Change logs for nss source package in Lucid

  • nss (3.17.4-0ubuntu0.10.04.1) lucid-security; urgency=medium
    
      * SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
        bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
      * Removed unneeded patches:
        - debian/patches/CVE-2014-1569.patch: included upstream.
     -- Marc Deslauriers <email address hidden>   Thu, 19 Feb 2015 07:48:44 -0500
  • nss (3.17.1-0ubuntu0.10.04.2) lucid-security; urgency=medium
    
      * SECURITY UPDATE: arbitrary data smuggling via incorrect ASN.1 DER
        length decoding
        - debian/patches/CVE-2014-1569.patch: properly validate lengths in
          nss/lib/util/quickder.c.
        - CVE-2014-1569
     -- Marc Deslauriers <email address hidden>   Tue, 06 Jan 2015 13:20:46 -0500
  • nss (3.17.1-0ubuntu0.10.04.1) lucid-security; urgency=medium
    
      * SECURITY UPDATE: update to 3.17.1
        - see USN-2361-1
      * debian/libnss3-1d.symbols: updated for new version.
     -- Marc Deslauriers <email address hidden>   Wed, 24 Sep 2014 07:44:17 -0400
  • nss (3.17-0ubuntu0.10.04.1) lucid-security; urgency=medium
    
      * SECURITY UPDATE: update to upstream 3.17 to get new CA certificate
        bundle.
      * Removed unneeded patches:
        - debian/patches/CVE-2014-1492.patch: included upstream.
        - debian/patches/CVE-2014-1544.patch: included upstream.
      * Refreshed patches for new version:
        - debian/patches/38_kbsd.patch
        - debian/patches/85_security_load.patch
      * debian/libnss3-1d.symbols: updated for new version.
     -- Marc Deslauriers <email address hidden>   Fri, 19 Sep 2014 09:36:49 -0400
  • nss (3.15.4-0ubuntu0.10.04.3) lucid-security; urgency=medium
    
      * SECURITY UPDATE: possible arbitrary code execution via race condition
        - debian/patches/CVE-2014-1544.patch: prevent
          nssTrustDomain_AddCertsToCache from freeing the CERTCertificate
          associated with the NSSCertificate in nss/lib/pk11wrap/pk11cert.c.
        - CVE-2014-1544
     -- Marc Deslauriers <email address hidden>   Tue, 09 Sep 2014 07:54:31 -0400
  • nss (3.15.4-0ubuntu0.10.04.2) lucid-security; urgency=medium
    
      * SECURITY UPDATE: incorrect IDNA wildcard handling
        - debian/patches/CVE-2014-1492.patch: conform to RFC 6125 in
          nss/lib/certdb/certdb.c.
        - CVE-2014-1492
     -- Marc Deslauriers <email address hidden>   Wed, 02 Apr 2014 10:23:33 -0400
  • nss (3.15.4-0ubuntu0.10.04.1) lucid-security; urgency=medium
    
      * SECURITY UPDATE: MITM attack via TLS False Start
        - CVE-2013-1740
      * Adjusted packaging for new upstream release 3.15.4:
        - debian/patches/*: refreshed.
        - debian/libnss3-1d.symbols: added new symbols.
     -- Marc Deslauriers <email address hidden>   Wed, 22 Jan 2014 15:16:14 -0500
  • nss (3.15.3.1-0ubuntu0.10.04.1) lucid-security; urgency=low
    
      * SECURITY UPDATE: New upstream release (LP: #1263135)
        - Distrusts AC DG Tresor SSL CA
     -- Marc Deslauriers <email address hidden>   Fri, 20 Dec 2013 10:54:44 -0500
  • nss (3.15.3-0ubuntu0.10.04.1) lucid-security; urgency=low
    
      * SECURITY UPDATE: New upstream release to fix multiple security issues
        and add TLSv1.2 support.
        - CVE-2013-1739
        - CVE-2013-1741
        - CVE-2013-5605
        - CVE-2013-5606
      * Adjusted packaging for 3.15.3:
        - debian/patches/*: refreshed.
        - debian/patches/01_dont_build_nspr.patch: removed, changed build
          options in debian/rules instead.
        - debian/libnss3-1d.symbols: added new symbols.
        - debian/rules: updated for new source layout.
     -- Marc Deslauriers <email address hidden>   Fri, 15 Nov 2013 08:08:08 -0500
  • nss (3.14.3-0ubuntu0.10.04.1) lucid-security; urgency=low
    
      * SECURITY UPDATE: New upstream release to fix TLS timing side-channel
        attacks
        - CVE-2013-1620
      * Remaining changes:
        - 98_ckbi-1.93.patch: Dropped (included upstream)
        - 01_dont_build_nspr.patch
        - 38_kbsd.patch: refresh/update
        - 80_security_build.patch
        - 85_security_load.patch
        - 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
      * debian/libnss3.symbols: add NSS_3.14.3 symbols
     -- Jamie Strandboge <email address hidden>   Wed, 13 Mar 2013 13:18:17 -0500
  • nss (3.14.1-0ckbi1.93ubuntu.0.10.04.1) lucid-security; urgency=low
    
      * New upstream release. Dropped the following patches:
        - debian/patches/25_entropy.patch (was bz51429 obsoleted by fix for
          bz174993)
        - debian/patches/38_mips64_build.patch (we don't build on mips)
        - debian/patches/90_realpath.patch (included upstream)
        - debian/patches/diginotar.patch (included upstream)
        - debian/patches/CVE-2012-0441.patch (included upstream)
      * debian/patches/01_dont_build_nspr.patch: refresh
      * debian/patches/38_kbsd.patch: refresh/update based on Debian
      * debian/patches/80_security_build.patch: refresh
      * debian/patches/85_security_load.patch: refresh/update based on Debian
      * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch: refresh/update based
        on Debian
      * SECURITY UPDATE: distrust improperly issued TURKTRUST intermediate CAs
        - debian/patches/94_ckbi-1.9.patch: update to CKBI 1.93 by using
          mozilla/security/nss/lib/ckfw/builtins/certdata.txt from upstream and
          updating mozilla/security/nss/lib/ckfw/builtins/nssckbi.h. Apply this
          before 95_add_spi+cacert_ca_certs.patch since it keeps this patch clean
          and underscores that SPI and CACERT are not part of upstream Roots.
        - CVE-2013-0743
      * debian/libnss3-0d.symbols: updated for *_3.12.10 through *_3.14.1
     -- Jamie Strandboge <email address hidden>   Fri, 11 Jan 2013 14:47:38 -0600
  • nss (3.12.9+ckbi-1.82-0ubuntu0.10.04.4) lucid-security; urgency=low
    
      * SECURITY UPDATE: denial of service in QuickDER decoder
        - debian/patches/CVE-2012-0441.patch: properly handle zero-length basic
          constraints and zero-length fields in
          nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c,
          nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c,
          nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c,
          nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h,
          nss/mozilla/security/nss/lib/util/quickder.c.
        - CVE-2012-0441
      * debian/rules: added a workaround to get package built on more recent
        kernels.
     -- Marc Deslauriers <email address hidden>   Mon, 30 Jul 2012 14:29:03 -0400
  • nss (3.12.9+ckbi-1.82-0ubuntu0.10.04.3) lucid-security; urgency=low
    
      * SECURITY UPDATE: Add patch from Debian version 3.12.11-3 rebased against
        3.12.9 to remove the DigiNotar certificates and actively distrust them;
        Thanks to Mike Hommey from Debian for the original patch (LP: #837557)
        - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
          Explicitly distrust various DigiNotar CAs:
          - DigiNotar Root CA
          - DigiNotar Services 1024 CA
          - DigiNotar Cyber CA
          - DigiNotar Cyber CA 2nd
          - DigiNotar PKIoverheid
          - DigiNotar PKIoverheid G2
        - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
          Remove DigiNotar Root CA.
     -- Micah Gersten <email address hidden>   Wed, 07 Sep 2011 14:53:13 -0500
  • nss (3.12.9+ckbi-1.82-0ubuntu0.10.04.1) lucid-security; urgency=low
    
      * New upstream release v3.12.9 with updated ckbi module
        (NSS_3_12_9_WITH_CKBI_1_82_RTM)
        - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
          explicitly mark the recently issued and revoked fraudulent certificates
          as explicitly not trusted; NSS will report SEC_ERROR_UNTRUSTED_CERT when
          attempting to verify one of these fraudulent certificates (LP: #741729)
      * Add new symbols
        - update debian/libnss3-1d.symbols
     -- Micah Gersten <email address hidden>   Mon, 28 Mar 2011 14:55:05 -0500
  • nss (3.12.8-0ubuntu0.10.04.1) lucid-security; urgency=low
    
      * New upstream release v3.12.8 (NSS_3_12_8_RTM)
        - Fix browser wildcard certificate validation issue
        - Update root certs
        - Fix SSL deadlocks
      * Refresh patches:
        - update debian/patches/38_kbsd.patch
        - update debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch
      * Bump minimum nspr version to 4.8.6
        - update debian/control
      * Add new API to symbols file
        - update debian/libnss3-1d.symbols
     -- Chris Coulson <email address hidden>   Mon, 04 Oct 2010 23:11:32 +0100
  • nss (3.12.6-0ubuntu3) lucid; urgency=low
    
      * Generate missing checksum for libnssdbm3.so to make FIPS mode
        work again (LP: #559881)
        - update debian/rules
     -- Chris Coulson <email address hidden>   Sat, 10 Apr 2010 21:23:03 +0100
  • nss (3.12.6-0ubuntu2) lucid; urgency=low
    
      * Enable transitional scheme for SSL renegotiation (LP: #553251)
        - add 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
        - update debian/patches/series
     -- Chris Coulson <email address hidden>   Wed, 31 Mar 2010 20:42:18 +0100
  • nss (3.12.6-0ubuntu1) lucid; urgency=low
    
      * New upstream release 3.12.6 RTM (NSS_3_12_6_RTM)
        - fixes CVE-2009-3555 aka US-CERT VU#120541
      * Adjust patches to changed upstream code base
        - update debian/patches/38_kbsd.patch
        - update debian/patches/38_mips64_build.patch
        - update debian/patches/85_security_load.patch
      * Remove patches that are merged upstream
        - delete debian/patches/91_nonexec_stack.patch
        - update debian/patches/series
      * Bump nspr dependency to 4.8
        - update debian/control
      * Add new symbols for 3.12.6
        - update debian/libnss3-1d.symbols
     -- Chris Coulson <email address hidden>   Thu, 25 Mar 2010 13:46:06 +0000
  • nss (3.12.3.1-0ubuntu3) lucid; urgency=low
    
      * rebuild rest of main for armel armv7/thumb2 optimization;
        UbuntuSpec:mobile-lucid-arm-gcc-v7-thumb2
     -- Alexander Sack <email address hidden>   Sun, 07 Mar 2010 00:58:36 +0100
  • nss (3.12.3.1-0ubuntu2) karmic; urgency=low
    
      * Add 91_nonexec_stack.patch: fix regression in stack memory
        protections caused by unmarked assembly (LP: #409864).
    
     -- Kees Cook <email address hidden>   Mon, 24 Aug 2009 15:03:19 -0700