Log message:
Update to 3.15.4

Changelog:
from: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes

Security Advisories

The following security-relevant bugs have been resolved in NSS 3.15.4.
Users are encouraged to upgrade immediately.

Bug 919877 - (CVE-2013-1740) When false start is enabled, libssl will
sometimes return unencrypted, unauthenticated data from PR_Recv

New in NSS 3.15.4
New Functionality
    Implemented OCSP querying using the HTTP GET method, which is the new \ 
default, and will fall back to the HTTP POST method.
    Implemented OCSP server functionality for testing purposes (httpserv utility).
    Support SHA-1 signatures with TLS 1.2 client authentication.
    Added the --empty-password command-line option to certutil, to be used with \ 
-N: use an empty password when creating a new database.
    Added the -w command-line option to pp: don't wrap long output lines.

New Functions
    CERT_ForcePostMethodForOCSP
    CERT_GetSubjectNameDigest
    CERT_GetSubjectPublicKeyDigest
    SSL_PeerCertificateChain
    SSL_RecommendedCanFalseStart
    SSL_SetCanFalseStartCallback

New Types
    CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will \ 
never attempt to use the HTTP GET method for OCSP requests; it will always use \ 
POST.

New PKCS #11 Mechanisms
None.

Notable Changes in NSS 3.15.4

    Reordered the cipher suites offered in SSL/TLS client hello messages to \ 
match modern best practices.
    Updated the set of root CA certificates (version 1.96).
    Improved SSL/TLS false start. In addition to enabling the \ 
SSL_ENABLE_FALSE_START option, an application must now register a callback using \ 
the SSL_SetCanFalseStartCallback function.
    When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT \ 
build configuration, specify OS_TARGET=WINNT.

Bugs fixed in NSS 3.15.4

A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.4&product=NSS

Compatibility
NSS 3.15.4 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries will
work with NSS 3.15.4 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.

Log message:
whitespace

Log message:
Update to 3.15.3.1

Changelog:
New in NSS 3.15.3.1

New Functionality

No new major functionality is introduced in this release. This is
a patch release to revoke trust of a subordinate CA certificate
that was mis-used to generate a certificate used by a network
appliance.

Bugs fixed in NSS 3.15.3.1

    Bug 946351 - Misissued Google certificates from DCSSI

A complete list of all bugs resolved in this release can be obtained
at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3.1&product=NSS

Compatibility

NSS 3.15.3.1 shared libraries are backward compatible with all
older NSS 3.x shared libraries. A program linked with older NSS
3.x shared libraries will work with NSS 3.15.3.1 shared libraries
without recompiling or relinking. Furthermore, applications that
restrict their use of NSS APIs to the functions listed in NSS Public
Functions will remain compatible with future versions of the NSS
shared libraries.

Log message:
Update to 3.15.3

Changelog:
Security Advisories

The following security-relevant bugs have been resolved in NSS 3.15.3. Users are \ 
encouraged to upgrade immediately.

    Bug 925100 - (CVE-2013-1741) Ensure a size is <= half of the maximum \ 
PRUint32 value
    Bug 934016 - (CVE-2013-5605) Handle invalid handshake packets
    Bug 910438 - (CVE-2013-5606) Return the correct result in CERT_VerifyCert on \ 
failure, if a verifyLog isn't used

New in NSS 3.15.3
New Functionality

No new major functionality is introduced in this release. This release is a \ 
patch release to address CVE-2013-1741, CVE-2013-5605 and CVE-2013-5606.
Bugs fixed in NSS 3.15.3

    Bug 850478 - List RC4_128 cipher suites after AES_128 cipher suites
    Bug 919677 - Don't advertise TLS 1.2-only ciphersuites in a TLS 1.1 ClientHello

A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3&product=NSS

Compatibility

NSS 3.15.3 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries will
work with NSS 3.15.3 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.

Log message:
Revbump after updating textproc/icu

Log message:
Update to 3.15.2

Changelog:
Security Advisories

The following security-relevant bugs have been resolved in NSS 3.15.2. Users are \ 
encouraged to upgrade immediately.

    Bug 894370 - (CVE-2013-1739) Avoid uninitialized data read in the event of a \ 
decryption failure.

New in NSS 3.15.2
New Functionality

    AES-GCM Ciphersuites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support \ 
has been added when TLS 1.2 is negotiated. Specifically, the following cipher \ 
suites are now supported:
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_RSA_WITH_AES_128_GCM_SHA256

New Functions

PK11_CipherFinal has been introduced, which is a simple alias for PK11_DigestFinal.
New Types

No new types have been introduced.
New PKCS #11 Mechanisms

No new PKCS#11 mechanisms have been introduced
Notable Changes in NSS 3.15.2

    Bug 880543 - Support for AES-GCM ciphersuites that use the SHA-256 PRF
    Bug 663313 - MD2, MD4, and MD5 signatures are no longer accepted for OCSP or \ 
CRLs, consistent with their handling for general certificate signatures.
    Bug 884178 - Add PK11_CipherFinal macro

Bugs fixed in NSS 3.15.2

    Bug 734007 - sizeof() used incorrectly
    Bug 900971 - nssutil_ReadSecmodDB() leaks memory
    Bug 681839 - Allow SSL_HandshakeNegotiatedExtension to be called before the \ 
handshake is finished.
    Bug 848384 - Deprecate the SSL cipher policy code, as it's no longer \ 
relevant. It is no longer necessary to call NSS_SetDomesticPolicy because all \ 
cipher suites are now allowed by default.

A complete list of all bugs resolved in this release can be obtained at \ 
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.2&product=NSS&list_id=7982238
Compatibility

NSS 3.15.2 shared libraries are backward compatible with all older NSS 3.x \ 
shared libraries. A program linked with older NSS 3.x shared libraries will work \ 
with NSS 3.15.2 shared libraries without recompiling or relinking. Furthermore, \ 
applications that restrict their use of NSS APIs to the functions listed in NSS \ 
Public Functions will remain compatible with future versions of the NSS shared \ 
libraries.

Log message:
Fix misc/rpm build.

* Buildlink include files.

Log message:
Update to 3.15.1

Changelog:
NSS 3.15.1 release notes

Introduction

Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug \ 
fixes in NSS 3.15.1 are described in the "Bugs Fixed" section below.
Distribution Information

NSS 3.15.1 source distributions are also available on ftp.mozilla.org for secure \ 
HTTPS download:

    Source tarballs:
    https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/

New in NSS 3.15.1
New Functionality

    TLS 1.2: TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC \ 
5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. \ 
Note the following limitations.
        The hash function used in the signature for TLS 1.2 client \ 
authentication must be the hash function of the TLS 1.2 PRF, which is always \ 
SHA-256 in NSS 3.15.1.
        AES GCM cipher suites are not yet supported.

New Functions

None.
New Types

    in sslprot.h
        SSL_LIBRARY_VERSION_TLS_1_2 - The protocol version of TLS 1.2 on the \ 
wire, value 0x0303.
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, \ 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \ 
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, \ 
TLS_RSA_WITH_NULL_SHA256 - New TLS 1.2 only HMAC-SHA256 cipher suites.
    in sslerr.h
        SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, SSL_ERROR_DIGEST_FAILURE, \ 
SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM - New error codes for TLS 1.2.
    in sslt.h
        ssl_hmac_sha256 - A new value in the SSLMACAlgorithm enum type.
        ssl_signature_algorithms_xtn - A new value in the SSLExtensionType enum type.

New PKCS #11 Mechanisms

None.
Notable Changes in NSS 3.15.1

    Bug 856060 - Enforce name constraints on the common name in libpkix  when no \ 
subjectAltName is present.
    Bug 875156 - Add const to the function arguments of SEC_CertNicknameConflict.
    Bug 877798 - Fix ssltap to print the certificate_status handshake message \ 
correctly.
    Bug 882829 - On Windows, NSS initialization fails if NSS cannot call the \ 
RtlGenRandom function.
    Bug 875601 - SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token \ 
delay, leading to spurious failures.
    Bug 884072 - Fix a typo in the header include guard macro of secmod.h.
    Bug 876352 - certutil now warns if importing a PEM file that contains a \ 
private key.
    Bug 565296 - Fix the bug that shlibsign exited with status 0 even though it \ 
failed.
    The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed.

Bugs fixed in NSS 3.15.1

    \ 
https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS

Compatibility

NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x \ 
shared libraries. A program linked with older NSS 3.x shared libraries will work \ 
with NSS 3.15.1 shared libraries without recompiling or relinking. Furthermore, \ 
applications that restrict their use of NSS APIs to the functions listed in NSS \ 
Public Functions will remain compatible with future versions of the NSS shared \ 
libraries.

NSS 3.15 release notes

Introduction

The NSS team has released Network Security Services (NSS) 3.15, which is a minor \ 
release.
Distribution Information

The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer.

NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS \ 
download:

    Source tarballs:
    https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/

New in NSS 3.15
New Functionality

    Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been \ 
added for both client and server sockets. TLS client applications may enable \ 
this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
    Added function SECITEM_ReallocItemV2. It replaces function \ 
SECITEM_ReallocItem, which is now declared as obsolete.
    Support for single-operation (eg: not multi-part) symmetric key encryption \ 
and decryption, via PK11_Encrypt and PK11_Decrypt.
    certutil has been updated to support creating name constraints extensions.

New Functions

    in ssl.h
        SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP \ 
response, when used with a TLS client socket that negotiated the status_request \ 
extension.
        SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS \ 
server socket to return when clients send the status_request extension.
    in ocsp.h
        CERT_PostOCSPRequest - Primarily intended for testing, permits the \ 
sending and receiving of raw OCSP request/responses.
    in secpkcs7.h
        SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at \ 
a specific time other than the present time.
    in xconst.h
        CERT_EncodeNameConstraintsExtension - Matching function for \ 
CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
    in secitem.h
        SECITEM_AllocArray
        SECITEM_DupArray
        SECITEM_FreeArray
        SECITEM_ZfreeArray - Utility functions to handle the allocation and \ 
deallocation of SECItemArrays
        SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now \ 
obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it \ 
updates item->len on allocation. For more details of the issues with \ 
SECITEM_ReallocItem, see Bug 298649 and Bug 298938.
    in pk11pub.h
        PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: \ 
not multi-part). This is necessary for AES-GCM.
        PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: \ 
not multi-part). This is necessary for AES-GCM.

New Types

    in secitem.h
        SECItemArray - Represents a variable-length array of SECItems.

New Macros

    in ssl.h
        SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS \ 
client sockets to request the certificate_status extension (eg: OCSP stapling) \ 
when set to PR_TRUE

Notable Changes in NSS 3.15

    SECITEM_ReallocItem is now deprecated. Please consider using \ 
SECITEM_ReallocItemV2 in all future code.

    NSS has migrated from CVS to the Mercurial source control management system.

    Updated build instructions are available at Migration to HG

    As part of this migration, the source code directory layout has been \ 
re-organized.

    The list of root CA certificates in the nssckbi module has been updated.

    The default implementation of SSL_AuthCertificate has been updated to add \ 
certificate status responses stapled by the TLS server to the OCSP cache.

    Applications that use SSL_AuthCertificateHook to override the default \ 
handler should add appropriate calls to SSL_PeerStapledOCSPResponse and \ 
CERT_CacheOCSPResponseFromSideChannel.
    Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and \ 
other OCSP caching behaviour.
    Bug 853285: Fixed bugs in AES GCM.
    Bug 341127: Fix the invalid read in rc4_wordconv.
    Faster NIST curve P-256 implementation.
    Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library \ 
libfreebl_32int_3.so is no longer produced.

Bugs fixed in NSS 3.15

This Bugzilla query returns all the bugs fixed in NSS 3.15:

https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15

Log message:
Bump all packages for perl-5.18, that
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package

Like last time, where this caused no complaints.

Log message:
Massive revbump after updating graphics/ilmbase, graphics/openexr, textproc/icu.