-
nss (2:3.42-1ubuntu2.5) disco-security; urgency=medium
* SECURITY UPDATE: Possible wrong length for cryptographic primitives input
- debian/patches/CVE-2019-17006.patch: adds checks for length of crypto
primitives in nss/lib/freebl/chacha20poly1305.c,
nss/lib/freebl/ctr.c, nss/lib/freebl/gcm.c,
nss/lib/freebl/intel-gcm-wrap.c,
nss/lib/freebl/rsapkcs.c.
- CVE-2019-17006
-- <email address hidden> (Leonidas S. Barbosa) Tue, 07 Jan 2020 15:11:00 -0300
-
nss (2:3.42-1ubuntu2.4) disco-security; urgency=medium
* SECURITY UPDATE: Denial of service
- debian/patches/CVE-2019-17007.patch: check got some certs in
collect_certs r=jcj in nss/lib/pkcs7/certread.c,
gtests/certdb_gtest/certdb_gtest.gyp,
gtests/certdb_gtest/decode_certs_unittest.cc,
gtests/certdb_gtest/manifest.mn.
- CVE-2019-17007
-- <email address hidden> (Leonidas S. Barbosa) Thu, 05 Dec 2019 13:46:12 -0300
-
nss (2:3.42-1ubuntu2.3) disco-security; urgency=medium
* SECURITY UPDATE: out-of-bounds write in NSC_EncryptUpdate
- debian/patches/CVE-2019-11745.patch: use maxout not block size in
nss/lib/softoken/pkcs11c.c.
- CVE-2019-11745
* Note: this does _not_ contain the changes from 2:3.42-1ubuntu2.2 in
disco-proposed.
-- Marc Deslauriers <email address hidden> Tue, 26 Nov 2019 08:51:03 -0500
-
nss (2:3.42-1ubuntu2.2) disco; urgency=medium
* Disable reading fips_enabled flag on a FIPS enabled system. libnss
is not a FIPS certified library. (LP: #1837734)
-- Vineetha Kamath <email address hidden> Wed, 24 Jul 2019 13:19:43 +0000
-
nss (2:3.42-1ubuntu2.1) disco-security; urgency=medium
* SECURITY UPDATE: OOB read when importing a curve25519 private key
- debian/patches/CVE-2019-11719.patch: don't unnecessarily strip
leading 0's from key material during PKCS11 import in
nss/lib/freebl/ecl/ecp_25519.c, nss/lib/pk11wrap/pk11akey.c,
nss/lib/pk11wrap/pk11cert.c, nss/lib/pk11wrap/pk11pk12.c,
nss/lib/softoken/legacydb/lgattr.c, nss/lib/softoken/pkcs11c.c.
- CVE-2019-11719
* SECURITY UPDATE: incorrect use of PKCS#1 v1.5 signatures with TLSv1.3
- debian/patches/CVE-2019-11727.patch: prohibit use of
RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 in
nss/gtests/ssl_gtest/ssl_auth_unittest.cc,
nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
nss/gtests/ssl_gtest/ssl_extension_unittest.cc,
nss/lib/ssl/ssl3con.c.
- CVE-2019-11727
* SECURITY UPDATE: segfault via empty or malformed p256-ECDH public keys
- debian/patches/CVE-2019-11729-1.patch: more thorough input checking
in nss/lib/cryptohi/seckey.c, nss/lib/freebl/dh.c,
nss/lib/freebl/ec.c, nss/lib/util/quickder.c.
- debian/patches/CVE-2019-11729-2.patch: ignore spki decode failures on
negative tests in nss/gtests/pk11_gtest/pk11_curve25519_unittest.cc.
- CVE-2019-11729
-- Marc Deslauriers <email address hidden> Fri, 12 Jul 2019 07:48:06 -0400
-
nss (2:3.42-1ubuntu2) disco; urgency=medium
* SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
- debian/patches/CVE-2018-18508-1.patch: add null checks in
nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c,
nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c,
nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
- debian/patches/CVE-2018-18508-2.patch: add null checks in
nss/lib/smime/cmsmessage.c.
- CVE-2018-18508
-- Marc Deslauriers <email address hidden> Tue, 19 Feb 2019 12:04:49 +0100
-
nss (2:3.42-1ubuntu1) disco; urgency=medium
* Merge with Debian unstable (LP: #1813593). Remaining changes:
- d/libnss3.links: make freebl3 available as library (LP 1744328)
- d/control: add dh-exec to Build-Depends
- d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
nss (2:3.42-1) unstable; urgency=medium
* New upstream release.
nss (2:3.41-1) unstable; urgency=medium
* New upstream release.
nss (2:3.40-1) unstable; urgency=medium
* New upstream release.
-- Karl Stenerud <email address hidden> Mon, 04 Feb 2019 11:03:32 +0100
-
nss (2:3.39-1ubuntu1) disco; urgency=medium
* Merge with Debian unstable. Remaining changes (LP: #1803707):
- d/libnss3.links: make freebl3 available as library (LP 1744328)
- d/control: add dh-exec to Build-Depends
- d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
* Dropped changes:
- d/rules: when building with -O3 on ppc64el this FTBFS, build with
-Wno-error=maybe-uninitialized to avoid that
nss (2:3.39-1) unstable; urgency=medium
* New upstream release.
- Fixes CVE-2018-12384. Closes: #908332.
* debian/libnss3.symbols: Add NSS_3_39 and NSSUTIL_3_39 symbol versions.
nss (2:3.38-1) unstable; urgency=medium
* New upstream release.
* debian/libnss3.symbols: Add NSSUTIL_3_38 symbol version.
nss (2:3.37.1-1) unstable; urgency=medium
* New upstream release.
* nss/lib/freebl/Makefile: Build FStar.c when not building with int128
support. bz#1459739. Closes: #900227
nss (2:3.37-1) unstable; urgency=medium
* New upstream release. Fixes: #898496.
* debian/control, debian/rules: Generate dbgsym package.
* debian/copyright: Switch to machine-readable format.
* debian/control: Bump Standards-Version to 4.1.4.
-- Christian Ehrhardt <email address hidden> Fri, 16 Nov 2018 14:27:39 +0100
-
nss (2:3.36.1-1ubuntu1) cosmic; urgency=medium
* Merge with Debian unstable. Remaining changes:
- d/libnss3.links: make freebl3 available as library (LP 1744328)
- d/control: add dh-exec to Build-Depends
- d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)
- d/rules: when building with -O3 on ppc64el this FTBFS, build with
-Wno-error=maybe-uninitialized to avoid that
* Dropped changes:
- revert switching to SQL default format (LP: 1746947) Dropping this
addresses (LP: #1747411) and effectively means we now switch to the new
default format after we ensured all depending packages are ready.
* Added changes:
- d/rules: extended the FTBFS to -O3 on ppc64el to only apply on ppc64el
nss (2:3.36.1-1) unstable; urgency=medium
* New upstream release.
* debian/control: Update Maintainer and Vcs fields, moving off alioth.
nss (2:3.36-1) unstable; urgency=medium
* New upstream release. Closes: #894981.
-- Christian Ehrhardt <email address hidden> Mon, 07 May 2018 17:08:46 +0200