RPM Search

Changelog for mozilla-nss-3.15.1-1.1.i586.rpm :
Fri Jul 5 14:00:00 2013 lnusselAATTsuse.de
- fix 32bit requirement, it\'s without () actually

Wed Jul 3 14:00:00 2013 wrAATTrosenauer.org
- update to 3.15.1

* TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites
(RFC 5246 and RFC 5289) are supported, allowing TLS to be used
without MD5 and SHA-1.
Note the following limitations:
The hash function used in the signature for TLS 1.2 client
authentication must be the hash function of the TLS 1.2 PRF,
which is always SHA-256 in NSS 3.15.1.
AES GCM cipher suites are not yet supported.

* some bugfixes and improvements

Fri Jun 28 14:00:00 2013 lnusselAATTsuse.de
- require libnssckbi instead of mozilla-nss-certs so p11-kit can
conflict with the latter (fate#314991)

Tue Jun 11 14:00:00 2013 wrAATTrosenauer.org
- update to 3.15

* Packaging
+ removed obsolete patches

* nss-disable-expired-testcerts.patch

* bug-834091.patch

* New Functionality
+ Support for OCSP Stapling (RFC 6066, Certificate Status
Request) has been added for both client and server sockets.
TLS client applications may enable this via a call to
SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
+ Added function SECITEM_ReallocItemV2. It replaces function
SECITEM_ReallocItem, which is now declared as obsolete.
+ Support for single-operation (eg: not multi-part) symmetric
key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
+ certutil has been updated to support creating name constraints
extensions.

* New Functions
in ssl.h
SSL_PeerStapledOCSPResponse - Returns the server\'s stapled
OCSP response, when used with a TLS client socket that
negotiated the status_request extension.
SSL_SetStapledOCSPResponses - Set\'s a stapled OCSP response
for a TLS server socket to return when clients send the
status_request extension.
in ocsp.h
CERT_PostOCSPRequest - Primarily intended for testing, permits
the sending and receiving of raw OCSP request/responses.
in secpkcs7.h
SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7
signature at a specific time other than the present time.
in xconst.h
CERT_EncodeNameConstraintsExtension - Matching function for
CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
in secitem.h
SECITEM_AllocArray
SECITEM_DupArray
SECITEM_FreeArray
SECITEM_ZfreeArray - Utility functions to handle the
allocation and deallocation of SECItemArrays
SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is
now obsolete. SECITEM_ReallocItemV2 better matches caller
expectations, in that it updates item->len on allocation.
For more details of the issues with SECITEM_ReallocItem,
see Bug 298649 and Bug 298938.
in pk11pub.h
PK11_Decrypt - Performs decryption as a single PKCS#11
operation (eg: not multi-part). This is necessary for AES-GCM.
PK11_Encrypt - Performs encryption as a single PKCS#11
operation (eg: not multi-part). This is necessary for AES-GCM.

* New Types
in secitem.h
SECItemArray - Represents a variable-length array of SECItems.

* New Macros
in ssl.h
SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure
TLS client sockets to request the certificate_status extension
(eg: OCSP stapling) when set to PR_TRUE

* Notable changes
+ SECITEM_ReallocItem is now deprecated. Please consider using
SECITEM_ReallocItemV2 in all future code.
+ The list of root CA certificates in the nssckbi module has
been updated.
+ The default implementation of SSL_AuthCertificate has been
updated to add certificate status responses stapled by the TLS
server to the OCSP cache.

* a lot of bugfixes

Tue Apr 16 14:00:00 2013 idonmezAATTsuse.com
- Add Source URL, see https://en.opensuse.org/SourceUrls

Sun Mar 24 13:00:00 2013 wrAATTrosenauer.org
- disable tests with expired certificates
(nss-disable-expired-testcerts.patch)
- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from
mozilla tree to fulfill Firefox 21 requirements
(bug-834091.patch; bmo#834091)

Thu Feb 28 13:00:00 2013 wrAATTrosenauer.org
- update to 3.14.3

* No new major functionality is introduced in this release. This
release is a patch release to address CVE-2013-1620 (bmo#822365)

* \"certutil -a\" was not correctly producing ASCII output as
requested. (bmo#840714)

* NSS 3.14.2 broke compilation with older versions of sqlite that
lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now
properly compiles when used with older versions of sqlite
(bmo#837799) - remove system-sqlite.patch
- add aarch64 support

Tue Feb 5 13:00:00 2013 wrAATTrosenauer.org
- added system-sqlite.patch (bmo#837799)

* do not depend on latest sqlite just for a #define
- enable system sqlite usage again

Sat Feb 2 13:00:00 2013 wrAATTrosenauer.org
- update to 3.14.2

* required for Firefox >= 20

* removed obsolete nssckbi update patch

* MFSA 2013-40/CVE-2013-0791 (bmo#629816)
Out-of-bounds array read in CERT_DecodeCertPackage
- disable system sqlite usage since we depend on 3.7.15 which is
not provided in any openSUSE distribution

* add nss-sqlitename.patch to avoid any name clash

Sun Dec 30 13:00:00 2012 wrAATTrosenauer.org
- updated CA database (nssckbi-1.93.patch)

* MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628)
revoke mis-issued intermediate certificates from TURKTRUST

Tue Dec 18 13:00:00 2012 wrAATTrosenauer.org
- update to 3.14.1 RTM

* minimal requirement for Gecko 20

* several bugfixes

Thu Oct 25 14:00:00 2012 wrAATTrosenauer.org
- update to 3.14 RTM

* Support for TLS 1.1 (RFC 4346)

* Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)

* Support for AES-CTR, AES-CTS, and AES-GCM

* Support for Keying Material Exporters for TLS (RFC 5705)

* Support for certificate signatures using the MD5 hash algorithm
is now disabled by default

* The NSS license has changed to MPL 2.0. Previous releases were
released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more
information about MPL 2.0, please see
http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional
explanation on GPL/LGPL compatibility, see security/nss/COPYING
in the source code.

* Export and DES cipher suites are disabled by default. Non-ECC
AES and Triple DES cipher suites are enabled by default
- disabled OCSP testcases since they need external network
(nss-disable-ocsp-test.patch)

Wed Aug 15 14:00:00 2012 wrAATTrosenauer.org
- update to 3.13.6 RTM

* root CA update

* other bugfixes

Fri Jun 1 14:00:00 2012 wrAATTrosenauer.org
- update to 3.13.5 RTM

Fri Apr 13 14:00:00 2012 wrAATTrosenauer.org
- update to 3.13.4 RTM

* fixed some bugs

* fixed cert verification regression in PKIX mode (bmo#737802)
introduced in 3.13.2

Thu Feb 23 13:00:00 2012 wrAATTrosenauer.org
- update to 3.13.3 RTM
- distrust Trustwave\'s MITM certificates (bmo#724929)
- fix generic blacklisting mechanism (bmo#727204)

Thu Feb 16 13:00:00 2012 wrAATTrosenauer.org
- update to 3.13.2 RTM

* requirement with Gecko >= 11
- removed obsolete patches

* ckbi-1.88

* pkcs11n-header-fix.patch

Sun Dec 18 13:00:00 2011 adrianAATTsuse.de
- fix spec file syntax for qemu-workaround

Mon Nov 14 13:00:00 2011 johnAATTredux.org.uk
- Added a patch to fix errors in the pkcs11n.h header file.
(bmo#702090)

Sat Nov 5 13:00:00 2011 wolfgangAATTrosenauer.org
- update to 3.13.1 RTM

* better SHA-224 support (bmo#647706)

* fixed a regression (causing hangs in some situations)
introduced in 3.13 (bmo#693228)
- update to 3.13.0 RTM

* SSL 2.0 is disabled by default

* A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext
attack demonstrated by Rizzo and Duong (CVE-2011-3389) is
enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to
PR_FALSE to disable it.

* SHA-224 is supported

* Ported to iOS. (Requires NSPR 4.9.)

* Added PORT_ErrorToString and PORT_ErrorToName to return the
error message and symbolic name of an NSS error code

* Added NSS_GetVersion to return the NSS version string

* Added experimental support of RSA-PSS to the softoken only

* NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db
anymore (bmo#641052, bnc#726096)

Sat Nov 5 13:00:00 2011 wrAATTrosenauer.org
- explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753)
- make sure NSS_NoDB_Init does not try to use wrong certificate
databases (CVE-2011-3640, bnc#726096, bmo#641052)

Fri Sep 30 14:00:00 2011 crrodriguezAATTopensuse.org
- Workaround qemu-arm bugs.

Fri Sep 9 14:00:00 2011 wrAATTrosenauer.org
- explicitely distrust/override DigiNotar certs (bmo#683261)
(trustdb version 1.87)

Fri Sep 2 14:00:00 2011 pcernyAATTsuse.com
- removed DigiNotar root certificate from trusted db
(bmo#682927, bnc#714931)

Wed Aug 24 14:00:00 2011 andrea.turriniAATTgmail.com
- fixed typo in summary of mozilla-nss (libsoftokn3)

Fri Aug 12 14:00:00 2011 wrAATTrosenauer.org
- update to 3.12.11 RTM

* no upstream release notes available

Wed Jul 13 14:00:00 2011 meissnerAATTsuse.de
- Linux3.0 is the new Linux2.6 (make it build)

Mon May 23 14:00:00 2011 crrodriguezAATTopensuse.org
- Do not include build dates in binaries, messes up
build compare

Thu May 19 14:00:00 2011 wrAATTrosenauer.org
- update to 3.12.10 RTM

* no changes except internal release information

Thu Apr 28 14:00:00 2011 wrAATTrosenauer.org
- update to 3.12.10beta1

* root CA changes

* filter certain bogus certs (bmo#642815)

* fix minor memory leaks

* other bugfixes

Sun Jan 9 13:00:00 2011 wrAATTrosenauer.org
- update to 3.12.9rc0

* fix minor memory leaks (bmo#619268)

* fix crash in nss_cms_decoder_work_data (bmo#607058)

* fix crash in certutil (bmo#620908)

* handle invalid argument in JPAKE (bmo#609068)

Thu Dec 9 13:00:00 2010 wrAATTrosenauer.org
- update to 3.12.9beta2

* J-PAKE support (API requirement for Firefox >= 4.0b8)

Tue Nov 9 13:00:00 2010 wrAATTrosenauer.org
- replaced expired PayPal test certificate (fixing testsuite)

Sat Sep 25 14:00:00 2010 wrAATTrosenauer.org
- update to 3.12.8 RTM release

* support TLS false start (needed for Firefox4) (bmo#525092)

* fix wildcard matching for IP addresses (bnc#637290, bmo#578697)
(CVE-2010-3170)

* bugfixes

Fri Jul 23 14:00:00 2010 wrAATTrosenauer.org
- update to 3.12.7 RTM release

* bugfix release

* updated root CA list
- removed obsolete patches

Fri Jul 9 14:00:00 2010 jengelhAATTmedozas.de
- Disable testsuite on SPARC. Some tests fails, probably due to
just bad timing/luck.

Thu Jun 3 14:00:00 2010 wrAATTrosenauer.org
- Use preloaded empty system database since creating with
modutil leaves database in nonusable state

Sat Apr 24 14:00:00 2010 cooloAATTnovell.com
- buildrequire pkg-config to fix provides

Sun Apr 4 14:00:00 2010 wrAATTrosenauer.org
- disabled a test using an expired cert (bmo#557071)

Sat Mar 20 13:00:00 2010 wrAATTrosenauer.org
- fixed builds for older dists where internal sqlite3 is used
(nss-sqlitename.patch was not refreshed correctly)
- fixed baselibs.conf as is not a valid identifier

Tue Mar 9 13:00:00 2010 wrAATTrosenauer.org
- update to 3.12.6 RTM release

* added mozilla-nss-sysinit subpackage
- change renegotiation behaviour to the old default for a
transition phase

Tue Mar 9 13:00:00 2010 wrAATTrosenauer.org
- split off libsoftokn3 subpackage to allow mixed NSS installation

Sat Dec 26 13:00:00 2009 wrAATTrosenauer.org
- added mozilla-nss-certs baselibs (bnc#567322)

Fri Dec 18 13:00:00 2009 wrAATTrosenauer.org
- split mozilla-nss-certs from main package
- added rpmlintrc to ignore expected warnings
- added baselibs.conf as source

Mon Dec 14 13:00:00 2009 wrAATTrosenauer.org
- updated builtin certs (version 1.77)

Mon Nov 23 13:00:00 2009 wrAATTrosenauer.org
- rebased patches to apply w/o fuzz

Fri Aug 14 14:00:00 2009 wrAATTrosenauer.org
- update to 3.12.4 RTM release

Fri Aug 7 14:00:00 2009 wrAATTrosenauer.org
- update to recent snapshot (20090806)
- libnssdbm3.so has to be signed starting with 3.12.4

Mon Aug 3 14:00:00 2009 wrAATTrosenauer.org
- update to NSS 3.12.4pre snapshot
- rebased existing patches
- enable testsuite again (was disabled accidentally before)

Wed Jul 29 14:00:00 2009 wrAATTrosenauer.org
- update to NSS 3.12.3.1 (upstream use in FF 3.5.1) (bmo#504611)

* RNG_SystemInfoForRNG called twice by nsc_CommonInitialize
(bmo#489811; other changes are unrelated to Linux)
- moved shlibsign to tools package again (as it\'s not needed at
library install time anymore)
- use %{_libexecdir} for the tools

Sat Jun 6 14:00:00 2009 wrAATTrosenauer.org
- Temporary testsuite fix for Factory (bnc#509308) (malloc.patch)
- remove the post scriptlet which created the
*.chk files and
use a RPM feature to create them after debuginfo stuff

Tue Jun 2 14:00:00 2009 wrAATTrosenauer.org
- updated builtin root certs by updating to
NSS_3_12_3_WITH_CKBI_1_75_RTM tag which is supposed to be the
base for Firefox 3.5.0
- PreReq coreutils in the main package already as \"rm\" is used
in its %post script
- disable testsuite for this moment as it crashes on Factory
currently for an unknown reason

Thu May 21 14:00:00 2009 wrAATTrosenauer.org
- renew Paypal certs to fix testsuite errors (bmo#491163)

Mon Apr 20 14:00:00 2009 wrAATTrosenauer.org
- update to version 3.12.3 RTM

* default behaviour changed slightly but can be set up
backward compatible using environment variables
https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables

* New Korean SEED cipher

* Some new functions in the nss library:
CERT_RFC1485_EscapeAndQuote (see cert.h)
CERT_CompareCerts (see cert.h)
CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h)
PK11_GetSymKeyHandle (see pk11pqg.h)
UTIL_SetForkState (see secoid.h)
NSS_GetAlgorithmPolicy (see secoid.h)
NSS_SetAlgorithmPolicy (see secoid.h)
- created libfreebl3 subpackage and build it w/o nspr and nss deps
- added patch to make all ASM noexecstack
- create the softokn3 and freebl3 checksums at installation time
(moved shlibsign to the main package to achieve that)
- applied upstream patch to avoid OSCP test failures (bmo#488646)
- applied upstream patch to fix libjar crashes (bmo#485145)