-
nss (2:3.28.4-0ubuntu0.12.04.11) precise-security; urgency=medium
* SECURITY UPDATE: Out-of-bounds read
- debian/patches/CVE-2020-12403-2.patch: fix incorrect call to ChaChaPoly1305 by PKCS11
in nss/lib/freebl/chacha20poly1305.c.
- CVE-2020-12403
-- <email address hidden> (Leonidas S. Barbosa) Mon, 24 Aug 2020 15:58:35 -0300
-
nss (2:3.26.2-0ubuntu0.12.04.1) precise-security; urgency=medium
* Updated to upstream 3.26.2 to fix security issues and get a new CA
certificate bundle.
* SECURITY UPDATE: denial of service via invalid DH keys
- CVE-2016-5285
* SECURITY UPDATE: small subgroup confinement attack
- CVE-2016-8635
* SECURITY UPDATE: insufficient mitigation of timing side-channel attack
- CVE-2016-9074
* debian/rules: added libfreeblpriv3.so.
* debian/libnss3.symbols: updated for new version, added
SSL_GetCipherSuiteInfo and SSL_GetChannelInfo as they are not backwards
compatible.
* debian/patches/*.patch: refreshed for new version.
* debian/rules: disable tests that fail to build with old GCC.
* debian/patches/disable_chacha_test.patch: removed, no longer required.
-- Marc Deslauriers <email address hidden> Fri, 02 Dec 2016 13:27:18 -0500
-
nss (2:3.23-0ubuntu0.12.04.1) precise-security; urgency=medium
* Updated to upstream 3.23 to fix a security issue and get a new CA
certificate bundle.
* SECURITY UPDATE: multiple memory safety issues
- CVE-2016-2834
* debian/control: bump libnspr4-dev Build-Depends to 4.12.
* debian/libnss3.symbols: updated for new version.
* debian/patches/CVE-2016-1950.patch: dropped, upstream.
* debian/patches/relax_dh_size.patch: removed, now require a minimum DH
size of 1023 bits.
* debian/patches/disable_chacha_test.patch: disable test incompatible
with precise's old gcc.
* debian/patches/*.patch: refreshed for new version.
-- Marc Deslauriers <email address hidden> Thu, 07 Jul 2016 14:46:46 -0400
-
nss (2:3.21-0ubuntu0.12.04.3) precise-security; urgency=medium
* SECURITY UPDATE: buffer overflow during ASN.1 decoding
- debian/patches/CVE-2016-1950.patch: check lengths in
nss/lib/util/secasn1d.c.
- CVE-2016-1950
-- Marc Deslauriers <email address hidden> Wed, 09 Mar 2016 07:38:47 -0500
-
nss (2:3.21-0ubuntu0.12.04.2) precise-security; urgency=medium
* debian/rules: fix versioning since the last update incorrectly added
an epoch. (LP: #1547147)
-- Marc Deslauriers <email address hidden> Mon, 22 Feb 2016 10:10:25 -0500
-
nss (2:3.21-0ubuntu0.12.04.1) precise-security; urgency=medium
* Updated to upstream 3.21 to fix a security issue and get a new CA
certificate bundle.
* SECURITY UPDATE: improper division in mp_div and mp_exptmod
- CVE-2016-1938
* debian/libnss3.symbols: updated for new version.
* debian/patches/95_add_spi+cacert_ca_certs.patch: dropped, no longer
want the SPI cert
* debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch: dropped, no
longer needed
* debian/patches/CVE-2015-7575.patch: dropped, upstream
-- Marc Deslauriers <email address hidden> Thu, 04 Feb 2016 09:38:27 -0500
-
nss (3.19.2.1-0ubuntu0.12.04.2) precise-security; urgency=medium
* SECURITY UPDATE: incorrect MD5 support with TLS 1.2
- debian/patches/CVE-2015-7575.patch: remove MD5 in
nss/lib/ssl/ssl3con.c.
- CVE-2015-7575
-- Marc Deslauriers <email address hidden> Thu, 07 Jan 2016 13:24:13 -0500
-
nss (3.19.2.1-0ubuntu0.12.04.1) precise-security; urgency=medium
* Updated to upstream 3.19.2.1 to fix two security issues.
* SECURITY UPDATE: use-after-poison in sec_asn1d_parse_leaf
- CVE-2015-7181
* SECURITY UPDATE: ASN.1 decoder heap overflow
- CVE-2015-7182
-- Marc Deslauriers <email address hidden> Wed, 04 Nov 2015 11:26:48 -0600
-
nss (3.19.2-0ubuntu0.12.04.1) precise-security; urgency=medium
* SECURITY UPDATE: update to upstream 3.19.2 to fix multiple security
issues and get a new CA certificate bundle.
- CVE-2015-2721
- CVE-2015-2730
* debian/libnss3.symbols: updated for new version.
* debian/patches/relax_dh_size.patch: relax minimum DH size to 768 bits
for compatibility reasons. This patch will get reverted in the future
once servers have upgraded to longer DH sizes.
-- Marc Deslauriers <email address hidden> Wed, 08 Jul 2015 12:29:51 -0400
-
nss (3.17.4-0ubuntu0.12.04.1) precise-security; urgency=medium
* SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
* Removed unneeded patches:
- debian/patches/CVE-2014-1569.patch: included upstream.
-- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:45:59 -0500
-
nss (3.17.1-0ubuntu0.12.04.2) precise-security; urgency=medium
* SECURITY UPDATE: arbitrary data smuggling via incorrect ASN.1 DER
length decoding
- debian/patches/CVE-2014-1569.patch: properly validate lengths in
nss/lib/util/quickder.c.
- CVE-2014-1569
-- Marc Deslauriers <email address hidden> Tue, 06 Jan 2015 13:20:03 -0500
-
nss (3.17.1-0ubuntu0.12.04.1) precise-security; urgency=medium
* SECURITY UPDATE: update to 3.17.1
- see USN-2361-1
* debian/libnss3.symbols: updated for new version.
-- Marc Deslauriers <email address hidden> Wed, 24 Sep 2014 07:42:15 -0400
-
nss (3.17-0ubuntu0.12.04.1) precise-security; urgency=medium
* SECURITY UPDATE: update to upstream 3.17 to get new CA certificate
bundle.
* Removed unneeded patches:
- debian/patches/CVE-2014-1492.patch: included upstream.
- debian/patches/CVE-2014-1544.patch: included upstream.
* Refreshed patches for new version:
- debian/patches/38_kbsd.patch
- debian/patches/85_security_load.patch
- renamed debian/patches/95_add_spi_certs.patch to
debian/patches/95_add_spi+cacert_ca_certs.patch to match Debian.
* debian/libnss3.symbols: updated for new version.
-- Marc Deslauriers <email address hidden> Fri, 19 Sep 2014 09:21:29 -0400
-
nss (3.15.4-0ubuntu0.12.04.3) precise-security; urgency=medium
* SECURITY UPDATE: possible arbitrary code execution via race condition
- debian/patches/CVE-2014-1544.patch: prevent
nssTrustDomain_AddCertsToCache from freeing the CERTCertificate
associated with the NSSCertificate in nss/lib/pk11wrap/pk11cert.c.
- CVE-2014-1544
-- Marc Deslauriers <email address hidden> Tue, 09 Sep 2014 07:53:48 -0400
-
nss (3.15.4-0ubuntu0.12.04.2) precise-security; urgency=medium
* SECURITY UPDATE: incorrect IDNA wildcard handling
- debian/patches/CVE-2014-1492.patch: conform to RFC 6125 in
nss/lib/certdb/certdb.c.
- CVE-2014-1492
* No longer ship cacert.org certificates. (LP: #1258286)
- removed debian/patches/95_add_spi+cacert_ca_certs.patch
- added debian/patches/95_add_spi_certs.patch
-- Marc Deslauriers <email address hidden> Wed, 02 Apr 2014 10:22:10 -0400
-
nss (3.15.4-0ubuntu0.12.04.1) precise-security; urgency=medium
* SECURITY UPDATE: MITM attack via TLS False Start
- CVE-2013-1740
* Adjusted packaging for new upstream release 3.15.4:
- debian/patches/*: refreshed.
- debian/libnss3.symbols: added new symbols.
-- Marc Deslauriers <email address hidden> Wed, 22 Jan 2014 15:16:14 -0500
-
nss (3.15.3.1-0ubuntu0.12.04.1) precise-security; urgency=low
* SECURITY UPDATE: New upstream release (LP: #1263135)
- Distrusts AC DG Tresor SSL CA
-- Marc Deslauriers <email address hidden> Fri, 20 Dec 2013 10:52:35 -0500
-
nss (3.15.3-0ubuntu0.12.04.1) precise-security; urgency=low
* SECURITY UPDATE: New upstream release to fix multiple security issues
and add TLSv1.2 support.
- CVE-2013-1739
- CVE-2013-1741
- CVE-2013-5605
- CVE-2013-5606
* Adjusted packaging for 3.15.3:
- debian/patches/*: refreshed.
- debian/patches/lower-dhe-priority.patch: removed, no longer needed,
was a workaround for an old version of firefox.
- debian/libnss3.symbols: added new symbols.
- debian/rules: updated for new source layout.
-- Marc Deslauriers <email address hidden> Thu, 14 Nov 2013 14:58:07 -0500
-
nss (3.14.3-0ubuntu0.12.04.1) precise-security; urgency=low
* SECURITY UPDATE: New upstream release to fix TLS timing side-channel
attacks
- CVE-2013-1620
* Remaining changes:
- 94_ckbi-1.93.patch: Dropped (included upstream)
- 38_hurd.patch: refresh
- 38_kbsd.patch: refresh/update
- 80_security_tools.patch
- 85_security_load.patch
- 95_add_spi+cacert_ca_certs.patch
- 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
- lower-dhe-priority.patch
* debian/libnss3.symbols: add NSS_3.14.3 symbols
-- Jamie Strandboge <email address hidden> Wed, 13 Mar 2013 13:05:23 -0500
-
nss (3.14.1-0ckbi1.93ubuntu.0.12.04.1) precise-security; urgency=low
* New upstream release. Dropped the following patches:
- debian/patches/90_realpath.patch (included upstream)
- debian/patches/91_build_pwdecrypt.patch (included upstream)
- debian/patches/96_NSS_VersionCheck.patch (included upstream)
- debian/patches/98_fix_header_error.patch (included upstream)
- debian/patches/protect-against-calls-before-nss_init.patch (included
upstream)
- debian/patches/CVE-2012-0441.patch (included upstream)
* debian/patches/38_hurd.patch: refresh
* debian/patches/38_kbsd.patch: refresh/update based on Debian
* debian/patches/80_security_tools.patch: refresh
* debian/patches/85_security_load.patch: refresh
* debian/patches/95_add_spi+cacert_ca_certs.patch: updated
* debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch: refresh
* debian/patches/lower-dhe-priority.patch: refresh/update based on Debian
* SECURITY UPDATE: distrust improperly issued TURKTRUST intermediate CAs
- debian/patches/94_ckbi-1.9.patch: update to CKBI 1.93 by using
mozilla/security/nss/lib/ckfw/builtins/certdata.txt from upstream and
updating mozilla/security/nss/lib/ckfw/builtins/nssckbi.h. Apply this
before 95_add_spi+cacert_ca_certs.patch since it keeps this patch clean
and underscores that SPI and CACERT are not part of upstream Roots.
- CVE-2013-0743
* debian/libnss3.symbols: add NSS_3.13.2, NSS_3.14, NSS_3.14.1, and
NSSUTIL_3.14 symbols
-- Jamie Strandboge <email address hidden> Fri, 11 Jan 2013 12:22:51 -0600
-
nss (3.13.1.with.ckbi.1.88-1ubuntu6.1) precise-security; urgency=low
* SECURITY UPDATE: denial of service in QuickDER decoder
- debian/patches/CVE-2012-0441.patch: properly handle zero-length basic
constraints and zero-length fields in
nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c,
nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c,
nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c,
nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h,
nss/mozilla/security/nss/lib/util/quickder.c.
- CVE-2012-0441
-- Marc Deslauriers <email address hidden> Thu, 16 Aug 2012 10:57:28 -0400
-
nss (3.13.1.with.ckbi.1.88-1ubuntu6) precise; urgency=low
* Add protect-against-calls-before-nss_init.patch (RHBZ #784672).
-- Timo Aaltonen <email address hidden> Mon, 27 Feb 2012 14:45:29 +0200
-
nss (3.13.1.with.ckbi.1.88-1ubuntu5) precise; urgency=low
* Include libnssckfw.a in the -dev package, also needed by
mod_revocator.
-- Timo Aaltonen <email address hidden> Sun, 19 Feb 2012 15:21:19 +0200
-
nss (3.13.1.with.ckbi.1.88-1ubuntu4) precise; urgency=low
* Include libnssb.a in the -dev package, needed by mod_revocator.
-- Timo Aaltonen <email address hidden> Sun, 19 Feb 2012 13:18:09 +0200
-
nss (3.13.1.with.ckbi.1.88-1ubuntu3) precise; urgency=low
* Fix LP: #915069 - Add patch from upstream to fix an error in pkcs11n.h
- add debian/patches/98_fix_header_error.patch
- update debian/patches/series
-- Chris Coulson <email address hidden> Thu, 12 Jan 2012 11:15:39 +0000
-
nss (3.13.1.with.ckbi.1.88-1ubuntu2) precise; urgency=low
* Fix lintian overrides to just list the soname warning to ignore
and not list the paths, which would break installing multiarched libs.
-- Timo Aaltonen <email address hidden> Mon, 12 Dec 2011 13:06:15 +0200
-
nss (3.13.1.with.ckbi.1.88-1ubuntu1) precise; urgency=low
* Merge from Debian testing. Remaining changes:
- Ship the main SO files in an unversioned binary, as we don't have
versioned SO's in Ubuntu. Maintain a transitional versioned binary
package containing the versioned symlinks, to maintain compatibility
with Debian
* update control, rules
* mass rename libnss3-1d* => libnss3*
- Fix postinst-must-call-ldconfig - dh_makeshlibs doesn't seem to add
the maintainer script hooks with the unversioned SO files, so add
them manually
* add libnss3.postinst, libnss3.postrm
- rules: Add support for mozilla-devscripts.
- control: Change Vcs-* to XS-Debian-Vcs-*.
* control: Fix typo (LP: #855424)
* Bugs fixed by the merge:
- Using dh now (LP: #613477)
- Adds 85_security_load.patch (LP: #315096)
nss (3.13.1.with.ckbi.1.88-1) unstable; urgency=low
* New upstream release.
- Distrusts malaysian Digicert Sdn. Bhd CA certificate.
- Addresses CVE-2011-3640 (Untrusted search path vulnerability).
Closes: #647614.
* debian/patches/*: Refreshed patches.
* debian/libnss3-1d.symbols: Add NSS 3.13 symbols.
nss (3.12.11-3) unstable; urgency=high
* mozilla/security/nss/lib/ckfw/builtins/certdata.*:
Explicitely distrust various DigiNotar CAs:
- DigiNotar Root CA
- DigiNotar Services 1024 CA
- DigiNotar Cyber CA
- DigiNotar Cyber CA 2nd
- DigiNotar PKIoverheid
- DigiNotar PKIoverheid G2
nss (3.12.11-2) unstable; urgency=high
* mozilla/security/nss/lib/ckfw/builtins/certdata.*:
Remove DigiNotar Root CA.
nss (3.12.11-1) unstable; urgency=low
* New upstream release.
* mozilla/security/nss/lib/ckfw/builtins/certdata.*,
* mozilla/security/coreconf/{config,Linux}.mk: Refreshed.
* debian/copyright: Update dbm license according to that in the source.
Closes: #624310
nss (3.12.10-3) unstable; urgency=low
* debian/nss-config.in, debian/nss.pc.in, debian/rules: Return the multiarch
path in nss-config and nss.pc.
nss (3.12.10-2) unstable; urgency=low
* debian/control, debian/libnss3-1d.dirs,
debian/libnss3-1d.lintian-overrides.in, debian/libnss3-dev.dirs,
debian/libnss3-1d.links.in, debian/libnss3-dev.links.in,
debian/rules: Switch to multi-arch while keeping backports easy.
Closes: #497088.
nss (3.12.10-1) unstable; urgency=low
* New upstream release.
* mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.
* debian/control: Build depend on libnspr4-dev >= 4.8.8.
* debian/libnss3-1d.symbols: Add new symbol version.
nss (3.12.9.with.ckbi.1.82-1) unstable; urgency=low
* New upstream release.
- Marks fraudulent Comodo certificates as untrusted.
* mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.
-- Timo Aaltonen <email address hidden> Wed, 30 Nov 2011 11:16:39 +0200
-
nss (3.12.9+ckbi-1.82-0ubuntu6) oneiric; urgency=low
* No-change rebuild to force a version bump, forcing upgrades,
and restoring the deleted library that ca-certificates ate.
-- Adam Conrad <email address hidden> Wed, 21 Sep 2011 14:42:05 -0600
