Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
apache2-mod_nss
apache2-mod_nss.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File apache2-mod_nss.changes of Package apache2-mod_nss
------------------------------------------------------------------- Mon May 11 09:16:25 UTC 2020 - Vítězslav Čížek <vcizek@suse.com> - Update to 1.0.17 (jsc#ECO-1907, bsc#1167322) * Add TLSv1.3 support * Update documentation for TLS 1.3 * Add TLS 1.3 support to the cipher tests * PEP-8 fixups * Change the default certificate database format to SQLite. * Try to auto-detect the NSS database format if not specified * Update nss_pcache.8 man page to drop directory and prefix * When a token is configured in password file only authenticate once * Return an error when NSSPassPhraseDialog is invalid * Move 3DES ciphers down from HIGH to MEDIUM to match OpenSSL 1.0.2k+ * Add -Werror=implicit-function-declaration to CFLAGS * Handle group membership when testing for file permissions * NSS system-wide policy now disables SSLv3, don't use it in tests * Add missing error messages for libssl errors * Fix doc typo in SSL_[SERVER|CLIENT]_SAN_IPaddr env variable name * When including additional test config use specific extension * Fix the TLS Session ID cache * Make an invalid protocol setting fatal * Don't use same NSS db in nss_pcache as mod_nss, use NSS_NoDB_Init() * Add info log message when FIPS is enabled * Add AES-256 and drop DES, CAST128, SKIPJACK as wrapping key types * Fix removal of CR from PEM certificates * Add OCSP caching and timeout tuning knobs * Check the NSS database directory permissions as well as the files inside it for read access on startup. * Add in simple aliases for ciphers to fix those that don't follow the pattern (dhe_rsa_aes_128_sha256, dhe_rsa_aes_256_sha256) and those with typos (camelia_128_sha, camelia_256_sha) * Fix semaphore leak * Don't set remote user in fixup hook * Drop SSLv2 tests because it is completely disabled now - Drop upstreamed patches: * 0001-Change-the-default-certificate-database-format-to-SQ.patch * 0001-Enhance-checking-on-NSS-database-permissions-to-incl.patch * 0001-Handle-group-membership-when-testing-for-file-permis.patch * 0001-Try-to-auto-detect-the-NSS-database-format-if-not-sp.patch ------------------------------------------------------------------- Tue Sep 10 11:01:45 UTC 2019 - Vítězslav Čížek <vcizek@suse.com> - Use a stronger password in gencert to pass the stricter tests in FIPS mode (bsc#1150133) * mod_nss-gencert_stronger_password.patch ------------------------------------------------------------------- Tue Sep 18 12:44:26 UTC 2018 - Vítězslav Čížek <vcizek@suse.com> - Change to the SQLite certificate database, which is the default since NSS 3.35 (bsc#1108771) Added upstream patches: * 0001-Change-the-default-certificate-database-format-to-SQ.patch * 0001-Enhance-checking-on-NSS-database-permissions-to-incl.patch * 0001-Handle-group-membership-when-testing-for-file-permis.patch * 0001-Try-to-auto-detect-the-NSS-database-format-if-not-sp.patch - cleanup of the .spec file ------------------------------------------------------------------- Thu Dec 7 16:48:29 UTC 2017 - vcizek@suse.com - bump up minimal NSS version to 3.25, because 3.24 breaks mod_nss because of SSLv2 changes (bsc#993642) - rebuild against the recently updated NSS (3.29) adds support for SHA384 TLS ciphers (bsc#863035) ------------------------------------------------------------------- Thu Sep 15 10:44:06 UTC 2016 - vcizek@suse.com - remove deprecated NSSSessionCacheTimeout option from mod_nss.conf.in (bsc#998176) - change ownership of the gencert generated NSS database so apache can read it (bsc#998180) * add mod_nss-gencert-correct-ownership.patch - use correct configuration path in mod_nss.conf.in (bsc#996282) - remove %post migration code from the old alias directory - generate dummy certificates if there aren't any in mod_nss.d (bsc#998183) ------------------------------------------------------------------- Fri Jul 29 14:37:50 UTC 2016 - vcizek@suse.com - update to 1.0.14 (fate#320764, bsc#979688) OpenSSL ciphers stopped parsing at +, CVE-2016-3099 Created valgrind suppression files to ease debugging Implement SSL_PPTYPE_FILTER to call executables to get the key password pins. Can be used to prompt with systemd. Improvements to migrate.pl Update default ciphers to something more modern and secure Check for host and netstat commands in gencert before trying to use them Add server support for DHE ciphers Extract SAN from server/client certificates into env Fix memory leaks and other coding issues caught by clang analyzer Add support for Server Name Indication (SNI) (#1010751) Add support for SNI for reverse proxy connections Add RenegBufferSize? option Add support for TLS Session Tickets (RFC 5077) Fix logical AND support in OpenSSL cipher compatibility Correctly handle disabled ciphers (CVE-2015-5244) Implement a slew more OpenSSL cipher macros Fix a number of illegal memory accesses and memory leaks Support for SHA384 ciphers if they are available in NSS Add compatibility for mod_ssl-style cipher definitions (#862938) Add TLSv1.2-specific ciphers Completely remove support for SSLv2 Add support for sqlite NSS databases (#1057650) Compare subject CN and VS hostname during server start up Add support for enabling TLS v1.2 Don't enable SSL 3 by default (CVE-2014-3566) Fix CVE-2013-4566 Move nss_pcache to /usr/libexec Support httpd 2.4+ - drop mod_nss_migrate.pl and use upstream migrate script instead * add mod_nss-migrate.patch - drop almost all our patches (upstream) * 0001-SNI-check-with-NameVirtualHosts.patch * mod_nss-CVE-2013-4566-NSSVerifyClient.diff * mod_nss-PK11_ListCerts_2.patch * mod_nss-add_support_for_enabling_TLS_v1.2.patch * mod_nss-array_overrun.patch * mod_nss-cipherlist_update_for_tls12-doc.diff * mod_nss-cipherlist_update_for_tls12.diff * mod_nss-clientauth.patch * mod_nss-compare_subject_CN_and_VS_hostname.patch * mod_nss-gencert.patch * mod_nss-httpd24.patch * mod_nss-lockpcache.patch * mod_nss-negotiate.patch * mod_nss-no_shutdown_if_not_init_2.patch * mod_nss-overlapping_memcpy.patch * mod_nss-pcachesignal.h * mod_nss-proxyvariables.patch * mod_nss-reseterror.patch * mod_nss-reverse_proxy_send_SNI.patch * mod_nss-reverseproxy.patch * mod_nss-sslmultiproxy.patch * mod_nss-tlsv1_1.patch * mod_nss-wouldblock.patch * update-ciphers.patch - add automake and libtool to BuildRequires ------------------------------------------------------------------- Thu Mar 31 11:56:43 UTC 2016 - vcizek@suse.com - use systemd-ask-password to prompt for a certificate passphrase (bsc#972968) * drop obsolete mod_nss-bnc863518-reopen_dev_tty.diff ------------------------------------------------------------------- Tue Nov 10 15:02:36 UTC 2015 - vcizek@suse.com - add more ciphers to mod_nss.conf.in (bsc#952691) * ecdhe_rsa_aes_128_sha256 * rsa_aes_128_sha256 * rsa_aes_256_sha256 - add support for DHE ciphers (bsc#954447) * dhe_rsa_3des_sha * dhe_rsa_aes_128_sha * dhe_rsa_aes_256_sha * dhe_rsa_camellia_128_sha * dhe_rsa_camellia_256_sha * dhe_rsa_aes_128_sha_256 * dhe_rsa_aes_256_sha_256 * dhe_rsa_aes_128_gcm_sha_256 0001-Add-server-support-for-DHE-ciphers.patch - use whitelist for keeping directives in migrate.pl (bsc#961907) * change mod_nss_migrate.pl ------------------------------------------------------------------- Mon Sep 7 08:25:03 UTC 2015 - vcizek@suse.com - unified ciphers with SLE-11 * modified patches: mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff update-ciphers.patch ------------------------------------------------------------------- Mon Sep 7 08:03:31 UTC 2015 - vcizek@suse.com - send TLS server name extension on proxy connections (bsc#933832) * added mod_nss-reverse_proxy_send_SNI.patch ------------------------------------------------------------------- Fri Jul 17 09:23:23 UTC 2015 - pgajdos@suse.com - buildrequire apache-rpm-macros, require %{apache_suse_maintenance_mmn} [bnc#915666] ------------------------------------------------------------------- Sun Jun 28 21:36:39 CEST 2015 - stokos@suse.de - update-ciphers.patch (bsc#928039) merge changes from the mod_nss-SNI_support.patch to: 0001-SNI-check-with-NameVirtualHosts.patch (bnc#927402) abstract hash for NSSNickname and ServerName, add ServerAliases and Wild Cards for vhost (bsc#927402, bsc#928039, bsc#930922) replace SSL_SNI_SEND_ALERT by nss_die (cleaner solution for virtual hosts) (bsc#930186) add alert about permission on the certificate database (bsc#933265) ------------------------------------------------------------------- Tue Mar 3 10:38:18 UTC 2015 - kstreitova@suse.com - add mod_nss-SNI_support.patch that brings Server Name Indication support that allows to have multiple HTTPS websites with multiple certificates on the same IP address and port. [fate#318404], [bnc#897712] - add mod_nss-add_support_for_enabling_TLS_v1.2.patch that adding small fixes for support of TLS v1.2 [bnc#902068] ------------------------------------------------------------------- Wed Oct 29 12:56:26 UTC 2014 - kstreitova@suse.com - bnc#897712: added mod_nss-compare_subject_CN_and_VS_hostname.patch that compare CN and VS hostname (use NSS library). Removed following patches: * mod_nss-SNI-checks.patch * mod_nss-SNI-callback.patch ------------------------------------------------------------------- Thu Jul 24 12:49:29 CEST 2014 - draht@suse.de - mod_nss-bnc863518-reopen_dev_tty.diff: close(0) and open("/dev/tty", ...) to make sure that stdin can be read from. startproc may inherit wrongly opened file descriptors to httpd. (Note: An analogous fix exists in startproc(8), too.) [bnc#863518] - VirtualHost part in /etc/apache2/conf.d/mod_nss.conf is now externalized to /etc/apache2/conf.d/vhost-nss.template and not activated/read by default. [bnc#878681] - NSSCipherSuite update following additional ciphers of Feb 18 change. [bnc#878681] ------------------------------------------------------------------- Fri Jun 27 16:13:01 CEST 2014 - draht@suse.de - mod_nss-SNI-callback.patch, mod_nss-SNI-checks.patch: server side SNI was not implemented when mod_nss was made; patches implement SNI with checks if SNI provided hostname equals Host: field in http request header. ------------------------------------------------------------------- Tue Feb 18 16:31:45 CET 2014 - draht@suse.de - mod_nss-cipherlist_update_for_tls12-doc.diff mod_nss-cipherlist_update_for_tls12.diff GCM mode and Camellia ciphers added to the supported ciphers list. The additional ciphers are: rsa_aes_128_gcm_sha == TLS_RSA_WITH_AES_128_GCM_SHA256 rsa_camellia_128_sha == TLS_RSA_WITH_CAMELLIA_128_CBC_SHA rsa_camellia_256_sha == TLS_RSA_WITH_CAMELLIA_256_CBC_SHA ecdh_ecdsa_aes_128_gcm_sha == TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ecdhe_ecdsa_aes_128_gcm_sha == TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ecdh_rsa_aes_128_gcm_sha == TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ecdhe_rsa_aes_128_gcm_sha == TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 [bnc#863035] ------------------------------------------------------------------- Fri Nov 29 16:30:07 CET 2013 - draht@suse.de - mod_nss-CVE-2013-4566-NSSVerifyClient.diff fixes CVE-2013-4566: If 'NSSVerifyClient none' is set in the server / vhost context (i.e. when server is configured to not request or require client certificate authentication on the initial connection), and client certificate authentication is expected to be required for a specific directory via 'NSSVerifyClient require' setting, mod_nss fails to properly require certificate authentication. Remote attacker can use this to access content of the restricted directories. [bnc#853039] ------------------------------------------------------------------- Fri Nov 8 20:46:07 CET 2013 - draht@suse.de - glue documentation added to /etc/apache2/conf.d/mod_nss.conf: * simultaneaous usage of mod_ssl and mod_nss * SNI concurrency * SUSE framework for apache configuration, Listen directive * module initialization - mod_nss-conf.patch obsoleted by scratch-version of nss.conf.in or mod_nss.conf, respectively. This also leads to the removal of nss.conf.in specific chunks in mod_nss-negotiate.patch and mod_nss-tlsv1_1.patch . - mod_nss_migrate.pl conversion script added; not patched from source, but partially rewritten. - README-SUSE.txt added with step-by-step instructions on how to convert and manage certificates and keys, as well as a rationale about why mod_nss was included in SLES. - package ready for submission [bnc#847216] ------------------------------------------------------------------- Tue Nov 5 15:45:08 CET 2013 - draht@suse.de - generic cleanup of the package: - explicit Requires: to mozilla-nss >= 3.15.1, as TLS-1.2 support came with this version - this is the objective behind this version update of apache2-mod_nss. Tracker bug [bnc#847216] - change path /etc/apache2/alias to /etc/apache2/mod_nss.d to avoid ambiguously interpreted name of directory. - merge content of /etc/apache2/alias to /etc/apache2/mod_nss.d if /etc/apache2/alias exists. - set explicit filemodes 640 for %post generated *.db files in /etc/apache2/mod_nss.d ------------------------------------------------------------------- Fri Aug 2 08:29:35 UTC 2013 - meissner@suse.com - mod_nss-tlsv1_1.patch: nss.conf.in missed for TLSv1.2 default. - mod_nss-clientauth.patch: merged from RHEL6 pkg - mod_nss-PK11_ListCerts_2.patch: merged from RHEL6 pkg - mod_nss-no_shutdown_if_not_init_2.patch: merged from RHEL6 pkg - mod_nss-sslmultiproxy.patch: merged from RHEL6 pkg - make it build on both Apache2 2.4 and 2.2 systems ------------------------------------------------------------------- Thu Aug 1 15:06:55 UTC 2013 - meissner@suse.com - Add support for TLS v1.1 and TLS v1.2 (TLS v1.2 requires mozilla nss 3.15.1 or newer.) - merged in mod_nss-proxyvariables.patch and mod_nss-tlsv1_1.patch from redhat to allow tls v1.1 too. - ported the tls v1.1 patch to be tls v1.2 aware - added mod_nss-proxyvariables.patch (from RHEL6 package) - added mod_nss-tlsv1_1.patch (from RHEL6 package, enhanced with TLS 1.2) - mod_nss-array_overrun.patch: from RHEL6 package, fixed a array index overrun ------------------------------------------------------------------- Fri Jul 12 10:42:06 UTC 2013 - aj@ajaissle.de - Changed source to original tar.gz ------------------------------------------------------------------- Thu Jul 11 14:50:42 UTC 2013 - aj@ajaissle.de - Added mod_nns-httpd24.patch to support build with apache 2.4 ------------------------------------------------------------------- Tue Jan 22 09:35:41 UTC 2013 - aj@ajaissle.de - Changed mod_nss-conf.patch to adjust mod_nss.conf to match SUSE dir layout [bnc#799483] - Cleaned up license tag ------------------------------------------------------------------- Sun Apr 15 14:17:19 UTC 2012 - wr@rosenauer.org - import some patches from Fedora - removed autoreconf call ------------------------------------------------------------------- Wed Feb 17 13:30:47 UTC 2010 - nix@opensuse.org - Fix mod_nss-conf.patch to work on SUSE - Rename package from mod_nss to apache2-mod_nss
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor