-
nss (2:3.98-0ubuntu0.20.04.2) focal-security; urgency=medium
* SECURITY REGRESSION: failure to open modules (LP: #2060906)
- debian/patches/85_security_load.patch: fix broken patch preventing
module loading.
-- Marc Deslauriers <email address hidden> Thu, 11 Apr 2024 10:23:19 -0400
-
nss (2:3.98-0ubuntu0.20.04.1) focal-security; urgency=medium
* Updated to upstream 3.98 to fix security issues and get a new CA
certificate bundle.
- CVE-2023-4421: PKCS#1 v1.5 Bleichenbacher-like attack
- CVE-2023-5388: timing issue in RSA operations
- CVE-2023-6135: side-channel in multiple NSS NIST curves
* Removed patches included in new version:
- debian/patches/set-tls1.2-as-minimum.patch
- debian/patches/bz1608327-freebl-arm
- debian/patches/CVE-*.patch
* Updated patches for new version:
- debian/patches/38_hppa.patch
- debian/patches/85_security_load.patch
- debian/patches/disable_fips_enabled_read.patch
* debian/control: bump libnspr version to 2:4.34.
* debian/libnss3.symbols: added new symbols.
-- Marc Deslauriers <email address hidden> Thu, 21 Mar 2024 09:44:10 -0400
-
nss (2:3.49.1-1ubuntu1.9) focal-security; urgency=medium
* SECURITY UPDATE: Arbitrary memory write via PKCS 12 in NSS
- debian/patches/CVE-2023-0767.patch: improve handling of unknown
PKCS#12 safe bag types in nss/lib/pkcs12/p12d.c,
nss/lib/pkcs12/p12t.h, nss/lib/pkcs12/p12tmpl.c.
- CVE-2023-0767
-- Marc Deslauriers <email address hidden> Fri, 17 Feb 2023 09:50:54 -0500
-
nss (2:3.49.1-1ubuntu1.8) focal-security; urgency=medium
* SECURITY UPDATE: Crash when handling empty pkcs7 sequence
- debian/patches/CVE-2022-22747.patch: check for missing signedData
field in nss/gtests/certdb_gtest/decode_certs_unittest.cc,
nss/lib/pkcs7/certread.c.
- CVE-2022-22747
* SECURITY UPDATE: Free of uninitialized pointer in lg_init
- debian/patches/CVE-2022-34480.patch: rearrange frees in
nss/lib/softoken/legacydb/lginit.c.
- CVE-2022-34480
-- Marc Deslauriers <email address hidden> Wed, 06 Jul 2022 07:23:47 -0400
-
nss (2:3.49.1-1ubuntu1.7) focal-security; urgency=medium
* SECURITY UPDATE: Denial of service through ChangeCipherSpec
- debian/patches/CVE-2020-25648-1.patch: reject CCS when
compatibility is not specify or if many CCS in a row in
nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc,
nss/lib/ssl/ssl3con.c and nss/lib/ssl/sslimpl.h.
- debian/patches/CVE-2020-25648-2.patch: reject multiple CCS
packages but allow the first one in
nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc,
nss/lib/ssl/ssl3con.c and nss/lib/ssl/sslimpl.h.
- CVE-2020-25648
-- David Fernandez Gonzalez <email address hidden> Mon, 09 May 2022 15:35:11 +0200
-
nss (2:3.49.1-1ubuntu1.6) focal-security; urgency=medium
* SECURITY UPDATE: heap overflow when verifying DSA/RSA-PSS DER-encoded
signatures
- debian/patches/CVE-2021-43527.patch: check signature lengths in
nss/lib/cryptohi/secvfy.c.
- CVE-2021-43527
-- Marc Deslauriers <email address hidden> Mon, 29 Nov 2021 07:15:58 -0500
-
nss (2:3.49.1-1ubuntu1.5) focal-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2020-12403-*.patch: disable PKCS11 incremental
mode for ChaCha20 and fix incorrect call to ChaChaPoly1305 by PKCS11
in nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc,
nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc,
nss/lib/softoken/pkcs11c.c, nss/lib/freebl/chacha20poly1305.c.
- CVE-2020-12403
-- <email address hidden> (Leonidas S. Barbosa) Thu, 20 Aug 2020 12:02:04 -0300
-
nss (2:3.49.1-1ubuntu1.4) focal-security; urgency=medium
* SECURITY UPDATE: Side-channel attack
- debian/patches/CVE-2020-12400-and-6829-*.patch: use constant-time
P-384 and P-521 in nss/lib/freebl/ecl/ecl-priv.h, nss/lib/freebl/ecl/ecl.c,
nss/lib/freebl/ecl/ecl_spec384r1.c, nss/lib/freebl/freebl_base.gypi,
nss/lib/freebl/manifest.mn, nss/test/ec/ectest.sh.
- CVE-2020-12400
- CVE-2020-6829
* SECURITY UPDATE: Timing attack mitigation bypass
- debian/patches/CVE-2020-12401.patch: remove unnecessary scalar
padding in nss/lib/freebl/ec.c.
- CVE-2020-12401
-- <email address hidden> (Leonidas S. Barbosa) Wed, 05 Aug 2020 15:28:48 -0300
-
nss (2:3.49.1-1ubuntu1.3) focal; urgency=medium
* Symlink chk files to fix self-verification in FIPS mode (LP: #1885562)
-- Dariusz Gadomski <email address hidden> Tue, 21 Jul 2020 09:33:20 +0200
-
nss (2:3.49.1-1ubuntu1.2) focal-security; urgency=medium
* SECURITY UPDATE: Side channel vulnerabilities during RSA key generation
- debian/patches/CVE-2020-12402.patch: use constant-time GCD and
modular inversion in nss/lib/freebl/mpi/mpi.c,
nss/lib/freebl/mpi/mpi.h, nss/lib/freebl/mpi/mplogic.c.
- CVE-2020-12402
-- Marc Deslauriers <email address hidden> Mon, 22 Jun 2020 13:29:53 -0400
-
nss (2:3.49.1-1ubuntu1.1) focal-security; urgency=medium
* SECURITY UPDATE: Timing attack during DSA key generation
- debian/patches/CVE-2020-12399.patch: force a fixed length for DSA
exponentiation in nss/lib/freebl/dsa.c.
- CVE-2020-12399
-- Marc Deslauriers <email address hidden> Wed, 10 Jun 2020 12:54:12 -0400
-
nss (2:3.49.1-1ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/libnss3.links: make freebl3 available as library (LP #1744328)
- d/control: add dh-exec to Build-Depends
- d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
- Disable reading fips_enabled flag in FIPS mode. libnss is
not a FIPS certified library. (LP #1837734)
- Set TLSv1.2 as minimum TLS version. LP #1856428
nss (2:3.49.1-1) unstable; urgency=medium
* New upstream release.
* nss/lib/freebl/Makefile: Revert change from 2:3.48-1.
* nss/coreconf/config.gypi, nss/lib/freebl/Makefile,
nss/lib/freebl/aes-armv8.c, nss/lib/freebl/freebl.gyp,
nss/lib/freebl/gcm-arm32-neon.c, nss/lib/freebl/gcm.c,
nss/lib/freebl/rijndael.c: Fix freebl arm NEON code use, fixing FTBFS
on armhf, and enabling runtime detection of NEON on armel. bz#1608327
nss (2:3.49-1) unstable; urgency=medium
* New upstream release.
* Fixes CVE-2019-17023.
-- Lucas Kanashiro <email address hidden> Wed, 22 Jan 2020 16:24:44 -0300
-
nss (2:3.48-1ubuntu1) focal; urgency=low
* Merge from Debian unstable. Remaining changes:
- d/libnss3.links: make freebl3 available as library (LP #1744328)
- d/control: add dh-exec to Build-Depends
- d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
- Disable reading fips_enabled flag in FIPS mode. libnss is
not a FIPS certified library. (LP #1837734)
* Set TLSv1.2 as minimum TLS version. LP: #1856428
nss (2:3.48-1) unstable; urgency=medium
* New upstream release. Closes: #947131.
* debian/control: Bump nspr build dependency to 4.24.
* nss/lib/freebl/Makefile: Disable hardware AES on ARM softfloat to fix
FTBFS on armel. Closes: #947246.
nss (2:3.47.1-1) unstable; urgency=medium
* New upstream release.
- Fixes CVE-2019-11745.
-- Ubuntu Merge-o-Matic <email address hidden> Sun, 29 Dec 2019 03:43:36 +0000
-
nss (2:3.47-1ubuntu2) focal; urgency=medium
* SECURITY UPDATE: out-of-bounds write in NSC_EncryptUpdate
- debian/patches/CVE-2019-11745.patch: use maxout not block size in
nss/lib/softoken/pkcs11c.c.
- CVE-2019-11745
-- Marc Deslauriers <email address hidden> Tue, 26 Nov 2019 08:31:39 -0500
-
nss (2:3.47-1ubuntu1) focal; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/libnss3.links: make freebl3 available as library (LP #1744328)
- d/control: add dh-exec to Build-Depends
- d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
- Disable reading fips_enabled flag in FIPS mode. libnss is
not a FIPS certified library. (LP #1837734)
nss (2:3.47-1) unstable; urgency=medium
* New upstream release.
* debian/libnss3.symbols: Add NSS_3_47 symbol version.
-- Lucas Kanashiro <email address hidden> Thu, 31 Oct 2019 16:18:35 -0300
-
nss (2:3.45-1ubuntu2) eoan; urgency=medium
* Disable reading fips_enabled flag in FIPS mode. libnss is
not a FIPS certified library. (LP: #1837734)
-- Vineetha Kamath <email address hidden> Tue, 23 Jul 2019 20:58:12 +0000
