Change logs for nss source package in Precise

  • nss (2:3.28.4-0ubuntu0.12.04.11) precise-security; urgency=medium
    
      * SECURITY UPDATE: Out-of-bounds read
        - debian/patches/CVE-2020-12403-2.patch: fix incorrect call to ChaChaPoly1305 by PKCS11
          in nss/lib/freebl/chacha20poly1305.c.
        - CVE-2020-12403
    
     -- <email address hidden> (Leonidas S. Barbosa)  Mon, 24 Aug 2020 15:58:35 -0300
  • nss (2:3.26.2-0ubuntu0.12.04.1) precise-security; urgency=medium
    
      * Updated to upstream 3.26.2 to fix security issues and get a new CA
        certificate bundle.
      * SECURITY UPDATE: denial of service via invalid DH keys
        - CVE-2016-5285
      * SECURITY UPDATE: small subgroup confinement attack
        - CVE-2016-8635
      * SECURITY UPDATE: insufficient mitigation of timing side-channel attack
        - CVE-2016-9074
      * debian/rules: added libfreeblpriv3.so.
      * debian/libnss3.symbols: updated for new version, added
        SSL_GetCipherSuiteInfo and SSL_GetChannelInfo as they are not backwards
        compatible.
      * debian/patches/*.patch: refreshed for new version.
      * debian/rules: disable tests that fail to build with old GCC.
      * debian/patches/disable_chacha_test.patch: removed, no longer required.
    
     -- Marc Deslauriers <email address hidden>  Fri, 02 Dec 2016 13:27:18 -0500
  • nss (2:3.23-0ubuntu0.12.04.1) precise-security; urgency=medium
    
      * Updated to upstream 3.23 to fix a security issue and get a new CA
        certificate bundle.
      * SECURITY UPDATE: multiple memory safety issues
        - CVE-2016-2834
      * debian/control: bump libnspr4-dev Build-Depends to 4.12.
      * debian/libnss3.symbols: updated for new version.
      * debian/patches/CVE-2016-1950.patch: dropped, upstream.
      * debian/patches/relax_dh_size.patch: removed, now require a minimum DH
        size of 1023 bits.
      * debian/patches/disable_chacha_test.patch: disable test incompatible
        with precise's old gcc.
      * debian/patches/*.patch: refreshed for new version.
    
     -- Marc Deslauriers <email address hidden>  Thu, 07 Jul 2016 14:46:46 -0400
  • nss (2:3.21-0ubuntu0.12.04.3) precise-security; urgency=medium
    
      * SECURITY UPDATE: buffer overflow during ASN.1 decoding
        - debian/patches/CVE-2016-1950.patch: check lengths in
          nss/lib/util/secasn1d.c.
        - CVE-2016-1950
    
     -- Marc Deslauriers <email address hidden>  Wed, 09 Mar 2016 07:38:47 -0500
  • nss (2:3.21-0ubuntu0.12.04.2) precise-security; urgency=medium
    
      * debian/rules: fix versioning since the last update incorrectly added
        an epoch. (LP: #1547147)
    
     -- Marc Deslauriers <email address hidden>  Mon, 22 Feb 2016 10:10:25 -0500
  • nss (2:3.21-0ubuntu0.12.04.1) precise-security; urgency=medium
    
      * Updated to upstream 3.21 to fix a security issue and get a new CA
        certificate bundle.
      * SECURITY UPDATE: improper division in mp_div and mp_exptmod
        - CVE-2016-1938
      * debian/libnss3.symbols: updated for new version.
      * debian/patches/95_add_spi+cacert_ca_certs.patch: dropped, no longer
        want the SPI cert.
      * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch: dropped, no
        longer needed.
      * debian/patches/CVE-2015-7575.patch: dropped, upstream.
    
     -- Marc Deslauriers <email address hidden>  Thu, 04 Feb 2016 09:38:27 -0500
  • nss (3.19.2.1-0ubuntu0.12.04.2) precise-security; urgency=medium
    
      * SECURITY UPDATE: incorrect MD5 support with TLS 1.2
        - debian/patches/CVE-2015-7575.patch: remove MD5 in
          nss/lib/ssl/ssl3con.c.
        - CVE-2015-7575
    
     -- Marc Deslauriers <email address hidden>  Thu, 07 Jan 2016 13:24:13 -0500
  • nss (3.19.2.1-0ubuntu0.12.04.1) precise-security; urgency=medium
    
      * Updated to upstream 3.19.2.1 to fix two security issues.
      * SECURITY UPDATE: use-after-poison in sec_asn1d_parse_leaf
        - CVE-2015-7181
      * SECURITY UPDATE: ASN.1 decoder heap overflow
        - CVE-2015-7182
    
     -- Marc Deslauriers <email address hidden>  Wed, 04 Nov 2015 11:26:48 -0600
  • nss (3.19.2-0ubuntu0.12.04.1) precise-security; urgency=medium
    
      * SECURITY UPDATE: update to upstream 3.19.2 to fix multiple security
        issues and get a new CA certificate bundle.
        - CVE-2015-2721
        - CVE-2015-2730
      * debian/libnss3.symbols: updated for new version.
      * debian/patches/relax_dh_size.patch: relax minimum DH size to 768 bits
        for compatibility reasons. This patch will get reverted in the future
        once servers have upgraded to longer DH sizes.
    
     -- Marc Deslauriers <email address hidden>  Wed, 08 Jul 2015 12:29:51 -0400
  • nss (3.17.4-0ubuntu0.12.04.1) precise-security; urgency=medium
    
      * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
        bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
      * Removed unneeded patches:
        - debian/patches/CVE-2014-1569.patch: included upstream.

     -- Marc Deslauriers <email address hidden>   Thu, 19 Feb 2015 07:45:59 -0500
  • nss (3.17.1-0ubuntu0.12.04.2) precise-security; urgency=medium
    
      * SECURITY UPDATE: arbitrary data smuggling via incorrect ASN.1 DER
        length decoding
        - debian/patches/CVE-2014-1569.patch: properly validate lengths in
          nss/lib/util/quickder.c.
        - CVE-2014-1569

     -- Marc Deslauriers <email address hidden>   Tue, 06 Jan 2015 13:20:03 -0500
  • nss (3.17.1-0ubuntu0.12.04.1) precise-security; urgency=medium
    
      * SECURITY UPDATE: update to 3.17.1
        - see USN-2361-1
      * debian/libnss3.symbols: updated for new version.

     -- Marc Deslauriers <email address hidden>   Wed, 24 Sep 2014 07:42:15 -0400
  • nss (3.17-0ubuntu0.12.04.1) precise-security; urgency=medium
    
      * SECURITY UPDATE: update to upstream 3.17 to get new CA certificate
        bundle.
      * Removed unneeded patches:
        - debian/patches/CVE-2014-1492.patch: included upstream.
        - debian/patches/CVE-2014-1544.patch: included upstream.
      * Refreshed patches for new version:
        - debian/patches/38_kbsd.patch
        - debian/patches/85_security_load.patch
        - renamed debian/patches/95_add_spi_certs.patch to
          debian/patches/95_add_spi+cacert_ca_certs.patch to match Debian.
      * debian/libnss3.symbols: updated for new version.

     -- Marc Deslauriers <email address hidden>   Fri, 19 Sep 2014 09:21:29 -0400
  • nss (3.15.4-0ubuntu0.12.04.3) precise-security; urgency=medium
    
      * SECURITY UPDATE: possible arbitrary code execution via race condition
        - debian/patches/CVE-2014-1544.patch: prevent
          nssTrustDomain_AddCertsToCache from freeing the CERTCertificate
          associated with the NSSCertificate in nss/lib/pk11wrap/pk11cert.c.
        - CVE-2014-1544

     -- Marc Deslauriers <email address hidden>   Tue, 09 Sep 2014 07:53:48 -0400
  • nss (3.15.4-0ubuntu0.12.04.2) precise-security; urgency=medium
    
      * SECURITY UPDATE: incorrect IDNA wildcard handling
        - debian/patches/CVE-2014-1492.patch: conform to RFC 6125 in
          nss/lib/certdb/certdb.c.
        - CVE-2014-1492
      * No longer ship cacert.org certificates. (LP: #1258286)
        - removed debian/patches/95_add_spi+cacert_ca_certs.patch
        - added debian/patches/95_add_spi_certs.patch

     -- Marc Deslauriers <email address hidden>   Wed, 02 Apr 2014 10:22:10 -0400
  • nss (3.15.4-0ubuntu0.12.04.1) precise-security; urgency=medium
    
      * SECURITY UPDATE: MITM attack via TLS False Start
        - CVE-2013-1740
      * Adjusted packaging for new upstream release 3.15.4:
        - debian/patches/*: refreshed.
        - debian/libnss3.symbols: added new symbols.

     -- Marc Deslauriers <email address hidden>   Wed, 22 Jan 2014 15:16:14 -0500
  • nss (3.15.3.1-0ubuntu0.12.04.1) precise-security; urgency=low
    
      * SECURITY UPDATE: New upstream release (LP: #1263135)
        - Distrusts AC DG Tresor SSL CA

     -- Marc Deslauriers <email address hidden>   Fri, 20 Dec 2013 10:52:35 -0500
  • nss (3.15.3-0ubuntu0.12.04.1) precise-security; urgency=low
    
      * SECURITY UPDATE: New upstream release to fix multiple security issues
        and add TLSv1.2 support.
        - CVE-2013-1739
        - CVE-2013-1741
        - CVE-2013-5605
        - CVE-2013-5606
      * Adjusted packaging for 3.15.3:
        - debian/patches/*: refreshed.
        - debian/patches/lower-dhe-priority.patch: removed, no longer needed,
          was a workaround for an old version of Firefox.
        - debian/libnss3.symbols: added new symbols.
        - debian/rules: updated for new source layout.

     -- Marc Deslauriers <email address hidden>   Thu, 14 Nov 2013 14:58:07 -0500
  • nss (3.14.3-0ubuntu0.12.04.1) precise-security; urgency=low
    
      * SECURITY UPDATE: New upstream release to fix TLS timing side-channel
        attacks
        - CVE-2013-1620
      * Remaining changes:
        - 94_ckbi-1.93.patch: Dropped (included upstream)
        - 38_hurd.patch: refresh
        - 38_kbsd.patch: refresh/update
        - 80_security_tools.patch
        - 85_security_load.patch
        - 95_add_spi+cacert_ca_certs.patch
        - 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
        - lower-dhe-priority.patch
      * debian/libnss3.symbols: add NSS_3.14.3 symbols

     -- Jamie Strandboge <email address hidden>   Wed, 13 Mar 2013 13:05:23 -0500
  • nss (3.14.1-0ckbi1.93ubuntu.0.12.04.1) precise-security; urgency=low
    
      * New upstream release. Dropped the following patches:
        - debian/patches/90_realpath.patch (included upstream)
        - debian/patches/91_build_pwdecrypt.patch (included upstream)
        - debian/patches/96_NSS_VersionCheck.patch (included upstream)
        - debian/patches/98_fix_header_error.patch (included upstream)
        - debian/patches/protect-against-calls-before-nss_init.patch (included
          upstream)
        - debian/patches/CVE-2012-0441.patch (included upstream)
      * debian/patches/38_hurd.patch: refresh
      * debian/patches/38_kbsd.patch: refresh/update based on Debian
      * debian/patches/80_security_tools.patch: refresh
      * debian/patches/85_security_load.patch: refresh
      * debian/patches/95_add_spi+cacert_ca_certs.patch: updated
      * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch: refresh
      * debian/patches/lower-dhe-priority.patch: refresh/update based on Debian
      * SECURITY UPDATE: distrust improperly issued TURKTRUST intermediate CAs
        - debian/patches/94_ckbi-1.9.patch: update to CKBI 1.93 by using
          mozilla/security/nss/lib/ckfw/builtins/certdata.txt from upstream and
          updating mozilla/security/nss/lib/ckfw/builtins/nssckbi.h. Apply this
          before 95_add_spi+cacert_ca_certs.patch since it keeps this patch clean
          and underscores that SPI and CACERT are not part of upstream Roots.
        - CVE-2013-0743
      * debian/libnss3.symbols: add NSS_3.13.2, NSS_3.14, NSS_3.14.1, and
        NSSUTIL_3.14 symbols

     -- Jamie Strandboge <email address hidden>   Fri, 11 Jan 2013 12:22:51 -0600
  • nss (3.13.1.with.ckbi.1.88-1ubuntu6.1) precise-security; urgency=low
    
      * SECURITY UPDATE: denial of service in QuickDER decoder
        - debian/patches/CVE-2012-0441.patch: properly handle zero-length basic
          constraints and zero-length fields in
          nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c,
          nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c,
          nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c,
          nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h,
          nss/mozilla/security/nss/lib/util/quickder.c.
        - CVE-2012-0441

     -- Marc Deslauriers <email address hidden>   Thu, 16 Aug 2012 10:57:28 -0400
  • nss (3.13.1.with.ckbi.1.88-1ubuntu6) precise; urgency=low
    
      * Add protect-against-calls-before-nss_init.patch (RHBZ #784672).

     -- Timo Aaltonen <email address hidden>   Mon, 27 Feb 2012 14:45:29 +0200
  • nss (3.13.1.with.ckbi.1.88-1ubuntu5) precise; urgency=low
    
      * Include libnssckfw.a in the -dev package, also needed by
        mod_revocator.

     -- Timo Aaltonen <email address hidden>   Sun, 19 Feb 2012 15:21:19 +0200
  • nss (3.13.1.with.ckbi.1.88-1ubuntu4) precise; urgency=low
    
      * Include libnssb.a in the -dev package, needed by mod_revocator.

     -- Timo Aaltonen <email address hidden>   Sun, 19 Feb 2012 13:18:09 +0200
  • nss (3.13.1.with.ckbi.1.88-1ubuntu3) precise; urgency=low
    
      * Fix LP: #915069 - Add patch from upstream to fix an error in pkcs11n.h
        - add debian/patches/98_fix_header_error.patch
        - update debian/patches/series

     -- Chris Coulson <email address hidden>   Thu, 12 Jan 2012 11:15:39 +0000
  • nss (3.13.1.with.ckbi.1.88-1ubuntu2) precise; urgency=low
    
      * Fix lintian overrides to just list the soname warning to ignore
        and not list the paths, which would break installing multiarched libs.

     -- Timo Aaltonen <email address hidden>   Mon, 12 Dec 2011 13:06:15 +0200
  • nss (3.13.1.with.ckbi.1.88-1ubuntu1) precise; urgency=low
    
      * Merge from Debian testing. Remaining changes:
        - Ship the main SO files in an unversioned binary, as we don't have
          versioned SO's in Ubuntu. Maintain a transitional versioned binary
          package containing the versioned symlinks, to maintain compatibility
          with Debian
          * update control, rules
          * mass rename libnss3-1d* => libnss3*
        - Fix postinst-must-call-ldconfig - dh_makeshlibs doesn't seem to add
          the maintainer script hooks with the unversioned SO files, so add
          them manually
          * add libnss3.postinst, libnss3.postrm
        - rules: Add support for mozilla-devscripts.
        - control: Change Vcs-* to XS-Debian-Vcs-*.
      * control: Fix typo (LP: #855424)
      * Bugs fixed by the merge:
        - Using dh now (LP: #613477)
        - Adds 85_security_load.patch (LP: #315096)
    
    nss (3.13.1.with.ckbi.1.88-1) unstable; urgency=low
    
      * New upstream release.
        - Distrusts Malaysian Digicert Sdn. Bhd CA certificate.
        - Addresses CVE-2011-3640 (Untrusted search path vulnerability).
          Closes: #647614.
      * debian/patches/*: Refreshed patches.
      * debian/libnss3-1d.symbols: Add NSS 3.13 symbols.
    
    nss (3.12.11-3) unstable; urgency=high
    
      * mozilla/security/nss/lib/ckfw/builtins/certdata.*:
        Explicitly distrust various DigiNotar CAs:
        - DigiNotar Root CA
        - DigiNotar Services 1024 CA
        - DigiNotar Cyber CA
        - DigiNotar Cyber CA 2nd
        - DigiNotar PKIoverheid
        - DigiNotar PKIoverheid G2
    
    nss (3.12.11-2) unstable; urgency=high
    
      * mozilla/security/nss/lib/ckfw/builtins/certdata.*:
        Remove DigiNotar Root CA.
    
    nss (3.12.11-1) unstable; urgency=low
    
      * New upstream release.
      * mozilla/security/nss/lib/ckfw/builtins/certdata.*,
      * mozilla/security/coreconf/{config,Linux}.mk: Refreshed.
      * debian/copyright: Update dbm license according to that in the source.
        Closes: #624310
    
    nss (3.12.10-3) unstable; urgency=low
    
      * debian/nss-config.in, debian/nss.pc.in, debian/rules: Return the multiarch
        path in nss-config and nss.pc.
    
    nss (3.12.10-2) unstable; urgency=low
    
      * debian/control, debian/libnss3-1d.dirs,
        debian/libnss3-1d.lintian-overrides.in, debian/libnss3-dev.dirs,
        debian/libnss3-1d.links.in, debian/libnss3-dev.links.in,
        debian/rules: Switch to multi-arch while keeping backports easy.
        Closes: #497088.
    
    nss (3.12.10-1) unstable; urgency=low
    
      * New upstream release.
      * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.
      * debian/control: Build depend on libnspr4-dev >= 4.8.8.
      * debian/libnss3-1d.symbols: Add new symbol version.
    
    nss (3.12.9.with.ckbi.1.82-1) unstable; urgency=low
    
      * New upstream release.
        - Marks fraudulent Comodo certificates as untrusted.
      * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.

     -- Timo Aaltonen <email address hidden>   Wed, 30 Nov 2011 11:16:39 +0200
  • nss (3.12.9+ckbi-1.82-0ubuntu6) oneiric; urgency=low
    
      * No-change rebuild to force a version bump, forcing upgrades,
        and restoring the deleted library that ca-certificates ate.

     -- Adam Conrad <email address hidden>   Wed, 21 Sep 2011 14:42:05 -0600