-
nss (2:3.28.4-0ubuntu0.14.04.5) trusty-security; urgency=medium
* SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions
- debian/patches/CVE-2018-18508-1.patch: add null checks in
nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c,
nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c,
nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c.
- debian/patches/CVE-2018-18508-2.patch: add null checks in
nss/lib/smime/cmsmessage.c.
- CVE-2018-18508
-- Marc Deslauriers <email address hidden> Tue, 19 Feb 2019 14:41:32 +0100
-
nss (2:3.28.4-0ubuntu0.14.04.4) trusty-security; urgency=medium
* SECURITY UPDATE: side-channel attack on ECDSA signatures
- debian/patches/CVE-2018-0495.patch: improve ecdsa and dsa in
nss/lib/freebl/dsa.c, nss/lib/freebl/ec.c.
- CVE-2018-0495
* SECURITY UPDATE: ServerHello.random is all zero in v2 ClientHello
- debian/patches/CVE-2018-12384-1.patch: fix random logic in
nss/lib/ssl/ssl3con.c.
- debian/patches/CVE-2018-12384-2.patch: add tests to
nss/gtests/ssl_gtest/ssl_loopback_unittest.cc,
nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
- CVE-2018-12384
* SECURITY UPDATE: cache side-channel variant of the Bleichenbacher attack
- debian/patches/CVE-2018-12404-1.patch: improve RSA key exchange
handling in nss/lib/ssl/ssl3con.c.
- debian/patches/CVE-2018-12404-3.patch: add constant time
mp_to_fixlen_octets in nss/gtests/freebl_gtest/mpi_unittest.cc,
nss/lib/freebl/mpi/mpi.c, nss/lib/freebl/mpi/mpi.h.
- CVE-2018-12404
-- Marc Deslauriers <email address hidden> Fri, 14 Dec 2018 10:33:50 -0500
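Added illustration of the "constant time mp_to_fixlen_octets" change named in the CVE-2018-12404 entry above. This is example code written for this page, not NSS's mp_to_fixlen_octets and not the Ubuntu patch; it uses a hypothetical 128-bit `bignum` of four little-endian limbs so it runs stand-alone, and shows the variable-time encoder (leading-zero scan plus data-dependent memcpy) beside a constant-time one whose loop bounds depend only on the public sizes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy multi-precision integer: 4 little-endian 32-bit limbs (128 bits).
   Stand-in for the example only, not NSS's mp_int. */
#define LIMBS 4
#define WIDTH (LIMBS * 4)              /* size of the integer in bytes */
typedef struct { uint32_t d[LIMBS]; } bignum;

/* Byte i of n, counting from the least significant byte. */
static uint8_t byte_at(const bignum *n, size_t i)
{
    return (uint8_t)(n->d[i / 4] >> (8 * (i % 4)));
}

/* Variable-time encoding: find the most significant non-zero byte, then
   copy only the significant bytes and zero-pad the front. The loop exit and
   the memcpy length depend on how many leading zero bytes the value has.
   For an RSA-decrypted PKCS#1 v1.5 block that is exactly what a
   Bleichenbacher oracle needs (a valid block starts 0x00 0x02, so it has at
   least one leading zero byte). */
int to_fixlen_octets_vartime(const bignum *n, uint8_t *out, size_t outlen)
{
    uint8_t tmp[WIDTH];
    size_t i, skip, sig;
    for (i = 0; i < WIDTH; i++)
        tmp[WIDTH - 1 - i] = byte_at(n, i);            /* big-endian copy */
    for (skip = 0; skip < WIDTH && tmp[skip] == 0; skip++)
        ;                                              /* data-dependent exit */
    sig = WIDTH - skip;
    if (sig > outlen)
        return -1;                                     /* value does not fit */
    memset(out, 0, outlen - sig);
    memcpy(out + outlen - sig, tmp + skip, sig);       /* data-dependent length */
    return 0;
}

/* Constant-time encoding: every byte of the integer is visited exactly once,
   every loop bound depends only on the public sizes WIDTH and outlen, and
   "does it fit" is computed by OR-ing the bytes that fall outside the output
   instead of by an early return. */
int to_fixlen_octets_ct(const bignum *n, uint8_t *out, size_t outlen)
{
    uint8_t overflow = 0;
    size_t i;
    for (i = 0; i < WIDTH; i++) {
        uint8_t b = byte_at(n, i);
        if (i < outlen)                  /* branch on public sizes only */
            out[outlen - 1 - i] = b;
        else
            overflow |= b;               /* any non-zero byte here means overflow */
    }
    for (i = WIDTH; i < outlen; i++)
        out[outlen - 1 - i] = 0;         /* leading zero padding */
    return overflow ? -1 : 0;
}

/* Checks on constructed inputs, used by the stand-alone run below. */
int example_same_output(void)            /* 0x0102 into 4 bytes, both encoders */
{
    bignum n = {{0x00000102u, 0, 0, 0}};
    const uint8_t want[4] = {0x00, 0x00, 0x01, 0x02};
    uint8_t a[4], b[4];
    if (to_fixlen_octets_vartime(&n, a, sizeof a) != 0) return 0;
    if (to_fixlen_octets_ct(&n, b, sizeof b) != 0) return 0;
    return memcmp(a, want, 4) == 0 && memcmp(b, want, 4) == 0;
}

int example_overflow_detected(void)      /* 0x010000 does not fit in 2 bytes */
{
    bignum n = {{0x00010000u, 0, 0, 0}};
    uint8_t b[2];
    return to_fixlen_octets_ct(&n, b, sizeof b) == -1
        && to_fixlen_octets_vartime(&n, b, sizeof b) == -1;
}

int example_pads_beyond_width(void)      /* 0x01 into 20 bytes: 19 leading zeros */
{
    bignum n = {{1, 0, 0, 0}};
    uint8_t b[20];
    size_t i;
    if (to_fixlen_octets_ct(&n, b, sizeof b) != 0) return 0;
    for (i = 0; i < 19; i++)
        if (b[i] != 0) return 0;
    return b[19] == 1;
}

int main(void)
{
    printf("same output: %d, overflow detected: %d, padded: %d\n",
           example_same_output(), example_overflow_detected(),
           example_pads_beyond_width());
    return 0;
}
```

Both encoders return the same bytes and the same error for every input; the difference is only in what the timing and cache footprint reveal about the value. The `if (i < outlen)` branch in the constant-time version is fine because `i` and `outlen` are public, which is the property to check when reviewing such code.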
-
nss (2:3.28.4-0ubuntu0.14.04.3) trusty-security; urgency=medium
* SECURITY UPDATE: Use-after-free in TLS 1.2 generating handshake hashes
- debian/patches/CVE-2017-7805.patch: Simplify handling of
CertificateVerify in nss/lib/ssl/ssl3con.c, nss/lib/ssl/ssl3prot.h.
- CVE-2017-7805
-- Marc Deslauriers <email address hidden> Fri, 29 Sep 2017 08:54:40 -0400
-
nss (2:3.28.4-0ubuntu0.14.04.2) trusty-security; urgency=medium
* SECURITY UPDATE: DoS via empty SSLv2 messages
- debian/patches/CVE-2017-7502.patch: reject broken v2 records in
nss/lib/ssl/ssl3gthr.c, nss/lib/ssl/ssldef.c, nss/lib/ssl/sslimpl.h,
added tests to nss/gtests/ssl_gtest/ssl_gather_unittest.cc,
nss/gtests/ssl_gtest/ssl_gtest.gyp, nss/gtests/ssl_gtest/manifest.mn,
nss/gtests/ssl_gtest/ssl_v2_client_hello_unittest.cc.
- CVE-2017-7502
-- Marc Deslauriers <email address hidden> Fri, 16 Jun 2017 08:14:11 -0400
-
nss (2:3.28.4-0ubuntu0.14.04.1) trusty-security; urgency=medium
* Updated to upstream 3.28.4 to fix security issues and get a new CA
certificate bundle.
* SECURITY UPDATE: DES and Triple DES ciphers birthday attack
- CVE-2016-2183
* SECURITY UPDATE: out-of-bounds write in Base64 decoding
- CVE-2017-5461
* debian/patches/99_jarfile_ftbfs.patch: removed, upstream.
* debian/patches/*.patch: refreshed for new version.
* debian/control: bump libnspr4-dev to 4.13.1.
* debian/libnss3.symbols: added new symbols.
-- Marc Deslauriers <email address hidden> Wed, 26 Apr 2017 10:25:43 -0400
-
nss (2:3.26.2-0ubuntu0.14.04.3) trusty-security; urgency=medium
* Updated to upstream 3.26.2 to fix security issues and get a new CA
certificate bundle.
* SECURITY UPDATE: denial of service via invalid DH keys
- CVE-2016-5285
* SECURITY UPDATE: small subgroup confinement attack
- CVE-2016-8635
* SECURITY UPDATE: insufficient mitigation of timing side-channel attack
- CVE-2016-9074
* debian/rules: added libfreeblpriv3.so.
* debian/libnss3.symbols: updated for new version, added
SSL_GetCipherSuiteInfo and SSL_GetChannelInfo as they are not backwards
compatible.
* debian/patches/*.patch: refreshed for new version.
* debian/rules: When building with -O3, build with
-Wno-error=maybe-uninitialized to fix FTBFS on ppc64el.
* debian/patches/99_jarfile_ftbfs.patch: fix FTBFS on powerpc.
-- Marc Deslauriers <email address hidden> Mon, 05 Dec 2016 07:19:11 -0500
-
nss (2:3.23-0ubuntu0.14.04.1) trusty-security; urgency=medium
* Updated to upstream 3.23 to fix a security issue and get a new CA
certificate bundle.
* SECURITY UPDATE: multiple memory safety issues
- CVE-2016-2834
* debian/control: bump libnspr4-dev Build-Depends to 2:4.12.
* debian/libnss3.symbols: updated for new version.
* debian/patches/CVE-2016-1950.patch: dropped, upstream.
* debian/patches/ftbfs_ppc64el.patch: dropped, no longer needed.
* debian/patches/relax_dh_size.patch: removed, now require a minimum DH
size of 1023 bits.
* debian/patches/*.patch: refreshed for new version.
-- Marc Deslauriers <email address hidden> Thu, 07 Jul 2016 14:09:52 -0400
-
nss (2:3.21-0ubuntu0.14.04.2) trusty-security; urgency=medium
* SECURITY UPDATE: buffer overflow during ASN.1 decoding
- debian/patches/CVE-2016-1950.patch: check lengths in
nss/lib/util/secasn1d.c.
- CVE-2016-1950
-- Marc Deslauriers <email address hidden> Wed, 09 Mar 2016 07:38:11 -0500
-
nss (2:3.21-0ubuntu0.14.04.1) trusty-security; urgency=medium
* Updated to upstream 3.21 to fix a security issue and get a new CA
certificate bundle.
* SECURITY UPDATE: improper division in mp_div and mp_exptmod
- CVE-2016-1938
* debian/libnss3.symbols: updated for new version.
* debian/patches/95_add_spi+cacert_ca_certs.patch: dropped, no longer
want the SPI cert.
* debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch: dropped, no
longer needed.
* debian/patches/CVE-2015-7575.patch: dropped, upstream.
* debian/patches/ftbfs_ppc64el.patch: don't enable -Werror on ppc64el,
there are too many uninitialized variable false positives.
-- Marc Deslauriers <email address hidden> Thu, 04 Feb 2016 09:38:27 -0500
-
nss (2:3.19.2.1-0ubuntu0.14.04.2) trusty-security; urgency=medium
* SECURITY UPDATE: incorrect MD5 support with TLS 1.2
- debian/patches/CVE-2015-7575.patch: remove MD5 in
nss/lib/ssl/ssl3con.c.
- CVE-2015-7575
-- Marc Deslauriers <email address hidden> Thu, 07 Jan 2016 13:23:37 -0500
-
nss (2:3.19.2.1-0ubuntu0.14.04.1) trusty-security; urgency=medium
* Updated to upstream 3.19.2.1 to fix two security issues.
* SECURITY UPDATE: use-after-poison in sec_asn1d_parse_leaf
- CVE-2015-7181
* SECURITY UPDATE: ASN.1 decoder heap overflow
- CVE-2015-7182
-- Marc Deslauriers <email address hidden> Wed, 04 Nov 2015 10:44:42 -0600
-
nss (2:3.19.2-0ubuntu0.14.04.1) trusty-security; urgency=medium
* SECURITY UPDATE: update to upstream 3.19.2 to fix multiple security
issues and get a new CA certificate bundle.
- CVE-2015-2721
- CVE-2015-2730
* debian/libnss3.symbols: updated for new version.
* debian/patches/relax_dh_size.patch: relax minimum DH size to 768 bits
for compatibility reasons. This patch will get reverted in the future
once servers have upgraded to longer DH sizes.
-- Marc Deslauriers <email address hidden> Wed, 08 Jul 2015 12:27:02 -0400
-
nss (2:3.17.4-0ubuntu0.14.04.1) trusty-security; urgency=medium
* SECURITY UPDATE: update to upstream 3.17.4 to get new CA certificate
bundle, and to fix incorrect SHA-1 behaviour. (LP: #1423031)
* Removed unneeded patches:
- debian/patches/CVE-2014-1569.patch: included upstream.
-- Marc Deslauriers <email address hidden> Thu, 19 Feb 2015 07:44:05 -0500
-
nss (2:3.17.1-0ubuntu0.14.04.2) trusty-security; urgency=medium
* SECURITY UPDATE: arbitrary data smuggling via incorrect ASN.1 DER
length decoding
- debian/patches/CVE-2014-1569.patch: properly validate lengths in
nss/lib/util/quickder.c.
- CVE-2014-1569
-- Marc Deslauriers <email address hidden> Tue, 06 Jan 2015 13:19:26 -0500
-
nss (2:3.17.1-0ubuntu0.14.04.1) trusty-security; urgency=medium
* SECURITY UPDATE: update to 3.17.1
- see USN-2361-1
* debian/libnss3.symbols: updated for new version.
* debian/patches/38_ppc64le.patch: removed, upstream.
-- Marc Deslauriers <email address hidden> Wed, 24 Sep 2014 07:32:00 -0400
-
nss (2:3.17-0ubuntu0.14.04.1) trusty-security; urgency=medium
* SECURITY UPDATE: update to upstream 3.17 to get new CA certificate
bundle.
* Removed unneeded patches:
- debian/patches/38_x32.patch: included upstream.
- debian/patches/CVE-2014-1492.patch: included upstream.
- debian/patches/CVE-2014-1544.patch: included upstream.
* Refreshed patches for new version:
- debian/patches/38_kbsd.patch
- debian/patches/85_security_load.patch
- renamed debian/patches/95_add_spi_certs.patch to
debian/patches/95_add_spi+cacert_ca_certs.patch to match Debian.
* debian/patches/38_ppc64le.patch: new patch for ppc64le support.
* debian/libnss3.symbols: updated for new version.
* debian/rules: USE_X32 instead of USE_x32.
-- Marc Deslauriers <email address hidden> Fri, 19 Sep 2014 09:06:41 -0400
-
nss (2:3.15.4-1ubuntu7.1) trusty-security; urgency=medium
* SECURITY UPDATE: possible arbitrary code execution via race condition
- debian/patches/CVE-2014-1544.patch: prevent
nssTrustDomain_AddCertsToCache from freeing the CERTCertificate
associated with the NSSCertificate in nss/lib/pk11wrap/pk11cert.c.
- CVE-2014-1544
-- Marc Deslauriers <email address hidden> Tue, 09 Sep 2014 07:49:06 -0400
-
nss (2:3.15.4-1ubuntu7) trusty; urgency=medium
* SECURITY UPDATE: incorrect IDNA wildcard handling
- debian/patches/CVE-2014-1492.patch: conform to RFC 6125 in
nss/lib/certdb/certdb.c.
- CVE-2014-1492
-- Marc Deslauriers <email address hidden> Wed, 02 Apr 2014 10:14:01 -0400
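Added illustration of the RFC 6125 wildcard rules that the CVE-2014-1492 entry above says the fix conforms to. This is example code written for this page, not NSS's cert_TestHostName and not the Ubuntu patch: it implements section 6.4.3 of RFC 6125 (wildcard only in the left-most label, matching a single label, never embedded in an A-label), plus two conservative choices that are assumptions of this example and not stated by the page (no "*.com"-style patterns, and a partial wildcard such as "baz*" never matching an A-label host). The hostnames are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive compare of up to n bytes (DNS names are
   case-insensitive and A-labels are pure ASCII). */
static int ci_ncmp(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]), cb = tolower((unsigned char)b[i]);
        if (ca != cb) return ca - cb;
        if (ca == 0) return 0;
    }
    return 0;
}

static int ci_eq(const char *a, const char *b)
{
    size_t la = strlen(a);
    return la == strlen(b) && ci_ncmp(a, b, la) == 0;
}

static int count_labels(const char *s)
{
    int n = *s ? 1 : 0;
    for (; *s; s++)
        if (*s == '.') n++;
    return n;
}

/* Returns 1 if reference identifier `host` (the name the client connected to)
   matches presented identifier `pattern` (a dNSName from the certificate)
   under the RFC 6125 section 6.4.3 wildcard rules, else 0. */
int dns_id_match(const char *pattern, const char *host)
{
    const char *star = strchr(pattern, '*');
    const char *pdot, *hdot;
    size_t prefix_len, suffix_len, hlabel_len;

    if (star == NULL)
        return ci_eq(pattern, host);                 /* no wildcard: exact match */

    pdot = strchr(pattern, '.');                     /* end of the left-most label */
    if (pdot == NULL || star > pdot)
        return 0;   /* wildcard only in the left-most label: "foo.*.example.com" fails */
    if (strchr(star + 1, '*') != NULL)
        return 0;   /* a second '*' anywhere is rejected */
    if (count_labels(pdot + 1) < 2)
        return 0;   /* assumed policy: no "*.com"-style patterns */
    if (ci_ncmp(pattern, "xn--", 4) == 0)
        return 0;   /* wildcard embedded in an A-label ("xn--*.example.com") never matches */

    hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host)
        return 0;
    if (!ci_eq(hdot + 1, pdot + 1))
        return 0;   /* parent domain must match label for label, so
                       "*.example.com" cannot match "a.b.example.com" */

    /* The '*' stands for one or more characters inside a single label, so the
       host's left-most label must carry the pattern's literal prefix/suffix. */
    prefix_len = (size_t)(star - pattern);
    suffix_len = (size_t)(pdot - star - 1);
    hlabel_len = (size_t)(hdot - host);
    if ((prefix_len || suffix_len) && ci_ncmp(host, "xn--", 4) == 0)
        return 0;   /* assumed policy: a partial wildcard never matches an A-label */
    if (hlabel_len < prefix_len + suffix_len + 1)
        return 0;
    if (ci_ncmp(host, pattern, prefix_len) != 0)
        return 0;
    if (ci_ncmp(hdot - suffix_len, star + 1, suffix_len) != 0)
        return 0;
    return 1;
}

int main(void)
{
    /* constructed names; 1 = accepted, 0 = rejected */
    printf("*.example.com     / www.example.com     -> %d\n",
           dns_id_match("*.example.com", "www.example.com"));
    printf("*.example.com     / a.b.example.com     -> %d\n",
           dns_id_match("*.example.com", "a.b.example.com"));
    printf("foo.*.example.com / foo.bar.example.com -> %d\n",
           dns_id_match("foo.*.example.com", "foo.bar.example.com"));
    printf("xn--*.example.com / xn--abc.example.com -> %d\n",
           dns_id_match("xn--*.example.com", "xn--abc.example.com"));
    return 0;
}
```

The check that matters for the entry above is the `xn--` test on the pattern: a wildcard inside an A-label is refused before any comparison with the host is attempted. The rest of the function is the ordinary single-label, left-most-only matching that every TLS client needs.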
-
nss (2:3.15.4-1ubuntu6) trusty; urgency=medium
* No longer ship cacert.org certificates. (LP: #1258286)
- removed debian/patches/95_add_spi+cacert_ca_certs.patch
- added debian/patches/95_add_spi_certs.patch
-- Marc Deslauriers <email address hidden> Thu, 20 Feb 2014 07:38:51 -0500
-
nss (2:3.15.4-1ubuntu5) trusty; urgency=medium
* debian/rules: Switch from DEB_BUILD_ARCH to DEB_HOST_ARCH to fix cross.
-- Adam Conrad <email address hidden> Sat, 25 Jan 2014 21:08:34 -0700
-
nss (2:3.15.4-1ubuntu4) trusty; urgency=medium
* control: Mark libnss3-nssdb as M-A: foreign. (LP: #1272292)
-- Timo Aaltonen <email address hidden> Fri, 24 Jan 2014 14:13:10 +0200
-
nss (2:3.15.4-1ubuntu3) trusty; urgency=medium
* debian/rules: create directory before creating cert database to fix
ftbfs
-- Marc Deslauriers <email address hidden> Thu, 23 Jan 2014 13:22:01 -0500
-
nss (2:3.15.4-1ubuntu2) trusty; urgency=medium
* debian/rules: switch back to DEB_BUILD_ARCH to fix ftbfs
-- Marc Deslauriers <email address hidden> Thu, 23 Jan 2014 12:39:23 -0500
-
nss (2:3.15.4-1ubuntu1) trusty; urgency=medium
* Merge with Debian, remaining changes:
- Add x32 support.
nss (2:3.15.4-1) unstable; urgency=low
* New upstream release.
* Acknowledge NMU.
* debian/rules: Avoid long one-liner with semi-colons.
* debian/patches/*: Refresh patches.
* debian/copyright: Update. Closes: #730428.
* debian/control, debian/libnss3-nssdb.*, debian/pkcs11.txt, debian/rules:
Add shared cert and key databases. Thanks Timo Aaltonen. Closes: #537866.
* debian/rules: Use DEB_HOST_ARCH instead of DEB_BUILD_ARCH.
* debian/control: Mark libnss3-dev as Multi-Arch: same. Thanks Shawn
Landden. Closes: #682925.
* debian/libnss3.symbols: Add NSS_3.15.4 symbol versions.
-- Marc Deslauriers <email address hidden> Thu, 23 Jan 2014 11:32:47 -0500
-
nss (2:3.15.3.1-1.1ubuntu1) trusty; urgency=medium
* Add x32 support. Closes: #699217.
-- Matthias Klose <email address hidden> Mon, 06 Jan 2014 21:27:26 +0100
-
nss (2:3.15.3.1-1.1) unstable; urgency=low
* Non-Maintainer Upload
- ship extra NSS utilities (Closes: #701141)
-- Daniel Kahn Gillmor <email address hidden> Sat, 04 Jan 2014 11:34:41 -0500
-
nss (2:3.15.3.1-1) unstable; urgency=high
* New upstream release.
- Distrusts AC DG Tresor SSL CA.
-- Mike Hommey <email address hidden> Sun, 15 Dec 2013 10:09:48 +0900
-
nss (2:3.15.3-1) unstable; urgency=high
* New upstream release.
- Fixes CVE-2013-1741, CVE-2013-5605, CVE-2013-5606.
-- Mike Hommey <email address hidden> Sat, 16 Nov 2013 08:50:45 +0900
-
nss (2:3.15.2-1) unstable; urgency=low
* New upstream release.
- Fixes CVE-2013-1739. Closes: #726473.
-- Mike Hommey <email address hidden> Mon, 21 Oct 2013 08:05:24 +0900
-
nss (2:3.15.1-1ubuntu1) saucy; urgency=low
* Merge from Debian unstable. FFe: (LP: #1219279)
Remaining changes:
- control: Change Vcs-* to XS-Debian-Vcs-*.
- rules: Include libnssb.a and libnssckfw.a in the -dev package.
nss (2:3.15.1-1) unstable; urgency=low
* New upstream release.
* debian/patches/*: Refresh patches.
* debian/patches/lower-dhe-priority.patch: Removed, as it was only necessary
for Iceweasel 3.5, which is long gone.
nss (2:3.15-1) unstable; urgency=low
* New upstream release.
* debian/patches/*: Refresh patches and removed unused ones.
* debian/rules: Adjusted to the new source layout.
* debian/libnss3.symbols: Add NSS*_3.15 symbol versions.
* debian/control: Bump nspr build dependency.
nss (2:3.14.3-1) unstable; urgency=high
* New upstream release.
- Fixes TLS timing attack (Lucky 13). Closes: #699888.
* debian/libnss3.symbols: Add NSS_3.14.3 symbol version.
* debian/control: Unbump sqlite3 build dependency, 3.14.3 lifted the need
for sqlite 3.7.15.
-- Marc Deslauriers <email address hidden> Thu, 19 Sep 2013 16:07:11 -0400