-
nss (2:3.23-0ubuntu0.15.10.1) wily-security; urgency=medium
* Updated to upstream 3.23 to fix a security issue and get a new CA
certificate bundle.
* SECURITY UPDATE: multiple memory safety issues
- CVE-2016-2834
* debian/control: bump libnspr4-dev Build-Depends to 2:4.12.
* debian/libnss3.symbols: updated for new version.
* debian/patches/CVE-2016-1950.patch: dropped, upstream.
* debian/patches/ftbfs_ppc64el.patch: dropped, no longer needed.
* debian/patches/relax_dh_size.patch: removed, now require a minimum DH
size of 1023 bits.
* debian/patches/*.patch: refreshed for new version.
-- Marc Deslauriers <email address hidden> Thu, 07 Jul 2016 13:14:23 -0400
-
nss (2:3.21-0ubuntu0.15.10.2) wily-security; urgency=medium
* SECURITY UPDATE: buffer overflow during ASN.1 decoding
- debian/patches/CVE-2016-1950.patch: check lengths in
nss/lib/util/secasn1d.c.
- CVE-2016-1950
-- Marc Deslauriers <email address hidden> Wed, 09 Mar 2016 07:37:48 -0500
-
nss (2:3.21-0ubuntu0.15.10.1) wily-security; urgency=medium
* Updated to upstream 3.21 to fix a security issue and get a new CA
certificate bundle.
* SECURITY UPDATE: improper division in mp_div and mp_exptmod
- CVE-2016-1938
* debian/libnss3.symbols: updated for new version.
* debian/patches/95_add_spi+cacert_ca_certs.patch: dropped, no longer
want the SPI cert
* debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch: dropped, no
longer needed
* debian/patches/99_reproducible: dropped, no longer needed
* debian/patches/CVE-2015-7575.patch: dropped, upstream
* debian/patches/ftbfs_ppc64el.patch: don't enable -Werror on ppc64el,
there are too many uninitialized variable false positives.
-- Marc Deslauriers <email address hidden> Thu, 04 Feb 2016 09:38:27 -0500
-
nss (2:3.19.2.1-0ubuntu0.15.10.2) wily-security; urgency=medium
* SECURITY UPDATE: incorrect MD5 support with TLS 1.2
- debian/patches/CVE-2015-7575.patch: remove MD5 in
nss/lib/ssl/ssl3con.c.
- CVE-2015-7575
-- Marc Deslauriers <email address hidden> Thu, 07 Jan 2016 13:21:10 -0500
-
nss (2:3.19.2.1-0ubuntu0.15.10.1) wily-security; urgency=medium
* Updated to upstream 3.19.2.1 to fix two security issues.
* SECURITY UPDATE: use-after-poison in sec_asn1d_parse_leaf
- CVE-2015-7181
* SECURITY UPDATE: ASN.1 decoder heap overflow
- CVE-2015-7182
-- Marc Deslauriers <email address hidden> Wed, 04 Nov 2015 10:33:01 -0600
-
nss (2:3.19.2-1ubuntu1) wily; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/rules:
+ Add x32 support.
+ Also ship blapi.h and alghmac.h in libnss3-dev.
- debian/control, debian/libnss3-nssdb.*, debian/libnss3.symbols,
debian/pkcs11.txt, debian/rules:
+ Add back support for shared cert and key databases.
* debian/patches/relax_dh_size.patch: relax minimum DH size to 768 bits
for compatibility reasons. This patch will get reverted in the future
once servers have upgraded to longer DH sizes.
* debian/control: remove cross Build Profile from Build-Depends, as it
doesn't seem to be supported by launchpad yet.
nss (2:3.19.2-1) unstable; urgency=medium
* New upstream release.
* debian/rules: Force set OS_TEST to DEB_HOST_GNU_CPU to avoid it defaulting
to `uname -m`. Thanks Helmut Grohne. Closes: #788452
nss (2:3.19.1-2) unstable; urgency=medium
* debian/control: Fix Vcs-Git url.
* nss/cmd/shlibsign/manifest.mn: Fix missing LIBRARY_VERSION.
* nss/cmd/shlibsign/shlibsign.c: Fix shlibsign on arm64.
nss (2:3.19.1-1) unstable; urgency=medium
* New upstream release.
* debian/libnss3.symbols:
- Add NSS_3.19.1 symbol versions.
- Reorder and replace *@ with (symver).
* debian/rules:
- Pass multi-arch dir for NSPR_LIB_DIR. Closes: #722811.
- Set umask when calling shlibsign, and rearrange how it's being called.
- Build nsinstall separately and set things up for cross-compilations.
- Use native shlibsign when cross-compiling.
- Do not run FIPS check on cross-builds.
* debian/control: Build depend on native libnss3-tools for cross builds.
Closes: #682926.
* debian/libnss3-tools.manpages, debian/rules: Install the manpages that
are now provided upstream. Closes: #505382.
* debian/control: Update Vcs-* urls.
* debian/control: Bump Standards-Version to 3.9.6.0. No changes required.
* nss/lib/ckfw/builtins/binst.c, nss/lib/ckfw/builtins/ckbiver.c,
nss/lib/ckfw/builtins/manifest.mn, nss/lib/ckfw/capi/ckcapiver.c,
nss/lib/ckfw/capi/manifest.mn, nss/lib/ckfw/nssmkey/ckmkver.c,
nss/lib/ckfw/nssmkey/manifest.mn, nss/lib/freebl/freeblver.c,
nss/lib/freebl/ldvector.c, nss/lib/freebl/manifest.mn,
nss/lib/nss/manifest.mn, nss/lib/nss/nssinit.c, nss/lib/nss/nssver.c,
nss/lib/smime/manifest.mn, nss/lib/smime/smimeutil.c,
nss/lib/smime/smimever.c, nss/lib/softoken/legacydb/lginit.c,
nss/lib/softoken/manifest.mn, nss/lib/softoken/pkcs11.c,
nss/lib/softoken/softkver.c, nss/lib/ssl/manifest.mn,
nss/lib/ssl/sslcon.c, nss/lib/ssl/sslver.c, nss/lib/util/secoid.c: Remove
__DATE__ and __TIME__ references.
* nss/cmd/shlibsign/Makefile, nss/cmd/shlibsign/manifest.mn,
nss/cmd/shlibsign/shlibsign.c: Fix shlibsign to properly load the sotfoken
module.
* debian/rules: Remove debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss from
LD_LIBRARY_PATH when executing shlibsign, which can be done now with the
fix above.
-- Marc Deslauriers <email address hidden> Wed, 08 Jul 2015 09:29:03 -0400
-
nss (2:3.19-1ubuntu1) wily; urgency=medium
* Merge from Debian unstable. Remaining changes:
- debian/rules:
+ Add x32 support.
+ Also ship blapi.h and alghmac.h in libnss3-dev.
- debian/control, debian/libnss3-nssdb.*, debian/libnss3.symbols,
debian/pkcs11.txt, debian/rules:
+ Add back support for shared cert and key databases.
nss (2:3.19-1) unstable; urgency=medium
* New upstream release.
* debian/libnss3.symbols: Add NSS_3.19 symbol versions.
nss (2:3.18-1) experimental; urgency=medium
* New upstream release. Closes: #782874.
* debian/libnss3.symbols: Add NSS_3.18 symbol versions.
nss (2:3.17.4-1) experimental; urgency=medium
* New upstream release.
* Acknowledge NMU.
-- Marc Deslauriers <email address hidden> Thu, 21 May 2015 09:51:47 -0400
-
nss (2:3.17.4-0ubuntu1) vivid; urgency=medium
* SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
* Removed unneeded patches:
- debian/patches/98_CVE-2014-1569.patch: included upstream.
-- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:32:50 -0500
