| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: mozilla-nss-sysinit | Distribution: openSUSE Tumbleweed |
| Version: 3.121 | Vendor: openSUSE |
| Release: 1.2 | Build date: Mon Mar 23 13:37:54 2026 |
| Group: System/Management | Build host: reproducible |
| Size: 36569 | Source RPM: mozilla-nss-3.121-1.2.src.rpm |
| Packager: https://bugs.opensuse.org | |
| Url: https://www.mozilla.org/projects/security/pki/nss/ | |
| Summary: System NSS Initialization | |
Default Operation System module that manages applications loading NSS globally on the system. This module loads the system defined PKCS #11 modules for NSS and chains with other NSS modules to load any system or user configured modules.
MPL-2.0
* Mon Mar 23 2026 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.121
* bmo#2017366 - update vendored zlib to v1.3.2.
* bmo#2012645 - Revert the unnecessary changes to intel-gcm-wrap.gyp.
* bmo#2012645 - Use C fallback for AES-GCM on MinGW builds.
* bmo#2005669 - fix ML-KEM PCT.
* bmo#2017008 - Extend NSS Fuzzing docs.
* bmo#2009552 - avoid integer overflow in platform-independent ghash.
* bmo#2003189 - Fix errant whitespace in OISTE Server Root RSA G1 nickname.
* bmo#2012313 - fix build with glibc-2.43 assignment discards 'const'
qualifier from pointer.
* bmo#2013188 - add gcm.gyp dependency for Solaris SPARC builds.
* bmo#2010389 - Set nssckbi version to 2.84.
* bmo#2010389 - Add e-Szigno TLS Root CA 2023 to NSS.
* bmo#2005516 - allow manual selection of CPU_ARCH=x86_64 and ppc64
in coreconf/Darwin.mk.
* bmo#2009998 - Update cryptofuzz version.
* bmo#2001167 - Paranoia assert.
* bmo#2000737 - Darwin compatibility for intel-aes.S and intel-gcm.S.
* bmo#2000737 - rename intel-{aes,gcm}.s to .S.
* bmo#2000737 - rename C files for platform-specific ghash implementations.
* bmo#2000737 - simplify compilation of platform-specific GCM and GHASH.
* bmo#2007911 - FORWARD_NULL null deref of worker in p7decode.c
(sec_pkcs7_decoder_abort_digests).
* bmo#2008112 - Out-of-Bounds Read in ML-DSA Private Key Parsing
(zero-length privateKey).
* Sun Feb 22 2026 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.120.1
* no upstream releasenotes
* Mon Jan 12 2026 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.120
* bmo#2008768 - Fix docs generation bug.
* bmo#2007908 - CID 1678226: Dereferencing null pointer plaintext.data().
* bmo#2004694 - Run PKCS12 fuzz target with --fuzz=tls in CI.
* bmo#1978603 - Allowing RT be started several times.
* bmo#2005751 - move linux decision and build tasks to d2g worker pools.
- Revert back to original naming scheme of tarballs
* Tue Dec 16 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.119.1
* bmo#2004866 - restore coreconf/Darwin.mk behavior for intel archs
- update to NSS 3.119
* bmo#1983320 - Fix ml-dsa return value for SECKEY_PrivateKeyStrengthInBits.
* bmo#1986352 - Make sure we don't accept ECH if the HRR cookie is ill-formatted.
* bmo#2002246 - Add a pkcs12 fuzzer with crypto stubbed out.
* bmo#2003314 - handle errors while setting sanitizers cflags in build.
* bmo#1986912 - Ignore IVs for AES KW.
* bmo#2003286 - Update Cryptofuzz version.
* bmo#2001932 - Fix incorrect logic for SNI selection when ECH is available but disabled.
* bmo#1975855 - fix forwarding of sqlite_libs in sqlite.gyp.
* bmo#1999204 - fix CPU_ARCH setting for arm64 makefile builds.
* bmo#1998094 - remove unused calcThreads variable from cmd/rsaperf.
* bmo#1978348 - Solving the incorrect tests introduced by extending EKU.
* bmo#1972054 - Memory leaks in pkcs12 and pkcs7 decoders.
* bmo#1978348 - Extending parsing with Microsoft Document Signing EKU.
* bmo#1978348 - Extending parsing with Adobe Document Signing EKU.
* bmo#1978348 - Extending pkix parsing with document signing EKUs.
* bmo#2000737 - fix compilation failure on ia32.
* bmo#2000737 - use hardware x64 GCM in static builds.
* bmo#2000737 - separate ppc sha512 library from ppc gcm library.
* bmo#2000737 - simplify cross-compilation from build.sh.
* bmo#1724353 - use clang's integrated assembler.
* bmo#2000737 - remove unused MP_IS_LITTLE_ENDIAN defines.
* bmo#2000737 - fix logic for disabling altivec in gyp builds.
* bmo#1964722 - free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
* bmo#1972825 - Add TLS interoperability tests with openssl and gnutls.
* bmo#1314849 - Ensure we don't send a DTLS1.3 cookie after DTLS1.2 HelloVerifyRequest.
* bmo#1965329 - add failure checks to pk11_mergeTrust() .
* bmo#1999517 - pk11wrap selects incorrect slot for CKM_ML_KEM*.
- Adjusted for changed naming scheme of tarballs for this release by upstream
* Thu Nov 20 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.118.1
* bmo#1999517 - pk11wrap selects incorrect slot for CKM_ML_KEM*
- update to NSS 3.118
* bmo#1994866 - Remove four Commscope root certificates from NSS
* bmo#1996036 - fix try pushes with --nspr-patch to actually apply the patch
* bmo#1995512 - Support for NIST Curves compressed points
* bmo#1985058 - Destroy certificate on error paths
* bmo#1990242 - Move NSS DB password hash away from SHA-1
* bmo#1983313 - support secp384r1mlkem1024
* bmo#1991549 - vendor latest ML-KEM code from libcrux
* bmo#1991549 - add mlk-kem-1024 tests
* bmo#1996717 - use the correct directory for FStar_UInt_8_16_32_64.h in source consistency test
* bmo#1766767 - Move scripts to python3
* bmo#1983313 - add mlkem1024 support in freebl
* bmo#1983313 - support secp256r1mlkem768
* bmo#1983313 - Make mlkem768x25519 the default
* bmo#1983320 - ML-DSA SGN and VFY interfaces
* bmo#1988625 - Align FIPS interfaces count with array
* bmo#1989477 - Ensure CKK_ML_KEM has derive CK_FALSE
* bmo#1992128 - Add script for tagging an NSS release
* bmo#1992128 - Remove the globals from nss-release-helper.py
* bmo#1992128 - Add release helper command for generating the release index
* bmo#1992128 - Add release helper command for generating a release note
* bmo#1992128 - Add release helper command for freezing a branch
* Tue Oct 07 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.117
* bmo#1992218 - fix memory leak in secasn1decode_unittest.cc
* bmo#1988913 - Add OISTE roots
* bmo#1976051 - Add runbook for certdata.txt changes
* bmo#1991666 - dbtool: close databases before shutdown
* bmo#1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates
* bmo#1956754 - don’t flush base64 when buffer is null
* bmo#1989541 - Set use_pkcs5_pbkd2_params2_only=1 for fuzzing builds
* bmo#1989480 - mozilla::pkix: recognize the qcStatements extension for QWACs
* bmo#1980465 - Fix a big-endian-problematic cast in zlib calls
* bmo#1962321 - Revert removing out/ directory after ossfuzz build
* bmo#1988524 - Add Cryptofuzz to OSS-Fuzz build
* bmo#1984704 - Add PKCS#11 trust tests
* bmo#1983308 - final disable dsa patch cert.sh
* bmo#1983320 - ml-dsa: move tls 1.3 to use streaming signatures
* bmo#1983320 - ml-dsa: Prep Create a FindOidTagByString function
* bmo#1983320 - ml-dsa: softoken changes
* bmo#1983320 - ml-dsa: der key decode
* bmo#1983320 - ml-dsa: Prep colapse the overuse of keyType outside of pk11wrap and cryptohi
* bmo#1983320 - ml-dsa: Prep Create a CreateSignatureAlgorithmID function
* Tue Oct 07 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.116
* bmo#1983308 - disable DSA in NSS script tests
* bmo#1983308 - Disabling of some algorithms: generic cert.sh
* bmo#1981046 - Need to update to new mechanisms
* bmo#1983320 - Add ML-DSA public key printing support in NSS command-line utilities
* bmo#1986802 - note embedded scts before revocation checks are performed
* bmo#1983320 - Add support for ML-DSA keys and mechanisms in PKCS#11 interface
* bmo#1983320 - Add support for ML-DSA key type and public key structure
* bmo#1983320 - Enable ML-DSA integration via OIDs support and SECMOD flag
* bmo#1983308 - disable kyber
* bmo#1965329 - Implement PKCS #11 v3.2 PQ functions (use verify signature)
* bmo#1983308 - Disable dsa - gtests
* bmo#1983313 - make group and scheme support in test tools generic
* bmo#1983770 - Create GH workflow to automatically close PRs
* bmo#1983308 - Disable dsa - base code
* bmo#1983308 - Disabling of some algorithms: remove dsa from pk11_mode
* bmo#1983308 - Disable seed and RC2 bug fixes
* bmo#1982742 - restore support for finding certificates by decoded serial number
* bmo#1984165 - avoid CKR_BUFFER_TO_SMALL error in trust lookups
* bmo#1983399 - lib/softtoken/{sdb.c,sftkdbti.h}: Align sftkdb_known_attributes_size type
* bmo#1965329 - Use PKCS #11 v3.2 KEM mechanisms and functions
* Fri Aug 22 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.115.1
* bmo#1982742 - restore support for finding certificates by decoded serial number.
* bmo#1984165 - avoid CKR_BUFFER_TO_SMALL error in trust lookups.
* Mon Aug 18 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.115
* bmo#1970304 - CID 1648399 - Resource leak in shlibsign.c
* bmo#1981034 - CKA_SEED needs to be marked as a private attribute
* bmo#1981518 - Fix bad syntax on Windows in softoken_gtest.cc
* bmo#1974505 - Key private/public/secret keys by key type in softoken keydb
* bmo#1980990 - add PK11_HPKE_GetSharedSecret to abi-check expected report
* bmo#1980429 - remove NetscapeStepUpMatchesServerAuth from mozpkix TrustDomain
* bmo#1927351 - Fixup ABI
* bmo#1927351 - add ECH_SECRET and ECH_CONFIG to SSLKEYLOG for both client and server
* bmo#1900841 - ECH fuzz target
* bmo#1965331 - Implement PKCS #11 v3.2 FIPS indicator and validation objects
* bmo#1978677 - remove expired explicitly distrusted DigiNotar lookalike root
* bmo#1965329 - Implement PKCS #11 v3.2 functions
- update to NSS 3.114
* bmo#1977376 - NSS 3.114 source distribution should include NSPR 4.37
* bmo#1970079 - Prevent leaks during pkcs12 decoding
* bmo#1953731 - Remove redundant assert in p7local.c
* bmo#1974515 - Bump nssckbi version to 2.80
* bmo#1961848 - Remove expired Baltimore CyberTrust Root
* bmo#1972391 - Add TrustAsia Dedicated Roots to NSS
* bmo#1974511 - Add SwissSign 2022 Roots to NSS
* bmo#1836559 - Add backwards compatibility for CK_PKCS5_PBKD2_PARAMS
* bmo#1965328 - Implement PKCS #11 v3.2 trust objects in softoken
* bmo#1965328 - Implement PKCS #11 v3.2 trust objects - nss proper
* bmo#1974331 - remove dead code in ssl3con.c
* bmo#1934867 - DTLS (excl DTLS1.3) Changing Holddown timer logic
* bmo#1974299 - Bump nssckbi version to 2.79
* bmo#1967826 - remove unneccessary assertion
* bmo#1948485 - Update mechanisms for Softoken PCT
* bmo#1974299 - convert Chunghwa Telecom ePKI Root removal to a distrust after
* bmo#1973925 - Ensure ssl_HaveRecvBufLock and friends respect opt.noLocks
* bmo#1973930 - use -O2 for asan build
* bmo#1973187 - Fix leaking locks when toggling SSL_NO_LOCKS
* bmo#1973105 - remove out-of-function semicolon
* bmo#1963009 - Extend pkcs8 fuzz target
* bmo#1963008 - Extend pkcs7 fuzz target
* bmo#1908763 - Remove unused assignment to pageno
* bmo#1908762 - Remove unused assignment to nextChunk
* bmo#1973490 - don't run commands as part of shell `local` declarations
* bmo#1973490 - fix sanitizer setup
* bmo#1973187 - don't silence ssl_gtests output when running with coverage
* bmo#1967411 - Release docs and housekeeping
* bmo#1972768 - migrate to new linux tester pool
- rebase FIPS patches to adjust for upstream FIPS work
* Mon Jul 21 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.113
* bmo#1963792 - Fix alias for mac workers on try.
* bmo#198090 - Part 1: Use AES in the SDR (NSS) r=simonf,nss-reviewers,rrelyea
* bmo#1968764 - Bump nssckbi version to 2.78.
* bmo#1967548 - Turn off Websites Trust Bit for Chunghwa Telecom ePKI Root in FF 141.
* bmo#1965556 - fix frame pointers in intel-gcm.s.
* bmo#1971510 - Typo in release notes for NSS 101.4.
* bmo#1968665 - Improve nss-release-helper.py.
* bmo#1930800 - shlibsign is broken in System FIPS mode.
* bmo#1954612 - Need up update NSS for PKCS 3.1: Move IPSEC to 3.1
* bmo#1965327 - PKCS #11 v3.2 header files.
* Wed Jun 25 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.112
* bmo#1963792 - Fix alias for mac workers on try
* bmo#1966786 - ensure all options can be configured with
SSL_OptionSet and SSL_OptionSetDefault
* bmo#1931930 - ABI/API break in ssl certificate processing
* bmo#1955971 - remove unnecessary assertion in
sec_asn1d_init_state_based_on_template.
* bmo#1965754 - update taskgraph to v14.2.1.
* bmo#1964358 - Workflow for automation of the release on GitHub
when pushing a tag
* bmo#1952860 - fix faulty assertions in SEC_ASN1DecoderUpdate
* bmo#1934877 - Renegotiations should use a fresh ECH GREASE buffer
* bmo#1951396 - update taskgraph to v14.1.1
* bmo#1962503 - Partial fix for ACVP build CI job
* bmo#1961827 - Initialize find in sftk_searchDatabase
* bmo#1963121 - Add clang-18 to extra builds
* bmo#1963044 - Fault tolerant git fetch for fuzzing
* bmo#1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp
* bmo#1962770 - fix compiler warnings when DEBUG_ASN1D_STATES or
CMSDEBUG are set
* bmo#1961835 - fix content type tag check in
NSS_CMSMessage_ContainsCertsOrCrls.
* bmo#1963102 - Remove Cryptofuzz CI version check
- Modify bmo1962556.patch to catch OBS specific errors
* Tue Apr 29 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.110
* bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
* bmo#1954724 - Prevent excess allocations in sslBuffer_Grow
* bmo#1953429 - Remove Crl templates from ASN1 fuzz target
* bmo#1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target
* bmo#1952855 - Fix memory leak in NSS_CMSMessage_IsSigned
* bmo#1930807 - NSS policy updates
* bmo#1951161 - Improve locking in nssPKIObject_GetInstances
* bmo#1951394 - Fix race in sdb_GetMetaData
* bmo#1951800 - Fix member access within null pointer
* bmo#1950077 - Increase smime fuzzer memory limit
* bmo#1949677 - Enable resumption when using custom extensions
* bmo#1952568 - change CN of server12 test certificate
* bmo#1949118 - Part 2: Add missing check in
NSS_CMSDigestContext_FinishSingle
* bmo#1949118 - Part 1: Fix smime UBSan errors
* bmo#1930806 - FIPS changes need to be upstreamed: updated key checks
* bmo#1951491 - Don't build libpkix in static builds
* bmo#1951395 - handle `-p all` in try syntax
* bmo#1951346 - fix opt-make builds to actually be opt
* bmo#1951346 - fix opt-static builds to actually be opt
* bmo#1916439 - Remove extraneous assert
- Removed upstreamed nss-fips-stricter-dh.patch
- Added bmo1962556.patch to fix test failures
- Rebased nss-fips-approved-crypto-non-ec.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch
* Sun Mar 30 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.109
* bmo#1939512 - Call BL_Init before RNG_RNGInit() so that special
SHA instructions can be used if available
* bmo#1930807 - NSS policy updates - fix inaccurate key policy issues
* bmo#1945883 - SMIME fuzz target
* bmo#1914256 - ASN1 decoder fuzz target
* bmo#1936001 - Part 2: Revert “Extract testcases from ssl gtests
for fuzzing”
* bmo#1915155 - Add fuzz/README.md
* bmo#1936001 - Part 4: Fix tstclnt arguments script
* bmo#1944545 - Extend pkcs7 fuzz target
* bmo#1912320 - Extend certDN fuzz target
* bmo#1944300 - revert changes to HACL* files from bug 1866841
* bmo#1936001 - Part 3: Package frida corpus script
* Wed Mar 05 2025 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Updated nss-fips-approved-crypto-non-ec.patch to not pass in
bad targetKeyLength parameters when checking for FIPS approval
after keygen. This was causing false rejections.
- Updated nss-fips-approved-crypto-non-ec.patch to approve
RSA signature verification mechanisms with PKCS padding and
legacy moduli (bsc#1222834).
* Sun Mar 02 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.108
* bmo#1923285 - libclang-16 -> libclang-19
* bmo#1939086 - Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1
* bmo#1937332 - Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2
* bmo#1915902 - Remove SwissSign Silver CA – G2
* bmo#1938245 - Add D-Trust 2023 TLS Roots to NSS
* bmo#1942301 - fix fips test failure on windows
* bmo#1935925 - change default sensitivity of KEM keys
* bmo#1936001 - Part 1: Introduce frida hooks and script
* bmo#1942350 - add missing arm_neon.h include to gcm.c
* bmo#1831552 - ci: update windows workers to win2022
* bmo#1831552 - strip trailing carriage returns in tools tests
* bmo#1880256 - work around unix/windows path translation issues
in cert test script
* bmo#1831552 - ci: let the windows setup script work without $m
* bmo#1880255 - detect msys
* bmo#1936680 - add a specialized CTR_Update variant for AES-GCM
* bmo#1930807 - NSS policy updates
* bmo#1930806 - FIPS changes need to be upstreamed: FIPS 140-3 RNG
* bmo#1930806 - FIPS changes need to be upstreamed: Add SafeZero
* bmo#1930806 - FIPS changes need to be upstreamed - updated POST
* bmo#1933031 - Segmentation fault in SECITEM_Hash during pkcs12 processing
* bmo#1929922 - Extending NSS with LoadModuleFromFunction functionality
* bmo#1935984 - Ensure zero-initialization of collectArgs.cert
* bmo#1934526 - pkcs7 fuzz target use CERT_DestroyCertificate
* bmo#1915898 - Fix actual underlying ODR violations issue
* bmo#1184059 - mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens
* bmo#1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if
NSS_DISABLE_DBM is set
* bmo#1934526 - Fix memory leak in pkcs7 fuzz target
* bmo#1934529 - Set -O2 for ASan builds in CI
* bmo#1934543 - Change branch of tlsfuzzer dependency
* bmo#1915898 - Run tests in CI for ASan builds with detect_odr_violation=1
* bmo#1934241 - Fix coverage failure in CI
* bmo#1934213 - Add fuzzing for delegated credentials, DTLS short
header and Tls13BackendEch
* bmo#1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and
SSL_SetDtls13VersionWorkaround
* bmo#1913677 - Part 3: Restructure fuzz/
* bmo#1931925 - Extract testcases from ssl gtests for fuzzing
* bmo#1923037 - Force Cryptofuzz to use NSS in CI
* bmo#1923037 - Fix Cryptofuzz on 32 bit in CI
* bmo#1933154 - Update Cryptofuzz repository link
* bmo#1926256 - fix build error from 9505f79d
* bmo#1926256 - simplify error handling in get_token_objects_for_cache
* bmo#1931973 - nss doc: fix a warning
* bmo#1930797 - pkcs12 fixes from RHEL need to be picked up
- remove obsolete patches
* nss-fips-safe-memset.patch
* nss-bmo1930797.patch
* Tue Jan 07 2025 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.107
* bmo#1923038 - Remove MPI fuzz targets.
* bmo#1925512 - Remove globals `lockStatus` and `locksEverDisabled`.
* bmo#1919015 - Enable PKCS8 fuzz target.
* bmo#1923037 - Integrate Cryptofuzz in CI.
* bmo#1913677 - Part 2: Set tls server target socket options in config class
* bmo#1913677 - Part 1: Set tls client target socket options in config class
* bmo#1913680 - Support building with thread sanitizer.
* bmo#1922392 - set nssckbi version number to 2.72.
* bmo#1919913 - remove Websites Trust Bit from Entrust Root
Certification Authority - G4.
* bmo#1920641 - remove Security Communication RootCA3 root cert.
* bmo#1918559 - remove SecureSign RootCA11 root cert.
* bmo#1922387 - Add distrust-after for TLS to Entrust Roots.
* bmo#1927096 - update expected error code in pk12util pbmac1 tests.
* bmo#1929041 - Use random tstclnt args with handshake collection script
* bmo#1920466 - Remove extraneous assert in ssl3gthr.c.
* bmo#1928402 - Adding missing release notes for NSS_3_105.
* bmo#1874451 - Enable the disabled mlkem tests for dtls.
* bmo#1874451 - NSS gtests filter cleans up the constucted buffer
before the use.
* bmo#1925505 - Make ssl_SetDefaultsFromEnvironment thread-safe.
* bmo#1925503 - Remove short circuit test from ssl_Init.
* Wed Dec 11 2024 Adrian Schröter <adrian@suse.de>
- fix build on loongarch64 (setting it as 64bit arch)
* Tue Nov 26 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Remove upstreamed bmo-1400603.patch
- Added nss-bmo1930797.patch to fix failing tests in testsuite
* Thu Nov 21 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.106
* bmo#1925975 - NSS 3.106 should be distributed with NSPR 4.36.
* bmo#1923767 - pk12util: improve error handling in p12U_ReadPKCS12File.
* bmo#1899402 - Correctly destroy bulkkey in error scenario.
* bmo#1919997 - PKCS7 fuzz target, r=djackson,nss-reviewers.
* bmo#1923002 - Extract certificates with handshake collection script.
* bmo#1923006 - Specify len_control for fuzz targets.
* bmo#1923280 - Fix memory leak in dumpCertificatePEM.
* bmo#1102981 - Fix UBSan errors for SECU_PrintCertificate and
SECU_PrintCertificateBasicInfo.
* bmo#1921528 - add new error codes to mozilla::pkix for Firefox to use.
* bmo#1921768 - allow null phKey in NSC_DeriveKey.
* bmo#1921801 - Only create seed corpus zip from existing corpus.
* bmo#1826035 - Use explicit allowlist for for KDF PRFS.
* bmo#1920138 - Increase optimization level for fuzz builds.
* bmo#1920470 - Remove incorrect assert.
* bmo#1914870 - Use libFuzzer options from fuzz/options/\*.options in CI.
* bmo#1920945 - Polish corpus collection for automation.
* bmo#1917572 - Detect new and unfuzzed SSL options.
* bmo#1804646 - PKCS12 fuzzing target.
- requires NSPR 4.36
* Sat Oct 26 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.105
* bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key
* bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c
* bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds
* bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* bmo#1918767 - override default definition of KRML_MUSTINLINE
* bmo#1916525 - libssl support for mlkem768x25519
* bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap
* bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL
* bmo#1911912 - Avoid misuse of ctype(3) functions
* bmo#1917311 - part 2: run clang-format
* bmo#1917311 - part 1: upgrade to clang-format 13
* bmo#1916953 - clang-format fuzz
* bmo#1910370 - DTLS client message buffer may not empty be on retransmit
* bmo#1916413 - Optionally print config for TLS client and server
fuzz target
* bmo#1916059 - Fix some simple documentation issues in NSS.
* bmo#1915439 - improve performance of NSC_FindObjectsInit when
template has CKA_TOKEN attr
* bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
* Sun Sep 29 2024 ecsos <ecsos@opensuse.org>
- Fix build error under Leap by rebasing nss-fips-safe-memset.patch.
* Sat Sep 28 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.104
* bmo#1910071 - Copy original corpus to heap-allocated buffer
* bmo#1910079 - Fix min ssl version for DTLS client fuzzer
* bmo#1908990 - Remove OS2 support just like we did on NSPR
* bmo#1910605 - clang-format NSS improvements
* bmo#1902078 - Adding basicutil.h to use HexString2SECItem function
* bmo#1908990 - removing dirent.c from build
* bmo#1902078 - Allow handing in keymaterial to shlibsign to make
the output reproducible
* bmo#1908990 - remove nec4.3, sunos4, riscos and SNI references
* bmo#1908990 - remove other old OS (BSDI, old HP UX, NCR,
openunix, sco, unixware or reliantUnix
* bmo#1908990 - remove mentions of WIN95
* bmo#1908990 - remove mentions of WIN16
* bmo#1913750 - More explicit directory naming
* bmo#1913755 - Add more options to TLS server fuzz target
* bmo#1913675 - Add more options to TLS client fuzz target
* bmo#1835240 - Use OSS-Fuzz corpus in NSS CI
* bmo#1908012 - set nssckbi version number to 2.70.
* bmo#1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert.
* bmo#1908009 - Remove Email Trust bit from certSIGN ROOT CA.
* bmo#1908006 - Add Cybertrust Japan Roots to NSS.
* bmo#1908004 - Add Taiwan CA Roots to NSS.
* bmo#1911354 - remove search by decoded serial in
nssToken_FindCertificateByIssuerAndSerialNumber
* bmo#1913132 - Fix tstclnt CI build failure
* bmo#1913047 - vfyserv: ensure peer cert chain is in db for
CERT_VerifyCertificateNow
* bmo#1912427 - Enable all supported protocol versions for UDP
* bmo#1910361 - Actually use random PSK hash type
* bmo#1911576 - Initialize NSS DB once
* bmo#1910361 - Additional ECH cipher suites and PSK hash types
* bmo#1903604 - Automate corpus file generation for TLS client Fuzzer
* bmo#1910364 - Fix crash with UNSAFE_FUZZER_MODE
* bmo#1910605 - clang-format shlibsign.c
- remove obsolete nss-reproducible-builds.patch
* Tue Aug 13 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.103
* bmo#1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
* bmo#1899542 - Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* bmo#1909638 - Follow-up to fix test for presence of file nspr.patch.
* bmo#1903783 - Adjust libFuzzer size limits
* bmo#1899542 - Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* bmo#1899542 - Add fuzzing support for SSL_ENABLE_GREASE and
SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Add nss-reproducible-builds.patch to make the rpms reproducible,
by using a hardcoded, static key to generate the checksums (*.chk-files)
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
* Fri Aug 02 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.102.1
* bmo#1905691 - ChaChaXor to return after the function
- update to NSS 3.102
* bmo#1880351 - Add Valgrind annotations to freebl Chacha20-Poly1305.
* bmo#1901932 - missing sqlite header.
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* bmo#1615298 - improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* bmo#1660676 - correct length of raw SPKI data before printing in pp utility.
* Mon Jul 29 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
depends on it and will create a broken, empty config, if sed is
missing (bsc#1227918)
* Wed Jul 10 2024 Hans Petter Jansson <hpj@suse.com>
- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
- Updated nss-fips-approved-crypto-non-ec.patch and
nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
bsc#1222828, bsc#1222834.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.
* Mon Jul 01 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.101.1
* bmo#1901932 - missing sqlite header.
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* Mon Jun 10 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.101
* bmo#1900413 - add diagnostic assertions for SFTKObject refcount.
* bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed
* bmo#1899883 - fix formatting issues.
* bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS.
* bmo#1899593 - remove invalid acvp fuzz test vectors.
* bmo#1898830 - pad short P-384 and P-521 signatures gtests.
* bmo#1898627 - remove unused FreeBL ECC code.
* bmo#1898830 - pad short P-384 and P-521 signatures.
* bmo#1898825 - be less strict about ECDSA private key length.
* bmo#1854439 - Integrate HACL* P-521.
* bmo#1854438 - Integrate HACL* P-384.
* bmo#1898074 - memory leak in create_objects_from_handles.
* bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix
* bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* bmo#1748105 - clean up escape handling
* bmo#1896353 - Use lib::pkix as default validator instead of the old-one
* bmo#1827444 - Need to add high level support for PQ signing.
* bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
* bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* bmo#1893404 - Allow for non-full length ecdsa signature when using softoken
* bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects
* bmo#1793811 - Implement support for PBMAC1 in PKCS#12
* bmo#1897487 - disable VLA warnings for fuzz builds.
* bmo#1895032 - remove redundant AllocItem implementation.
* bmo#1893334 - add PK11_ReadDistrustAfterAttribute.
* bmo#215997 - Clang-formatting of SEC_GetMgfTypeByOidTag update
* bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
* bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile.
* bmo#1830415 - Switch to the mozillareleases/image_builder image
- Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain)
- Remove part of nss-fips-zeroization.patch that got removed upstream
* Fri May 24 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
when using FIPS-mode (bsc#1223724).
- Added "Provides: nss" so other RPMs that require 'nss' can
be installed (jira PED-6358).
* Wed May 08 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.100
- bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for
faster Xyber operations.
- bmo#1893752 - remove ckcapi.
- bmo#1893162 - avoid a potential PK11GenericObject memory leak.
- bmo#671060 - Remove incomplete ESDH code.
- bmo#215997 - Decrypt RSA OAEP encrypted messages.
- bmo#1887996 - Fix certutil CRLDP URI code.
- bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
- bmo#676118 - Add ability to encrypt and decrypt CMS messages using ECDH.
- bmo#676100 - Correct Templates for key agreement in smime/cmsasn.c.
- bmo#1548723 - Moving the decodedCert allocation to NSS.
- bmo#1885404 - Allow developers to speed up repeated local execution
of NSS tests that depend on certificates.
* Thu Apr 04 2024 Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.99
* Removing check for message len in ed25519 (bmo#1325335)
* add ed25519 to SECU_ecName2params. (bmo#1884276)
* add EdDSA wycheproof tests. (bmo#1325335)
* nss/lib layer code for EDDSA. (bmo#1325335)
* Adding EdDSA implementation. (bmo#1325335)
* Exporting Certificate Compression types (bmo#1881027)
* Updating ACVP docker to rust 1.74 (bmo#1880857)
* Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
* Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
* Sat Mar 16 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.98
* bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
in TLS
* bmo#1879513 - Certificate Compression: enabling the check that
the compression was advertised
* bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
* bmo#1879945 - Remove Email trust bit from OISTE WISeKey
Global Root GC CA
* bmo#1877344 - Replace `distutils.spawn.find_executable` with
`shutil.which` within `mach` in `nss`
* bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
support Certificate compression
* bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
* bmo#1875356 - Add valgrind annotations to freebl kyber operations
for constant-time execution tests
* bmo#1870673 - Set nssckbi version number to 2.66
* bmo#1874017 - Add Telekom Security roots
* bmo#1873095 - Add D-Trust 2022 S/MIME roots
* bmo#1865450 - Remove expired Security Communication RootCA1 root
* bmo#1876179 - move keys to a slot that supports concatenation in
PK11_ConcatSymKeys
* bmo#1876800 - remove unmaintained tls-interop tests
* bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
flags
* bmo#1874937 - bogo: add support for the -curves shim flag and
update Kyber expectations
* bmo#1874937 - bogo: adjust expectation for a key usage bit test
* bmo#1757758 - mozpkix: add option to ignore invalid subject
alternative names
* bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
* bmo#1876390 - take ownership of ecckilla shims
* bmo#1874458 - add valgrind annotations to freebl/ec.c
* bmo#864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
* bmo#1875965 - Update zlib to 1.3.1
* Thu Feb 29 2024 Pedro Monreal <pmonreal@suse.com>
- Add crypto-policies support [bsc#1211301]
deactivated for now
* Fri Feb 23 2024 pgajdos@suse.com
- Use %patch -P N instead of deprecated %patchN.
* Tue Feb 20 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.97
* bmo#1875506 - make Xyber768d00 opt-in by policy
* bmo#1871631 - add libssl support for xyber768d00
* bmo#1871630 - add PK11_ConcatSymKeys
* bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken
* bmo#1871152 - add a FreeBL API for Kyber
* bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
* bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo
* bmo#1835828 - Removing the calls to RSA Blind from loader.*
* bmo#1874111 - fix worker type for level3 mac tasks
* bmo#1835828 - RSA Blind implementation
* bmo#1869642 - Remove DSA selftests
* bmo#1873296 - read KWP testvectors from JSON
* bmo#1822450 - Backed out changeset dcb174139e4f
* bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
* bmo#1871219 - Wrap CC shell commands in gyp expansions
* Sun Jan 21 2024 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.96.1
* bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
* bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
* bmo#1867408 - add a defensive check for large ssl_DefSend return values
* bmo#1869378 - Add dependency to the taskcluster script for Darwin
* bmo#1869378 - Upgrade version of the MacOS worker for the CI
* Tue Dec 26 2023 Christian Boltz <suse-beta@cboltz.de>
- add nss-allow-slow-tests-s390x.patch: "certutil dump keys with
explicit default trust flags" test needs longer than the allowed
6 seconds on s390x
* Sun Dec 17 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.95
* bmo#1842932 - Bump builtins version number.
* bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion
Firmaprofesional CIF A62634068 root cert.
* bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates
* bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS.
* bmo#1850982 - Remove Camerfirma root certificates from NSS.
* bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional
Certificate.
* bmo#1860670 - Add four Commscope root certificates to NSS.
* bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
* bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL*
* bmo#1861728 - Include P-256 Scalar Validation from HACL*.
* bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes
256 ECC without DER wrapping at the softoken level
* bmo#1837987 - Add means to provide library parameters to C_Initialize
* bmo#1573097 - clang format
* bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
* bmo#1858241 - Typo in ssl3_AppendHandshakeNumber
* bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber
* bmo#1573097 - Fix Invalid casts in instance.c
* Tue Oct 24 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.94
* bmo#1853737 - Updated code and commit ID for HACL*
* bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
current NSS
* bmo#1827303 - Softoken C_ calls should use system FIPS setting
to select NSC_ or FC_ variants
* bmo#1774659 - NSS needs a database tool that can dump the low level
representation of the database
* bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
* bmo#1852179 - avoid implicit conversion for ByteString
* bmo#1818766 - update rust version for acvp docker
* bmo#1852011 - Moving the init function of the mpi_ints before
clean-up in ec.c
* bmo#1615555 - P-256 ECDH and ECDSA from HACL*
* bmo#1840510 - Add ACVP test vectors to the repository
* bmo#1849077 - Stop relying on std::basic_string<uint8_t>
* bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
* Tue Sep 05 2023 Dominique Leuenberger <dimstar@opensuse.org>
- Update to NSS 3.93:
* bmo#1849471 - Update zlib in NSS to 1.3.
* bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
* bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
* Sun Aug 27 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.92
* bmo#1822935 - Set nssckbi version number to 2.62
* bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS
* bmo#1839992 - Add 4 SSL.com Root CA certificates
* bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates
* bmo#1840437 - Add LAWtrust Root CA2 (4096)
* bmo#1822936 - Remove E-Tugra Certification Authority root
* bmo#1827224 - Remove Camerfirma Chambers of Commerce Root.
* bmo#1840505 - Remove Hongkong Post Root CA 1
* bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3
* bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux
* Sat Jul 29 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.91
* bmo#1837431 - Implementation of the HW support check for ADX instruction
* bmo#1836925 - Removing the support of Curve25519
* bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
* bmo#1839327 - Adding args to enable-legacy-db build
* bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
default trust flags"
* bmo#1837617 - Initialize flags in slot structures
* bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
* bmo#1829112 - Followup Fixes
* bmo#1784253 - avoid processing unexpected inputs by checking for
m_exptmod base sign
* bmo#1826652 - add a limit check on order_k to avoid infinite loop
* bmo#1834851 - Update HACL* to commit 5f6051d2
* bmo#1753026 - add SHA3 to cryptohi and softoken
* bmo#1753026 - HACL SHA3
* bmo#1836781 - Disabling ASM C25519 for A but X86_64
- removed upstreamed patch nss-fix-bmo1836925.patch
* Fri Jul 28 2023 Dirk Stoecker <opensuse@dstoecker.de>
- Fix file conflict for pp manual page [bsc#1213281]
* Tue Jul 04 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.90
* bmo#1623338 - ride along: remove a duplicated doc page
* bmo#1623338 - remove a reference to IRC
* bmo#1831983 - clang-format lib/freebl/stubs.c
* bmo#1831983 - Add a constant time select function
* bmo#1774657 - Updating an old dbm with lots of certs with keys to
sql results in a database that is slow to access.
* bmo#1830973 - output early build errors by default
* bmo#1804505 - Update the technical constraints for KamuSM
* bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates
* bmo#1790763 - Enable default UBSan Checks
* bmo#1786018 - Add explicit handling of zero length records
* bmo#1829391 - Tidy up DTLS ACK Error Handling Path
* bmo#1786018 - Refactor zero length record tests
* bmo#1829112 - Fix compiler warning via correct assert
* bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp
* bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths
larger than the output size of the hash function used,
or provide an indicator
* bmo#1784163 - Fix reading raw negative numbers
* bmo#1748237 - Repairing unreachable code in clang built with gyp
* bmo#1783647 - Integrate Vale Curve25519
* bmo#1799468 - Removing unused flags for Hacl*
* bmo#1748237 - Adding a better error message
* bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6
* bmo#1782980 - Fall back to the softokn when writing certificate trust
* bmo#1806010 - FIPS-104-3 requires we restart post programmatically
* bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13
* bmo#1818766 - Update ACVP dockerfile for compatibility with debian
package changes
* bmo#1815796 - Add a CI task for tracking ECCKiila code status, update
whitespace in ECCKiila files
* bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf
* bmo#1822076 - fix rst warnings in nss doc
* bmo#1821997 - Fix incorrect pygment style
* bmo#1821292 - Change GYP directive to apply across platforms
* Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag
- add nss-fix-bmo1836925.patch to fix build-errors
- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need
the workaround in FIPS mode (bsc#1200325)
- Remove nss-fips-tests-skip.patch. This is no longer needed since
we removed the code to short-circuit broken hashes and moved to
using the SLI
- Add nss-allow-slow-tests.patch, which allows a timed test to run
longer than 1s. This avoids turning slow builds into broken builds
- Add nss-fips-drbg-libjitter.patch to use libjitterentropy for
entropy. This is disabled until we can avoid the inline assembler
in the latter's header file that relies on GNU extensions
- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency
checks
* Fri Jun 09 2023 Pedro Monreal <pmonreal@suse.com>
- FIPS: Merge the libfreebl3-hmac and libsoftokn3-hmac packages
into the respective libraries. [bsc#1185116]
* Sat Jun 03 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.89.1
* bmo#1804505 - Update the technical constraints for KamuSM.
* bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates.
* Wed May 31 2023 Martin Sirringhaus <martin.sirringhaus@suse.com>
- Move testsuite to %check-section and move env-variables to
files for easier chroot-debugging
* Mon Apr 10 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.89
* bmo#1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase
* bmo#1820175 - PR_STATIC_ASSERT is cursed
* bmo#1767883 - Need to add policy control to keys lengths for signatures
* bmo#1820175 - Fix unreachable code warning in fuzz builds
* bmo#1820175 - Fix various compiler warnings in NSS
* bmo#1820175 - Enable various compiler warnings for clang builds
* bmo#1815136 - set PORT error after sftk_HMACCmp failure
* bmo#1767883 - Need to add policy control to keys lengths for signatures
* bmo#1804662 - remove data length assertion in sec_PKCS7Decrypt
* bmo#1804660 - Make high tag number assertion failure an error
* bmo#1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key
length from 284 to 384
* bmo#1815167 - Tolerate certificate_authorities xtn in ClientHello
* bmo#1789436 - Fix build failure on Windows
* bmo#1811337 - migrate Win 2012 tasks to Azure
* bmo#1810702 - fix title length in doc
* bmo#1570615 - Add interop tests for HRR and PSK to GREASE suite
* bmo#1570615 - Add presence/absence tests for TLS GREASE
* bmo#1804688 - Correct addition of GREASE value to ALPN xtn
* bmo#1789436 - CH extension permutation
* bmo#1570615 - TLS GREASE (RFC8701)
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
* bmo#1815870 - use a different treeherder symbol for each docker
image build task
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
20.04 docker images
* bmo#1810702 - remove nested table in rst doc
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag
* bmo#1812671 - build failure while implicitly casting SECStatus
to PRUInt32
* Sat Mar 11 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.88.1
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
- update to NSS 3.88
* bmo#1815870 - use a different treeherder symbol for each docker
image build task
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
20.04 docker images
* bmo#1810702 - remove nested table in rst doc
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
* bmo#1812671 - build failure while implicitly casting SECStatus
to PRUInt32
* bmo#1212915 - Add check for ClientHello SID max length
* bmo#1771100 - Added EarlyData ALPN test support to BoGo shim
* bmo#1790357 - ECH client - Discard resumption TLS < 1.3
Session(IDs|Tickets) if ECH configs are setup
* bmo#1714245 - On HRR skip PSK incompatible with negotiated
ciphersuites hash algorithm
* bmo#1789410 - ECH client: Send ech_required alert on server
negotiating TLS 1.2. Fixed misleading Gtest,
enabled corresponding BoGo test
* bmo#1771100 - Added Bogo ECH rejection test support
* bmo#1771100 - Added ECH 0Rtt support to BoGo shim
* bmo#1747957 - RSA OAEP Wycheproof JSON
* bmo#1747957 - RSA decrypt Wycheproof JSON
* bmo#1747957 - ECDSA Wycheproof JSON
* bmo#1747957 - ECDH Wycheproof JSON
* bmo#1747957 - PKCS#1v1.5 wycheproof json
* bmo#1747957 - Use X25519 wycheproof json
* bmo#1766767 - Move scripts to python3
* bmo#1809627 - Properly link FuzzingEngine for oss-fuzz.
* bmo#1805907 - Extending RSA-PSS bltest test coverage
(Adding SHA-256 and SHA-384)
* bmo#1804091 - NSS needs to move off of DSA for integrity checks
* bmo#1805815 - Add initial testing with ACVP vector sets using
acvp-rust
* bmo#1806369 - Don't clone libFuzzer, rely on clang instead
* Tue Feb 14 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.87
* bmo#1803226 - NULL password encoding incorrect
* bmo#1804071 - Fix rng stub signature for fuzzing builds
* bmo#1803595 - Updating the compiler parsing for build
* bmo#1749030 - Modification of supported compilers
* bmo#1774654 - tstclnt crashes when accessing gnutls server
without a user cert in the database.
* bmo#1751707 - Add configuration option to enable source-based
coverage sanitizer
* bmo#1751705 - Update ECCKiila generated files.
* bmo#1730353 - Add support for the LoongArch 64-bit architecture
* bmo#1798823 - add checks for zero-length RSA modulus to avoid
memory errors and failed assertions later
* bmo#1798823 - Additional zero-length RSA modulus checks
- add man-pages to the tools package (boo#1208242)
* Sun Jan 15 2023 Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.86
* bmo#1803190 - conscious language removal in NSS
* bmo#1794506 - Set nssckbi version number to 2.60
* bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
CKA_NSS_EMAIL_DISTRUST_AFTER for 3
TrustCor Root Certificates
* bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS
* bmo#1797559 - Remove EC-ACC root cert from NSS
* bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS
* bmo#1794495 - Remove Network Solutions Certificate Authority
* bmo#1802331 - compress docker image artifact with zstd
* bmo#1799315 - Migrate nss from AWS to GCP
* bmo#1800989 - Enable static builds in the CI
* bmo#1765759 - Removing SAW docker from the NSS build system
* bmo#1783231 - Initialising variables in the rsa blinding code
* bmo#320582 - Implementation of the double-signing of the message
for ECDSA
* bmo#1783231 - Adding exponent blinding for RSA.
/etc/pki /etc/pki/nssdb /etc/pki/nssdb/cert9.db /etc/pki/nssdb/key4.db /etc/pki/nssdb/pkcs11.txt /usr/lib64/libnsssysinit.so /usr/sbin/setup-nsssysinit.sh
Generated by rpm2html 1.8.1
Fabrice Bellet, Sun Apr 19 22:35:28 2026