #773625.

 -- Matt Kraai Sun, 21 Dec 2014 19:46:52 -0800

nss (2:3.17.2-1) unstable; urgency=medium

  * New upstream release.

 -- Mike Hommey Sat, 18 Oct 2014 13:22:04 +0900

nss (2:3.17.1-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2014-1568.
    - Add support for ppc64el, with a non-broken patch. Closes: #745757.
  * debian/libnss3.symbols: Add NSSUTIL_3.17.1 symbol versions.

 -- Mike Hommey Wed, 24 Sep 2014 22:16:32 +0900

nss (2:3.17-1) unstable; urgency=medium

  * New upstream release.
  * nss/coreconf/Linux.mk: Actually add support for ppc64el. Closes: #745757.

 -- Mike Hommey Sun, 24 Aug 2014 08:41:37 +0900

nss (2:3.16.3-1.1) unstable; urgency=low

  * Non-maintainer upload to delayed.
  * Add support for ppc64el. Closes: #745757

 -- Andreas Barth Mon, 18 Aug 2014 20:01:00 +0000

nss (2:3.16.3-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3.16.2 symbol versions.

 -- Mike Hommey Sun, 13 Jul 2014 09:24:12 +0900

nss (2:3.16.1-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3.16.1 symbol versions.

 -- Mike Hommey Sat, 07 Jun 2014 17:24:57 +0900

nss (2:3.16-1) unstable; urgency=medium

  * New upstream release.
  * debian/libnss3.symbols: Add NSS_3.16 symbol versions.
  * nss/lib/ckfw/builtins/certdata.txt: Remove CACert root certificates.

 -- Mike Hommey Fri, 21 Mar 2014 08:10:24 +0900

nss (2:3.15.4-2) unstable; urgency=high

  * Upstream release 3.15.4 fixed MFSA-2014-12, also known as CVE-2014-1490 and CVE-2014-1491. Bumping urgency as such.
  * debian/control, debian/libnss3-nssdb.*, debian/pkcs11.txt, debian/rules: Revert changes from 2:3.15.4-1. Reopens: #537866, Closes: #735329, #736061.

 -- Mike Hommey Wed, 05 Feb 2014 16:26:06 +0900

nss (2:3.15.4-1) unstable; urgency=low

  * New upstream release.
  * Acknowledge NMU.
  * debian/rules: Avoid long one-liner with semi-colons.
  * debian/patches/*: Refresh patches.
  * debian/copyright: Update. Closes: #730428.
  * debian/control, debian/libnss3-nssdb.*, debian/pkcs11.txt, debian/rules: Add shared cert and key databases. Thanks Timo Aaltonen. Closes: #537866.
  * debian/rules: Use DEB_HOST_ARCH instead of DEB_BUILD_ARCH.
  * debian/control: Mark libnss3-dev as Multi-Arch: same. Thanks Shawn Landden. Closes: #682925.
  * debian/libnss3.symbols: Add NSS_3.15.4 symbol versions.
 -- Mike Hommey Mon, 13 Jan 2014 10:46:04 +0900

nss (2:3.15.3.1-1.1) unstable; urgency=low

  * Non-Maintainer Upload
    - ship extra NSS utilities (Closes: #701141)

 -- Daniel Kahn Gillmor Sat, 04 Jan 2014 11:34:41 -0500

nss (2:3.15.3.1-1) unstable; urgency=high

  * New upstream release.
    - Distrusts AC DG Tresor SSL CA.

 -- Mike Hommey Sun, 15 Dec 2013 10:09:48 +0900

nss (2:3.15.3-1) unstable; urgency=high

  * New upstream release.
    - Fixes CVE-2013-1741, CVE-2013-5605, CVE-2013-5606.

 -- Mike Hommey Sat, 16 Nov 2013 08:50:45 +0900

nss (2:3.15.2-1) unstable; urgency=low

  * New upstream release.
    - Fixes CVE-2013-1739. Closes: #726473.

 -- Mike Hommey Mon, 21 Oct 2013 08:05:24 +0900

nss (2:3.15.1-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/*: Refresh patches.
  * debian/patches/lower-dhe-priority.patch: Removed, as it was only necessary for Iceweasel 3.5, which is long gone.

 -- Mike Hommey Mon, 05 Aug 2013 14:41:14 +0900

nss (2:3.15-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/*: Refresh patches and removed unused ones.
  * debian/rules: Adjusted to the new source layout.
  * debian/libnss3.symbols: Add NSS*_3.15 symbol versions.
  * debian/control: Bump nspr build dependency.

 -- Mike Hommey Sat, 15 Jun 2013 19:23:12 +0900

nss (2:3.14.3-1) unstable; urgency=high

  * New upstream release.
    - Fixes TLS timing attack (luck 13). Closes: #699888.
  * debian/libnss3.symbols: Add NSS_3.14.3 symbol version.
  * debian/control: Unbump sqlite3 build dependency, 3.14.3 lifted the need for sqlite 3.7.15.

 -- Mike Hommey Sun, 17 Mar 2013 15:01:06 +0100

nss (2:3.14.2-1) unstable; urgency=low

  * New upstream release.
  * debian/control: Bump sqlite3 build dependency.
  * debian/rules: Avoid installing freebl, softokn, nssckbi and nssdbm in two places.
  * debian/libnss3-1d.lintian-overrides.in: Stop preprocessing, it has nothing to preprocess anymore.
  * debian/libnss3.lintian-overrides.in: Fix not to contain a reference to the libnss3-1d package.
 -- Mike Hommey Fri, 15 Feb 2013 10:06:59 +0100

nss (2:3.14.1.with.ckbi.1.93-1) unstable; urgency=low

  * New upstream release.
    - Explicitly distrust two intermediate CA certificates mis-issued by TURKTRUST.
  * debian/patches/95_add_spi+cacert_ca_certs.patch: Refreshed.

 -- Mike Hommey Fri, 04 Jan 2013 11:16:33 +0100

nss (2:3.14.1-1) unstable; urgency=low

  * New upstream release.
  * debian/patches: Removed patches applied upstream, and refreshed the others.
  * debian/libnss3.symbols: Updated for new symbols.

 -- Mike Hommey Sun, 23 Dec 2012 17:40:21 +0100

nss (2:3.14-2) unstable; urgency=low

  * debian/nss-config.in: Fix nss-config when version is in the x.y form instead of x.y.z.

 -- Mike Hommey Fri, 07 Dec 2012 17:07:05 +0100

nss (2:3.14-1) unstable; urgency=low

  * New upstream release.
  * debian/patches: Removed patches applied upstream, and refreshed the others.
  * debian/libnss3.symbols: Updated for new symbols.

 -- Mike Hommey Thu, 01 Nov 2012 10:37:39 +0100

nss (2:3.13.6-1) unstable; urgency=low

  * New upstream release.
  * debian/rules: Use xz compression for binary packages. Thanks Ansgar Burchardt. Closes: #683835.

 -- Mike Hommey Fri, 31 Aug 2012 09:56:53 +0200

nss (2:3.13.5-1) unstable; urgency=low

  * New upstream release.

 -- Mike Hommey Fri, 15 Jun 2012 09:40:00 +0200

nss (2:3.13.4-3) unstable; urgency=low

  * debian/rules: Skip epoch when getting upstream version number.

 -- Mike Hommey Sun, 20 May 2012 07:36:11 +0200

nss (2:3.13.4-2) unstable; urgency=low

  * debian/control, debian/libnss3*, debian/rules, mozilla/security/coreconf/*, mozilla/security/nss/lib/*/manifest.mn: Move to unversioned library. ABI compatibility is ensured upstream, and the SO version, if it needed a change at any time, would be a change in the library name. There is no reason to keep making compatibility more difficult with other distros and upstream binary releases.
    While previous versions were one-way compatible (binaries built against other distros or upstream nspr could work on Debian), this approach works both ways.
  * debian/control:
    - Bump Standards-Version to 3.9.3.0. No changes required.
    - Force to build against libnspr4-dev >= 2:4.9
  * Removed unapplied patches.
  * Adding an epoch to match the old libnss3 package that used to be in the Debian archive.

 -- Mike Hommey Thu, 17 May 2012 09:45:36 +0200

nss (3.13.4-1) unstable; urgency=low

  * New upstream release.
    - Changed __GNUC_MINOR__ use in pkcs11n.h. Closes: #650319.
  * mozilla/security/nss/cmd/certcgi/certcgi.c, mozilla/security/nss/cmd/digest/digest.c, mozilla/security/nss/cmd/signver/pk7print.c: Import patch from Moritz Muehlenhoff for hardened format strings.
  * debian/make.mk, debian/rules, debian/control: Enable hardening. Closes: #657325.
  * debian/libnss3-1d.lintian-overrides.in, debian/rules: Use wildcards in lintian override. Closes: #670013.
  * debian/compat, debian/control: Bump debian/compat to 9. This has the effect of using build-id for debug files, thus Closes: #670015.
  * debian/libnss3-1d.symbols: Add symbols for /usr/lib/nss/ libraries.

 -- Mike Hommey Sun, 29 Apr 2012 09:48:58 +0200

nss (3.13.3-1) unstable; urgency=low

  * New upstream release.
  * debian/libnss3-1d.symbols: Updated to fit new upstream.

 -- Mike Hommey Fri, 24 Feb 2012 09:56:10 +0100

nss (3.13.2~beta1-3) experimental; urgency=low

  * debian/libnss3-1d.symbols: Fix symbol version for the symbol added in -2.

 -- Mike Hommey Fri, 23 Dec 2011 19:20:23 +0100

nss (3.13.2~beta1-2) experimental; urgency=low

  * mozilla/security/nss/lib/ssl/*, mozilla/security/nss/cmd/tstclnt/tstclnt.c, mozilla/security/nss/tests/ssl/ssl.sh: Apply patches from bz#542832, required for Iceweasel 11.
  * debian/libnss3-1d.symbols: Add corresponding symbol.

 -- Mike Hommey Fri, 23 Dec 2011 17:54:03 +0100

nss (3.13.2~beta1-1) experimental; urgency=low

  * New upstream snapshot, picked from NSS_3_13_2_BETA1 cvs tag.
  * debian/libnss3-1d.symbols: Add NSS 3.13.2 symbols.

 -- Mike Hommey Fri, 23 Dec 2011 16:22:05 +0100

nss (3.13.1.with.ckbi.1.88-1) unstable; urgency=low

  * New upstream release.
    - Distrusts Malaysian Digicert Sdn. Bhd CA certificate.
    - Addresses CVE-2011-3640 (Untrusted search path vulnerability). Closes: #647614.
  * debian/patches/*: Refreshed patches.
  * debian/libnss3-1d.symbols: Add NSS 3.13 symbols.

 -- Mike Hommey Sat, 05 Nov 2011 17:05:26 +0100

nss (3.12.11-3) unstable; urgency=high

  * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Explicitly distrust various DigiNotar CAs:
    - DigiNotar Root CA
    - DigiNotar Services 1024 CA
    - DigiNotar Cyber CA
    - DigiNotar Cyber CA 2nd
    - DigiNotar PKIoverheid
    - DigiNotar PKIoverheid G2

 -- Mike Hommey Sat, 03 Sep 2011 09:33:28 +0200

nss (3.12.11-2) unstable; urgency=high

  * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Remove DigiNotar Root CA.

 -- Mike Hommey Wed, 31 Aug 2011 08:49:00 +0200

nss (3.12.11-1) unstable; urgency=low

  * New upstream release.
  * mozilla/security/nss/lib/ckfw/builtins/certdata.*,
  * mozilla/security/coreconf/{config,Linux}.mk: Refreshed.
  * debian/copyright: Update dbm license according to that in the source. Closes: #624310

 -- Mike Hommey Fri, 12 Aug 2011 12:45:08 +0200

nss (3.12.10-3) unstable; urgency=low

  * debian/nss-config.in, debian/nss.pc.in, debian/rules: Return the multiarch path in nss-config and nss.pc.

 -- Mike Hommey Thu, 21 Jul 2011 18:08:48 +0200

nss (3.12.10-2) unstable; urgency=low

  * debian/control, debian/libnss3-1d.dirs, debian/libnss3-1d.lintian-overrides.in, debian/libnss3-dev.dirs, debian/libnss3-1d.links.in, debian/libnss3-dev.links.in, debian/rules: Switch to multi-arch while keeping backports easy. Closes: #497088.

 -- Mike Hommey Mon, 04 Jul 2011 11:24:18 +0200

nss (3.12.10-1) unstable; urgency=low

  * New upstream release.
  * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.
  * debian/control: Build depend on libnspr4-dev >= 4.8.8.
  * debian/libnss3-1d.symbols: Add new symbol version.

 -- Mike Hommey Wed, 25 May 2011 10:20:59 +0200

nss (3.12.9.with.ckbi.1.82-1) unstable; urgency=low

  * New upstream release.
    - Marks fraudulent Comodo certificates as untrusted.
  * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.

 -- Mike Hommey Thu, 24 Mar 2011 16:37:46 +0100

nss (3.12.9-2) unstable; urgency=low

  * Upload to unstable.
  * debian/rules: Fallback to DEB_BUILD_ARCH when dpkg-architecture doesn't support DEB_BUILD_ARCH_BITS.
  * debian/control: Lower build depends on dpkg-dev to (>= 1.13.19), which was the previous value.
  * mozilla/security/nss/lib/freebl/unix_rand.c: We don't need to prevent using netstat for entropy seeding. The seeding will stop before netstat if it could get data from /dev/urandom.
  * mozilla/security/coreconf/Linux.mk: We shouldn't need to special case mips64 anymore.
  * mozilla/security/nss/cmd/shlibsign/Makefile, debian/rules: Don't rely on patching the source to not create .chk files during build.

 -- Mike Hommey Sun, 06 Mar 2011 09:58:41 +0100

nss (3.12.9-1) experimental; urgency=low

  * New upstream release.

 -- Mike Hommey Sat, 15 Jan 2011 11:33:35 +0100

nss (3.12.9~beta2-1) experimental; urgency=low

  * New upstream snapshot, picked from NSS_3_12_9_BETA2 cvs tag.
  * debian/patches/*: Refresh patches.
  * debian/libnss3-1d.symbols: Add new symbol versions.
  * debian/rules: Bump shlibs.

 -- Mike Hommey Fri, 17 Dec 2010 15:01:31 +0100

nss (3.12.8-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/*: Refresh patches.
  * debian/patches/series:
    + lower-dhe-priority.patch: Upstream patch from bz#583337 to lower DHE priority. Closes: #592315.

 -- Mike Hommey Thu, 07 Oct 2010 08:50:48 +0200

nss (3.12.8~b2-1) experimental; urgency=low

  * New upstream snapshot, picked from NSS_3_12_8_BETA2 cvs tag.
  * debian/patches/*: Refresh patches.

 -- Mike Hommey Mon, 23 Aug 2010 18:11:12 +0200

nss (3.12.7-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/*: Refresh patches.
  * debian/control:
    - Bump Standards-Version to 3.9.1.0.
    - Build depend on libnspr4-dev >= 4.8.6.
  * debian/libnss3-1d.symbols: Simplify symbols file and add new symbols.
  * debian/rules: Bump shlibs.

 -- Mike Hommey Fri, 06 Aug 2010 13:55:14 +0200

nss (3.12.6-3) unstable; urgency=low

  * debian/rules:
    + Sign libnssdbm3.so. Closes: #588806.
    + Test that the FIPS mode can be properly enabled during build.
  * debian/control:
    + Remove conflicts with very old packages.
    + Bump Standards-Version to 3.9.0.0.

 -- Mike Hommey Mon, 12 Jul 2010 15:12:24 +0200

nss (3.12.6-2) unstable; urgency=low

  * debian/patches/series:
    + 00_ckbi_1.79.patch: New patch to update CKBI to 1.79.
    + 95_add_spi+cacert_ca_certs.patch: Refreshed against CKBI 1.79.

 -- Mike Hommey Fri, 09 Apr 2010 10:45:01 +0200

nss (3.12.6-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/*: Refresh patches.
  * debian/libnss3-1d.symbols, debian/rules: Update symbols file with new symbols and bump shlibs.
  * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch, debian/patches/series: Enable transitional scheme for ssl renegotiation. Closes: #561918.
  * debian/control:
    + Bump Standards-Version to 3.8.4.0.
    + Drop libnss3-1d dependency on dpkg. The versions it didn't really like were between oldstable and stable.
    + Don't allow different versions of libnss3-1d, libnss3-1d-dbg and libnss3-tools to be installed at the same time.
    + Add ${misc:Depends} to libnss3-1d-dbg dependencies.
  * debian/rules: Revert workaround for gcc 4.4 bug on powerpc with -Os.
  * debian/rules, debian/control, debian/compat: Simplify debian/rules by using dh.

 -- Mike Hommey Wed, 17 Mar 2010 20:33:32 +0100

nss (3.12.5-2) unstable; urgency=low

  * debian/control:
    + Remove build dependency on autotools-dev, we don't use it.
    + libnss3-dev depends on libnspr4-dev >= 4.6.6-1. 4.6.6-1 was the first version where the pkg-config file was nspr.pc instead of xulrunner-nspr.pc. Closes: #567134.
  * debian/patches/96_NSS_VersionCheck.patch, debian/patches/series: Remove runtime check of NSPR version in NSS_VersionCheck, which seems to be pointless. Closes: #567136.

 -- Mike Hommey Thu, 28 Jan 2010 12:12:35 +0100

nss (3.12.5-1) unstable; urgency=low

  * New upstream release.
  * debian/copyright: Modify with new location for the embedded copy of zlib.
  * debian/patches/*:
    + Adapt patches to new upstream.
    + Switch to quilt format
  * debian/source/format: Switch to 3.0 (quilt) format.
  * debian/rules, debian/control: Stop using dpatch.
  * debian/patches/38_intel_aes_executable_stack.patch: Removed. An upstream change in version 3.12.4 obsoleted it.
  * debian/rules:
    + Remove DEB_{BUILD,HOST}_* variables, they are not used.
    + Use DEB_BUILD_ARCH_BITS to determine whether to build with USE_64 or not.
    + Ship more tools in libnss3-tools. Closes: #526267.
    + Work around gcc 4.4 bug on powerpc with -Os.
    + Force non parallel build. There are too many race conditions in the build system to support parallel builds. Closes: #536248.
    + Bump shlibs.
  * debian/control:
    + Bump Standards-Version to 3.8.3.0.
    + Build-depend on dpkg-dev (>= 1.15.4) for DEB_BUILD_ARCH_BITS.
    + Stricter dependency between libnss3-dev and libnss3-1d.
  * debian/libnss3-1d.symbols:
    + Add new symbols.
    + Remove debian revision for symbols added in 3.12.4.
  * debian/patches/38_hurd.patch: Fix FTBFS on Hurd due to PATH_MAX usage in unix_rand.c. Closes: #550995.

 -- Mike Hommey Fri, 18 Dec 2009 11:48:14 +0100

nss (3.12.4-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/38_kbsd.dpatch:
    + Use CHECK_FORK_PTHREAD on kfreebsd and hurd. Closes: #547301.
    + Adapt to upstream changes.
  * debian/patches/95_add_spi+cacert_ca_certs.dpatch,
  * debian/patches/81_sonames.dpatch: Adapt to upstream changes.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols.
  * debian/rules: Bumped shlibs.

 -- Mike Hommey Sun, 11 Oct 2009 01:26:14 +0200

nss (3.12.3.1-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/95_add_spi+cacert_ca_certs.dpatch, Adapted to upstream changes.

 -- Mike Hommey Fri, 21 Aug 2009 23:47:24 +0200

nss (3.12.3-1) unstable; urgency=low

  * New upstream release.
  * debian/watch: Updated to catch new upstream .bz2 tarballs.
  * debian/copyright: Add information about mozilla/security/corecond/mkdepend.
  * debian/patches/38_hurd.dpatch, debian/patches/38_kbsd.dpatch: Adapted to upstream changes.
  * debian/patches/85_security_load.dpatch: Load libsoftokn3.so from /usr/lib/nss when unable to load it from standard ld.so paths in shlibsign.
  * debian/rules:
    + Add debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH when running shlibsign during build.
    + Bumped shlibs.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols.
  * debian/control:
    + Bumped Standards-Version to 3.8.1.0. No changes needed.
    + Put the libnss3-1d-dbg package in the "debug" section.
    + Correct libnss3-1d-dbg short description.
    + Remove redundant section on libnss3-1d.
    + Build-depend on proper version of debhelper for dh_lintian.
  * debian/*.lintian-overrides, debian/rules: Install some Lintian overrides with dh_lintian.
  * debian/patches/38_intel_aes_executable_stack.dpatch: Indicate that we don't need executable stack in intel-aes.s.
  * debian/patches/00list: Updated accordingly.

 -- Mike Hommey Sat, 18 Apr 2009 09:37:31 +0200

nss (3.12.2.with.ckbi.1.73-2) unstable; urgency=low

  * mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.h: Apply patch from upstream to fix alignment issues on sparc and ia64. Closes: #509930.

 -- Mike Hommey Mon, 06 Apr 2009 20:24:01 +0200

nss (3.12.2.with.ckbi.1.73-1) unstable; urgency=low

  * debian/patches/38_kbsd.dpatch: Brown paper bag fix for regression in previous release that led to FTBFS on i386 only. Closes: #513101. Thanks Steffen Joeris, Sebastian Andrzej Siewior and Petr Salinger.
  * debian/patches/95_add_spi+cacert_ca_certs.dpatch, debian/patches/80_security_tools.dpatch: Adapted to upstream changes.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols.
  * debian/rules: Bumped shlibs.

 -- Mike Hommey Sat, 31 Jan 2009 16:41:26 +0100

nss (3.12.1-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/95_add_spi+cacert_ca_certs.dpatch, debian/patches/38_mips64_build.dpatch, debian/patches/38_kbsd.dpatch: Adapted to upstream changes.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols.
  * debian/rules: Bumped shlibs.

 -- Mike Hommey Sat, 20 Dec 2008 12:11:28 +0100

nss (3.12.0-5) unstable; urgency=low

  * debian/control:
    + Conflict with libnss3-0d >= 3.11.5, that has conflicting files in /usr/lib/nss. Older versions (those from etch) don't conflict. This makes updates from old testing smoother. Closes: #492332.
    + Build-depend on libsqlite3-dev >= 3.3.9, since API introduced in this version is used. Closes: #493191.

 -- Mike Hommey Sun, 03 Aug 2008 09:42:03 +0200

nss (3.12.0-4) unstable; urgency=low

  * debian/control: Remove conflict with libnss3-0d, it was only useful when libnss3-0d was a transitional package. Closes: #490995.

 -- Mike Hommey Wed, 16 Jul 2008 21:29:19 +0200

nss (3.12.0-3) unstable; urgency=low

  * debian/rules:
    + Enable ECC cypher suite. Closes: #490826.
    + Build with the same optimization level as upstream.

 -- Mike Hommey Mon, 14 Jul 2008 17:35:25 +0200

nss (3.12.0-2) unstable; urgency=low

  * debian/patches/95_add_spi+cacert_ca_certs.dpatch:
    + Add CAcert root and class 3 certificates to nssckbi module.
    + Add SPI Inc. certificate to nssckbi module.
    Thanks to Martin F Krafft for these. Closes: #309564.
  * debian/patches/00list: Updated accordingly.

 -- Mike Hommey Sat, 12 Jul 2008 18:26:09 +0200

nss (3.12.0-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/92_ocsp.dpatch: Removed, as applied upstream.
  * debian/patches/00list: Updated accordingly.
  * debian/control:
    + Bumped Standards-Version to 3.8.0.1. No changes needed.
    + Added Vcs-Browser and Vcs-Git fields.
    + libnss3-dev doesn't need explicit version dependency on libnss3-1d.
    + libnss3-dev depends on libnspr4-dev. Closes: #488402.
    + Make the -dbg package less a hassle for manual installations with dpkg.
    + libnss3-1d depends on version of dpkg that either doesn't support symbols files or has fix for #474079.
  * debian/patches/85_security_load.dpatch: Load files from /usr/lib/nss if given reference path is only a filename, which happens when freebl is statically linked in a binary executable, such as signtool, and the executable is run from $PATH. When the executable is run using a full path, we must replace /bin/ in the path with /lib/ to find the libraries. Closes: #483774.
  * debian/libnss3-1d.symbols: Re-enable symbols file.

 -- Mike Hommey Sat, 05 Jul 2008 10:19:53 +0200

nss (3.12.0~rc3-3) unstable; urgency=low

  * debian/control: Make libnss3-0d conflict with old libnss3, which can still be installed on some systems, though it hasn't been in the archive since sarge. Closes: #485080.

 -- Mike Hommey Sun, 08 Jun 2008 14:11:13 +0200

nss (3.12.0~rc3-2) unstable; urgency=low

  * debian/patches/92_ocsp.dpatch: Apply patches from bz433594 and bz#433386, which are applied in upstream RC4 (and are the only changes), to fix crashes under some conditions with OCSP checks.
  * debian/patches/00list: Updated accordingly.
  * debian/libnss3-dev.links, debian/libnss3-1d.links: Don't install so files in the -dev package but in the library package. It will allow external applications linked against upstream nss to work on Debian with system nss libraries, and will avoid all browsers to have to implement symlinks themselves to allow some external plugins to work properly.
  * debian/control: Make libnss3-1d conflict with older versions of libnss3-dev and libnss3-dev need newer libnss3-1d accordingly.

 -- Mike Hommey Sat, 07 Jun 2008 11:57:55 +0200

nss (3.12.0~rc3-1) unstable; urgency=low

  * New upstream snapshot, picked from NSS_3_12_RC3 cvs tag.
 -- Mike Hommey Sun, 11 May 2008 16:58:17 +0200

nss (3.12.0~beta3-1) unstable; urgency=low

  * New upstream snapshot, picked from NSS_3_12_BETA3 cvs tag.
  * debian/control: Turn Homepage indications in descriptions into a control field.
  * debian/patches/91_build_pwdecrypt.dpatch: Enable building and installing pwdecrypt. Thanks Paul Wise. Closes: #472303.
  * debian/patches/00list: Updated accordingly.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols and rename the file, so that it isn't used, as a workaround to #474079. Closes: #474007.
  * debian/rules: Bumped shlibs.

 -- Mike Hommey Tue, 08 Apr 2008 21:23:53 +0200

nss (3.12.0~beta2-1) unstable; urgency=low

  * New upstream snapshot, picked from NSS_3_12_BETA2 cvs tag.
  * debian/patches/10_3.11.7_symbol_fix.dpatch: Removed, as applied upstream.
  * debian/patches/38_kbsd.dpatch: Adapted to upstream changes.
  * debian/patches/81_sonames.dpatch: Add SO_VERSION to libnssutil3.
  * debian/libnss3-dev.links: Add link for libnssutil3.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols. Note that SEC_StringToOID disappeared (well, was moved to nssutil), compared to version 3.12.0~1.9b1, but it was a new symbol, and isn't used anywhere.
  * debian/nss.pc.in, debian/nss-config.in: Add libnssutil3 support.
  * debian/rules:
    + Bumped shlibs.
    + Don't generate libsoftokn3.so.0d.
  * debian/control:
    + Remove transitional libnss3-0d package.
    + Bumped Standards-Version to 3.7.3.0. No changes needed.
    + Build depend on libnspr4-dev >= 4.7.0 (we *do* need the RTM version, and not the preceding betas)
  * debian/libnss3-0d.*: Removed.
  * debian/patches/85_security_load.dpatch: Load files from $ORIGIN/nss before those of $ORIGIN. Closes: #469079.
  * debian/patches/38_hurd.dpatch: Fix FTBFS on Hurd because of MAXPATHLEN. Closes: #419529.
  * debian/patches/00list: Updated accordingly.
 -- Mike Hommey Fri, 07 Mar 2008 21:27:54 +0100

nss (3.12.0~1.9b1-2) unstable; urgency=low

  * debian/control: libnss3-1-dbg needs to conflict with older libnss3-0d-dbg, as it overwrites some of its files. Closes: #455875.
  * debian/patches/90_realpath.dpatch: Use realpath() in loader_GetOriginalPathname, so that symlinks are properly followed when determining where the current library lives.
  * debian/patches/00list: Updated accordingly.
  * debian/patches/85_security_load.dpatch: When the module given by the caller contains a directory name, remove it so that the module can be properly loaded. Closes: #456296.

 -- Mike Hommey Sun, 16 Dec 2007 11:06:03 +0100

nss (3.12.0~1.9b1-1) unstable; urgency=low

  * New upstream snapshot, picked from FIREFOX_3_0b1_RELEASE cvs tag.
  * debian/copyright: Add licensing information about the recently added sqlite copy in the source tree.
  * debian/control:
    + Build depend on libsqlite3-dev.
    + Rename all -0d packages to -1d, but keep a transitional -0d package, since all libraries are compatible (except for the removed one).
    + Make libnss3-1d conflict with older libnss3-0d.
  * debian/patches/38_kbsd.dpatch, debian/patches/81_sonames.dpatch: Adapted to upstream changes.
  * debian/patches/81_sonames.dpatch:
    + Remove SO version from libsoftokn3, now it is not linked against anymore, but dlloaded.
    + Remove the hacks to have shlibsign and the signature verification code handle the SO version in the file name.
    + Bump SO version to 1d.
  * debian/rules:
    + Add NSS_USE_SYSTEM_SQLITE=1 to the make options.
    + Install libsoftokn3 and the new libnssdbm3 in /usr/lib/nss.
    + Run shlibsign on libsoftokn3 in /usr/lib/nss, without a SO version.
    + For some reason, build-stamp was missing in install-stamp dependencies.
    + Bumped shlibs because of new symbols, and pass -c4 to dpkg-gensymbols, so that it fails in all cases where the symbols file is not up to date.
    + Adapt upstream version pattern matching so that the ~1.9b1 part is removed.
    + Install .1d libraries in -1d packages.
    + Create a dummy libsoftokn3.so.0d library, installed in the libnss3-0d package.
  * debian/libnss3-0d.links:
    + Remove links in /usr/lib/xulrunner. The workaround they were implementing is going to be done another way.
    + Add .0d links to .1d libraries.
  * debian/libnss3-dev.links:
    + Don't put a symlink for libsoftokn3.
    + .so files now link to .1d libraries.
  * debian/patches/80_security_build.dpatch: Remove the hack to load libfreebl from /usr/lib/nss.
  * debian/patches/85_security_load.dpatch: Load modules from $ORIGIN/nss.
  * debian/patches/10_3.11.7_symbol_fix.dpatch: Fix a symbol version. Stolen from bz#325672.
  * debian/patches/00list: Updated accordingly.
  * debian/libnss3-0d.dirs: Renamed to libnss3-1d.dirs.

 -- Mike Hommey Sat, 08 Dec 2007 10:53:02 +0100

nss (3.11.7-1) unstable; urgency=low

  * New upstream release, picked from NSS_3_11_7_RTM cvs tag.
  * debian/patches/38_kbsd.dpatch: Also add support for the Hurd. Closes: #419529.
  * debian/rules:
    + Don't fail on clean with unpatched ruleset. Closes: #421542.
    + Bumped shlibs because of new symbols.
  * debian/patches/81_sonames.dpatch: Adapted to upstream changes.

 -- Mike Hommey Sun, 01 Jul 2007 11:29:06 +0200

nss (3.11.5-3) unstable; urgency=low

  * Upload to unstable.

 -- Mike Hommey Mon, 09 Apr 2007 20:37:25 +0200

nss (3.11.5-2) experimental; urgency=low

  * debian/rules:
    + Cleaner way to set the NSPR location.
    + Install libcrmf.a files in libnss3-dev.
    + binary-indep now does nothing.
  * debian/control: Make libnss3-dev an Arch: any package.
  * debian/nss.pc.in:
    + Remove libsoftokn3 from ld libraries.
    + Improvement in directories setting.
  * debian/libnss3-dev.dirs: Create /usr/bin.
  * debian/nss-config.in, debian/rules: Install a nss-config script into libnss3-dev.

 -- Mike Hommey Tue, 27 Mar 2007 20:41:11 +0200

nss (3.11.5-1) experimental; urgency=low

  * Initial release. (Closes: #416151)

 -- Mike Hommey Sun, 25 Mar 2007 23:56:17 +0200