nss (3.12.9+ckbi-1.82-0ubuntu0.10.04.3) lucid-security; urgency=low

  * SECURITY UPDATE: Add patch from Debian version 3.12.11-3 rebased against
    3.12.9 to remove the DigiNotar certificates and actively distrust them;
    Thanks to Mike Hommey from Debian for the original patch (LP: #837557)
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*: Explicitly distrust
      various DigiNotar CAs:
      - DigiNotar Root CA
      - DigiNotar Services 1024 CA
      - DigiNotar Cyber CA
      - DigiNotar Cyber CA 2nd
      - DigiNotar PKIoverheid
      - DigiNotar PKIoverheid G2
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*: Remove DigiNotar
      Root CA.

 -- Micah Gersten  Wed, 07 Sep 2011 14:53:13 -0500

nss (3.12.9+ckbi-1.82-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v3.12.9 with updated ckbi module
    (NSS_3_12_9_WITH_CKBI_1_82_RTM)
    - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
      explicitly mark the recently issued and revoked fraudulent
      certificates as explicitly not trusted; NSS will report
      SEC_ERROR_UNTRUSTED_CERT when attempting to verify one of these
      fraudulent certificates (LP: #741729)
  * Add new symbols
    - update debian/libnss3-1d.symbols

 -- Micah Gersten  Mon, 28 Mar 2011 14:55:05 -0500

nss (3.12.8-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v3.12.8 (NSS_3_12_8_RTM)
    - Fix browser wildcard certificate validation issue
    - Update root certs
    - Fix SSL deadlocks
  * Refresh patches:
    - update debian/patches/38_kbsd.patch
    - update debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch
  * Bump minimum nspr version to 4.8.6
    - update debian/control
  * Add new API to symbols file
    - update debian/libnss3-1d.symbols

 -- Chris Coulson  Mon, 04 Oct 2010 23:11:32 +0100

nss (3.12.6-0ubuntu3) lucid; urgency=low

  * Generate missing checksum for libnssdbm3.so to make FIPS mode work
    again (LP: #559881)
    - update debian/rules

 -- Chris Coulson  Sat, 10 Apr 2010 21:23:03 +0100

nss (3.12.6-0ubuntu2) lucid; urgency=low

  * Enable transitional scheme for SSL renegotiation (LP: #553251)
    - add 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
    - update debian/patches/series

 -- Chris Coulson  Wed, 31 Mar 2010 20:42:18 +0100

nss (3.12.6-0ubuntu1) lucid; urgency=low

  * New upstream release 3.12.6 RTM (NSS_3_12_6_RTM)
    - fixes CVE-2009-3555 aka US-CERT VU#120541
  * Adjust patches to changed upstream code base
    - update debian/patches/38_kbsd.patch
    - update debian/patches/38_mips64_build.patch
    - update debian/patches/85_security_load.patch
  * Remove patches that are merged upstream
    - delete debian/patches/91_nonexec_stack.patch
    - update debian/patches/series
  * Bump nspr dependency to 4.8
    - update debian/control
  * Add new symbols for 3.12.6
    - update debian/libnss3-1d.symbols

 -- Chris Coulson  Thu, 25 Mar 2010 13:46:06 +0000

nss (3.12.3.1-0ubuntu3) lucid; urgency=low

  * rebuild rest of main for armel armv7/thumb2 optimization;
    UbuntuSpec:mobile-lucid-arm-gcc-v7-thumb2

 -- Alexander Sack  Sun, 07 Mar 2010 00:58:36 +0100

nss (3.12.3.1-0ubuntu2) karmic; urgency=low

  * Add 91_nonexec_stack.patch: fix regression in stack memory protections
    caused by unmarked assembly (LP: #409864).

 -- Kees Cook  Mon, 24 Aug 2009 15:03:19 -0700

nss (3.12.3.1-0ubuntu1) karmic; urgency=low

  * new upstream release 3.12.3.1 RTM (NSS_3_12_3_1_RTM) (LP: #407549)
    - see USN-810-1

 -- Alexander Sack  Sat, 01 Aug 2009 17:05:48 +0200

nss (3.12.3-0ubuntu2) karmic; urgency=low

  * adjust patches to changed upstream code base
    - update debian/patches/38_kbsd.patch
  * needs nspr >= 4.7.4
    - update debian/control
  * update 85_security_load.patch to latest debian version
    - update debian/patches/85_security_load.patch
  * add new symbols for 3.12.3
    - update debian/libnss3-1d.symbols
  * LP: #388350 - nss 3.12.3-0ubuntu2 ftbfs in karmic - shlibsign crashes;
    we add debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH for the
    shlibsign invocation used to sign libs in debian/rules
    - update debian/rules
  * append LD_LIBRARY_PATH to shlibsign invocation to make fakeroot builds
    happy
    - update debian/rules

 -- Alexander Sack  Wed, 17 Jun 2009 11:59:45 +0200

nss (3.12.2+cbki.1.73-ubuntu1) jaunty; urgency=low

  * new upstream tag NSS_3_12_2_WITH_CKBI_1_73_RTM fixing
    - 718-1: override rogue md5-collision CA cert; see: mozilla bug 471715

 -- Alexander Sack  Mon, 09 Feb 2009 16:32:56 +0100

nss (3.12.2~rc1-0ubuntu2) jaunty; urgency=low

  * LP: #316452 - ldconfig breaks/removes legacy links for previously
    versioned library names during upgrade; the fix prevents ldconfig from
    treating the transitional/backup files as "libs" by using a prefix
    ("XNOLDCONFIG_")
    - debian/libnspr4-0d.postinst
    - debian/libnspr4-0d.postrm
    - debian/libnspr4-0d.preinst
    - debian/libnspr4-0d.prerm

 -- Alexander Sack  Wed, 14 Jan 2009 13:27:07 +0100

nss (3.12.2~rc1-0ubuntu1) jaunty; urgency=low

  * New upstream snapshot: 3.12.2 RC1

  [ Fabien Tassin ]
  * Remove patch applied upstream:
    - drop debian/patches/80_security_tools.patch
    - update debian/patches/series
  * Update diverged patches:
    - update debian/patches/38_kbsd.patch
    - update debian/patches/38_mips64_build.patch
  * Add new symbols to symbols file
    - update debian/libnss3-1d.symbols

  [ Alexander Sack ]
  * disable soname patch to become binary compatible with upstream
    - update debian/patches/series
  * flip links: libnss3.so <- libnss3.so.1d (before: libnss3.so ->
    libnss3.so.1d); same link flipping was done for all other previously
    soname patched libs: libnssutil3.so, libsmime3.so.1d, libssl3.so.1d
    - update debian/libnss3-1d.links
    - update debian/libnss3-1d.symbols
  * properly transition links in preinst and postrm; also cover abort-cases
    in the other maintainer scripts
    - add debian/libnss3-1d.postinst
    - add debian/libnss3-1d.postrm
    - add debian/libnss3-1d.preinst
    - add debian/libnss3-1d.prerm
  * remove hack from debian/rules that debian uses to recreate
    libsoftokn3.so with a versioned SONAME
    - update debian/rules
  * install the unversioned .so binaries
    - update debian/rules
  * only install the 4 main libraries into /usr/lib; all the others go to
    pkglibdir
    - update debian/rules
  * higher bar for libnspr4 Build-Depend to >= 4.7.3~, which is the version
    where the soname droppage is going to happen
    - update debian/control
  * explicitly pass libraries to be used for dpkg-gensymbols run of
    dh_makeshlibs
    - update debian/rules
  * fix lintian complain about no-shlibs-control-file
    - update debian/rules

 -- Alexander Sack  Sun, 11 Jan 2009 15:06:17 +0100

nss (3.12.0.3-0ubuntu5) intrepid; urgency=low

  * fix LP: #232392 - "Ubuntu builds of libnss lack ECC support"; Thanks to
    Kain for pointing this out.
    - update debian/rules

 -- Alexander Sack  Tue, 12 Aug 2008 17:40:59 +0200

nss (3.12.0.3-0ubuntu4) intrepid; urgency=low

  * fix LP: #215062 - add Conflicts for libnss3-1d on gutsy version of
    libnss3-0d (<< 3.12.0~)
    - update debian/control

 -- Alexander Sack  Tue, 15 Jul 2008 15:46:54 +0200

nss (3.12.0.3-0ubuntu3) intrepid; urgency=low

  * fix LP: #245122 - add Replaces/Conflicts on libnss3 packages
    - update debian/control

 -- Alexander Sack  Wed, 09 Jul 2008 21:45:44 +0200

nss (3.12.0.3-0ubuntu2) intrepid; urgency=low

  * move non-versioned .so-links from libnss3-dev package to unbreak binary
    compatibility to native extensions built against upstream xulrunner;
    in turn we add versioned Conflicts: Replaces: on libnss3-dev for the
    libnss3-1d package to allow a seemingly upgrade. (LP: #244439)
    - add debian/libnss3-1d.links
    - update debian/libnss3-dev.links
    - update debian/control

 -- Alexander Sack  Tue, 01 Jul 2008 11:49:00 +0200

nss (3.12.0.3-0ubuntu1) intrepid; urgency=low

  * new upstream release 3.12.0.3 fixes certID issue; downloaded from
    http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/nss-3.12.tar.gz

 -- Alexander Sack  Mon, 23 Jun 2008 14:35:54 +0200

nss (3.12.0.2+1.9-0ubuntu1) intrepid; urgency=low

  * new upstream version, picked from FIREFOX_3_0rc1_RELEASE cvs tag
    (LP: #233922)

 -- Fabien Tassin  Wed, 21 May 2008 14:50:00 +0200

nss (3.12.0~beta3-0ubuntu1) hardy; urgency=low

  * new upstream version, picked from NSS_3_12_BETA3 cvs tag
  * update symbols file:
    - add CERT_NewTempCertificate@NSS_3.12
    - add NSS_InitWithMerge@NSS_3.12
    - add PK11_CreateMergeLog@NSS_3.12
    - add PK11_DestroyMergeLog@NSS_3.12
    - add PK11_IsRemovable@NSS_3.12
    - add PK11_MergeTokens@NSS_3.12
    - add CERT_GetUsePKIXForValidation@NSS_3.12
    - add CERT_SetUsePKIXForValidation@NSS_3.12
    - add CERT_GetClassicOCSPDisabledPolicy@NSS_3.12
    - add CERT_GetClassicOCSPEnabledHardFailurePolicy@NSS_3.12
    - CERT_GetClassicOCSPEnabledSoftFailurePolicy@NSS_3.12
    - update debian/libnss3-1d.symbols
  * bump shlibs requirement to >= 3.12.0~beta3
    - update debian/rules

 -- Fabien Tassin  Fri, 04 Apr 2008 16:14:45 +0200

nss (3.12.0~1.9b4-0ubuntu1) hardy; urgency=low

  * new upstream version, picked from FIREFOX_3_0b4_RELEASE cvs tag.
  * update symbols file
    - update debian/libnss3-1d.symbols
  * bump shlibs requirement to >= 3.12.0~1.9b4

 -- Alexander Sack  Tue, 11 Mar 2008 01:52:02 +0100

nss (3.12.0~1.9b3-0ubuntu1) hardy; urgency=low

  * New upstream snapshot, picked from FIREFOX_3_0b3_RELEASE cvs tag.
  * install libnssutil3.so.1d, update symbols file accordingly, add nssutil
    to pkgconfig file and config script
    - update debian/libnss3-dev.links
    - update debian/nss.pc.in
    - update debian/nss-config.in
  * fix UPSTREAM_VERSION to drop ~cvs as it is used by nss-config which is
    causing troubles in xulrunner's configure
    - update debian/rules
  * add support for mozilla-devscripts
    - update debian/rules
  * update symbols file for new symbols:
    + CERT_SetOCSPTimeout@NSS_3.12
    + NSS_3.11.9@NSS_3.11.9
    + PK11_CreateGenericObject@NSS_3.12
    + PK11_UnconfigurePKCS11@NSS_3.11.9
    + PK11_WriteRawAttribute@NSS_3.12
    + CERT_GetValidDNSPatternsFromCert@NSS_3.12
    + PK11_CreatePBEV2AlgorithmID@NSS_3.12
    + PK11_GetPBECryptoMechanism@NSS_3.12
    + SEC_PKCS5IsAlgorithmPBEAlgTag@NSS_3.12
    ~ SEC_StringToOID@NSS_3.12 (moved from libnss3 to libnssutils3)
    - update debian/libnss3-1d.symbols
    - update debian/rules
  * Bump shlibs requirement to >= 3.12.0~1.9b3
    - update debian/rules
  * Bump Standards-Version to 3.7.3 and add Homepage field where needed
    - update debian/control

 -- Fabien Tassin  Fri, 08 Feb 2008 20:13:42 +0100

nss (3.12.0~1.9b2+nobinonly-0ubuntu1) hardy; urgency=low

  * New upstream snapshot, picked from FIREFOX_3_0b2_RELEASE cvs tag.
  * ubuntify maintainer field
    - update debian/control

 -- Alexander Sack  Sun, 16 Dec 2007 11:06:03 +0100

nss (3.12.0~1.9b1-2) unstable; urgency=low

  * debian/control: libnss3-1-dbg needs to conflict with older
    libnss3-0d-dbg, as it overwrites some of its files. Closes: #455875.
  * debian/patches/90_realpath.dpatch: Use realpath() in
    loader_GetOriginalPathname, so that symlinks are properly followed when
    determining where the current library lives.
  * debian/patches/00list: Updated accordingly.
  * debian/patches/85_security_load.dpatch: When the module given by the
    caller contains a directory name, remove it so that the module can be
    properly loaded. Closes: #456296.

 -- Mike Hommey  Sun, 16 Dec 2007 11:06:03 +0100

nss (3.12.0~1.9b1-1) unstable; urgency=low

  * New upstream snapshot, picked from FIREFOX_3_0b1_RELEASE cvs tag.
  * debian/copyright: Add licensing information about the recently added
    sqlite copy in the source tree.
  * debian/control:
    + Build depend on libsqlite3-dev.
    + Rename all -0d packages to -1d, but keep a transitional -0d package,
      since all libraries are compatible (except for the removed one).
    + Make libnss3-1d conflict with older libnss3-0d.
  * debian/patches/38_kbsd.dpatch, debian/patches/81_sonames.dpatch:
    Adapted to upstream changes.
  * debian/patches/81_sonames.dpatch:
    + Remove SO version from libsoftokn3, now it is not linked against
      anymore, but dlloaded.
    + Remove the hacks to have shlibsign and the signature verification
      code handle the SO version in the file name.
    + Bump SO version to 1d.
  * debian/rules:
    + Add NSS_USE_SYSTEM_SQLITE=1 to the make options.
    + Install libsoftokn3 and the new libnssdbm3 in /usr/lib/nss.
    + Run shlibsign on libsoftokn3 in /usr/lib/nss, without a SO version.
    + For some reason, build-stamp was missing in install-stamp
      dependencies.
    + Bumped shlibs because of new symbols, and pass -c4 to
      dpkg-gensymbols, so that it fails in all cases where the symbols
      file is not up to date.
    + Adapt upstream version pattern matching so that the ~1.9b1 part is
      removed.
    + Install .1d libraries in -1d packages.
    + Create a dummy libsoftokn3.so.0d library, installed in the
      libnss3-0d package.
  * debian/libnss3-0d.links:
    + Remove links in /usr/lib/xulrunner. The workaround they were
      implementing is going to be done another way.
    + Add .0d links to .1d libraries.
  * debian/libnss3-dev.links:
    + Don't put a symlink for libsoftokn3.
    + .so files now link to .1d libraries.
  * debian/patches/80_security_build.dpatch: Remove the hack to load
    libfreebl from /usr/lib/nss.
  * debian/patches/85_security_load.dpatch: Load modules from $ORIGIN/nss.
  * debian/patches/10_3.11.7_symbol_fix.dpatch: Fix a symbol version.
    Stolen from bz#325672.
  * debian/patches/00list: Updated accordingly.
  * debian/libnss3-0d.dirs: Renamed to libnss3-1d.dirs.

 -- Mike Hommey  Sat, 08 Dec 2007 10:53:02 +0100

nss (3.11.7-1) unstable; urgency=low

  * New upstream release, picked from NSS_3_11_7_RTM cvs tag.
  * debian/patches/38_kbsd.dpatch: Also add support for the Hurd.
    Closes: #419529.
  * debian/rules:
    + Don't fail on clean with unpatched ruleset. Closes: #421542.
    + Bumped shlibs because of new symbols.
  * debian/patches/81_sonames.dpatch: Adapted to upstream changes.

 -- Mike Hommey  Sun, 01 Jul 2007 11:29:06 +0200

nss (3.11.5-3) unstable; urgency=low

  * Upload to unstable.

 -- Mike Hommey  Mon, 09 Apr 2007 20:37:25 +0200

nss (3.11.5-2) experimental; urgency=low

  * debian/rules:
    + Cleaner way to set the NSPR location.
    + Install libcrmf.a files in libnss3-dev.
    + binary-indep now does nothing.
  * debian/control: Make libnss3-dev an Arch: any package.
  * debian/nss.pc.in:
    + Remove libsoftokn3 from ld libraries.
    + Improvement in directories setting.
  * debian/libnss3-dev.dirs: Create /usr/bin.
  * debian/nss-config.in, debian/rules: Install a nss-config script into
    libnss3-dev.

 -- Mike Hommey  Tue, 27 Mar 2007 20:41:11 +0200

nss (3.11.5-1) experimental; urgency=low

  * Initial release. (Closes: #416151)

 -- Mike Hommey  Sun, 25 Mar 2007 23:56:17 +0200