pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/devel/nss Update to 3.45



details:   https://anonhg.NetBSD.org/pkgsrc/rev/2a970ed3bf8d
branches:  trunk
changeset: 398781:2a970ed3bf8d
user:      ryoon <ryoon%pkgsrc.org@localhost>
date:      Tue Jul 30 12:18:43 2019 +0000

description:
Update to 3.45

Changelog:
New Functions

    in pk11pub.h:
        PK11_FindRawCertsWithSubject - Finds all certificates on the given
slot with the given subject distinguished name and returns them as DER bytes.
If no such certificates can be found, returns SECSuccess and sets *results to
NULL. If a failure is encountered while fetching any of the matching
certificates, SECFailure is returned and *results will be NULL.

Notable Changes in NSS 3.45

    Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts)
        This adds a new experimental function: SSL_DelegateCredential
        Note: In 3.45, selfserv does not yet support delegated credentials.
See Bug 1548360.
        Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming
change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated
credential for better policy enforcement. See Bug 1563078.
    Bug 1550579 - Replace ARM32 Curve25519 implementation with one from
fiat-crypto
    Bug 1551129 - Support static linking on Windows
    Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding
certificates with a given subject on a given slot
    Bug 1546229 - Add IPSEC IKE support to softoken
    Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23)
    Bug 1543874 - Expose an external clock for SSL
        This adds new experimental functions: SSL_SetTimeFunc,
SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and
SSL_ReleaseAntiReplayContext.
        The experimental function SSL_InitAntiReplay is removed.
    Bug 1546477 - Various changes in response to the ongoing FIPS review
        Note: The source package size has increased substantially due to the
new FIPS test vectors. This will likely prompt follow-on work, but please
accept our apologies in the meantime.

Certificate Authority Changes

    The following CA certificates were Removed:
        Bug 1552374 - CN = Certinomis - Root CA
            SHA-256 Fingerprint:
2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158

Bugs fixed in NSS 3.45

    Bug 1540541 - Don't unnecessarily strip leading 0's from key material
during PKCS11 import (CVE-2019-11719)
    Bug 1515342 - More thorough input checking (CVE-2019-11729)
    Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
(CVE-2019-11727)
    Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from
lib/freebl/pqg.c (static analysis)
    Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from
lib/freebl/pqg.c  (static analysis)
    Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong
    Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags
could be faked. Only relevant for clients that might have copied the unit test
code verbatim
    Bug 1550022 - Ensure nssutil3 gets built on Android
    Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on
failure
    Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns
error
    Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures
    Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors
using NSS
    Bug 1553443 - Send session ticket only after handshake is marked as
finished
    Bug 1550708 - Fix gyp scripts on Solaris SPARC so that
libfreebl_64fpu_3.so builds
    Bug 1554336 - Optimize away unneeded loop in mpi.c
    Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor
specific mechanism
    Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
    Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
    Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey
    Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data
    Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work
    Bug 1561523 - Add a string for the new-ish error
SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION

diffstat:

 devel/nss/Makefile |   4 ++--
 devel/nss/distinfo |  10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (31 lines):

diff -r e8cdd592fc30 -r 2a970ed3bf8d devel/nss/Makefile
--- a/devel/nss/Makefile        Tue Jul 30 11:24:26 2019 +0000
+++ b/devel/nss/Makefile        Tue Jul 30 12:18:43 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.168 2019/06/22 03:54:04 ryoon Exp $
+# $NetBSD: Makefile,v 1.169 2019/07/30 12:18:43 ryoon Exp $
 
 DISTNAME=              nss-${NSS_RELEASE:S/.0$//}
-NSS_RELEASE=           3.44.1
+NSS_RELEASE=           3.45.0
 CATEGORIES=            security
 MASTER_SITES=          ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_DIST_DIR_VERSION:S/_0$//}_RTM/src/}
 
diff -r e8cdd592fc30 -r 2a970ed3bf8d devel/nss/distinfo
--- a/devel/nss/distinfo        Tue Jul 30 11:24:26 2019 +0000
+++ b/devel/nss/distinfo        Tue Jul 30 12:18:43 2019 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.97 2019/06/22 03:54:04 ryoon Exp $
+$NetBSD: distinfo,v 1.98 2019/07/30 12:18:43 ryoon Exp $
 
-SHA1 (nss-3.44.1.tar.gz) = 75c05f0a0677f47d8fd3848c8b8daa72c7e0b58a
-RMD160 (nss-3.44.1.tar.gz) = ecc7be154ece25fa55fe5f4dc221a97b94337395
-SHA512 (nss-3.44.1.tar.gz) = eb8777701a25b54377026633b6bf284e4c62308012058355f348a7c57525afe96db74a07de41ba01754e316a7dff06689de527359a5474ed7ab606779c4cf169
-Size (nss-3.44.1.tar.gz) = 75986343 bytes
+SHA1 (nss-3.45.tar.gz) = bfbb1b7b429c4dbe649ded90f73ec9dac6cd54b8
+RMD160 (nss-3.45.tar.gz) = 610ee052bdcba83f1d5d47c8fa20bb9947c820fa
+SHA512 (nss-3.45.tar.gz) = 33360a1bb4e0a0a974070c354ee82c515d5cfa2a12c9c96817a9fdb3e4ca1ad62eb95886b9b0d60e2f69efda964376d0671c1e3c920b2ea614aeecb719c6ff29
+Size (nss-3.45.tar.gz) = 76017462 bytes
 SHA1 (patch-am) = fea682bf03bc8b645049f93ed58554ca45f47aca
 SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69
 SHA1 (patch-md) = 8547c9414332c02221b96719dea1e09cb741f4d1



Home | Main Index | Thread Index | Old Index