Navigation:
Browse pkgsrc
(this page) 2015-04-05 14:51:51 by Ryo ONODERA | Files touched by this commit (2) |  |
Log message: Update to 3.18 Changelog: The NSS team has released Network Security Services (NSS) 3.18, which is a minor release. New functionality: * When importing certificates and keys from a PKCS#12 source, it's now possible to override the nicknames, prior to importing them into the NSS database, using new API SEC_PKCS12DecoderRenameCertNicknames. * The tstclnt test utility program has new command-line options -C, -D, -b and -R. Use -C one, two or three times to print information about the certificates received from a server, and information about the locally found and trusted issuer certificates, to diagnose server side configuration issues. It is possible to run tstclnt without providing a database (-D). A PKCS#11 library that contains root CA certificates can be loaded by tstclnt, which may either be the nssckbi library provided by NSS (-b) or another compatible library (-R). New Functions: * SEC_CheckCrlTimes * SEC_GetCrlTimes * SEC_PKCS12DecoderRenameCertNicknames New Types * SEC_PKCS12NicknameRenameCallback Notable Changes: * The highest TLS protocol version enabled by default has been increased from TLS 1.0 to TLS 1.2. Similarly, the highest DTLS protocol version enabled by default has been increased from DTLS 1.0 to DTLS 1.2. * The default key size used by certutil when creating an RSA key pair has been increased from 1024 bits to 2048 bits. * On Mac OS X, by default the softokn shared library will link with the sqlite library installed by the operating system, if it is version 3.5 or newer. * The following CA certificates had the Websites and Code Signing trust bits turned off: - Equifax Secure Certificate Authority - Equifax Secure Global eBusiness CA-1 - TC TrustCenter Class 3 CA II * The following CA certificates were Added: - Staat der Nederlanden Root CA - G3 - Staat der Nederlanden EV Root CA - IdenTrust Commercial Root CA 1 - IdenTrust Public Sector Root CA 1 - S-TRUST Universal Root CA - Entrust Root Certification Authority - G2 - Entrust Root Certification Authority - EC1 - CFCA EV ROOT * The version number of the updated root CA list has been set to 2.3 |
| 2015-01-28 22:12:09 by Ryo ONODERA | Files touched by this commit (2) |
Log message: Update to 3.17.4 Changelog: Network Security Services (NSS) 3.17.4 is a patch release for NSS 3.17. No new functionality is introduced in this release. Notable Changes: * If an SSL/TLS connection fails, because client and server don't have any common protocol version enabled, NSS has been changed to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting SSL_ERROR_NO_CYPHER_OVERLAP). * libpkix was fixed to prefer the newest certificate, if multiple certificates match. * fixed a memory corruption issue during failure of keypair generation. * fixed a failure to reload a PKCS#11 module in FIPS mode. * fixed interoperability of NSS server code with a LibreSSL client. |
| 2014-12-19 15:21:55 by Ryo ONODERA | Files touched by this commit (1) |
Log message: Fix build of www/firefox. The build breakage is caused from inconsistent use of sqlite3 from NetBSD base and pkgsrc. Bump PKGREVISION. |
| 2014-12-01 19:23:29 by Ryo ONODERA | Files touched by this commit (2) | |
Log message: Update to 3.17.3 Changelog: New functionality: * Support for TLS_FALLBACK_SCSV has been added to the ssltap and tstclnt utilities Notable Changes: * The QuickDER decoder now decodes lengths robustly (CVE-2014-1569) * The following 1024-bit CA certificates were Removed: - GTE CyberTrust Global Root - Thawte Server CA - Thawte Premium Server CA - America Online Root Certification Authority 1 - America Online Root Certification Authority 2 * The following CA certificates had the Websites and Code Signing trust bits turned off: - Class 3 Public Primary Certification Authority - G2 - Equifax Secure eBusiness CA-1 * The following CA certificates were Added: - COMODO RSA Certification Authority - USERTrust RSA Certification Authority - USERTrust ECC Certification Authority - GlobalSign ECC Root CA - R4 - GlobalSign ECC Root CA - R5 * The version number of the updated root CA list has been set to 2.2 |
| 2014-10-15 15:04:20 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.17.2
Changelog:
New in NSS 3.17.2
New Functionality
No new functionality is introduced in this release. This is a patch release to \
fix a regression and other bugs.
Notable Changes in NSS 3.17.2
Bug 1049435: Change RSA_PrivateKeyCheck to not require p > q. This fixes \
a regression introduced in NSS 3.16.2 that prevented NSS from importing some RSA \
private keys (such as in PKCS #12 files) generated by other crypto libraries.
Bug 1057161: Check that an imported elliptic curve public key is valid. \
Previously NSS would only validate the peer's public key before performing ECDH \
key agreement. Now EC public keys are validated at import time.
Bug 1078669: certutil crashes when an argument is passed to the \
--certVersion option.
Bugs fixed in NSS 3.17.2
This Bugzilla query returns all the bugs fixed in NSS 3.17.2:
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.2
Compatibility
NSS 3.17.2 shared libraries are backward compatible with all older NSS 3.x \
shared libraries. A program linked with older NSS 3.x shared libraries will work \
with NSS 3.17.2 shared libraries without recompiling or relinking. Furthermore, \
applications that restrict their use of NSS APIs to the functions listed in NSS \
Public Functions will remain compatible with future versions of the NSS shared \
libraries.
|
| 2014-10-07 18:47:38 by Adam Ciarcinski | Files touched by this commit (442) |
Log message: Revbump after updating libwebp and icu |
| 2014-09-26 17:42:09 by Thomas Klausner | Files touched by this commit (1) |
Log message: Revert unintended part of previous. Discussed with spz. |
| 2014-09-26 05:25:22 by S.P.Zeidler | Files touched by this commit (3) | |
Log message: security update fixing: - Incorrect DigestInfo validation in NSS (CVE-2014-1568) - RSA signature verification vulnerabilities in parsing of DigestInfo (see https://www.mozilla.org/security/announce/2014/mfsa2014-73.html) |
| 2014-08-12 11:43:07 by Mark Davies | Files touched by this commit (2) | |
Log message: Update to nss 3.16.4 This release consists primarily of CA certificate changes as listed below, and includes a small number of bug fixes. Notable Changes: * The following 1024-bit root CA certificate was restored to allow more time to develop a better transition strategy for affected sites. It was removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy forum led to the decision to keep this root included longer in order to give website administrators more time to update their web servers. - CN = GTE CyberTrust Global Root * In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit intermediate CA certificate has been included, without explicit trust. The intention is to mitigate the effects of the previous removal of the 1024-bit Entrust.net root certificate, because many public Internet sites still use the "USERTrust Legacy Secure Server CA" intermediate certificate that is signed by the 1024-bit Entrust.net root certificate. The inclusion of the intermediate certificate is a temporary measure to allow those sites to function, by allowing them to find a trust path to another 2048-bit root CA certificate. The temporarily included intermediate certificate expires November 1, 2015. |
| 2014-07-05 06:53:39 by Ryo ONODERA | Files touched by this commit (2) |
Log message: Update to 3.16.2 Changelog: Network Security Services (NSS) 3.16.3 is a patch release for NSS 3.16. This release consists primarily of CA certificate changes as listed below, and fixes an issue with a recently added utility function. New Functions: * CERT_GetGeneralNameTypeFromString (This function was already added in NSS 3.16.2, however, it wasn't declared in a public header file.) Notable Changes: * The following 1024-bit CA certificates were Removed - Entrust.net Secure Server Certification Authority - GTE CyberTrust Global Root - ValiCert Class 1 Policy Validation Authority - ValiCert Class 2 Policy Validation Authority - ValiCert Class 3 Policy Validation Authority * Additionally, the following CA certificate was Removed as requested by the CA: - TDC Internet Root CA * The following CA certificates were Added: - Certification Authority of WoSign - CA æ²éæ ¹è¯ä¹¦ - DigiCert Assured ID Root G2 - DigiCert Assured ID Root G3 - DigiCert Global Root G2 - DigiCert Global Root G3 - DigiCert Trusted Root G4 - QuoVadis Root CA 1 G3 - QuoVadis Root CA 2 G3 - QuoVadis Root CA 3 G3 * The Trust Bits were changed for the following CA certificates - Class 3 Public Primary Certification Authority - Class 3 Public Primary Certification Authority - Class 2 Public Primary Certification Authority - G2 - VeriSign Class 2 Public Primary Certification Authority - G3 - AC RaÃz Certicámara S.A. - NetLock Uzleti (Class B) Tanusitvanykiado - NetLock Expressz (Class C) Tanusitvanykiado |
New packages: