Changelog for mozilla-nss-3.16.3-86.1.x86_64.rpm :

* Sat Jul 05 2014 wrAATTrosenauer.org- update to 3.16.3
* required for Firefox 32
New Functions:
* CERT_GetGeneralNameTypeFromString (This function was already added in NSS 3.16.2, however, it wasn't declared in a public header file.)
Notable Changes:
* The following 1024-bit CA certificates were removed
  - Entrust.net Secure Server Certification Authority
  - GTE CyberTrust Global Root
  - ValiCert Class 1 Policy Validation Authority
  - ValiCert Class 2 Policy Validation Authority
  - ValiCert Class 3 Policy Validation Authority
* Additionally, the following CA certificate was removed as requested by the CA:
  - TDC Internet Root CA
* The following CA certificates were added:
  - Certification Authority of WoSign
  - CA 沃通根证书
  - DigiCert Assured ID Root G2
  - DigiCert Assured ID Root G3
  - DigiCert Global Root G2
  - DigiCert Global Root G3
  - DigiCert Trusted Root G4
  - QuoVadis Root CA 1 G3
  - QuoVadis Root CA 2 G3
  - QuoVadis Root CA 3 G3
* The Trust Bits were changed for the following CA certificates
  - Class 3 Public Primary Certification Authority
  - Class 3 Public Primary Certification Authority
  - Class 2 Public Primary Certification Authority - G2
  - VeriSign Class 2 Public Primary Certification Authority - G3
  - AC Raíz Certicámara S.A.
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado
- changes in 3.16.2
New functionality:
* DTLS 1.2 is supported.
* The TLS application layer protocol negotiation (ALPN) extension is also supported on the server side.
* RSA-OAEP is supported. Use the new PK11_PrivDecrypt and PK11_PubEncrypt functions with the CKM_RSA_PKCS_OAEP mechanism.
* New Intel AES assembly code for 32-bit and 64-bit Windows, contributed by Shay Gueron and Vlad Krasnov of Intel.
New Functions:
* CERT_AddExtensionByOID
* PK11_PrivDecrypt
* PK11_PubEncrypt
New Macros
* SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK
* SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL
Notable Changes:
* The btoa command has a new command-line option -w suffix, which causes the output to be wrapped in BEGIN/END lines with the given suffix
* The certutil command supports additional types of subject alt name extensions.
* The certutil command supports generic certificate extensions, by loading binary data from files, which have been prepared using external tools, or which have been extracted from other existing certificates and dumped to file.
* The certutil command supports three new certificate usage specifiers.
* The pp command supports printing UTF-8 (-u).
* On Linux, NSS is built with the -ffunction-sections -fdata-sections compiler flags and the --gc-sections linker flag to allow unused functions to be discarded.
* Thu May 08 2014 wrAATTrosenauer.org- update to 3.16.1
* required for Firefox 31
New functionality:
* Added the "ECC" flag for modutil to select the module used for elliptic curve cryptography (ECC) operations.
New Functions:
* PK11_ExportDERPrivateKeyInfo/PK11_ExportPrivKeyInfo exports a private key in a DER-encoded ASN.1 PrivateKeyInfo type or a SECKEYPrivateKeyInfo structure. Only RSA private keys are supported now.
* SECMOD_InternalToPubMechFlags converts from NSS-internal to public representation of mechanism flags
New Types:
* ssl_padding_xtn: the value of this enum constant changed from the experimental value 35655 to the IANA-assigned value 21
New Macros
* PUBLIC_MECH_ECC_FLAG: a public mechanism flag for elliptic curve cryptography (ECC) operations
* SECMOD_ECC_FLAG: an NSS-internal mechanism flag for elliptic curve cryptography (ECC) operations. This macro has the same numeric value as PUBLIC_MECH_ECC_FLAG.
Notable Changes:
* Imposed name constraints on the French government root CA ANSSI (DCISS).
* Fri Mar 21 2014 wrAATTrosenauer.org- update to 3.16
* required for Firefox 29
* bmo#903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2.
* Supports the Linux x32 ABI. To build for the Linux x32 target, set the environment variable USE_X32=1 when building NSS.
New Functions:
* NSS_CMSSignerInfo_Verify
New Macros
* TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc., cipher suites that were first defined in SSL 3.0 can now be referred to with their official IANA names in TLS, with the TLS_ prefix. Previously, they had to be referred to with their names in SSL 3.0, with the SSL_ prefix.
Notable Changes:
* ECC is enabled by default. It is no longer necessary to set the environment variable NSS_ENABLE_ECC=1 when building NSS. To disable ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS.
* libpkix should not include the common name of CA as DNS names when evaluating name constraints.
* AESKeyWrap_Decrypt should not return SECSuccess for invalid keys.
* Fix a memory corruption in sec_pkcs12_new_asafe.
* If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime test sdb_measureAccess.
* The built-in roots module has been updated to version 1.97, which adds, removes, and distrusts several certificates.
* The atob utility has been improved to automatically ignore lines of text that aren't in base64 format.
* The certutil utility has been improved to support creation of version 1 and version 2 certificates, in addition to the existing version 3 support.
* Tue Feb 25 2014 wrAATTrosenauer.org- update to 3.15.5
* required for Firefox 28
* export FREEBL_LOWHASH to get the correct default headers (bnc#865539)
New functionality
* Added support for the TLS application layer protocol negotiation (ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both) should be used for application layer protocol negotiation.
* Added the TLS padding extension. The extension type value is 35655, which may change when an official extension type value is assigned by IANA. NSS automatically adds the padding extension to ClientHello when necessary.
* Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting the tail of a CERTCertList.
Notable Changes
* bmo#950129: Improve the OCSP fetching policy when verifying OCSP responses
* bmo#949060: Validate the iov input argument (an array of PRIOVec structures) of ssl_WriteV (called via PR_Writev). Applications should still take care when converting struct iov to PRIOVec because the iov_len members of the two structures have different types (size_t vs. int). size_t is unsigned and may be larger than int.
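
The size_t vs. int caveat in the bmo#949060 item above, shown as an added example (not code from NSS or from this package): a checked conversion from POSIX struct iovec before handing buffers to PR_Writev. ExampleIOVec is a local stand-in that mirrors PRIOVec's int iov_len; the helper name, the return codes and the bound on the summed length are assumptions of this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/uio.h>   /* POSIX struct iovec: iov_len is size_t */

/* Local stand-in mirroring NSPR's PRIOVec, whose iov_len is a signed int.
 * Defined here (an assumption of this example) so it builds without NSPR. */
typedef struct ExampleIOVec {
    char *iov_base;
    int   iov_len;
} ExampleIOVec;

/* Hypothetical return codes for this example. */
enum {
    CONV_OK = 0,
    CONV_BAD_ARGS = -1,        /* NULL pointer or more entries than dst holds */
    CONV_LEN_OVERFLOW = -2,    /* one iov_len does not fit in int */
    CONV_TOTAL_OVERFLOW = -3   /* summed length does not fit in int */
};

/* Convert count entries of src into dst, refusing any length that a plain
 * (int) cast would truncate or turn negative. dst is untouched on failure. */
int iovec_to_example_priovec(const struct iovec *src, size_t count,
                             ExampleIOVec *dst, size_t dst_cap)
{
    size_t total = 0;
    size_t i;

    if (src == NULL || dst == NULL || count > dst_cap)
        return CONV_BAD_ARGS;

    /* Pass 1: validate everything before writing to dst. */
    for (i = 0; i < count; i++) {
        if (src[i].iov_len > (size_t)INT_MAX)
            return CONV_LEN_OVERFLOW;
        if (src[i].iov_len > (size_t)INT_MAX - total)
            return CONV_TOTAL_OVERFLOW;
        total += src[i].iov_len;
    }

    /* Pass 2: the narrowing cast is now known to be lossless. */
    for (i = 0; i < count; i++) {
        dst[i].iov_base = (char *)src[i].iov_base;
        dst[i].iov_len  = (int)src[i].iov_len;
    }
    return CONV_OK;
}

int main(void)
{
    char hdr[8] = "HEADER", body[4] = "abc";   /* constructed sample buffers */
    struct iovec in[2] = { { hdr, sizeof hdr }, { body, sizeof body } };
    ExampleIOVec out[2];

    printf("normal: %d\n", iovec_to_example_priovec(in, 2, out, 2));
    in[1].iov_len = (size_t)INT_MAX + 1u;      /* would go negative as int */
    printf("oversized: %d\n", iovec_to_example_priovec(in, 2, out, 2));
    return 0;
}
```
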
* Thu Feb 20 2014 ajAATTajaissle.de- BuildRequire mozilla-nspr >= 4.9
* Tue Jan 07 2014 wrAATTrosenauer.org- update to 3.15.4
* required for Firefox 27
* regular CA root store update (1.96)
* Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices.
* Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function.
* When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv (CVE-2013-1740, bmo#919877)
* MFSA 2014-12/CVE-2014-1490/CVE-2014-1491 NSS ticket handling issues
New functionality
* Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method.
* Implemented OCSP server functionality for testing purposes (httpserv utility).
* Support SHA-1 signatures with TLS 1.2 client authentication.
* Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database.
* Added the -w command-line option to pp: don't wrap long output lines.
New functions
* CERT_ForcePostMethodForOCSP
* CERT_GetSubjectNameDigest
* CERT_GetSubjectPublicKeyDigest
* SSL_PeerCertificateChain
* SSL_RecommendedCanFalseStart
* SSL_SetCanFalseStartCallback
New types
* CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST.
- removed obsolete char.patch
* Thu Dec 05 2013 wrAATTrosenauer.org- update to 3.15.3.1 (bnc#854367)
* includes certstore update (1.95) (bmo#946351) (explicitly distrust AC DG Tresor SSL)
* Wed Dec 04 2013 mlsAATTsuse.de- adapt specfile to ppc64le
* Mon Nov 11 2013 wrAATTrosenauer.org- update to 3.15.3 (bnc#850148)
* CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates, when the CERTVerifyLog log parameter is given (bmo#910438)
* NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello (bmo#919677)
* fix CVE-2013-5605
* Sat Sep 28 2013 crrodriguezAATTopensuse.org- update to 3.15.2 (bnc#842979)
* Support for AES-GCM ciphersuites that use the SHA-256 PRF
* MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs
* Add PK11_CipherFinal macro
* sizeof() used incorrectly
* nssutil_ReadSecmodDB() leaks memory
* Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished.
* Deprecate the SSL cipher policy code
* Avoid uninitialized data read in the event of a decryption failure. (CVE-2013-1739)
* Fri Jul 05 2013 lnusselAATTsuse.de- fix 32bit requirement, it's without () actually
* Wed Jul 03 2013 wrAATTrosenauer.org- update to 3.15.1
* TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations: The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported.
* some bugfixes and improvements
* Fri Jun 28 2013 lnusselAATTsuse.de- require libnssckbi instead of mozilla-nss-certs so p11-kit can conflict with the latter (fate#314991)
* Tue Jun 11 2013 wrAATTrosenauer.org- update to 3.15
* Packaging + removed obsolete patches
* nss-disable-expired-testcerts.patch
* bug-834091.patch
* New Functionality
  + Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
  + Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.
  + Support for single-operation (e.g. not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
  + certutil has been updated to support creating name constraints extensions.
* New Functions
  in ssl.h
    SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension.
    SSL_SetStapledOCSPResponses - Sets a stapled OCSP response for a TLS server socket to return when clients send the status_request extension.
  in ocsp.h
    CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses.
  in secpkcs7.h
    SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time.
  in xconst.h
    CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
  in secitem.h
    SECITEM_AllocArray, SECITEM_DupArray, SECITEM_FreeArray, SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays
    SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938.
  in pk11pub.h
    PK11_Decrypt - Performs decryption as a single PKCS#11 operation (e.g. not multi-part). This is necessary for AES-GCM.
    PK11_Encrypt - Performs encryption as a single PKCS#11 operation (e.g. not multi-part). This is necessary for AES-GCM.
* New Types
  in secitem.h
    SECItemArray - Represents a variable-length array of SECItems.
* New Macros
  in ssl.h
    SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (e.g. OCSP stapling) when set to PR_TRUE
* Notable changes
  + SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code.
  + The list of root CA certificates in the nssckbi module has been updated.
  + The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache.
* a lot of bugfixes
* Tue Apr 16 2013 idonmezAATTsuse.com- Add Source URL, see https://en.opensuse.org/SourceUrls
* Sun Mar 24 2013 wrAATTrosenauer.org- disable tests with expired certificates (nss-disable-expired-testcerts.patch)
- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from mozilla tree to fulfill Firefox 21 requirements (bug-834091.patch; bmo#834091)
* Thu Feb 28 2013 wrAATTrosenauer.org- update to 3.14.3
* No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1620 (bmo#822365)
* "certutil -a" was not correctly producing ASCII output as requested. (bmo#840714)
* NSS 3.14.2 broke compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now properly compiles when used with older versions of sqlite (bmo#837799)
- remove system-sqlite.patch
- add aarch64 support
* Tue Feb 05 2013 wrAATTrosenauer.org- added system-sqlite.patch (bmo#837799)
* do not depend on latest sqlite just for a #define
- enable system sqlite usage again
* Sat Feb 02 2013 wrAATTrosenauer.org- update to 3.14.2
* required for Firefox >= 20
* removed obsolete nssckbi update patch
* MFSA 2013-40/CVE-2013-0791 (bmo#629816) Out-of-bounds array read in CERT_DecodeCertPackage
- disable system sqlite usage since we depend on 3.7.15 which is not provided in any openSUSE distribution
* add nss-sqlitename.patch to avoid any name clash
* Sun Dec 30 2012 wrAATTrosenauer.org- updated CA database (nssckbi-1.93.patch)
* MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) revoke mis-issued intermediate certificates from TURKTRUST
* Tue Dec 18 2012 wrAATTrosenauer.org- update to 3.14.1 RTM
* minimal requirement for Gecko 20
* several bugfixes
* Thu Oct 25 2012 wrAATTrosenauer.org- update to 3.14 RTM
* Support for TLS 1.1 (RFC 4346)
* Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
* Support for AES-CTR, AES-CTS, and AES-GCM
* Support for Keying Material Exporters for TLS (RFC 5705)
* Support for certificate signatures using the MD5 hash algorithm is now disabled by default
* The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explanation on GPL/LGPL compatibility, see security/nss/COPYING in the source code.
* Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default
- disabled OCSP testcases since they need external network (nss-disable-ocsp-test.patch)
* Wed Aug 15 2012 wrAATTrosenauer.org- update to 3.13.6 RTM
* root CA update
* other bugfixes
* Fri Jun 01 2012 wrAATTrosenauer.org- update to 3.13.5 RTM
* Fri Apr 13 2012 wrAATTrosenauer.org- update to 3.13.4 RTM
* fixed some bugs
* fixed cert verification regression in PKIX mode (bmo#737802) introduced in 3.13.2
* Thu Feb 23 2012 wrAATTrosenauer.org- update to 3.13.3 RTM
  - distrust Trustwave's MITM certificates (bmo#724929)
  - fix generic blacklisting mechanism (bmo#727204)
* Thu Feb 16 2012 wrAATTrosenauer.org- update to 3.13.2 RTM
* requirement with Gecko >= 11
- removed obsolete patches
* ckbi-1.88
* pkcs11n-header-fix.patch
* Sun Dec 18 2011 adrianAATTsuse.de- fix spec file syntax for qemu-workaround
* Mon Nov 14 2011 johnAATTredux.org.uk- Added a patch to fix errors in the pkcs11n.h header file. (bmo#702090)
* Sat Nov 05 2011 wolfgangAATTrosenauer.org- update to 3.13.1 RTM
* better SHA-224 support (bmo#647706)
* fixed a regression (causing hangs in some situations) introduced in 3.13 (bmo#693228)
- update to 3.13.0 RTM
* SSL 2.0 is disabled by default
* A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it.
* SHA-224 is supported
* Ported to iOS. (Requires NSPR 4.9.)
* Added PORT_ErrorToString and PORT_ErrorToName to return the error message and symbolic name of an NSS error code
* Added NSS_GetVersion to return the NSS version string
* Added experimental support of RSA-PSS to the softoken only
* NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db anymore (bmo#641052, bnc#726096)
* Sat Nov 05 2011 wrAATTrosenauer.org- explicitly distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753)
- make sure NSS_NoDB_Init does not try to use wrong certificate databases (CVE-2011-3640, bnc#726096, bmo#641052)
* Fri Sep 30 2011 crrodriguezAATTopensuse.org- Workaround qemu-arm bugs.
* Fri Sep 09 2011 wrAATTrosenauer.org- explicitly distrust/override DigiNotar certs (bmo#683261) (trustdb version 1.87)
* Fri Sep 02 2011 pcernyAATTsuse.com- removed DigiNotar root certificate from trusted db (bmo#682927, bnc#714931)
* Wed Aug 24 2011 andrea.turriniAATTgmail.com- fixed typo in summary of mozilla-nss (libsoftokn3)
* Fri Aug 12 2011 wrAATTrosenauer.org- update to 3.12.11 RTM
* no upstream release notes available
* Wed Jul 13 2011 meissnerAATTsuse.de- Linux3.0 is the new Linux2.6 (make it build)
* Mon May 23 2011 crrodriguezAATTopensuse.org- Do not include build dates in binaries, messes up build compare
* Thu May 19 2011 wrAATTrosenauer.org- update to 3.12.10 RTM
* no changes except internal release information
* Thu Apr 28 2011 wrAATTrosenauer.org- update to 3.12.10beta1
* root CA changes
* filter certain bogus certs (bmo#642815)
* fix minor memory leaks
* other bugfixes
* Sun Jan 09 2011 wrAATTrosenauer.org- update to 3.12.9rc0
* fix minor memory leaks (bmo#619268)
* fix crash in nss_cms_decoder_work_data (bmo#607058)
* fix crash in certutil (bmo#620908)
* handle invalid argument in JPAKE (bmo#609068)
* Thu Dec 09 2010 wrAATTrosenauer.org- update to 3.12.9beta2
* J-PAKE support (API requirement for Firefox >= 4.0b8)
* Tue Nov 09 2010 wrAATTrosenauer.org- replaced expired PayPal test certificate (fixing testsuite)
* Sat Sep 25 2010 wrAATTrosenauer.org- update to 3.12.8 RTM release
* support TLS false start (needed for Firefox4) (bmo#525092)
* fix wildcard matching for IP addresses (bnc#637290, bmo#578697) (CVE-2010-3170)
* bugfixes
* Fri Jul 23 2010 wrAATTrosenauer.org- update to 3.12.7 RTM release
* bugfix release
* updated root CA list
- removed obsolete patches
* Fri Jul 09 2010 jengelhAATTmedozas.de- Disable testsuite on SPARC. Some tests fail, probably due to just bad timing/luck.
* Thu Jun 03 2010 wrAATTrosenauer.org- Use preloaded empty system database since creating with modutil leaves database in nonusable state
* Sat Apr 24 2010 cooloAATTnovell.com- buildrequire pkg-config to fix provides
* Sun Apr 04 2010 wrAATTrosenauer.org- disabled a test using an expired cert (bmo#557071)
* Sat Mar 20 2010 wrAATTrosenauer.org- fixed builds for older dists where internal sqlite3 is used (nss-sqlitename.patch was not refreshed correctly)
- fixed baselibs.conf as is not a valid identifier
* Tue Mar 09 2010 wrAATTrosenauer.org- update to 3.12.6 RTM release
* added mozilla-nss-sysinit subpackage
- change renegotiation behaviour to the old default for a transition phase
* Tue Mar 09 2010 wrAATTrosenauer.org- split off libsoftokn3 subpackage to allow mixed NSS installation
* Sat Dec 26 2009 wrAATTrosenauer.org- added mozilla-nss-certs baselibs (bnc#567322)
* Fri Dec 18 2009 wrAATTrosenauer.org- split mozilla-nss-certs from main package
- added rpmlintrc to ignore expected warnings
- added baselibs.conf as source
* Mon Dec 14 2009 wrAATTrosenauer.org- updated builtin certs (version 1.77)
* Mon Nov 23 2009 wrAATTrosenauer.org- rebased patches to apply w/o fuzz
* Fri Aug 14 2009 wrAATTrosenauer.org- update to 3.12.4 RTM release
* Fri Aug 07 2009 wrAATTrosenauer.org- update to recent snapshot (20090806)
- libnssdbm3.so has to be signed starting with 3.12.4
* Mon Aug 03 2009 wrAATTrosenauer.org- update to NSS 3.12.4pre snapshot
- rebased existing patches
- enable testsuite again (was disabled accidentally before)
* Wed Jul 29 2009 wrAATTrosenauer.org- update to NSS 3.12.3.1 (upstream use in FF 3.5.1) (bmo#504611)
* RNG_SystemInfoForRNG called twice by nsc_CommonInitialize (bmo#489811; other changes are unrelated to Linux)
- moved shlibsign to tools package again (as it's not needed at library install time anymore)
- use %{_libexecdir} for the tools
* Sat Jun 06 2009 wrAATTrosenauer.org- Temporary testsuite fix for Factory (bnc#509308) (malloc.patch)
- remove the post scriptlet which created the *.chk files and use a RPM feature to create them after debuginfo stuff
* Tue Jun 02 2009 wrAATTrosenauer.org- updated builtin root certs by updating to NSS_3_12_3_WITH_CKBI_1_75_RTM tag which is supposed to be the base for Firefox 3.5.0
- PreReq coreutils in the main package already as "rm" is used in its %post script
- disable testsuite for this moment as it crashes on Factory currently for an unknown reason
* Thu May 21 2009 wrAATTrosenauer.org- renew Paypal certs to fix testsuite errors (bmo#491163)
* Mon Apr 20 2009 wrAATTrosenauer.org- update to version 3.12.3 RTM
* default behaviour changed slightly but can be set up backward compatible using environment variables https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables
* New Korean SEED cipher
* Some new functions in the nss library:
  - CERT_RFC1485_EscapeAndQuote (see cert.h)
  - CERT_CompareCerts (see cert.h)
  - CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h)
  - PK11_GetSymKeyHandle (see pk11pqg.h)
  - UTIL_SetForkState (see secoid.h)
  - NSS_GetAlgorithmPolicy (see secoid.h)
  - NSS_SetAlgorithmPolicy (see secoid.h)
- created libfreebl3 subpackage and build it w/o nspr and nss deps
- added patch to make all ASM noexecstack
- create the softokn3 and freebl3 checksums at installation time (moved shlibsign to the main package to achieve that)
- applied upstream patch to avoid OCSP test failures (bmo#488646)
- applied upstream patch to fix libjar crashes (bmo#485145)
 