Subject: CVS commit: pkgsrc/emulators/suse131_mozilla-nss
From: OBATA Akio
Date: 2014-11-03 09:28:08
Message id:

Log Message:
Apply following updates to suse131_mozilla-nss, bump PKGREVISION to 4.

   openSUSE Security Update: MozillaFirefox to Firefox 32

Announcement ID:    openSUSE-SU-2014:1099-1
Rating:             moderate
References:         #894201 #894370
Cross-References:   CVE-2014-1553 CVE-2014-1562 CVE-2014-1563
                    CVE-2014-1564 CVE-2014-1565 CVE-2014-1567

Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3

   An update that fixes 6 vulnerabilities is now available.

   Mozilla NSS was updated to 3.16.4: Notable Changes:
   * The following 1024-bit root CA certificate was restored to allow more
     time to develop a better transition strategy for affected sites. It was
     removed in NSS 3.16.3, but discussion in the
     forum led to the decision to keep this root included longer in order to
     give website administrators more time to update their web servers.
       - CN = GTE CyberTrust Global Root
   * In NSS 3.16.3, the 1024-bit " Secure Server Certification
     Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit
     intermediate CA certificate has been included, without explicit trust.
     The intention is to mitigate the effects of the previous removal of the
     1024-bit root certificate, because many public Internet
     sites still use the "USERTrust Legacy Secure Server CA" intermediate
     certificate that is signed by the 1024-bit root certificate.
     The inclusion of the intermediate certificate is a temporary measure to
     allow those sites to function, by allowing them to find a trust path to
     another 2048-bit root CA certificate. The temporarily included
     intermediate certificate expires November 1, 2015.

   openSUSE Security Update: mozilla-nss: update to avoid signature forgery

Announcement ID:    openSUSE-SU-2014:1232-1
Rating:             critical
References:         #897890
Cross-References:   CVE-2014-1568
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3

   An update that fixes one vulnerability is now available.


   Mozilla NSS is vulnerable to a variant of a signature forgery attack
   previously published by Daniel Bleichenbacher. This is due to lenient
   parsing of ASN.1 values involved in a signature and could lead to the
   forging of RSA certificates.

   openSUSE Security Update: update for firefox, mozilla-nspr, mozilla-nss and \ 

Announcement ID:    openSUSE-SU-2014:1345-1
Rating:             moderate
References:         #894370 #896624 #897890 #900941 #901213
Cross-References:   CVE-2014-1554 CVE-2014-1574 CVE-2014-1575
                    CVE-2014-1576 CVE-2014-1577 CVE-2014-1578
                    CVE-2014-1580 CVE-2014-1581 CVE-2014-1582
                    CVE-2014-1583 CVE-2014-1584 CVE-2014-1585
Affected Products:
                    openSUSE 13.1

   An update that fixes 13 vulnerabilities is now available.

   Changes in mozilla-nss:
   - update to 3.17.1 (bnc#897890)
     * Change library's signature algorithm default to SHA256
     * Add support for draft-ietf-tls-downgrade-scsv
     * Add clang-cl support to the NSS build system
     * Implement TLS 1.3:
       * Part 1. Negotiate TLS 1.3
       * Part 2. Remove deprecated cipher suites andcompression.
     * Add support for little-endian powerpc64

   - update to 3.17
     * required for Firefox 33 New functionality:
     * When using ECDHE, the TLS server code may be configured to generate a
       fresh ephemeral ECDH key for each handshake, by setting the
       SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The
       SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the
       server's ephemeral ECDH key is reused for multiple handshakes. This
       option does not affect the TLS client code, which always generates a
       fresh ephemeral ECDH key for each handshake. New Macros
     * SSL_REUSE_SERVER_ECDHE_KEY Notable Changes:
     * The manual pages for the certutil and pp tools have been updated to
       document the new parameters that had been added in NSS 3.16.2.
     * On Windows, the new build variable USE_STATIC_RTL can be used to
       specify the static C runtime library should be used. By default the
       dynamic C runtime library is used.