LogoopenSUSE Build Service > Projects
Sign Up | Log In

View File apache2-mod_nss.changes of Package apache2-mod_nss (Project mozilla)

-------------------------------------------------------------------
Thu Sep 29 15:26:39 UTC 2016 - jengelh@inai.de

- Avoid changing permissions through symlinks

-------------------------------------------------------------------
Thu Sep 15 10:44:06 UTC 2016 - vcizek@suse.com

- don't disable SSLV2, because it doesn't work with NSS 3.24
  (boo#993642)
  * add mod_nss-dont_disable_SSLV2.patch
- remove deprecated NSSSessionCacheTimeout option from mod_nss.conf.in
  (bsc#998176)
- change ownership of the gencert generated NSS database so apache
  can read it (bsc#998180)
  * add mod_nss-gencert-correct-ownership.patch
- use correct configuration path in mod_nss.conf.in (bsc#996282)
- remove %post migration code from the old alias directory
- generate dummy certificates if there aren't any in mod_nss.d

-------------------------------------------------------------------
Fri Jul 29 18:04:55 UTC 2016 - vcizek@suse.com

- use systemd-ask-password to prompt for a certificate passphrase
  (bsc#972968)
  * drop obsolete mod_nss-bnc863518-reopen_dev_tty.diff

-------------------------------------------------------------------
Sat Apr 16 09:12:29 UTC 2016 - vcizek@suse.com

- update to 1.0.14 (fixes boo#973996)
  * OpenSSL ciphers stopped parsing at +, CVE-2016-3099
  * Created valgrind suppression files to ease debugging
  * Implement SSL_PPTYPE_FILTER to call executables to get
    the key password pins. Can be used to prompt with systemd.
  * Improvements to migrate.pl
- drop mod_nss_migrate.pl and use upstream migrate script instead
  * add mod_nss-migrate.patch

-------------------------------------------------------------------
Thu Mar 17 16:27:13 UTC 2016 - vcizek@suse.com

- use a whitelist approach for keeping directives in the migration
  script (bsc#961907)
  * modify mod_nss_migrate.pl

-------------------------------------------------------------------
Wed Mar 16 14:45:24 UTC 2016 - pgajdos@suse.com

- fix test: add NSSPassPhraseDialog, point it to plain file

-------------------------------------------------------------------
Mon Mar 14 12:27:37 UTC 2016 - vcizek@suse.com

- update to 1.0.13
  Update default ciphers to something more modern and secure
  Check for host and netstat commands in gencert before trying to use them
  Add server support for DHE ciphers
  Extract SAN from server/client certificates into env
  Fix memory leaks and other coding issues caught by clang analyzer
  Add support for Server Name Indication (SNI) (#1010751)
  Add support for SNI for reverse proxy connections
  Add RenegBufferSize? option
  Add support for TLS Session Tickets (RFC 5077)
  Fix logical AND support in OpenSSL cipher compatibility
  Correctly handle disabled ciphers (CVE-2015-5244)
  Implement a slew more OpenSSL cipher macros
  Fix a number of illegal memory accesses and memory leaks
  Support for SHA384 ciphers if they are available in NSS
  Add compatibility for mod_ssl-style cipher definitions (#862938)
  Add TLSv1.2-specific ciphers
  Completely remove support for SSLv2
  Add support for sqlite NSS databases (#1057650)
  Compare subject CN and VS hostname during server start up
  Add support for enabling TLS v1.2
  Don't enable SSL 3 by default (CVE-2014-3566)
  Fix CVE-2013-4566
  Move nss_pcache to /usr/libexec
  Support httpd 2.4+
- drop almost all our patches (upstream)
  * 0001-SNI-check-with-NameVirtualHosts.patch
  * mod_nss-CVE-2013-4566-NSSVerifyClient.diff
  * mod_nss-PK11_ListCerts_2.patch
  * mod_nss-add_support_for_enabling_TLS_v1.2.patch
  * mod_nss-array_overrun.patch
  * mod_nss-cipherlist_update_for_tls12-doc.diff
  * mod_nss-cipherlist_update_for_tls12.diff
  * mod_nss-clientauth.patch
  * mod_nss-compare_subject_CN_and_VS_hostname.patch
  * mod_nss-gencert.patch
  * mod_nss-httpd24.patch
  * mod_nss-lockpcache.patch
  * mod_nss-negotiate.patch
  * mod_nss-no_shutdown_if_not_init_2.patch
  * mod_nss-overlapping_memcpy.patch
  * mod_nss-pcachesignal.h
  * mod_nss-proxyvariables.patch
  * mod_nss-reseterror.patch
  * mod_nss-reverse_proxy_send_SNI.patch
  * mod_nss-reverseproxy.patch
  * mod_nss-sslmultiproxy.patch
  * mod_nss-tlsv1_1.patch
  * mod_nss-wouldblock.patch
  * update-ciphers.patch
- add automake and libtool to BuildRequires
- temporarily comment out %check

-------------------------------------------------------------------
Tue Jan 12 08:31:19 UTC 2016 - pgajdos@suse.com

- %check: access syntax depends on %{apache_branch}

-------------------------------------------------------------------
Fri Dec 11 12:08:09 UTC 2015 - pgajdos@suse.com

- %{apache_branch} converted to number

-------------------------------------------------------------------
Wed Oct 14 09:23:18 UTC 2015 - pgajdos@suse.com

- mod_nss-httpd24.patch applied depending on %{apache_branch} 
  instead of %{suse_version}, fixes build for sle11 with new apache

-------------------------------------------------------------------
Fri Oct  2 14:35:41 UTC 2015 - pgajdos@suse.com

- test module with %apache_test_module_curl

-------------------------------------------------------------------
Mon Sep  7 08:25:03 UTC 2015 - vcizek@suse.com

- unified ciphers with SLE-12
  * modified patches:
    mod_nss-cipherlist_update_for_tls12-doc.diff
    mod_nss-cipherlist_update_for_tls12.diff
    update-ciphers.patch

-------------------------------------------------------------------
Mon Sep  7 08:03:31 UTC 2015 - vcizek@suse.com

- send TLS server name extension on proxy connections (bsc#933832)
  * added mod_nss-reverse_proxy_send_SNI.patch
- updates to the SNI code (from Stanislav Tokos):
  update update-ciphers.patch
  (bsc#928039)
  merge changes from the mod_nss-SNI_support.patch to:
  0001-SNI-check-with-NameVirtualHosts.patch
  (bnc#927402)
  abstract hash for NSSNickname and ServerName, add ServerAliases and Wild
  Cards for vhost
  (bsc#927402, bsc#928039, bsc#930922)
  replace SSL_SNI_SEND_ALERT by nss_die (cleaner solution for virtual hosts)
  (bsc#930186)
  add alert about permission on the certificate database
  (bsc#933265)

-------------------------------------------------------------------
Thu Jul 16 07:22:02 UTC 2015 - pgajdos@suse.com

- Requries: %{apache_suse_maintenance_mmn}
  This will pull this module to the update (in released distribution) 
  when apache maintainer thinks it is good (due api/abi changes).

-------------------------------------------------------------------
Mon May 18 10:32:12 UTC 2015 - hguo@suse.com

- The package does not carry any .conf files underneath /etc/apache2/mod_nss.d,
  therefore use 'IncludeOptional' instead of 'Include' directory in mod_nss.conf.

-------------------------------------------------------------------
Thu May  7 12:27:40 UTC 2015 - kstreitova@suse.com

- change of url and source address 

-------------------------------------------------------------------
Wed Apr  1 10:13:40 UTC 2015 - kstreitova@suse.com

- remove "ecdhe_rsa_aes_256_sha256" cipher from the mod_nss.conf.in
  file as this cipher is not supported and it was listed here
  incorrectly [bnc#921182]

-------------------------------------------------------------------
Tue Mar  3 10:25:27 UTC 2015 - kstreitova@suse.com

- add mod_nss-SNI_support.patch that brings Server Name Indication
  support that allows to have multiple HTTPS websites with multiple
  certificates on the same IP address and port.
  [fate#318331], [bnc#897712]

-------------------------------------------------------------------
Tue Nov  4 14:13:46 UTC 2014 - kstreitova@suse.com

- bnc#902068: added mod_nss-add_support_for_enabling_TLS_v1.2.patch
  that adding small fixes for support of TLS v1.2 

-------------------------------------------------------------------
Wed Oct 29 14:59:06 UTC 2014 - kstreitova@suse.com

- bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch
  that compare CN and VS hostname (use NSS library). Removed
  following patches:
  * mod_nss-SNI-checks.patch
  * mod_nss-SNI-callback.patch 

-------------------------------------------------------------------
Thu Aug 21 07:50:57 UTC 2014 - meissner@suse.com

- mod_nss-cipherlist_update_for_tls12-doc.diff,
  mod_nss-cipherlist_update_for_tls12.diff,
  mod_nss.conf.in: Added more TLS 1.2 ciphers, the CBC with SHA256.

-------------------------------------------------------------------
Thu Jul 24 12:49:29 CEST 2014 - draht@suse.de

- mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and 
  open("/dev/tty", ...) to make sure that stdin can be read from.
  startproc may inherit wrongly opened file descriptors to httpd.
  (Note: An analogous fix exists in startproc(8), too.)
  [bnc#863518]
- VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now
  externalized to /etc/apache2/conf.d/vhost-nss.template and not
  activated/read by default. [bnc#878681]
- NSSCipherSuite update following additional ciphers of Feb 18
  change. [bnc#878681]

-------------------------------------------------------------------
Fri Jun 27 16:13:01 CEST 2014 - draht@suse.de

- mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch:
  server side SNI was not implemented when mod_nss was made;
  patches implement SNI with checks if SNI provided hostname
  equals Host: field in http request header.

-------------------------------------------------------------------
Tue Feb 18 16:31:45 CET 2014 - draht@suse.de

- mod_nss-cipherlist_update_for_tls12-doc.diff
  mod_nss-cipherlist_update_for_tls12.diff
  GCM mode and Camellia ciphers added to the supported ciphers list.
  The additional ciphers are: 
  rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256
  rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  [bnc#863035]

-------------------------------------------------------------------
Fri Nov 29 16:30:07 CET 2013 - draht@suse.de

- mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566:
  If 'NSSVerifyClient none' is set in the server / vhost context
  (i.e. when server is configured to not request or require client
  certificate authentication on the initial connection), and client
  certificate authentication is expected to be required for a 
  specific directory via 'NSSVerifyClient require' setting, 
  mod_nss fails to properly require certificate authentication.
  Remote attacker can use this to access content of the restricted
  directories. [bnc#853039]

-------------------------------------------------------------------
Fri Nov  8 20:46:07 CET 2013 - draht@suse.de

- glue documentation added to /etc/apache2/conf.d/mod_nss.conf:
  * simultaneaous usage of mod_ssl and mod_nss
  * SNI concurrency
  * SUSE framework for apache configuration, Listen directive
  * module initialization
- mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in
  or mod_nss.conf, respectively. This also leads to the removal of
  nss.conf.in specific chunks in mod_nss-negotiate.patch and
  mod_nss-tlsv1_1.patch .
- mod_nss_migrate.pl conversion script added; not patched from
  source, but partially rewritten.
- README-SUSE.txt added with step-by-step instructions on how to
  convert and manage certificates and keys, as well as a rationale
  about why mod_nss was included in SLES.
- package ready for submission [bnc#847216]

-------------------------------------------------------------------
Tue Nov  5 15:45:08 CET 2013 - draht@suse.de

- generic cleanup of the package:
- explicit Requires: to mozilla-nss >= 3.15.1, as TLS-1.2 support
  came with this version - this is the objective behind this
  version update of apache2-mod_nss. Tracker bug [bnc#847216]
- change path /etc/apache2/alias to /etc/apache2/mod_nss.d to avoid
  ambiguously interpreted name of directory.
- merge content of /etc/apache2/alias to /etc/apache2/mod_nss.d if 
  /etc/apache2/alias exists.
- set explicit filemodes 640 for %post generated *.db files in
  /etc/apache2/mod_nss.d

-------------------------------------------------------------------
Fri Aug  2 08:29:35 UTC 2013 - meissner@suse.com

- mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default.
- mod_nss-clientauth.patch: merged from RHEL6 pkg
- mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg
- mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg
- mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg
- make it build on both Apache2 2.4 and 2.2 systems

-------------------------------------------------------------------
Thu Aug  1 15:06:55 UTC 2013 - meissner@suse.com

- Add support for TLS v1.1 and TLS v1.2 
  (TLS v1.2 requires mozilla nss 3.15.1 or newer.)
  - merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch
    from redhat to allow tls v1.1 too.
  - ported the tls v1.1 patch to be tls v1.2 aware
  - added mod_nss-proxyvariables.patch (from RHEL6 package)
  - added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2)
- mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun

-------------------------------------------------------------------
Fri Jul 12 10:42:06 UTC 2013 - aj@ajaissle.de

- Changed source to original tar.gz 

-------------------------------------------------------------------
Thu Jul 11 14:50:42 UTC 2013 - aj@ajaissle.de

- Added mod_nns-httpd24.patch to support build with apache 2.4

-------------------------------------------------------------------
Tue Jan 22 09:35:41 UTC 2013 - aj@ajaissle.de

-  Changed mod_nss-conf.patch to adjust mod_nss.conf to match SUSE 
   dir layout [bnc#799483]
-  Cleaned up license tag

-------------------------------------------------------------------
Sun Apr 15 14:17:19 UTC 2012 - wr@rosenauer.org

- import some patches from Fedora
- removed autoreconf call

-------------------------------------------------------------------
Wed Feb 17 13:30:47 UTC 2010 - nix@opensuse.org

- Fix mod_nss-conf.patch to work on SUSE
- Rename package from mod_nss to apache2-mod_nss