-
nss (2:3.98-0ubuntu0.22.04.2) jammy-security; urgency=medium
* SECURITY REGRESSION: failure to open modules (LP: #2060906)
- debian/patches/85_security_load.patch: fix broken patch preventing
module loading.
-- Marc Deslauriers <email address hidden> Thu, 11 Apr 2024 10:19:22 -0400
-
nss (2:3.98-0ubuntu0.22.04.1) jammy-security; urgency=medium
* Updated to upstream 3.98 to fix security issues and get a new CA
certificate bundle.
- CVE-2023-5388: timing issue in RSA operations
- CVE-2023-6135: side-channel in multiple NSS NIST curves
* Removed patches included in new version:
- debian/patches/set-tls1.2-as-minimum.patch
- debian/patches/CVE-2022-34480.patch
- debian/patches/CVE-2023-0767.patch
* Updated patches for new version:
- debian/patches/38_hppa.patch
- debian/patches/85_security_load.patch
- debian/patches/disable_fips_enabled_read.patch
- debian/patches/fix-ftbfs-s390x.patch
* debian/control: bump libnspr version to 2:4.34.
* debian/libnss3.symbols: added new symbols.
-- Marc Deslauriers <email address hidden> Thu, 21 Mar 2024 09:44:10 -0400
-
nss (2:3.68.2-0ubuntu1.2) jammy-security; urgency=medium
* SECURITY UPDATE: Arbitrary memory write via PKCS 12 in NSS
- debian/patches/CVE-2023-0767.patch: improve handling of unknown
PKCS#12 safe bag types in nss/lib/pkcs12/p12d.c,
nss/lib/pkcs12/p12t.h, nss/lib/pkcs12/p12tmpl.c.
- CVE-2023-0767
-- Marc Deslauriers <email address hidden> Fri, 17 Feb 2023 09:50:18 -0500
-
nss (2:3.68.2-0ubuntu1.1) jammy-security; urgency=medium
* SECURITY UPDATE: Free of uninitialized pointer in lg_init
- debian/patches/CVE-2022-34480.patch: rearrange frees in
nss/lib/softoken/legacydb/lginit.c.
- CVE-2022-34480
-- Marc Deslauriers <email address hidden> Wed, 06 Jul 2022 07:19:37 -0400
-
nss (2:3.68.2-0ubuntu1) jammy; urgency=medium
* New upstream release. (LP: #1959126)
* d/p/CVE-2021-43527.patch: drop patch applied upstream.
[ Fixed in 3.68.1 ]
-- Athos Ribeiro <email address hidden> Mon, 21 Feb 2022 14:55:42 -0300
-
nss (2:3.68-1ubuntu2) jammy; urgency=medium
* SECURITY UPDATE: heap overflow when verifying DSA/RSA-PSS DER-encoded
signatures
- debian/patches/CVE-2021-43527.patch: check signature lengths in
nss/lib/cryptohi/secvfy.c.
- CVE-2021-43527
-- Marc Deslauriers <email address hidden> Mon, 29 Nov 2021 07:12:54 -0500
-
nss (2:3.68-1ubuntu1) impish; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/libnss3.links: Make freebl3 available as library. (LP #1744328)
- d/control: Add dh-exec to Build-Depends.
- d/rules: Make mkdir tolerate debian/tmp existing (due to dh-exec).
- d/p/disable_fips_enabled_read.patch: Disable reading fips_enabled flag
in FIPS mode as libnss is not a FIPS certified library. (LP #1837734)
- d/p/set-tls1.2-as-minimum.patch: Set TLSv1.2 as minimum TLS version.
(LP #1856428)
- d/libnss3.links.in: Symlink chk files to fix self-verification in
FIPS mode. (LP #1885562)
- d/p/fix-ftbfs-s390x.patch: Fix some uninitialized variable warnings
and format overflows for s390x.
- d/p/fix-ftbfs-glibc-invalid-oob-error.patch: Disable non-null error
checking on call to getcwd since this results in an erroneous warning
that causes the build to fail otherwise.
* New changes:
- d/rules: Disable LTO on s390x for now. (LP #1931104)
-- Paride Legovini <email address hidden> Wed, 28 Jul 2021 15:27:12 +0200
