Revisions of mozilla-nss
Dominique Leuenberger (dimstar_suse)
accepted
request 421041
from
Wolfgang Rosenauer (wrosenauer)
(revision 117)
- fix build on certain toolchains (nss-uninitialized.patch) jarfile.c:805:13: error: 'it' may be used uninitialized in this function [-Werror=maybe-uninitialized]
Dominique Leuenberger (dimstar_suse)
accepted
request 417032
from
Wolfgang Rosenauer (wrosenauer)
(revision 116)
- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236) - update to NSS 3.24 New functionality: * NSS softoken has been updated with the latest National Institute of Standards and Technology (NIST) guidance (as of 2015): - Software integrity checks and POST functions are executed on shared library load. These checks have been disabled by default, as they can cause a performance regression. To enable these checks, you must define symbol NSS_FORCE_FIPS when building NSS. - Counter mode and Galois/Counter Mode (GCM) have checks to prevent counter overflow. - Additional CSPs are zeroed in the code. - NSS softoken uses new guidance for how many Rabin-Miller tests are needed to verify a prime based on prime size. * NSS softoken has also been updated to allow NSS to run in FIPS Level 1 (no password). This mode is triggered by setting the database password to the empty string. In FIPS mode, you may move from Level 1 to Level 2 (by setting an appropriate password), but not the reverse. * A SSL_ConfigServerCert function has been added for configuring SSL/TLS server sockets with a certificate and private key. Use this new function in place of SSL_ConfigSecureServer, SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically determines the certificate type from the certificate and private key. The caller is no longer required to use SSLKEAType explicitly to select a "slot" into which the certificate is configured (which incorrectly identifies a key agreement type rather than a certificate). Separate functions for configuring Online Certificate Status Protocol
Dominique Leuenberger (dimstar_suse)
accepted
request 400680
from
Wolfgang Rosenauer (wrosenauer)
(revision 115)
1
Dominique Leuenberger (dimstar_suse)
accepted
request 397829
from
Wolfgang Rosenauer (wrosenauer)
(revision 114)
Dominique Leuenberger (dimstar_suse)
accepted
request 384318
from
Wolfgang Rosenauer (wrosenauer)
(revision 113)
- update to NSS 3.22.3 * required for Firefox 46.0 * Increase compatibility of TLS extended master secret, don't send an empty TLS extension last in the handshake (bmo#1243641) - update to NSS 3.22.2 New functionality: * RSA-PSS signatures are now supported (bmo#1215295) * Pseudorandom functions based on hashes other than SHA-1 are now supported * Enforce an External Policy on NSS from a config file (bmo#1009429) New functions: * PK11_SignWithMechanism - an extended version PK11_Sign() * PK11_VerifyWithMechanism - an extended version of PK11_Verify() * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp TLS extension data * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp TLS extension data New types: * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType * Constants for several object IDs are added to SECOidTag New macros: * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS * NSS_USE_ALG_IN_SSL * NSS_USE_POLICY_IN_SSL * NSS_RSA_MIN_KEY_SIZE * NSS_DH_MIN_KEY_SIZE * NSS_DSA_MIN_KEY_SIZE * NSS_TLS_VERSION_MIN_POLICY * NSS_TLS_VERSION_MAX_POLICY
Dominique Leuenberger (dimstar_suse)
accepted
request 368766
from
Wolfgang Rosenauer (wrosenauer)
(revision 112)
- update to NSS 3.21.1 (bmo#969894) * required for Firefox 45.0 * MFSA 2016-35/CVE-2016-1950 (bmo#1245528) Buffer overflow during ASN.1 decoding in NSS (fixed by requiring 3.21.1) * MFSA 2016-36/CVE-2016-1979 (bmo#1185033) Use-after-free during processing of DER encoded keys in NSS (fixed by requiring 3.21.1)
Dominique Leuenberger (dimstar_suse)
accepted
request 356139
from
Wolfgang Rosenauer (wrosenauer)
(revision 111)
- update to NSS 3.21 * required for Firefox 44.0 New functionality: * certutil now supports a --rename option to change a nickname (bmo#1142209) * TLS extended master secret extension (RFC 7627) is supported (bmo#1117022) * New info functions added for use during mid-handshake callbacks (bmo#1084669) New Functions: * NSS_OptionSet - sets NSS global options * NSS_OptionGet - gets the current value of NSS global options * SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name string, module parameters string, NSS specific parameters string, and NSS configuration parameter string. The module represented by the module structure is not loaded. The difference with SECMOD_CreateModule is the new function handles NSS configuration parameter strings. * SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior to the handshake being completed, for use with the callbacks that are invoked during the handshake * SSL_SignaturePrefSet - configures the enabled signature and hash algorithms for TLS * SSL_SignaturePrefGet - retrieves the currently configured signature and hash algorithms * SSL_SignatureMaxCount - obtains the maximum number signature algorithms that can be configured with SSL_SignaturePrefSet * NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared library string, module name string, module parameters string, NSS specific parameters string, and NSS configuration parameter strings. The returned strings must be freed by the caller. The difference with NSS_ArgParseModuleSpec is the new function handles NSS configuration parameter strings. * NSSUTIL_MkModuleSpecEx - take a shared library string, module name string,
Dominique Leuenberger (dimstar_suse)
accepted
request 351733
from
Factory Maintainer (factory-maintainer)
(revision 110)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 350520
from
Wolfgang Rosenauer (wrosenauer)
(revision 109)
- update to NSS 3.20.2 (bnc#959888) - update to NSS 3.20.1 (bnc#952810)
Dominique Leuenberger (dimstar_suse)
accepted
request 342323
from
Wolfgang Rosenauer (wrosenauer)
(revision 108)
- update to NSS 4.20.1 (bnc#952810) * requires NSPR 4.10.10 * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182 (bmo#1192028, bmo#1202868) memory corruption issues
Stephan Kulow (coolo)
accepted
request 335620
from
Factory Maintainer (factory-maintainer)
(revision 107)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo)
accepted
request 315776
from
Factory Maintainer (factory-maintainer)
(revision 106)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 313607
from
Wolfgang Rosenauer (wrosenauer)
(revision 105)
Dominique Leuenberger (dimstar_suse)
accepted
request 309532
from
Wolfgang Rosenauer (wrosenauer)
(revision 104)
- update to 3.19.1 No new functionality is introduced in this release. This patch release includes a fix for the recently published logjam attack. Notable Changes: * The minimum strength of keys that libssl will accept for finite field algorithms (RSA, Diffie-Hellman, and DSA) have been increased to 1023 bits (bmo#1138554). * NSS reports the bit length of keys more accurately. Thus, the SECKEY_PublicKeyStrength and SECKEY_PublicKeyStrengthInBits functions could report smaller values for values that have leading zero values. This affects the key strength values that are reported by SSL_GetChannelInfo.
Dominique Leuenberger (dimstar_suse)
accepted
request 309327
from
Factory Maintainer (factory-maintainer)
(revision 103)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo)
accepted
request 303844
from
Wolfgang Rosenauer (wrosenauer)
(revision 102)
- update to 3.18.1 * Firefox target release 38 * No new functionality is introduced in this release. Notable Changes: * The following CA certificate had the Websites and Code Signing trust bits restored to their original state to allow more time to develop a better transition strategy for affected sites: - OU = Equifax Secure Certificate Authority * The following CA certificate was removed: - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi * The following intermediate CA certificate has been added as actively distrusted because it was mis-used to issue certificates for domain names the holder did not own or control: - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG * The version number of the updated root CA list has been set to 2.4
Dominique Leuenberger (dimstar_suse)
accepted
request 294348
from
Wolfgang Rosenauer (wrosenauer)
(revision 101)
Dominique Leuenberger (dimstar_suse)
accepted
request 284702
from
Factory Maintainer (factory-maintainer)
(revision 100)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 267102
from
Factory Maintainer (factory-maintainer)
(revision 99)
Automatic submission by obs-autosubmit
Stephan Kulow (coolo)
accepted
request 258176
from
Factory Maintainer (factory-maintainer)
(revision 98)
Automatic submission by obs-autosubmit
Displaying revisions 101 - 120 of 217