Revisions of mozilla-nss
Dominique Leuenberger (dimstar_suse)
accepted
request 810949
from
Wolfgang Rosenauer (wrosenauer)
(revision 158)
Dominique Leuenberger (dimstar_suse)
accepted
request 799040
from
Wolfgang Rosenauer (wrosenauer)
(revision 157)
Dominique Leuenberger (dimstar_suse)
accepted
request 793077
from
Wolfgang Rosenauer (wrosenauer)
(revision 156)
Dominique Leuenberger (dimstar_suse)
accepted
request 790238
from
Wolfgang Rosenauer (wrosenauer)
(revision 155)
Dominique Leuenberger (dimstar_suse)
accepted
request 783555
from
Factory Maintainer (factory-maintainer)
(revision 154)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 780186
from
Wolfgang Rosenauer (wrosenauer)
(revision 153)
Oliver Kurz (okurz-factory)
accepted
request 772451
from
Wolfgang Rosenauer (wrosenauer)
(revision 152)
Update in preparation for Firefox 73 - update to NSS 3.49.2 Fixed bugs: * Fix compilation problems with NEON-specific code in freebl (bmo#1608327) * Fix a taskcluster issue with Python 2 / Python 3 (bmo#1608895) - update to NSS 3.49.1 3.49.1 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49.1_release_notes * Cache the most recent PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF iteration counts (bmo#1606992) 3.49 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes * The legacy DBM database, libnssdbm, is no longer built by default when using gyp builds (bmo#1594933) * several bugfixes
Dominique Leuenberger (dimstar_suse)
accepted
request 761944
from
Wolfgang Rosenauer (wrosenauer)
(revision 151)
- update to NSS 3.48 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes Notable Changes * TLS 1.3 is the default maximum TLS version (bmo#1573118) * TLS extended master secret is enabled by default, where possible (bmo#1575411) * The master password PBE now uses 10,000 iterations by default when using the default sql (key4.db) storage (bmo#1562671) Certificate Authority Changes * Added Entrust Root Certification Authority - G4 Cert (bmo#1591178) Bugfixes - requires NSPR 4.24 * CVE-2019-17006 Add length checks for cryptographic primitives (bmo#1539788)
Dominique Leuenberger (dimstar_suse)
accepted
request 754368
from
Wolfgang Rosenauer (wrosenauer)
(revision 150)
changelog addition
Dominique Leuenberger (dimstar_suse)
accepted
request 750687
from
Wolfgang Rosenauer (wrosenauer)
(revision 149)
- update to NSS 3.47.1 * CVE-2019-11745 - EncryptUpdate should use maxout, not block size * Fix a crash that could be caused by client certificates during startup (bmo#1590495) * Fix compile-time warnings from uninitialized variables in a perl script (bmo#1589810) - update to NSS 3.47 * required by Firefox 71.0 Notable changes * Support AES HW acceleration on ARMv8 (bmo#1152625) * Allow per-socket run-time ordering of the cipher suites presented in ClientHello (bmo#1267894) * Add CMAC to FreeBL and PKCS #11 libraries (bmo#1570501) Bugfixes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes - requires NSPR 4.23
Dominique Leuenberger (dimstar_suse)
accepted
request 742855
from
Wolfgang Rosenauer (wrosenauer)
(revision 148)
- update to NSS 3.46.1 * required by Firefox 70.0 Notable changes in 3.46 * The following CA certificates were Removed: expired Class 2 Primary root certificate expired UTN-USERFirst-Client root certificate expired Deutsche Telekom Root CA 2 root certificate Swisscom Root CA 2 root certificate * Significant improvements to AES-GCM performance on ARM Many bugfixes Bug fixes in 3.46.1 * Soft token MAC verification not constant time (bmo#1582343) * Remove arbitrary HKDF output limit by allocating space as needed (bmo#1577953) - requires NSPR 4.22
Dominique Leuenberger (dimstar_suse)
accepted
request 733663
from
Factory Maintainer (factory-maintainer)
(revision 147)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 720828
from
Wolfgang Rosenauer (wrosenauer)
(revision 146)
- update to NSS 3.45 (bsc#1141322) * required by Firefox 69.0 New functions * PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL. Notable changes * bmo#1540403 - Implement Delegated Credentials * bmo#1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto * bmo#1551129 - Support static linking on Windows * bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot * bmo#1546229 - Add IPSEC IKE support to softoken * bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23) * bmo#1543874 - Expose an external clock for SSL * bmo#1546477 - Various changes in response to the ongoing FIPS review Certificate Authority Changes * The following CA certificates were Removed: bmo#1552374 - CN = Certinomis - Root CA Bugs fixed * bmo#1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719) * bmo#1515342 - More thorough input checking (CVE-2019-11729) * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727) * bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed
Dominique Leuenberger (dimstar_suse)
accepted
request 713969
from
Wolfgang Rosenauer (wrosenauer)
(revision 145)
- update to NSS 3.44.1 * required by Firefox 68.0 Bugs fixed * bmo#1554336 - Optimize away unneeded loop in mpi.c * bmo#1515342 - More thorough input checking * bmo#1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import * bmo#1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh * bmo#1546229 - Add IPSEC IKE support to softoken * bmo#1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys * bmo#1546477 - Updates to testing for FIPS validation * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 * bmo#1551041 - Unbreak build on GCC < 4.3 big-endian - update to NSS 3.44 * required by Firefox 68.0 New functions * CERT_GetCertificateDer - Access the DER-encoded form of a CERTCertificate Notable changes * It is now possible to build NSS as a static library (bmo#1543545) * Initial support for building for iOS Bugs fixed * full list https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44_release_notes - merge some baselibs fixes from SLE
Dominique Leuenberger (dimstar_suse)
accepted
request 702840
from
Wolfgang Rosenauer (wrosenauer)
(revision 144)
- update to NSS 3.43 * required by Firefox 67.0 New functions * HASH_GetHashOidTagByHashType - convert type HASH_HashType to type SECOidTag * SSL_SendCertificateRequest - allow server to request post-handshake client authentication. To use this both peers need to enable the SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism is present, post-handshake authentication is currently not TLS 1.3 compliant due to bug 1532312 Notable changes * The following CA certificates were Added: - emSign Root CA - G1 - emSign ECC Root CA - G3 - emSign Root CA - C1 - emSign ECC Root CA - C3 - Hongkong Post Root CA 3 Bugs fixed * Improve Gyp build system handling (bmo#1528669, bmo#1529308) * Improve NSS S/MIME tests for Thunderbird (bmo#1529950, bmo#1521174) * If Docker isn't installed, try running a local clang-format as a fallback (bmo#1530134) * Enable FIPS mode automatically if the system FIPS mode flag is set (bmo#1531267) * Add a -J option to the strsclnt command to specify sigschemes (bmo#1528262) * Add manual for nss-policy-check (bmo#1513909) * Fix a deref after a null check in SECKEY_SetPublicValue (bmo#1531074) * Properly handle ESNI with HRR (bmo#1517714) * Expose HKDF-Expand-Label with mechanism (bmo#1529813) * Align TLS 1.3 HKDF trace levels (bmo#1535122)
Dominique Leuenberger (dimstar_suse)
accepted
request 686019
from
Wolfgang Rosenauer (wrosenauer)
(revision 143)
will be required by FF66 to be submitted soon - update to NSS 3.42.1 * required by Firefox 66.0 New functionality * Support XDG basedir specification (bmo#818686) Notable changes * added some testcases from the Wycheproof project Bugs fixed * Reject invalid CH.legacy_version in TLS 1.3 (bmo#1490006) * A fix for Solaris where Firefox 60 core dumps during start when using profile from version 52 (bmo#1513913)
Stephan Kulow (coolo)
accepted
request 669997
from
Wolfgang Rosenauer (wrosenauer)
(revision 142)
- update to NSS 3.41.1 * (3.41) required by Firefox 65.0 New functionality * Implemented EKU handling for IPsec IKE. (bmo#1252891) * Enable half-closed states for TLS. (bmo#1423043) * Enabled the following ciphersuites by default: (bmo#1493215) TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 Notable changes * The following CA certificates were added: CN = Certigna Root CA CN = GTS Root R1 CN = GTS Root R2 CN = GTS Root R3 CN = GTS Root R4 CN = UCA Global G2 Root CN = UCA Extended Validation Root * The following CA certificates were removed: CN = AC Raíz Certicámara S.A. CN = Certplus Root CA G1 CN = Certplus Root CA G2 CN = OpenTrust Root CA G1 CN = OpenTrust Root CA G2 CN = OpenTrust Root CA G3 Bugs fixed * Reject empty supported_signature_algorithms in Certificate Request in TLS 1.2 (bmo#1412829) * Cache side-channel variant of the Bleichenbacher attack (bmo#1485864)
Dominique Leuenberger (dimstar_suse)
accepted
request 657061
from
Wolfgang Rosenauer (wrosenauer)
(revision 141)
- update to NSS 3.40.1 * required by Firefox 64.0 * patch release fixes CVE-2018-12404 Notable bug fixes * FFDHE key exchange sometimes fails with decryption failure (bmo#1478698) New functionality * The draft-00 version of encrypted SNI support is implemented * tstclnt now takes -N option to specify encrypted SNI key Notable changes * The mozilla::pkix library has been ported from Mozilla PSM to NSS. This is a C++ library for building certification paths. mozilla::pkix APIs are not exposed in the libraries NSS builds. * It is easier to build NSS on Windows in mozilla-build environments * The following CA certificates were Removed: CN = Visa eCommerce Root
Dominique Leuenberger (dimstar_suse)
accepted
request 644083
from
Wolfgang Rosenauer (wrosenauer)
(revision 140)
in preparation of Firefox 63 - update to NSS 3.39 * required by Firefox 63.0 Notable bug fixes * NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384) (bmo#1483128) New functionality * The tstclnt and selfserv utilities added support for configuring the enabled TLS signature schemes using the -J parameter. * NSS will use RSA-PSS keys to authenticate in TLS. Support for these keys is disabled by default but can be enabled using SSL_SignatureSchemePrefSet(). * certutil added the ability to delete an orphan private key from an NSS key database. * Added the nss-policy-check utility, which can be used to check an NSS policy configuration for problems. * A PKCS#11 URI can be used as an identifier for a PKCS#11 token. Notable changes * The TLS 1.3 implementation uses the final version number from RFC 8446. * Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature where the DigestInfo structure was missing the NULL parameter. Starting with version 3.39, NSS requires the encoding to contain the NULL parameter. * The tstclnt and selfserv test utilities no longer accept the -z parameter, as support for TLS compression was removed in a previous NSS version. * The CA certificates list was updated to version 2.26. * The following CA certificates were Added: - OU = GlobalSign Root CA - R6 - CN = OISTE WISeKey Global Root GC CA
Dominique Leuenberger (dimstar_suse)
accepted
request 641946
from
Wolfgang Rosenauer (wrosenauer)
(revision 139)
Displaying revisions 61 - 80 of 218