nss (3.12.8-1+squeeze14) squeeze-lts; urgency=medium * Non-maintainer upload by the Debian LTS Team. * Add CVE-2016-1938.patch: CVE-2016-1938: The s_mp_div function improperly divides numbers -- Guido Günther Tue, 23 Feb 2016 21:21:28 +0100 nss (3.12.8-1+squeeze13) squeeze-lts; urgency=medium * Non-maintainer upload by the Debian LTS Team. * Add CVE-2015-7182.patch: CVE-2015-7182: Heap-based buffer overflow in the ASN.1 decoder * Add CVE-2015-7181.patch: * CVE-2015-7181: The sec_asn1d_parse_leaf function improperly restricts access to an unspecified data structure * Add autopkgtest for certificate generation/signing and library linking * Add gbp.conf for LTS -- Guido Günther Sat, 28 Nov 2015 12:42:04 +0100 nss (3.12.8-1+squeeze12) squeeze-lts; urgency=medium * Non-maintainer upload by the Debian LTS Team. * Add CVE-2015-2730.patch: CVE-2015-2730: ECDSA signature validation fails to handle some signatures correctly. * Add CVE-2015-2721.patch: CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange. -- Guido Günther Sat, 26 Sep 2015 14:29:48 +0200 nss (3.12.8-1+squeeze11) squeeze-lts; urgency=medium * Non-maintainer upload by the Debian LTS team. * Fix CVE-2011-3389 by backporting the upstream patch: https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab * Fix CVE-2014-1569 by backporting the upstream patch: https://hg.mozilla.org/projects/nss/rev/a163e09dc4d5 Closes: #773625 -- Raphaël Hertzog Mon, 16 Feb 2015 14:49:54 +0100 nss (3.12.8-1+squeeze10) squeeze-lts; urgency=low * Non-maintainer upload by the Squeeze LTS Team. * Fix CVE-2014-1544: improper removal of an NSSCertificate structure from a trust domain. -- Thorsten Alteholz Sat, 22 Nov 2014 14:56:39 +0100 nss (3.12.8-1+squeeze9) squeeze-lts; urgency=low * Non-maintainer upload by the Squeeze LTS Team. * Fix CVE-2014-1568: RSA signature verification bypass. -- Holger Levsen Thu, 25 Sep 2014 07:56:39 +0000 nss (3.12.8-1+squeeze8) squeeze-lts; urgency=high * Non-maintainer upload by the Security Team. * Fix CVE-2014-1492: Incorrect IDNA domain name matching for wildcard certificates. * Fix CVE-2014-1491: Do not allow p-1 as a public DH value. * Fix CVE-2013-5606: Properly return a certificate validation error when using the verifylog mode. * Fix CVE-2013-1741: Runaway memset in certificate parsing on 64-bit computers leading to a crash by attempting to write 4Gb of nulls. -- Raphael Geissert Tue, 29 Jul 2014 10:20:05 +0200 nss (3.12.8-1+squeeze7) squeeze-security; urgency=high * Non-maintainer upload by the Security Team. * Add CVE-2013-5605.patch. CVE-2013-5605: Null_Cipher() does not respect maxOutputLen; allowing remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets. -- Salvatore Bonaccorso Sat, 23 Nov 2013 07:33:29 +0100 nss (3.12.8-1+squeeze6) stable-security; urgency=low * Explicitly distrust two intermediate CA certificates mis-issued by TURKTRUST. -- Mike Hommey Fri, 04 Jan 2013 10:32:09 +0100 nss (3.12.8-1+squeeze5) stable-security; urgency=low * Address CVE-2012-0441 (Insufficient length checking in QuickDER decoder) * debian/rules: Work around NSS not building on Linux 3.x kernels. -- Mike Hommey Sat, 02 Jun 2012 09:46:21 +0200 nss (3.12.8-1+squeeze4) stable-security; urgency=low * Explicitly distrust malaysian Digicert Sdn. Bhd CA certificate. * Address CVE-2011-3640 (Untrusted search path vulnerability). Closes: #647614. -- Mike Hommey Sun, 06 Nov 2011 09:01:08 +0100 nss (3.12.8-1+squeeze3) stable-security; urgency=low * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Explicitly distrust various DigiNotar CAs: - DigiNotar Root CA - DigiNotar Services 1024 CA - DigiNotar Cyber CA - DigiNotar Cyber CA 2nd - DigiNotar PKIoverheid - DigiNotar PKIoverheid G2 -- Mike Hommey Sat, 03 Sep 2011 09:32:46 +0200 nss (3.12.8-1+squeeze2) stable-security; urgency=low * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Remove DigiNotar Root CA. -- Mike Hommey Wed, 31 Aug 2011 08:54:44 +0200 nss (3.12.8-1+squeeze1) stable-security; urgency=low * debian/rules: Fallback to DEB_BUILD_ARCH when dpkg-architecture does't support DEB_BUILD_ARCH_BITS. * debian/control: Lower build depends on dpkg-dev to (>= 1.13.19), which was the value before starting to use DEB_BUILD_ARCH_BITS. * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Mark fraudulent Comodo certificates as untrusted. -- Mike Hommey Thu, 24 Mar 2011 17:09:25 +0100 nss (3.12.8-1) unstable; urgency=low * New upstream release. * debian/patches/*: Refresh patches. * debian/patches/series: + lower-dhe-priority.patch: Upstream patch from bz#583337 to lower DHE priority. Closes: #592315. -- Mike Hommey Thu, 07 Oct 2010 08:50:48 +0200 nss (3.12.8~b2-1) experimental; urgency=low * New upstream snapshot, picked from NSS_3_12_8_BETA2 cvs tag. * debian/patches/*: Refresh patches. -- Mike Hommey Mon, 23 Aug 2010 18:11:12 +0200 nss (3.12.7-1) unstable; urgency=low * New upstream release. * debian/patches/*: Refresh patches. * debian/control: - Bump Standards-Version to 3.9.1.0. - Build depend on libnspr4-dev >= 4.8.6. * debian/libnss3-1d.symbols: Simplify symbols file and add new symbols. * debian/rules: Bump shlibs. -- Mike Hommey Fri, 06 Aug 2010 13:55:14 +0200 nss (3.12.6-3) unstable; urgency=low * debian/rules: + Sign libnssdbm3.so. Closes: #588806. + Test that the FIPS mode can be properly enabled during build. * debian/control: + Remove conflicts with very old packages. + Bump Standards-Version to 3.9.0.0. -- Mike Hommey Mon, 12 Jul 2010 15:12:24 +0200 nss (3.12.6-2) unstable; urgency=low * debian/patches/series: + 00_ckbi_1.79.patch: New patch to update CKBI to 1.79. + 95_add_spi+cacert_ca_certs.patch: Refreshed against CKBI 1.79. -- Mike Hommey Fri, 09 Apr 2010 10:45:01 +0200 nss (3.12.6-1) unstable; urgency=low * New upstream release. * debian/patches/*: Refresh patches. * debian/libnss3-1d.symbols, debian/rules: Update symbols file with new symbols and bump shlibs. * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch, debian/patches/series: Enable transitional scheme for ssl renegotiation. Closes: #561918. * debian/control: + Bump Standards-Version to 3.8.4.0. + Drop libnss3-1d dependency on dpkg. The versions it didn't really like were between oldstable and stable. + Don't allow different versions of libnss3-1d, libnss3-1d-dbg and libnss3-tools to be installed at the same time. + Add ${misc:Depends} to libnss3-1d-dbg dependencies. * debian/rules: Revert workaround for gcc 4.4 bug on powerpc with -Os. * debian/rules, debian/control, debian/compat: Simplify debian/rules by using dh. -- Mike Hommey Wed, 17 Mar 2010 20:33:32 +0100 nss (3.12.5-2) unstable; urgency=low * debian/control: + Remove build dependency on autotools-dev, we don't use it. + libnss3-dev depends on libnspr4-dev >= 4.6.6-1. 4.6.6-1 was the first version where the pkg-config file was nspr.pc instead of xulrunner-nspr.pc. Closes: #567134. * debian/patches/96_NSS_VersionCheck.patch, debian/patches/series: Remove runtime check of NSPR version in NSS_VersionCheck, which seems to be pointless. Closes: #567136. -- Mike Hommey Thu, 28 Jan 2010 12:12:35 +0100 nss (3.12.5-1) unstable; urgency=low * New upstream release. * debian/copyright: Modify with new location for the embedded copy of zlib. * debian/patches/*: + Adapt patches to new upstream. + Switch to quilt format * debian/source/format: Switch to 3.0 (quilt) format. * debian/rules, debian/control: Stop using dpatch. * debian/patches/38_intel_aes_executable_stack.patch: Removed. An upstream change in version 3.12.4 obsoleted it. * debian/rules: + Remove DEB_{BUILD,HOST}_* variables, they are not used. + Use DEB_BUILD_ARCH_BITS to determine whether to build with USE_64 or not. + Ship more tools in libnss3-tools. Closes: #526267. + Work around gcc 4.4 bug on powerpc with -Os. + Force non parallel build. There are too many race conditions in the build system to support parallel builds. Closes: #536248. + Bump shlibs. * debian/control: + Bump Standards-Version to 3.8.3.0. + Build-depend on dpkg-dev (>= 1.15.4) for DEB_BUILD_ARCH_BITS. + Stricter dependency between libnss3-dev and libnss3-1d. * debian/libnss3-1d.symbols: + Add new symbols. + Remove debian revision for symbols added in 3.12.4. * debian/patches/38_hurd.patch: Fix FTBFS on Hurd due to PATH_MAX usage in unix_rand.c. Closes: #550995. -- Mike Hommey Fri, 18 Dec 2009 11:48:14 +0100 nss (3.12.4-1) unstable; urgency=low * New upstream release. * debian/patches/38_kbsd.dpatch: + Use CHECK_FORK_PTHREAD on kfreebsd and hurd. Closes: #547301. + Adapt to upstream changes. * debian/patches/95_add_spi+cacert_ca_certs.dpatch, * debian/patches/81_sonames.dpatch: Adapt to upstream changes. * debian/libnss3-1d.symbols: Update symbols file with new symbols. * debian/rules: Bumped shlibs. -- Mike Hommey Sun, 11 Oct 2009 01:26:14 +0200 nss (3.12.3.1-1) unstable; urgency=low * New upstream release. * debian/patches/95_add_spi+cacert_ca_certs.dpatch, Adapted to upstream changes. -- Mike Hommey Fri, 21 Aug 2009 23:47:24 +0200 nss (3.12.3-1) unstable; urgency=low * New upstream release. * debian/watch: Updated to catch new upstream .bz2 tarballs. * debian/copyright: Add information about mozilla/security/corecond/mkdepend. * debian/patches/38_hurd.dpatch, debian/patches/38_kbsd.dpatch: Adapted to upstream changes. * debian/patches/85_security_load.dpatch: Load libsoftokn3.so from /usr/lib/nss when unable to load it from standard ld.so paths in shlibsign. * debian/rules: + Add debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH when running shlibsign during build. + Bumped shlibs. * debian/libnss3-1d.symbols: Update symbols file with new symbols. * debian/control: + Bumped Standards-Version to 3.8.1.0. No changes needed. + Put the libnss3-1d-dbg package in the "debug" section. + Correct libnss3-1d-dbg short description. + Remove redundant section on libnss3-1d. + Build-depend on proper version of debhelper for dh_lintian. * debian/*.lintian-overrides, debian/rules: Install some Lintian overrides with dh_lintian. * debian/patches/38_intel_aes_executable_stack.dpatch: Indicate that we don't need executable stack in intel-aes.s. * debian/patches/00list: Updated accordingly. -- Mike Hommey Sat, 18 Apr 2009 09:37:31 +0200 nss (3.12.2.with.ckbi.1.73-2) unstable; urgency=low * mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.h: Apply patch from upstream to fix alignment issues on sparc and ia64. Closes: #509930. -- Mike Hommey Mon, 06 Apr 2009 20:24:01 +0200 nss (3.12.2.with.ckbi.1.73-1) unstable; urgency=low * debian/patches/38_kbsd.dpatch: Brown paper bag fix for regression in previous release that led to FTBFS on i386 only. Closes: #513101. Thanks Steffen Joeris, Sebastian Andrzej Siewior and Petr Salinger. * debian/patches/95_add_spi+cacert_ca_certs.dpatch, debian/patches/80_security_tools.dpatch: Adapted to upstream changes. * debian/libnss3-1d.symbols: Update symbols file with new symbols. * debian/rules: Bumped shlibs. -- Mike Hommey Sat, 31 Jan 2009 16:41:26 +0100 nss (3.12.1-1) unstable; urgency=low * New upstream release. * debian/patches/95_add_spi+cacert_ca_certs.dpatch, debian/patches/38_mips64_build.dpatch, debian/patches/38_kbsd.dpatch: Adapted to upstream changes. * debian/libnss3-1d.symbols: Update symbols file with new symbols. * debian/rules: Bumped shlibs. -- Mike Hommey Sat, 20 Dec 2008 12:11:28 +0100 nss (3.12.0-5) unstable; urgency=low * debian/control: + Conflict with libnss3-0d >= 3.11.5, that has conflicting files in /usr/lib/nss. Older versions (those from etch) don't conflict. This makes updates from old testing smoother. Closes: #492332. + Build-depend on libsqlite3-dev >= 3.3.9, since API introduced in this version is used. Closes: #493191. -- Mike Hommey Sun, 03 Aug 2008 09:42:03 +0200 nss (3.12.0-4) unstable; urgency=low * debian/control: Remove conflict with libnss3-0d, it was only useful when libnss3-0d was a transitional package. Closes: #490995. -- Mike Hommey Wed, 16 Jul 2008 21:29:19 +0200 nss (3.12.0-3) unstable; urgency=low * debian/rules: + Enable ECC cypher suite. Closes: #490826. + Build with the same optimization level as upstream. -- Mike Hommey Mon, 14 Jul 2008 17:35:25 +0200 nss (3.12.0-2) unstable; urgency=low * debian/patches/95_add_spi+cacert_ca_certs.dpatch: + Add CAcert root and class 3 certificates to nssckbi module. + Add SPI Inc. certificate to nssckbi module. Thanks to Martin F Krafft for these. Closes: #309564. * debian/patches/00list: Updated accordingly. -- Mike Hommey Sat, 12 Jul 2008 18:26:09 +0200 nss (3.12.0-1) unstable; urgency=low * New upstream release. * debian/patches/92_ocsp.dpatch: Removed, as applied upstream. * debian/patches/00list: Updated accordingly. * debian/control: + Bumped Standards-Version to 3.8.0.1. No changes needed. + Added Vcs-Browser and Vcs-Git fields. + libnss3-dev don't need explicit version dependency on libnss3-1d. + libnss3-dev depends on libnspr4-dev. Closes: #488402. + Make the -dbg package less a hassle for manual installations with dpkg. + libnss3-1d depends on version of dpkg that either don't support symbols files or has fix for #474079. * debian/patches/85_security_load.dpatch: Load files from /usr/lib/nss if given reference path is only a filename, which happens when freebl is statically linked in a binary executable, such as signtool, and the executable is run from $PATH. When the executable is run using a full path, we must replace /bin/ in the path with /lib/ to find the libraries. Closes: #483774. * debian/libnss3-1d.symbols: Re-enable symbols file. -- Mike Hommey Sat, 05 Jul 2008 10:19:53 +0200 nss (3.12.0~rc3-3) unstable; urgency=low * debian/control: Make libnss3-0d conflict with old libnss3, which can still be installed on some systems, though it hasn't been in the archive since sarge. Closes: #485080. -- Mike Hommey Sun, 08 Jun 2008 14:11:13 +0200 nss (3.12.0~rc3-2) unstable; urgency=low * debian/patches/92_ocsp.dpatch: Apply patches from bz433594 and bz#433386, which are applied in upstream RC4 (and are the only changes), to fix crashes under some conditions with OCSP checks. * debian/patches/00list: Updated accordingly. * debian/libnss3-dev.links, debian/libnss3-1d.links: Don't install so files in the -dev package but in the library package. It will allow external applications linked against upstream nss to work on Debian with system nss libraries, and will avoid all browsers to have to implement symlinks themselves to allow some external plugins to work properly. * debian/control: Make libnss3-1d conflict with older versions of libnss3-dev and libnss3-dev need newer libnss3-1d accordingly. -- Mike Hommey Sat, 07 Jun 2008 11:57:55 +0200 nss (3.12.0~rc3-1) unstable; urgency=low * New upstream snapshot, picked from NSS_3_12_RC3 cvs tag. -- Mike Hommey Sun, 11 May 2008 16:58:17 +0200 nss (3.12.0~beta3-1) unstable; urgency=low * New upstream snapshot, picked from NSS_3_12_BETA3 cvs tag. * debian/control: Turn Homepage indications in descriptions into a control field. * debian/patches/91_build_pwdecrypt.dpatch: Enable building and installing pwdecrypt. Thanks Paul Wise. Closes: #472303. * debian/patches/00list: Updated accordingly. * debian/libnss3-1d.symbols: Update symbols file with new symbols and rename the file, so that it isn't used, as a workaround to #474079. Closes: #474007. * debian/rules: Bumped shlibs. -- Mike Hommey Tue, 08 Apr 2008 21:23:53 +0200 nss (3.12.0~beta2-1) unstable; urgency=low * New upstream snapshot, picked from NSS_3_12_BETA2 cvs tag. * debian/patches/10_3.11.7_symbol_fix.dpatch: Removed, as applied upstream. * debian/patches/38_kbsd.dpatch: Adapted to upstream changes. * debian/patches/81_sonames.dpatch: Add SO_VERSION to libnssutil3. * debian/libnss3-dev.links: Add link for libnssutil3. * debian/libnss3-1d.symbols: Update symbols file with new symbols. Note that SEC_StringToOID disappeared (well, was moved to nssutil), compared to version 3.12.0~1.9b1, but it was a new symbol, and isn't used anywhere. * debian/nss.pc.in, debian/nss-config.in: Add libnssutil3 support. * debian/rules: + Bumped shlibs. + Don't generate libsoftokn3.so.0d. * debian/control: + Remove transitional libnss3-0d package. + Bumped Standards-Version to 3.7.3.0. No changes needed. + Build depend on libnspr4-dev >= 4.7.0 (we *do* need the RTM version, and not the preceding betas) * debian/libnss3-0d.*: Removed. * debian/patches/85_security_load.dpatch: Load files from $ORIGIN/nss before those of $ORIGIN. Closes: #469079. * debian/patches/38_hurd.dpatch: Fix FTBFS on Hurd because of MAXPATHLEN. Closes: #419529. * debian/patches/00list: Updated accordingly. -- Mike Hommey Fri, 07 Mar 2008 21:27:54 +0100 nss (3.12.0~1.9b1-2) unstable; urgency=low * debian/control: libnss3-1-dbg needs to conflict with older libnss3-0d-dbg, as it overwrites so of its files. Closes: #455875. * debian/patches/90_realpath.dpatch: Use realpath() in loader_GetOriginalPathname, so that symlinks are properly followed when determining where the current library lives. * debian/patches/00list: Updated accordingly. * debian/patches/85_security_load.dpatch: When the module given by the caller contains a directory name, remove it so that the module can be properly loaded. Closes: #456296. -- Mike Hommey Sun, 16 Dec 2007 11:06:03 +0100 nss (3.12.0~1.9b1-1) unstable; urgency=low * New upstream snapshot, picked from FIREFOX_3_0b1_RELEASE cvs tag. * debian/copyright: Add licensing information about the recently added sqlite copy in the source tree. * debian/control: + Build depend on libsqlite3-dev. + Rename all -0d packages to -1d, but keep a transitional -0d package, since all libraries are compatible (except for the removed one). + Make libnss3-1d conflict with older libnss3-0d. * debian/patches/38_kbsd.dpatch, debian/patches/81_sonames.dpatch: Adapted to upstream changes. * debian/patches/81_sonames.dpatch: + Remove SO version from libsoftokn3, now it is not linked against anymore, but dlloaded. + Remove the hacks to have shlibsign and the signature verification code handle the SO version in the file name. + Bump SO version to 1d. * debian/rules: + Add NSS_USE_SYSTEM_SQLITE=1 to the make options. + Install libsoftokn3 and the new libnssdbm3 in /usr/lib/nss. + Run shlibsign on libsoftokn3 in /usr/lib/nss, without a SO version. + For some reason, build-stamp was missing in install-stamp dependencies. + Bumped shlibs because of new symbols, and pass -c4 to dpkg-gensymbols, so that it fails in all cases where the symbols file is not up to date. + Adapt upstream version pattern matching so that the ~1.9b1 part is removed. + Install .1d libraries in -1d packages. + Create a dummy libsoftokn3.so.0d library, installed in the libnss3-0d package. * debian/libnss3-0d.links: + Remove links in /usr/lib/xulrunner. The workaround they were implementing is going to be done another way. + Add .0d links to .1d libraries. * debian/libnss3-dev.links: + Don't put a symlink for libsoftokn3. + .so files now link to .1d libraries. * debian/patches/80_security_build.dpatch: Remove the hack to load libfreebl from /usr/lib/nss. * debian/patches/85_security_load.dpatch: Load modules from $ORIGIN/nss. * debian/patches/10_3.11.7_symbol_fix.dpatch: Fix a symbol version. Stolen from bz#325672. * debian/patches/00list: Updated accordingly. * debian/libnss3-0d.dirs: Renamed to libnss3-1d.dirs. -- Mike Hommey Sat, 08 Dec 2007 10:53:02 +0100 nss (3.11.7-1) unstable; urgency=low * New upstream release, picked from NSS_3_11_7_RTM cvs tag. * debian/patches/38_kbsd.dpatch: Also add support for the Hurd. Closes: #419529. * debian/rules: + Don't fail on clean with unpatched ruleset. Closes: #421542. + Bumped shlibs because of new symbols. * debian/patches/81_sonames.dpatch: Adapted to upstream changes. -- Mike Hommey Sun, 01 Jul 2007 11:29:06 +0200 nss (3.11.5-3) unstable; urgency=low * Upload to unstable. -- Mike Hommey Mon, 09 Apr 2007 20:37:25 +0200 nss (3.11.5-2) experimental; urgency=low * debian/rules: + Cleaner way to set the NSPR location. + Install libcrmf.a files in libnss3-dev. + binary-indep now does nothing. * debian/control: Make libnss3-dev an Arch: any package. * debian/nss.pc.in: + Remove libsoftokn3 from ld libraries. + Improvement in directories setting. * debian/libnss3-dev.dirs: Create /usr/bin. * debian/nss-config.in, debian/rules: Install a nss-config script into libnss3-dev. -- Mike Hommey Tue, 27 Mar 2007 20:41:11 +0200 nss (3.11.5-1) experimental; urgency=low * Initial release. (Closes: #416151) -- Mike Hommey Sun, 25 Mar 2007 23:56:17 +0200