Commit graph

130 commits

Author SHA1 Message Date
ryoon
7d82596450 Update to 3.20.1
Changelog:
The following security-relevant bugs have been resolved in NSS 3.20.1.
Users are encouraged to upgrade immediately.

* Bug 1192028 (CVE-2015-7181) and
  Bug 1202868 (CVE-2015-7182):
  Several issues existed within the ASN.1 decoder used by NSS for handling
  streaming BER data. While the majority of NSS uses a separate, unaffected
  DER decoder, several public routines also accept BER data, and thus are
  affected. An attacker that successfully exploited these issues can overflow
  the heap and may be able to obtain remote code execution.
2015-11-03 16:55:07 +00:00
agc
d9e4cfe05d Add SHA512 digests for distfiles for devel category
Issues found with existing distfiles:
	distfiles/eclipse-sourceBuild-srcIncluded-3.0.1.zip
	distfiles/fortran-utils-1.1.tar.gz
	distfiles/ivykis-0.39.tar.gz
	distfiles/enum-1.11.tar.gz
	distfiles/pvs-3.2-libraries.tgz
	distfiles/pvs-3.2-linux.tgz
	distfiles/pvs-3.2-solaris.tgz
	distfiles/pvs-3.2-system.tgz
No changes made to these distinfo files.

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-03 03:27:11 +00:00
jperkin
ee3ca13b12 Support SunOS/clang. 2015-10-26 09:30:18 +00:00
ryoon
b141232e29 Recursive revbump from textproc/icu 2015-10-10 01:57:50 +00:00
ryoon
bf6f3d820d Update to 3.20
Changelog:
The NSS team has released Network Security Services (NSS) 3.20,
which is a minor release.

New functionality:
* The TLS library has been extended to support DHE ciphersuites in
  server applications.

New Functions:
* SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group
  parameters that can be used by NSS for a server socket.
* SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group
  parameters that are smaller than the library default's minimum size.

New Types:
* SSLDHEGroupType - Enumerates the set of DHE parameters embedded in
  NSS that can be used with function SSL_DHEGroupPrefSet.

New Macros:
* SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable
  DHE ciphersuites for a server socket.

Notable Changes:
* The TLS library has been extended to support DHE ciphersuites in
  server applications.
* For backwards compatibility reasons, the server side implementation
  of the TLS library keeps all DHE ciphersuites disabled by default.
  They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE
  and the SSL_OptionSet or the SSL_OptionSetDefault API.
* The server side implementation of the TLS implementation does not
  support session tickets when using a DHE ciphersuite (see bug
  1174677).
* Support for the following ciphersuites has been added:
  - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
* By default, the server side TLS implementation will use DHE
  parameters with a size of 2048 bits when using DHE ciphersuites.
* NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and
  8192 bits, which were copied from version 08 of the Internet-Draft
  "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
  TLS", Appendix A.
* A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a
  server application to select one or multiple of the embedded DHE
  parameters as the preferred parameters. The current implementation of
  NSS will always use the first entry in the array that is passed as a
  parameter to the SSL_DHEGroupPrefSet API. In future versions of the
  TLS implementation, a TLS client might signal a preference for
  certain DHE parameters, and the NSS TLS server side implementation
  might select a matching entry from the set of parameters that have
  been configured as preferred on the server side.
* NSS optionally supports the use of weak DHE parameters with DHE
  ciphersuites to support legacy clients. In order to enable this
  support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each
  time this API is called for the first time in a process, a fresh set
  of weak DHE parameters will be randomly created, which may take a
  long amount of time. Please refer to the comments in the header file
  that declares the SSL_EnableWeakDHEPrimeGroup API for additional
  details.
* The size of the default PQG parameters used by certutil when
  creating DSA keys has been increased to use 2048 bit parameters.
* The selfserv utility has been enhanced to support the new DHE
  features.
* NSS no longer supports C compilers that predate the ANSI C
  standard (C89).
2015-08-20 10:54:24 +00:00
ryoon
147d8bb3be Update to 3.19.2
* Approved by wiz@.

Changelog:
Network Security Services (NSS) is a patch release for NSS 3.19.

No new functionality is introduced in this release. This release addresses
a backwards compatibility issue with the NSS 3.19.1 release.

Notable Changes:
* In NSS 3.19.1, the minimum key sizes that the freebl cryptographic
implementation (part of the softoken cryptographic module used by default
by NSS) was willing to generate or use was increased - for RSA keys, to
512 bits, and for DH keys, 1023 bits. This was done as part of a security
fix for Bug 1138554 / CVE-2015-4000. Applications that requested or
attempted to use keys smaller then the minimum size would fail. However,
this change in behaviour unintentionally broke existing NSS applications
that need to generate or use such keys, via APIs such as
SECKEY_CreateRSAPrivateKey or SECKEY_CreateDHPrivateKey.

In NSS 3.19.2, this change in freebl behaviour has been reverted. The fix
for Bug 1138554 has been moved to libssl, and will now only affect the
minimum keystrengths used in SSL/TLS.
2015-06-23 13:16:47 +00:00
wiz
0982effce2 Recursive PKGREVISION bump for all packages mentioning 'perl',
having a PKGNAME of p5-*, or depending such a package,
for perl-5.22.0.
2015-06-12 10:48:20 +00:00
ryoon
eb5aa3bc51 Update to 3.19.1
Changelog:
Network Security Services (NSS) 3.19.1 is a patch release
for NSS 3.19.

No new functionality is introduced in this release. This patch
release includes a fix for the recently published logjam attack.

Notable Changes:
* The minimum strength of keys that libssl will accept for
  finite field algorithms (RSA, Diffie-Hellman, and DSA) have
  been increased to 1023 bits (bug 1138554).
* NSS reports the bit length of keys more accurately.  Thus,
  the SECKEY_PublicKeyStrength and SECKEY_PublicKeyStrengthInBits
  functions could report smaller values for values that have
  leading zero values. This affects the key strength values that
  are reported by SSL_GetChannelInfo.

The NSS development team would like to thank Matthew Green and
Karthikeyan Bhargavan for responsibly disclosing the issue in
bug 1138554.

The HG tag is NSS_3_19_1_RTM. NSS 3.19.1 requires NSPR 4.10.8 or newer.
2015-05-29 14:19:25 +00:00
ryoon
3f0de48bfb Update to 3.19
Changelog:
The NSS team has released Network Security Services (NSS) 3.19,
which is a minor release.

New functionality:
* For some certificates, such as root CA certificates, that don't
  embed any constraints, NSS might impose additional constraints,
  such as name constraints. A new API has been added that allows
  to lookup imposed constraints.
* It is possible to override the directory in which the NSS build
  system will look for the sqlite library.

New Functions:
* CERT_GetImposedNameConstraints

Notable Changes:
* The SSL 3 protocol has been disabled by default.
* NSS now more strictly validates TLS extensions and will fail a
  handshake that contains malformed extensions.
* Fixed a bug related to the ordering of TLS handshake messages.
* In TLS 1.2 handshakes, NSS advertises support for the SHA512
  hash algorithm, in order to be compatible with TLS servers
  that use certificates with a SHA512 signature.
2015-05-05 21:42:19 +00:00
ryoon
b78d0e3439 Update to 3.18.1
Changelog:
The NSS Development Team announces the release of NSS 3.18.1

Network Security Services (NSS) 3.18.1 is a patch release
for NSS 3.18 to update the list of root CA certificates.

No new functionality is introduced in this release.

Notable Changes:
* The following CA certificate had the Websites and Code Signing
  trust bits restored to their original state to allow more time
  to develop a better transition strategy for affected sites:
  - OU = Equifax Secure Certificate Authority
* The following CA certificate was removed:
  - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
* The following intermediate CA certificate has been added as
  actively distrusted because it was mis-used to issue certificates
  for domain names the holder did not own or control:
  - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG
* The version number of the updated root CA list has been set
  to 2.4

The full release notes, including further details and the SHA1
fingerprints of the changed CA certificates, are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes
2015-04-21 11:38:19 +00:00
adam
9071d6b787 Revbump after updating textproc/icu 2015-04-06 08:17:13 +00:00
ryoon
85e8e0acd5 Update to 3.18
Changelog:
The NSS team has released Network Security Services (NSS) 3.18,
which is a minor release.

New functionality:
* When importing certificates and keys from a PKCS#12 source,
  it's now possible to override the nicknames, prior to importing
  them into the NSS database, using new API
  SEC_PKCS12DecoderRenameCertNicknames.
* The tstclnt test utility program has new command-line options
  -C, -D, -b and -R.
  Use -C one, two or three times to print information about the
  certificates received from a server, and information about the
  locally found and trusted issuer certificates, to diagnose
  server side configuration issues. It is possible to run tstclnt
  without providing a database (-D). A PKCS#11 library that
  contains root CA certificates can be loaded by tstclnt, which
  may either be the nssckbi library provided by NSS (-b) or
  another compatible library (-R).

New Functions:
* SEC_CheckCrlTimes
* SEC_GetCrlTimes
* SEC_PKCS12DecoderRenameCertNicknames

New Types
* SEC_PKCS12NicknameRenameCallback

Notable Changes:
* The highest TLS protocol version enabled by default has been
  increased from TLS 1.0 to TLS 1.2. Similarly, the highest DTLS
  protocol version enabled by default has been increased from
  DTLS 1.0 to DTLS 1.2.
* The default key size used by certutil when creating an RSA key
  pair has been increased from 1024 bits to 2048 bits.
* On Mac OS X, by default the softokn shared library will link
  with the sqlite library installed by the operating system,
  if it is version 3.5 or newer.
* The following CA certificates had the Websites and Code Signing
  trust bits turned off:
  - Equifax Secure Certificate Authority
  - Equifax Secure Global eBusiness CA-1
  - TC TrustCenter Class 3 CA II
* The following CA certificates were Added:
  - Staat der Nederlanden Root CA - G3
  - Staat der Nederlanden EV Root CA
  - IdenTrust Commercial Root CA 1
  - IdenTrust Public Sector Root CA 1
  - S-TRUST Universal Root CA
  - Entrust Root Certification Authority - G2
  - Entrust Root Certification Authority - EC1
  - CFCA EV ROOT
* The version number of the updated root CA list has been set
  to 2.3
2015-04-05 12:51:51 +00:00
ryoon
34cb8c6360 Update to 3.17.4
Changelog:
Network Security Services (NSS) 3.17.4 is a patch release for NSS 3.17.

No new functionality is introduced in this release.

Notable Changes:
* If an SSL/TLS connection fails, because client and server don't have
  any common protocol version enabled, NSS has been changed to report
  error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting
  SSL_ERROR_NO_CYPHER_OVERLAP).
* libpkix was fixed to prefer the newest certificate, if multiple
  certificates match.
* fixed a memory corruption issue during failure of keypair generation.
* fixed a failure to reload a PKCS#11 module in FIPS mode.
* fixed interoperability of NSS server code with a LibreSSL client.
2015-01-28 21:12:09 +00:00
ryoon
1b28fd667e Fix build of www/firefox.
The build breakage is caused from inconsistent use of sqlite3
from NetBSD base and pkgsrc.
Bump PKGREVISION.
2014-12-19 14:21:55 +00:00
ryoon
39f2662243 Update to 3.17.3
Changelog:
New functionality:
* Support for TLS_FALLBACK_SCSV has been added to the ssltap and
  tstclnt utilities

Notable Changes:
* The QuickDER decoder now decodes lengths robustly
  (CVE-2014-1569)
* The following 1024-bit CA certificates were Removed:
  - GTE CyberTrust Global Root
  - Thawte Server CA
  - Thawte Premium Server CA
  - America Online Root Certification Authority 1
  - America Online Root Certification Authority 2
* The following CA certificates had the Websites and Code Signing
  trust bits turned off:
  - Class 3 Public Primary Certification Authority - G2
  - Equifax Secure eBusiness CA-1
* The following CA certificates were Added:
  - COMODO RSA Certification Authority
  - USERTrust RSA Certification Authority
  - USERTrust ECC Certification Authority
  - GlobalSign ECC Root CA - R4
  - GlobalSign ECC Root CA - R5
* The version number of the updated root CA list has been set
  to 2.2
2014-12-01 18:23:29 +00:00
ryoon
54f13db0d5 Update to 3.17.2
Changelog:
New in NSS 3.17.2

New Functionality

No new functionality is introduced in this release. This is a patch release to fix a regression and other bugs.

Notable Changes in NSS 3.17.2

    Bug 1049435: Change RSA_PrivateKeyCheck to not require p > q. This fixes a regression introduced in NSS 3.16.2 that prevented NSS from importing some RSA private keys (such as in PKCS #12 files) generated by other crypto libraries.
    Bug 1057161: Check that an imported elliptic curve public key is valid. Previously NSS would only validate the peer's public key before performing ECDH key agreement. Now EC public keys are validated at import time.
    Bug 1078669: certutil crashes when an argument is passed to the --certVersion option.

Bugs fixed in NSS 3.17.2

This Bugzilla query returns all the bugs fixed in NSS 3.17.2:

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.2

Compatibility

NSS 3.17.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.17.2 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
2014-10-15 13:04:20 +00:00
adam
243c29c4cc Revbump after updating libwebp and icu 2014-10-07 16:47:10 +00:00
wiz
c297c149f8 Revert unintended part of previous. Discussed with spz. 2014-09-26 15:42:09 +00:00
spz
8209f82e41 security update fixing:
- Incorrect DigestInfo validation in NSS (CVE-2014-1568)
- RSA signature verification vulnerabilities in parsing of DigestInfo
(see https://www.mozilla.org/security/announce/2014/mfsa2014-73.html)
2014-09-26 03:25:22 +00:00
markd
e64841c70a Update to nss 3.16.4
This release consists primarily of CA certificate changes as listed
below, and includes a small number of bug fixes.

Notable Changes:
* The following 1024-bit root CA certificate was restored to allow more
  time to develop a better transition strategy for affected sites. It was
  removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy
  forum led to the decision to keep this root included longer in order to
  give website administrators more time to update their web servers.
  - CN = GTE CyberTrust Global Root
* In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification
  Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit
  intermediate CA certificate has been included, without explicit trust.
  The intention is to mitigate the effects of the previous removal of the
  1024-bit Entrust.net root certificate, because many public Internet
  sites still use the "USERTrust Legacy Secure Server CA" intermediate
  certificate that is signed by the 1024-bit Entrust.net root certificate.
  The inclusion of the intermediate certificate is a temporary measure to
  allow those sites to function, by allowing them to find a trust path to
  another 2048-bit root CA certificate. The temporarily included
  intermediate certificate expires November 1, 2015.
2014-08-12 09:43:06 +00:00
ryoon
5470cb1766 Update to 3.16.2
Changelog:
Network Security Services (NSS) 3.16.3 is a patch release for NSS 3.16.

This release consists primarily of CA certificate changes as listed
below, and fixes an issue with a recently added utility function.

New Functions:
* CERT_GetGeneralNameTypeFromString (This function was already added
  in NSS 3.16.2, however, it wasn't declared in a public header file.)

Notable Changes:
* The following 1024-bit CA certificates were Removed
  - Entrust.net Secure Server Certification Authority
  - GTE CyberTrust Global Root
  - ValiCert Class 1 Policy Validation Authority
  - ValiCert Class 2 Policy Validation Authority
  - ValiCert Class 3 Policy Validation Authority
* Additionally, the following CA certificate was Removed as
  requested by the CA:
  - TDC Internet Root CA
* The following CA certificates were Added:
  - Certification Authority of WoSign
  - CA 沃通根证书
  - DigiCert Assured ID Root G2
  - DigiCert Assured ID Root G3
  - DigiCert Global Root G2
  - DigiCert Global Root G3
  - DigiCert Trusted Root G4
  - QuoVadis Root CA 1 G3
  - QuoVadis Root CA 2 G3
  - QuoVadis Root CA 3 G3
* The Trust Bits were changed for the following CA certificates
  - Class 3 Public Primary Certification Authority
  - Class 3 Public Primary Certification Authority
  - Class 2 Public Primary Certification Authority - G2
  - VeriSign Class 2 Public Primary Certification Authority - G3
  - AC Raíz Certicámara S.A.
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado
2014-07-05 04:53:39 +00:00
ryoon
3bbc44fc92 Update to 3.16.2
Changelog:
Network Security Services (NSS) 3.16.2 is a patch release for NSS 3.16.

New functionality:
* DTLS 1.2 is supported.
* The TLS application layer protocol negotiation (ALPN) extension
  is also supported on the server side.
* RSA-OEAP is supported. Use the new PK11_PrivDecrypt and
  PK11_PubEncrypt functions with the CKM_RSA_PKCS_OAEP mechanism.
* New Intel AES assembly code for 32-bit and 64-bit Windows,
  contributed by Shay Gueron and Vlad Krasnov of Intel.

New Functions:
* CERT_AddExtensionByOID
* PK11_PrivDecrypt
* PK11_PubEncrypt

New Macros
* SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK
* SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL

Notable Changes:
* The btoa command has a new command-line option -w suffix, which
  causes the output to be wrapped in BEGIN/END lines with the
  given suffix
* The certutil commands supports additionals types of subject
  alt name extensions.
* The certutil command supports generic certificate extensions,
  by loading binary data from files, which have been prepared using
  external tools, or which have been extracted from other existing
  certificates and dumped to file.
* The certutil command supports three new certificate usage specifiers.
* The pp command supports printing UTF-8 (-u).
* On Linux, NSS is built with the -ffunction-sections -fdata-sections
  compiler flags and the --gc-sections linker flag to allow unused
  functions to be discarded.
2014-07-02 13:39:25 +00:00
wiz
7eeb51b534 Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
2014-05-29 23:35:13 +00:00
pho
343b80873f Correct wrong install_name for Darwin.
Makefile had a SUBST for this but it wasn't working.
2014-05-25 23:45:58 +00:00
ryoon
396ce68740 Update to 3.16.1
Changelog:
Network Security Services (NSS) 3.16.1 is a patch release for NSS 3.16.

New functionality:
* Added the "ECC" flag for modutil to select the module used for
  elliptic curve cryptography (ECC) operations.

New Functions:
* PK11_ExportDERPrivateKeyInfo
* PK11_ExportPrivKeyInfo
* SECMOD_InternalToPubMechFlags

New Types:
* ssl_padding_xtn

New Macros
* PUBLIC_MECH_ECC_FLAG
* SECMOD_ECC_FLAG

Notable Changes:
* Imposed name constraints on the French government root CA ANSSI
  (DCISS).
2014-05-16 13:59:17 +00:00
ryoon
2e30dfd7bf Reduce PLIST divergence for OpenBSD 2014-05-16 12:38:01 +00:00
obache
d8fc20e0b0 recursive bump from icu shlib major bump. 2014-04-09 07:26:56 +00:00
richard
4c5bb562c5 fixup nss fetch location 2014-03-23 07:48:03 +00:00
ryoon
6a97b02308 Update to 3.16
* Improve 3.16 like 2 number version support (firefox etc. requires 3 number
  version string)

Changelog:
From https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes

The following security-relevant bug has been resolved.
Users are encouraged to upgrade immediately.
* Bug 903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard
  character should not be embedded within the U-label of an
  internationalized domain name. See the last bullet point in RFC 6125,
  Section 7.2.

New functionality:
* Supports the Linux x32 ABI. To build for the Linux x32 target, set
  the environment variable USE_X32=1 when building NSS.

New Functions:
* NSS_CMSSignerInfo_Verify

New Macros
* TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.,
  cipher suites that were first defined in SSL 3.0 can now be referred
  to with their official IANA names in TLS, with the TLS_ prefix.
  Previously, they had to be referred to with their names in SSL 3.0,
  with the SSL_ prefix.

Notable Changes:
* ECC is enabled by default. It is no longer necessary to set the
  environment variable NSS_ENABLE_ECC=1 when building NSS. To disable
  ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS.
* libpkix should not include the common name of CA as DNS names when
  evaluating name constraints.
* AESKeyWrap_Decrypt should not return SECSuccess for invalid keys.
* Fix a memory corruption in sec_pkcs12_new_asafe.
* If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime
  test sdb_measureAccess.
* The built-in roots module has been updated to version 1.97, which
  adds, removes, and distrusts several certificates.
* The atob utility has been improved to automatically ignore lines of
  text that aren't in base64 format.
* The certutil utility has been improved to support creation of
  version 1 and version 2 certificates, in addition to the existing
  version 3 support.
2014-03-22 23:32:46 +00:00
jperkin
9e7a1ba4b9 Set USE_GCC_RUNTIME=yes for packages which build shared libraries but do
not use libtool to do so.  This is required to correctly depend upon a
gcc runtime package (e.g. gcc47-libs) when using USE_PKGSRC_GCC_RUNTIME.
2014-03-13 11:08:49 +00:00
ryoon
a00e056bac Update to 3.15.5
Changelog:
From: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.5_release_notes

Network Security Services (NSS) 3.15.5 is a patch release for NSS 3.15.

New functionality:
* Added support for the TLS application layer protocol negotiation
  (ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and
  SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both)
  should be used for application layer protocol negotiation.
* Added the TLS padding extension. The extension type value is 35655,
  which may change when an official extension type value is assigned
  by IANA. NSS automatically adds the padding extension to ClientHello
  when necessary.
* Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting
  the tail of a CERTCertList.

Notable Changes:
* Bug 950129: Improve the OCSP fetching policy when verifying OCSP
  responses
* Bug 949060: Validate the iov input argument (an array of PRIOVec
  structures) of ssl_WriteV (called via PR_Writev). Applications should
  still take care when converting struct iov to PRIOVec because the
  iov_len members of the two structures have different types
  (size_t vs. int). size_t is unsigned and may be larger than int.
2014-03-10 18:42:34 +00:00
ryoon
c4002e2c41 Update to 3.15.4
Changelog:
from: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes

Security Advisories

The following security-relevant bugs have been resolved in NSS 3.15.4.
Users are encouraged to upgrade immediately.

Bug 919877 - (CVE-2013-1740) When false start is enabled, libssl will
sometimes return unencrypted, unauthenticated data from PR_Recv


New in NSS 3.15.4
New Functionality
    Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method.
    Implemented OCSP server functionality for testing purposes (httpserv utility).
    Support SHA-1 signatures with TLS 1.2 client authentication.
    Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database.
    Added the -w command-line option to pp: don't wrap long output lines.

New Functions
    CERT_ForcePostMethodForOCSP
    CERT_GetSubjectNameDigest
    CERT_GetSubjectPublicKeyDigest
    SSL_PeerCertificateChain
    SSL_RecommendedCanFalseStart
    SSL_SetCanFalseStartCallback

New Types
    CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST.

New PKCS #11 Mechanisms
None.

Notable Changes in NSS 3.15.4

    Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices.
    Updated the set of root CA certificates (version 1.96).
    Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function.
    When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT build configuration, specify OS_TARGET=WINNT.

Bugs fixed in NSS 3.15.4

A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.4&product=NSS

Compatibility
NSS 3.15.4 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries will
work with NSS 3.15.4 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
2014-01-15 14:38:53 +00:00
ryoon
6d0f404030 whitespace 2013-12-22 13:42:01 +00:00
ryoon
d73c4bf4c5 Update to 3.15.3.1
Changelog:
New in NSS 3.15.3.1

New Functionality

No new major functionality is introduced in this release. This is
a patch release to revoke trust of a subordinate CA certificate
that was mis-used to generate a certificate used by a network
appliance.

Bugs fixed in NSS 3.15.3.1

    Bug 946351 - Misissued Google certificates from DCSSI

A complete list of all bugs resolved in this release can be obtained
at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3.1&product=NSS

Compatibility

NSS 3.15.3.1 shared libraries are backward compatible with all
older NSS 3.x shared libraries. A program linked with older NSS
3.x shared libraries will work with NSS 3.15.3.1 shared libraries
without recompiling or relinking. Furthermore, applications that
restrict their use of NSS APIs to the functions listed in NSS Public
Functions will remain compatible with future versions of the NSS
shared libraries.
2013-12-15 14:21:01 +00:00
ryoon
dcc3ff2921 Update to 3.15.3
Changelog:
Security Advisories

The following security-relevant bugs have been resolved in NSS 3.15.3. Users are encouraged to upgrade immediately.

    Bug 925100 - (CVE-2013-1741) Ensure a size is <= half of the maximum PRUint32 value
    Bug 934016 - (CVE-2013-5605) Handle invalid handshake packets
    Bug 910438 - (CVE-2013-5606) Return the correct result in CERT_VerifyCert on failure, if a verifyLog isn't used

New in NSS 3.15.3
New Functionality

No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1741, CVE-2013-5605 and CVE-2013-5606.
Bugs fixed in NSS 3.15.3

    Bug 850478 - List RC4_128 cipher suites after AES_128 cipher suites
    Bug 919677 - Don't advertise TLS 1.2-only ciphersuites in a TLS 1.1 ClientHello

A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3&product=NSS


Compatibility

NSS 3.15.3 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries will
work with NSS 3.15.3 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
2013-11-21 15:23:47 +00:00
adam
63c018902c Revbump after updating textproc/icu 2013-10-19 09:06:55 +00:00
ryoon
922bd83d4b Update to 3.15.2
Changelog:
Security Advisories

The following security-relevant bugs have been resolved in NSS 3.15.2. Users are encouraged to upgrade immediately.

    Bug 894370 - (CVE-2013-1739) Avoid uninitialized data read in the event of a decryption failure.

New in NSS 3.15.2
New Functionality

    AES-GCM Ciphersuites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support has been added when TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported:
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_RSA_WITH_AES_128_GCM_SHA256

New Functions

PK11_CipherFinal has been introduced, which is a simple alias for PK11_DigestFinal.
New Types

No new types have been introduced.
New PKCS #11 Mechanisms

No new PKCS#11 mechanisms have been introduced
Notable Changes in NSS 3.15.2

    Bug 880543 - Support for AES-GCM ciphersuites that use the SHA-256 PRF
    Bug 663313 - MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs, consistent with their handling for general certificate signatures.
    Bug 884178 - Add PK11_CipherFinal macro

Bugs fixed in NSS 3.15.2

    Bug 734007 - sizeof() used incorrectly
    Bug 900971 - nssutil_ReadSecmodDB() leaks memory
    Bug 681839 - Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished.
    Bug 848384 - Deprecate the SSL cipher policy code, as it's no longer relevant. It is no longer necessary to call NSS_SetDomesticPolicy because all cipher suites are now allowed by default.

A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.2&product=NSS&list_id=7982238
Compatibility

NSS 3.15.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.2 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
2013-10-15 16:10:33 +00:00
ryoon
a1d2f9d36d Fix misc/rpm build.
* Buildlink include files.
2013-09-14 10:29:22 +00:00
ryoon
bb2adbf401 Update to 3.15.1
Changelog:
NSS 3.15.1 release notes

Introduction

Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.1 are described in the "Bugs Fixed" section below.
Distribution Information

NSS 3.15.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download:

    Source tarballs:
    https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/

New in NSS 3.15.1
New Functionality

    TLS 1.2: TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations.
        The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1.
        AES GCM cipher suites are not yet supported.

New Functions

None.
New Types

    in sslprot.h
        SSL_LIBRARY_VERSION_TLS_1_2 - The protocol version of TLS 1.2 on the wire, value 0x0303.
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_NULL_SHA256 - New TLS 1.2 only HMAC-SHA256 cipher suites.
    in sslerr.h
        SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, SSL_ERROR_DIGEST_FAILURE, SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM - New error codes for TLS 1.2.
    in sslt.h
        ssl_hmac_sha256 - A new value in the SSLMACAlgorithm enum type.
        ssl_signature_algorithms_xtn - A new value in the SSLExtensionType enum type.

New PKCS #11 Mechanisms

None.
Notable Changes in NSS 3.15.1

    Bug 856060 - Enforce name constraints on the common name in libpkix  when no subjectAltName is present.
    Bug 875156 - Add const to the function arguments of SEC_CertNicknameConflict.
    Bug 877798 - Fix ssltap to print the certificate_status handshake message correctly.
    Bug 882829 - On Windows, NSS initialization fails if NSS cannot call the RtlGenRandom function.
    Bug 875601 - SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token delay, leading to spurious failures.
    Bug 884072 - Fix a typo in the header include guard macro of secmod.h.
    Bug 876352 - certutil now warns if importing a PEM file that contains a private key.
    Bug 565296 - Fix the bug that shlibsign exited with status 0 even though it failed.
    The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed.

Bugs fixed in NSS 3.15.1

    https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS

Compatibility

NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.



NSS 3.15 release notes

Introduction

The NSS team has released Network Security Services (NSS) 3.15, which is a minor release.
Distribution Information

The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer.

NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download:

    Source tarballs:
    https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/

New in NSS 3.15
New Functionality

    Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
    Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.
    Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
    certutil has been updated to support creating name constraints extensions.

New Functions

    in ssl.h
        SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension.
        SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension.
    in ocsp.h
        CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses.
    in secpkcs7.h
        SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time.
    in xconst.h
        CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
    in secitem.h
        SECITEM_AllocArray
        SECITEM_DupArray
        SECITEM_FreeArray
        SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays
        SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938.
    in pk11pub.h
        PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM.
        PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM.

New Types

    in secitem.h
        SECItemArray - Represents a variable-length array of SECItems.

New Macros

    in ssl.h
        SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE

Notable Changes in NSS 3.15

    SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code.

    NSS has migrated from CVS to the Mercurial source control management system.

    Updated build instructions are available at Migration to HG

    As part of this migration, the source code directory layout has been re-organized.

    The list of root CA certificates in the nssckbi module has been updated.

    The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache.

    Applications that use SSL_AuthCertificateHook to override the default handler should add appropriate calls to SSL_PeerStapledOCSPResponse and CERT_CacheOCSPResponseFromSideChannel.
    Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour.
    Bug 853285: Fixed bugs in AES GCM.
    Bug 341127: Fix the invalid read in rc4_wordconv.
    Faster NIST curve P-256 implementation.
    Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library libfreebl_32int_3.so is no longer produced.

Bugs fixed in NSS 3.15

This Bugzilla query returns all the bugs fixed in NSS 3.15:

https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15
2013-07-20 09:28:11 +00:00
wiz
d2ca14a3f1 Bump all packages for perl-5.18, that
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package

Like last time, where this caused no complaints.
2013-05-31 12:39:57 +00:00
adam
1ab43a036f Massive revbump after updating graphics/ilmbase, graphics/openexr, textproc/icu. 2013-05-09 07:39:04 +00:00
ryoon
816e588843 Update to 3.14.3
Changelog:
* Bugfixes
* Fix CVE-2013-1620.
2013-02-20 19:49:17 +00:00
wiz
bd06e1cb46 Reset MAINTAINER/OWNER (became observers) 2013-02-01 22:21:05 +00:00
adam
f4c3b89da7 Revbump after graphics/jpeg and textproc/icu 2013-01-26 21:36:13 +00:00
ryoon
6595541c03 Udate to 3.14.1
Changelog unknown.
2013-01-05 19:02:45 +00:00
ryoon
d3372da589 Set LICENSE as MPL 2.0. 2012-12-15 09:51:51 +00:00
ryoon
30219e9a7b Bump BUILDLINK_ABI_DEPENDS. 2012-12-15 09:51:16 +00:00
ryoon
5a7460719a Update to 3.14.0
Changelog:
The NSS team has released Network Security Services (NSS) 3.14, which is a minor release with the following new features:

    Support for TLS 1.1 (RFC 4346)
    Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
    Support for AES-CTR, AES-CTS, and AES-GCM
    Support for Keying Material Exporters for TLS (RFC 5705)

In addition to the above new features, the following major changes have been introduced:

    Support for certificate signatures using the MD5 hash algorithm is now disabled by default.
    The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL  2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explantation on GPL/LGPL compatibility, see security/nss/COPYING in the source code.
    Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default.
2012-12-15 09:48:00 +00:00
asau
e1ab7079b6 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-31 11:16:30 +00:00
wiz
8b5d49eb78 Bump all packages that use perl, or depend on a p5-* package, or
are called p5-*.

I hope that's all of them.
2012-10-03 21:53:53 +00:00