Changelog for mozilla-nss-3.76.1-390.3.x86_64.rpm :

* Sun Apr 10 2022 Callum Farmer - Require nss-util in nss.pc and subsequently remove -lnssutil3
* Sat Apr 02 2022 Wolfgang Rosenauer - update to NSS 3.76.1
NSS 3.76.1
* bmo#1756271 - Remove token member from NSSSlot struct.
NSS 3.76
* bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
* bmo#1370866 - Check return value of PK11Slot_GetNSSToken.
* bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS
* bmo#1679803 - Add SHA256 fingerprint comments to old certdata.txt entries.
* bmo#1753505 - Avoid truncating files in nss-release-helper.py.
* bmo#1751157 - Throw illegal_parameter alert for illegal extensions in handshake message.
* Fri Mar 25 2022 Callum Farmer - Add nss-util pkgconfig and config files (copied from RH/Fedora)
* Wed Mar 02 2022 Wolfgang Rosenauer - update to NSS 3.75
* bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
* bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
* bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
* bmo#1748386 - Remove redundant key type check.
* bmo#1749869 - Update ABI expectations to match ECH changes.
* bmo#1748386 - Enable CKM_CHACHA20.
* bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
* bmo#1747310 - real move assignment operator.
* bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
* bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
* bmo#1747772 - Allow to build using clang's integrated assembler.
* bmo#1321398 - Allow to override python for the build.
* bmo#1747317 - test HKDF output rather than input.
* bmo#1747316 - Use ASSERT macros to end failed tests early.
* bmo#1747310 - move assignment operator for DataBuffer.
* bmo#1712879 - Add test cases for ECH compression and unexpected extensions in SH.
* bmo#1725938 - Update tests for ECH-13.
* bmo#1725938 - Tidy up error handling.
* bmo#1728281 - Add tests for ECH HRR Changes.
* bmo#1728281 - Server only sends GREASE HRR extension if enabled by preference.
* bmo#1725938 - Update generation of the Associated Data for ECH-13.
* bmo#1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
* bmo#1712879 - Allow for compressed, non-contiguous, extensions.
* bmo#1712879 - Scramble the PSK extension in CHOuter.
* bmo#1712647 - Split custom extension handling for ECH.
* bmo#1728281 - Add ECH-13 HRR Handling.
* bmo#1677181 - Client side ECH padding.
* bmo#1725938 - Stricter ClientHelloInner Decompression.
* bmo#1725938 - Remove ECH_inner extension, use new enum format.
* bmo#1725938 - Update the version number for ECH-13 and adjust the ECHConfig size.
* Mon Jan 24 2022 Wolfgang Rosenauer - update to NSS 3.74
* bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses
* bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
* bmo#1721426 - NSS does not properly restrict server keys based on policy
* bmo#1733003 - Set nssckbi version number to 2.54
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
* bmo#1735407 - Replace GlobalSign ECC Root CA R4
* bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
* bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates
* bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate
* bmo#1740095 - Add iTrusChina ECC root certificate
* bmo#1740095 - Add iTrusChina RSA root certificate
* bmo#1738805 - Add ISRG Root X2 root certificate
* bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
* bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
* bmo#1735028 - Check for missing signedData field
* bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
* Wed Dec 29 2021 Andreas Stieger - update to NSS 3.73.1:
* Add SHA-2 support to mozilla::pkix's OCSP implementation
* Wed Dec 01 2021 Wolfgang Rosenauer - update to NSS 3.73
* bmo#1735028 - check for missing signedData field.
* bmo#1737470 - Ensure DER encoded signatures are within size limits.
* bmo#1729550 - NSS needs FIPS 140-3 version indicators.
* bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs
* bmo#1738600 - sunset Coverity from NSS
MFSA 2021-51 (bsc#1193170)
* CVE-2021-43527 (bmo#1737470) Memory corruption via DER-encoded DSA and RSA-PSS signatures
* Sun Nov 28 2021 Wolfgang Rosenauer - update to NSS 3.72
* Remove newline at the end of coreconf.dep
* bmo#1731911 - Fix nsinstall parallel failure.
* bmo#1729930 - Increase KDF cache size to mitigate perf regression in about:logins
* Sat Oct 23 2021 Wolfgang Rosenauer - update to NSS 3.71
* bmo#1717716 - Set nssckbi version number to 2.52.
* bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
* bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported
* bmo#1717707 - Add HARICA Client ECC Root CA 2021.
* bmo#1717707 - Add HARICA Client RSA Root CA 2021.
* bmo#1717707 - Add HARICA TLS ECC Root CA 2021.
* bmo#1717707 - Add HARICA TLS RSA Root CA 2021.
* bmo#1728394 - Add TunTrust Root CA certificate to NSS.
- required for Firefox 94
* Fri Oct 01 2021 Wolfgang Rosenauer - update to NSS 3.70
* bmo#1726022 - Update test case to verify fix.
* bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
* bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
* bmo#1681975 - Avoid using a lookup table in nssb64d.
* bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
* bmo#1714579 - Change default value of enableHelloDowngradeCheck to true.
* bmo#1726022 - Cache additional PBE entries.
* bmo#1709750 - Read HPKE vectors from official JSON.
- required for Firefox 93
* Fri Sep 03 2021 Wolfgang Rosenauer - Update to NSS 3.69.1
* bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
* bmo#1720226 (Backout) - integrity checks in key4.db not happening on private components with AES_CBC
NSS 3.69
* bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
* bmo#1720226 - integrity checks in key4.db not happening on private components with AES_CBC (backed out again)
* bmo#1720235 - SSL handling of signature algorithms ignores environmental invalid algorithms.
* bmo#1721476 - sqlite 3.34 changed its open semantics, causing nss failures. (removed obsolete nss-btrfs-sqlite.patch)
* bmo#1720230 - Gtest update changed the gtest reports, losing gtest details in all.sh reports.
* bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
* bmo#1720232 - SQLite calls could timeout in starvation situations.
* bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
* bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
* bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE
* Wed Aug 18 2021 Hans Petter Jansson - Update nss-fips-constructor-self-tests.patch to fix crashes reported by upstream. This was likely affecting WebRTC calls.
* Thu Aug 05 2021 Wolfgang Rosenauer - update to NSS 3.68
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
- required by Firefox 91.0
- added nss-fips-fix-missing-nspr.patch (via SLE sync)
* Sat Jul 10 2021 Wolfgang Rosenauer - update to NSS 3.66
* no release notes available yet https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.66_release_notes
- update to NSS 3.65
* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update its csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
- refreshed patches
- Firefox 90.0 requires NSS 3.66
* Thu May 27 2021 Andreas Stieger - update to NSS 3.64
* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports("vsx") with ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
* Sun Apr 18 2021 Wolfgang Rosenauer - update to NSS 3.63.1
* no upstream release notes for 3.63.1 (yet)
Fixed in 3.63
* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build issues with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008'.
* bmo#1694291 - Tracing fixes for ECH.
- required for Firefox 88
* Tue Mar 16 2021 Wolfgang Rosenauer - update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable"
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07
- required for Firefox 87
* Sun Feb 28 2021 Sasi Olin - Add nss-btrfs-sqlite.patch to address bmo#1690232
* Sun Feb 21 2021 Wolfgang Rosenauer - update to NSS 3.61
* required for Firefox 86
* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.
* Sun Jan 24 2021 Wolfgang Rosenauer - update to NSS 3.60.1
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 for more information.
- removed obsolete ppc-old-abi-v3.patch
* Sun Dec 27 2020 Wolfgang Rosenauer - update to NSS 3.59.1
* bmo#1679290 - Fix potential deadlock with certain third-party PKCS11 modules
* Tue Dec 01 2020 Wolfgang Rosenauer - update to NSS 3.59
Notable changes
* Exported two existing functions from libnss: CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
Bugfixes
* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord (boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds
* bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
* Sun Nov 15 2020 Wolfgang Rosenauer - update to NSS 3.58
Bugs fixed:
* bmo#1641480 (CVE-2020-25648) Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello (draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto extensions.
* bmo#1668328 - Handle spaces in the Python path name when using gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value.
* Thu Nov 12 2020 Ludwig Nussel - install libraries in %{_libdir} (boo#1029961)
* Mon Oct 12 2020 Dominique Leuenberger - Fix build with RPM 4.16: error: bare words are no longer supported, please use "...": lib64 == lib64.
* Wed Sep 30 2020 Wolfgang Rosenauer - update to NSS 3.57
* The following CA certificates were Added:
  bmo#1663049 - CN=Trustwave Global Certification Authority
    SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
  bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
    SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
  bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
    SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
  bmo#1651211 - CN=EE Certification Centre Root CA
    SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
  bmo#1656077 - O=Government Root Certification Authority; C=TW
    SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
  bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
    Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
- requires NSPR 4.29
- removed obsolete nss-freebl-fix-aarch64.patch (bmo#1659256)
- introduced _constraints due to high memory requirements especially for LTO on Tumbleweed
* Fri Sep 25 2020 Guillaume GARDET - Add patch to fix build on aarch64 - boo#1176934:
* nss-freebl-fix-aarch64.patch
* Thu Sep 17 2020 Hans Petter Jansson - Update nss-fips-approved-crypto-non-ec.patch to match RC2 code being moved to deprecated/.
- Remove nss-fix-dh-pkcs-derive-inverted-logic.patch. This was made obsolete by upstream changes.
* Tue Sep 08 2020 Wolfgang Rosenauer - update to NSS 3.56
Notable changes
* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting "all" as the default makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28
- do not hard require mozilla-nss-certs-32bit via baselibs (boo#1176206)
* Sat Aug 22 2020 Wolfgang Rosenauer - update to NSS 3.55
Notable changes
* P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
Relevant Bugfixes
* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension.
* Thu Jul 23 2020 Wolfgang Rosenauer - update to NSS 3.54
Notable changes
* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available (bmo#1528113)
* The following CA certificates were Added:
  bmo#1645186 - certSIGN Root CA G2.
  bmo#1645174 - e-Szigno Root CA 2017.
  bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
  bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
  bmo#1645199 - AddTrust Class 1 CA Root.
  bmo#1645199 - AddTrust External CA Root.
  bmo#1641718 - LuxTrust Global Root 2.
  bmo#1639987 - Staat der Nederlanden Root CA - G2.
  bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
  bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
  bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
* A number of certificates had their Email trust bit disabled. See bmo#1618402 for a complete list.
Bugs fixed
* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add "certSIGN Root CA G2" root certificate.
* bmo#1645174 - Add Microsec's "e-Szigno Root CA 2017" root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo#1621151 - Disable email trust bit for "O=Government Root Certification Authority; C=TW" root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove "LuxTrust Global Root 2" root certificate.
* bmo#1639987 - Remove "Staat der Nederlanden Root CA - G2" root certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.
* Sat Jun 27 2020 Wolfgang Rosenauer - add FIPS mode patches from SLE stream nss-fips-aes-keywrap-post.patch nss-fips-approved-crypto-non-ec.patch nss-fips-cavs-dsa-fixes.patch nss-fips-cavs-general.patch nss-fips-cavs-kas-ecc.patch nss-fips-cavs-kas-ffc.patch nss-fips-cavs-keywrap.patch nss-fips-cavs-rsa-fixes.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch nss-fips-constructor-self-tests.patch nss-fips-detect-fips-mode-fixes.patch nss-fips-dsa-kat.patch nss-fips-gcm-ctr.patch nss-fips-pairwise-consistency-check.patch nss-fips-rsa-keygen-strictness.patch nss-fips-tls-allow-md5-prf.patch nss-fips-use-getrandom.patch nss-fips-use-strong-random-pool.patch nss-fips-zeroization.patch nss-fix-dh-pkcs-derive-inverted-logic.patch
* Tue Jun 23 2020 Wolfgang Rosenauer - update to NSS 3.53.1
* required for Firefox 78
* CVE-2020-12402 - Use constant-time GCD and modular inversion in MPI. (bmo#1631597, bsc#1173032)
* Sun Jun 21 2020 Michel Normand - Add ppc-old-abi-v3.patch as per upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1642174
* Thu Jun 11 2020 Wolfgang Rosenauer - update to NSS 3.53
Notable changes
* SEED is now moved into a new freebl directory freebl/deprecated bmo#1636389
* SEED will be disabled by default in a future release of NSS. At that time, users will need to set the compile-time flag (bmo#1622033) to disable that deprecation in order to use the algorithm.
* Algorithms marked as deprecated will ultimately be removed
* Several root certificates in the Mozilla program now set the CKA_NSS_SERVER_DISTRUST_AFTER attribute, which NSS consumers can query to further refine trust decisions. (bmo#1618404, bmo#1621159). If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or NotBefore date of a certificate that builtin issued, then clients can elect not to trust it.
* Tue May 26 2020 Wolfgang Rosenauer - update to NSS 3.52.1
* required for Firefox 77.0
Notable changes
* Update NSS to support PKCS#11 v3.0 (bmo#1603628)
* Support new PKCS #11 v3.0 Message Interface for AES-GCM and ChaChaPoly (bmo#1623374)
* Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL* (bmo#1612493)
* CVE-2020-12399 - Force a fixed length for DSA exponentiation (bmo#1631576, boo#1171978)
- removed obsolete nss-kremlin-ppc64le.patch
* Wed Apr 29 2020 Martin Liška - Set NSS_ENABLE_WERROR=0 in order to fix boo#1169746.
* Sat Apr 11 2020 Andreas Stieger - update to NSS 3.51.1:
* Update Delegated Credentials implementation to draft-07 (bmo#1617968)
* Add workaround option to include both DTLS and TLS versions in DTLS supported_versions (bmo#1619102)
* Update README: TLS 1.3 is not experimental anymore (bmo#1619056)
* Don't assert fuzzer behavior in SSL_ParseSessionTicket (bmo#1618739)
* Fix UBSAN issue in ssl_ParseSessionTicket (bmo#1618915)
* Consistently handle NULL slot/session (bmo#1608245)
* broken fipstest handling of KI_len (bmo#1608250)
* Update Delegated Credentials implementation to draft-07 (bmo#1617968)
* Tue Mar 31 2020 Michel Normand - Update previous patch nss-kremlin-ppc64le.patch slightly modified to support also ppc64 (BE) versus initial https://github.com/FStarLang/kremlin/issues/166
* Tue Mar 31 2020 Martin Sirringhaus - Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds
* Mon Mar 30 2020 Wolfgang Rosenauer - update to NSS 3.51
* Updated DTLS 1.3 implementation to Draft-34. (bmo#1608892)
* Correct swapped PKCS11 values of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL (bmo#1611209)
* Complete integration of Wycheproof ECDH test cases (bmo#1612259)
* Check if PPC __has_include() (bmo#1614183)
* Fix a compilation error for ‘getFIPSEnv’ "defined but not used" (bmo#1614786)
* Send DTLS version numbers in DTLS 1.3 supported_versions extension to avoid an incompatibility. (bmo#1615208)
* SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed to be null-terminated (bmo#1538980)
* Correct a warning for comparison of integers of different signs: 'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88 (bmo#1561337)
* Add test for mp_int clamping (bmo#1609751)
* Don't attempt to read the fips_enabled flag on the machine unless NSS was built with FIPS enabled (bmo#1582169)
* Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940)
* Fix compiler warning in secsign.c (bmo#1617387)
* Fix an OpenBSD/arm64 compilation error: unused variable 'getauxval' (bmo#1618400)
* Fix a crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics (bmo#1610687)
* Tue Mar 03 2020 Wolfgang Rosenauer - update to NSS 3.50
* Verified primitives from HACL* were updated, bringing performance improvements for several platforms. Note that Intel processors with SSE4 but without AVX are currently unable to use the improved ChaCha20/Poly1305 due to a build issue; such platforms will fall back to less optimized algorithms. See bmo#1609569 for details.
* Updated DTLS 1.3 implementation to Draft-30. See bmo#1599514 for details.
* Added NIST SP800-108 KBKDF - PKCS#11 implementation. See bmo#1599603 for details.
* Several bugfixes and minor changes
* Thu Feb 27 2020 Fridrich Strba - Package also the cmac.h needed by blapi.h
* Tue Feb 25 2020 Guillaume GARDET - Disable LTO on %arm as LTO fails on neon errors
* Sat Feb 08 2020 Wolfgang Rosenauer - update to NSS 3.49.2
Fixed bugs:
* Fix compilation problems with NEON-specific code in freebl (bmo#1608327)
* Fix a taskcluster issue with Python 2 / Python 3 (bmo#1608895)
* Thu Jan 16 2020 Wolfgang Rosenauer - update to NSS 3.49.1
3.49.1 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49.1_release_notes
* Cache the most recent PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF iteration counts (bmo#1606992)
3.49 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes
* The legacy DBM database, libnssdbm, is no longer built by default when using gyp builds (bmo#1594933)
* several bugfixes
* Tue Jan 07 2020 Wolfgang Rosenauer - update to NSS 3.48
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes
Notable Changes
* TLS 1.3 is the default maximum TLS version (bmo#1573118)
* TLS extended master secret is enabled by default, where possible (bmo#1575411)
* The master password PBE now uses 10,000 iterations by default when using the default sql (key4.db) storage (bmo#1562671)
Certificate Authority Changes
* Added Entrust Root Certification Authority - G4 Cert (bmo#1591178)
Bugfixes
- requires NSPR 4.24
* Sun Nov 24 2019 Wolfgang Rosenauer - update to NSS 3.47.1
* CVE-2019-11745 - EncryptUpdate should use maxout, not block size (boo#1158527)
* Fix a crash that could be caused by client certificates during startup (bmo#1590495)
* Fix compile-time warnings from uninitialized variables in a perl script (bmo#1589810)
* Sun Nov 17 2019 Wolfgang Rosenauer - update to NSS 3.47
* required by Firefox 71.0
Notable changes
* Support AES HW acceleration on ARMv8 (bmo#1152625)
* Allow per-socket run-time ordering of the cipher suites presented in ClientHello (bmo#1267894)
* Add CMAC to FreeBL and PKCS #11 libraries (bmo#1570501)
Bugfixes https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes
- requires NSPR 4.23
* Fri Oct 18 2019 Wolfgang Rosenauer - update to NSS 3.46.1
* required by Firefox 70.0
Notable changes in 3.46
* The following CA certificates were Removed:
  expired Class 2 Primary root certificate
  expired UTN-USERFirst-Client root certificate
  expired Deutsche Telekom Root CA 2 root certificate
  Swisscom Root CA 2 root certificate
* Significant improvements to AES-GCM performance on ARM
Many bugfixes
Bug fixes in 3.46.1
* Soft token MAC verification not constant time (bmo#1582343)
* Remove arbitrary HKDF output limit by allocating space as needed (bmo#1577953)
* CVE-2019-17006 Add length checks for cryptographic primitives (bmo#1539788)
- requires NSPR 4.22
* Thu Aug 29 2019 Martin Pluskal - Small packaging cleanup
* Sat Aug 03 2019 Wolfgang Rosenauer - update to NSS 3.45 (bsc#1141322)
* required by Firefox 69.0
New functions
* PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL.
Notable changes
* bmo#1540403 - Implement Delegated Credentials
* bmo#1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto
* bmo#1551129 - Support static linking on Windows
* bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot
* bmo#1546229 - Add IPSEC IKE support to softoken
* bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23)
* bmo#1543874 - Expose an external clock for SSL
* bmo#1546477 - Various changes in response to the ongoing FIPS review
Certificate Authority Changes
* The following CA certificates were Removed: bmo#1552374 - CN = Certinomis - Root CA
Bugs fixed
* bmo#1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719)
* bmo#1515342 - More thorough input checking (CVE-2019-11729)
* bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727)
* bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis)
* bmo#1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis)
* bmo#1509432 - De-duplicate code between mp_set_long and mp_set_ulong
* bmo#1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might have copied the unit test code verbatim
* bmo#1550022 - Ensure nssutil3 gets built on Android
* bmo#1528174 - ChaCha20Poly1305 should no longer modify output length on failure
* bmo#1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns error
* bmo#1551041 - Fix builds using GCC < 4.3 on big-endian architectures
* bmo#1554659 - Add versioning to OpenBSD builds to fix link time errors using NSS
* bmo#1553443 - Send session ticket only after handshake is marked as finished
* bmo#1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so builds
* bmo#1554336 - Optimize away unneeded loop in mpi.c
* bmo#1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
* bmo#1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
* bmo#1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
* bmo#1556591 - Eliminate races in uses of PK11_SetWrapKey
* bmo#1558681 - Stop using a global for anti-replay of TLS 1.3 early data
* bmo#1561510 - Fix a bug where removing -arch XXX args from CC didn't work
* bmo#1561523 - Add a string for the new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
* Fri Aug 02 2019 Wolfgang Rosenauer - split hmac subpackages to match SLE's packaging
* Mon Jul 22 2019 Martin Liška - Use -ffat-lto-objects in order to provide assembly for static libs.
* Mon Jul 08 2019 Wolfgang Rosenauer - update to NSS 3.44.1
* required by Firefox 68.0
Bugs fixed
* bmo#1554336 - Optimize away unneeded loop in mpi.c
* bmo#1515342 - More thorough input checking
* bmo#1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import
* bmo#1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh
* bmo#1546229 - Add IPSEC IKE support to softoken
* bmo#1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys
* bmo#1546477 - Updates to testing for FIPS validation
* bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
* bmo#1551041 - Unbreak build on GCC < 4.3 big-endian
* Wed Jun 12 2019 Wolfgang Rosenauer - update to NSS 3.44
* required by Firefox 68.0
New functions
* CERT_GetCertificateDer - Access the DER-encoded form of a CERTCertificate
Notable changes
* It is now possible to build NSS as a static library (bmo#1543545)
* Initial support for building for iOS
Bugs fixed
* full list https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44_release_notes
- merge some baselibs fixes from SLE
* Tue Apr 23 2019 Wolfgang Rosenauer - update to NSS 3.43
* required by Firefox 67.0
New functions
* HASH_GetHashOidTagByHashType - convert type HASH_HashType to type SECOidTag
* SSL_SendCertificateRequest - allow server to request post-handshake client authentication. To use this both peers need to enable the SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism is present, post-handshake authentication is currently not TLS 1.3 compliant due to bug 1532312
Notable changes
* The following CA certificates were Added:
  - emSign Root CA - G1
  - emSign ECC Root CA - G3
  - emSign Root CA - C1
  - emSign ECC Root CA - C3
  - Hongkong Post Root CA 3
Bugs fixed
* Improve Gyp build system handling (bmo#1528669, bmo#1529308)
* Improve NSS S/MIME tests for Thunderbird (bmo#1529950, bmo#1521174)
* If Docker isn't installed, try running a local clang-format as a fallback (bmo#1530134)
* Enable FIPS mode automatically if the system FIPS mode flag is set (bmo#1531267)
* Add a -J option to the strsclnt command to specify sigschemes (bmo#1528262)
* Add manual for nss-policy-check (bmo#1513909)
* Fix a deref after a null check in SECKEY_SetPublicValue (bmo#1531074)
* Properly handle ESNI with HRR (bmo#1517714)
* Expose HKDF-Expand-Label with mechanism (bmo#1529813)
* Align TLS 1.3 HKDF trace levels (bmo#1535122)
* Use getentropy on compatible versions of FreeBSD (bmo#1530102)
* Sun Mar 17 2019 Wolfgang Rosenauer - update to NSS 3.42.1
* required by Firefox 66.0
New functionality
* Support XDG basedir specification (bmo#818686)
Notable changes
* added some testcases from the Wycheproof project
Bugs fixed
* Reject invalid CH.legacy_version in TLS 1.3 (bmo#1490006)
* A fix for Solaris where Firefox 60 core dumps during start when using profile from version 52 (bmo#1513913)
* Wed Jan 23 2019 Wolfgang Rosenauer - update to NSS 3.41.1
* (3.41) required by Firefox 65.0
New functionality
* Implemented EKU handling for IPsec IKE. (bmo#1252891)
* Enable half-closed states for TLS. (bmo#1423043)
* Enabled the following ciphersuites by default: (bmo#1493215)
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_RSA_WITH_AES_256_GCM_SHA384
Notable changes
* The following CA certificates were added:
  CN = Certigna Root CA
  CN = GTS Root R1
  CN = GTS Root R2
  CN = GTS Root R3
  CN = GTS Root R4
  CN = UCA Global G2 Root
  CN = UCA Extended Validation Root
* The following CA certificates were removed:
  CN = AC Raíz Certicámara S.A.
  CN = Certplus Root CA G1
  CN = Certplus Root CA G2
  CN = OpenTrust Root CA G1
  CN = OpenTrust Root CA G2
  CN = OpenTrust Root CA G3
Bugs fixed
* Reject empty supported_signature_algorithms in Certificate Request in TLS 1.2 (bmo#1412829)
* Cache side-channel variant of the Bleichenbacher attack (bmo#1485864) (CVE-2018-12404)
* Resend the same ticket in ClientHello after HelloRetryRequest (bmo#1481271)
* Set session_id for external resumption tokens (bmo#1493769)
* Reject CCS after handshake is complete in TLS 1.3 (bmo#1507179)
* Add additional null checks to several CMS functions to fix a rare CMS crash. (bmo#1507135, bmo#1507174) (3.41.1)
- removed obsolete patches nss-disable-ocsp-test.patch
 