pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/devel/nss Update to 3.45
details: https://anonhg.NetBSD.org/pkgsrc/rev/8971fe4b474b
branches: trunk
changeset: 336979:8971fe4b474b
user: ryoon <ryoon%pkgsrc.org@localhost>
date: Tue Jul 30 12:18:43 2019 +0000
description:
Update to 3.45
Changelog:
New Functions
in pk11pub.h:
PK11_FindRawCertsWithSubject - Finds all certificates on the given
slot with the given subject distinguished name and returns them as DER bytes.
If no such certificates can be found, returns SECSuccess and sets *results to
NULL. If a failure is encountered while fetching any of the matching
certificates, SECFailure is returned and *results will be NULL.
Notable Changes in NSS 3.45
Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts)
This adds a new experimental function: SSL_DelegateCredential
Note: In 3.45, selfserv does not yet support delegated credentials.
See Bug 1548360.
Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming
change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated
credential for better policy enforcement. See Bug 1563078.
Bug 1550579 - Replace ARM32 Curve25519 implementation with one from
fiat-crypto
Bug 1551129 - Support static linking on Windows
Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding
certificates with a given subject on a given slot
Bug 1546229 - Add IPSEC IKE support to softoken
Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23)
Bug 1543874 - Expose an external clock for SSL
This adds new experimental functions: SSL_SetTimeFunc,
SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and
SSL_ReleaseAntiReplayContext.
The experimental function SSL_InitAntiReplay is removed.
Bug 1546477 - Various changes in response to the ongoing FIPS review
Note: The source package size has increased substantially due to the
new FIPS test vectors. This will likely prompt follow-on work, but please
accept our apologies in the meantime.
Certificate Authority Changes
The following CA certificates were Removed:
Bug 1552374 - CN = Certinomis - Root CA
SHA-256 Fingerprint:
2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158
Bugs fixed in NSS 3.45
Bug 1540541 - Don't unnecessarily strip leading 0's from key material
during PKCS11 import (CVE-2019-11719)
Bug 1515342 - More thorough input checking (CVE-2019-11729)
Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
(CVE-2019-11727)
Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from
lib/freebl/pqg.c (static analysis)
Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from
lib/freebl/pqg.c (static analysis)
Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong
Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags
could be faked. Only relevant for clients that might have copied the unit test
code verbatim
Bug 1550022 - Ensure nssutil3 gets built on Android
Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on
failure
Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns
error
Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures
Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors
using NSS
Bug 1553443 - Send session ticket only after handshake is marked as
finished
Bug 1550708 - Fix gyp scripts on Solaris SPARC so that
libfreebl_64fpu_3.so builds
Bug 1554336 - Optimize away unneeded loop in mpi.c
Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor
specific mechanism
Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey
Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data
Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work
Bug 1561523 - Add a string for the new-ish error
SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
diffstat:
devel/nss/Makefile | 4 ++--
devel/nss/distinfo | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diffs (31 lines):
diff -r 751b48fb9d61 -r 8971fe4b474b devel/nss/Makefile
--- a/devel/nss/Makefile Tue Jul 30 11:24:26 2019 +0000
+++ b/devel/nss/Makefile Tue Jul 30 12:18:43 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.168 2019/06/22 03:54:04 ryoon Exp $
+# $NetBSD: Makefile,v 1.169 2019/07/30 12:18:43 ryoon Exp $
DISTNAME= nss-${NSS_RELEASE:S/.0$//}
-NSS_RELEASE= 3.44.1
+NSS_RELEASE= 3.45.0
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_DIST_DIR_VERSION:S/_0$//}_RTM/src/}
diff -r 751b48fb9d61 -r 8971fe4b474b devel/nss/distinfo
--- a/devel/nss/distinfo Tue Jul 30 11:24:26 2019 +0000
+++ b/devel/nss/distinfo Tue Jul 30 12:18:43 2019 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.97 2019/06/22 03:54:04 ryoon Exp $
+$NetBSD: distinfo,v 1.98 2019/07/30 12:18:43 ryoon Exp $
-SHA1 (nss-3.44.1.tar.gz) = 75c05f0a0677f47d8fd3848c8b8daa72c7e0b58a
-RMD160 (nss-3.44.1.tar.gz) = ecc7be154ece25fa55fe5f4dc221a97b94337395
-SHA512 (nss-3.44.1.tar.gz) = eb8777701a25b54377026633b6bf284e4c62308012058355f348a7c57525afe96db74a07de41ba01754e316a7dff06689de527359a5474ed7ab606779c4cf169
-Size (nss-3.44.1.tar.gz) = 75986343 bytes
+SHA1 (nss-3.45.tar.gz) = bfbb1b7b429c4dbe649ded90f73ec9dac6cd54b8
+RMD160 (nss-3.45.tar.gz) = 610ee052bdcba83f1d5d47c8fa20bb9947c820fa
+SHA512 (nss-3.45.tar.gz) = 33360a1bb4e0a0a974070c354ee82c515d5cfa2a12c9c96817a9fdb3e4ca1ad62eb95886b9b0d60e2f69efda964376d0671c1e3c920b2ea614aeecb719c6ff29
+Size (nss-3.45.tar.gz) = 76017462 bytes
SHA1 (patch-am) = fea682bf03bc8b645049f93ed58554ca45f47aca
SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69
SHA1 (patch-md) = 8547c9414332c02221b96719dea1e09cb741f4d1
Home |
Main Index |
Thread Index |
Old Index