lp://staging/ubuntu/lucid-security/nss

Created by James Westby and last modified
Get this branch:
bzr branch lp://staging/ubuntu/lucid-security/nss

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

34. By Marc Deslauriers

* SECURITY UPDATE: possible arbitrary code execution via race condition
  - debian/patches/CVE-2014-1544.patch: prevent
    nssTrustDomain_AddCertsToCache from freeing the CERTCertificate
    associated with the NSSCertificate in nss/lib/pk11wrap/pk11cert.c.
  - CVE-2014-1544

33. By Marc Deslauriers

* SECURITY UPDATE: incorrect IDNA wildcard handling
  - debian/patches/CVE-2014-1492.patch: conform to RFC 6125 in
    nss/lib/certdb/certdb.c.
  - CVE-2014-1492

32. By Marc Deslauriers

* SECURITY UPDATE: MITM attack via TLS False Start
  - CVE-2013-1740
* Adjusted packaging for new upstream release 3.15.4:
  - debian/patches/*: refreshed.
  - debian/libnss3-1d.symbols: added new symbols.

31. By Marc Deslauriers

* SECURITY UPDATE: New upstream release (LP: #1263135)
  - Distrusts AC DG Tresor SSL CA

30. By Marc Deslauriers

* SECURITY UPDATE: New upstream release to fix multiple security issues
  and add TLSv1.2 support.
  - CVE-2013-1739
  - CVE-2013-1741
  - CVE-2013-5605
  - CVE-2013-5606
* Adjusted packaging for 3.15.3:
  - debian/patches/*: refreshed.
  - debian/patches/01_dont_build_nspr.patch: removed, changed build
    options in debian/rules instead.
  - debian/libnss3-1d.symbols: added new symbols.
  - debian/rules: updated for new source layout.

29. By Jamie Strandboge

* SECURITY UPDATE: New upstream release to fix TLS timing side-channel
  attacks
  - CVE-2013-1620
* Remaining changes:
  - 98_ckbi-1.93.patch: Dropped (included upstream)
  - 01_dont_build_nspr.patch
  - 38_kbsd.patch: refresh/update
  - 80_security_build.patch
  - 85_security_load.patch
  - 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
* debian/libnss3.symbols: add NSS_3.14.3 symbols

28. By Jamie Strandboge

* New upstream release. Dropped the following patches:
  - debian/patches/25_entropy.patch (was bz51429 obsoleted by fix for
    bz174993)
  - debian/patches/38_mips64_build.patch (we don't build on mips)
  - debian/patches/90_realpath.patch (included upstream)
  - debian/patches/diginotar.patch (included upstream)
  - debian/patches/CVE-2012-0441.patch (included upstream)
* debian/patches/01_dont_build_nspr.patch: refresh
* debian/patches/38_kbsd.patch: refresh/update based on Debian
* debian/patches/80_security_build.patch: refresh
* debian/patches/85_security_load.patch: refresh/update based on Debian
* debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch: refresh/update based
  on Debian
* SECURITY UPDATE: distrust improperly issued TURKTRUST intermediate CAs
  - debian/patches/94_ckbi-1.9.patch: update to CKBI 1.93 by using
    mozilla/security/nss/lib/ckfw/builtins/certdata.txt from upstream and
    updating mozilla/security/nss/lib/ckfw/builtins/nssckbi.h. Apply this
    before 95_add_spi+cacert_ca_certs.patch since it keeps this patch clean
    and underscores that SPI and CACERT are not part of upstream Roots.
  - CVE-2013-0743
* debian/libnss3-0d.symbols: updated for *_3.12.10 through *_3.14.1

27. By Marc Deslauriers

* SECURITY UPDATE: denial of service in QuickDER decoder
  - debian/patches/CVE-2012-0441.patch: properly handle zero-length basic
    constraints and zero-length fields in
    nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c,
    nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c,
    nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c,
    nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h,
    nss/mozilla/security/nss/lib/util/quickder.c.
  - CVE-2012-0441
* debian/rules: added a workaround to get package built on more recent
  kernels.

26. By Micah Gersten

* SECURITY UPDATE: Add patch from Debian version 3.12.11-3 rebased against
  3.12.9 to remove the DigiNotar certificates and actively distrust them;
  Thanks to Mike Hommey from Debian for the original patch (LP: #837557)
  - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
    Explicitly distrust various DigiNotar CAs:
    - DigiNotar Root CA
    - DigiNotar Services 1024 CA
    - DigiNotar Cyber CA
    - DigiNotar Cyber CA 2nd
    - DigiNotar PKIoverheid
    - DigiNotar PKIoverheid G2
  - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
    Remove DigiNotar Root CA.

25. By Micah Gersten

* New upstream release v3.12.9 with updated ckbi module
  (NSS_3_12_9_WITH_CKBI_1_82_RTM)
  - SECURITY UPDATE: Update "builtin certificates" module (ckbi) to
    explicitly mark the recently issued and revoked fraudulent certificates
    as explicitly not trusted; NSS will report SEC_ERROR_UNTRUSTED_CERT when
    attempting to verify one of these fraudulent certificates (LP: #741729)
* Add new symbols
  - update debian/libnss3-1d.symbols

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/natty/nss
This branch contains Public information 
Everyone can see this information.
