openembedded-core.git/meta/recipes-support/nss, branch dizzy Mirror of openembedded-core nss: CVE-2014-1568 2014-11-24T16:24:26+00:00 Chong Lu Chong.Lu@windriver.com 2014-11-06T07:50:38+00:00 0ed9070619f959b802dcc4ee8399d252d0349583 the patch comes from: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1568 https://bugzilla.mozilla.org/show_bug.cgi?id=1064636 nss ng log: ===== changeset: 11252:ad411fb64046 user: Kai Engert <kaie@kuix.de> date: Tue Sep 23 19:28:34 2014 +0200 summary: Fix bug 1064636, patch part 2, r=rrelyea ===== changeset: 11253:4e90910ad2f9 user: Kai Engert <kaie@kuix.de> date: Tue Sep 23 19:28:45 2014 +0200 summary: Fix bug 1064636, patch part 3, r=rrelyea ===== changeset: 11254:fb7208e91ae8 user: Kai Engert <kaie@kuix.de> date: Tue Sep 23 19:28:52 2014 +0200 summary: Fix bug 1064636, patch part 1, r=rrelyea ===== changeset: 11255:8dd6c6ac977d user: Kai Engert <kaie@kuix.de> date: Tue Sep 23 19:39:40 2014 +0200 summary: Bug 1064636, follow up commit to fix Windows build bustage Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> 
the patch comes from:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1568
https://bugzilla.mozilla.org/show_bug.cgi?id=1064636
nss ng log:
=====
changeset:   11252:ad411fb64046
user:        Kai Engert <kaie@kuix.de>
date:        Tue Sep 23 19:28:34 2014 +0200
summary:     Fix bug 1064636, patch part 2, r=rrelyea
=====
changeset:   11253:4e90910ad2f9
user:        Kai Engert <kaie@kuix.de>
date:        Tue Sep 23 19:28:45 2014 +0200
summary:     Fix bug    1064636, patch part 3, r=rrelyea
=====
changeset:   11254:fb7208e91ae8
user:        Kai Engert <kaie@kuix.de>
date:        Tue Sep 23 19:28:52 2014 +0200
summary:     Fix bug    1064636, patch part 1, r=rrelyea
=====
changeset:   11255:8dd6c6ac977d
user:        Kai Engert <kaie@kuix.de>
date:        Tue Sep 23 19:39:40 2014 +0200
summary:     Bug 1064636, follow up commit to fix Windows build bustage

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
nss: nss.pc is not target specific 2014-09-30T19:50:37+00:00 Saul Wold sgw@linux.intel.com 2014-09-30T17:16:51+00:00 f70efca58e9411feb251c9d00066f8631b167004 RPM4 requires an nss-native component Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
RPM4 requires an nss-native component

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
nss.inc: Fix LICENSE 2014-09-29T11:12:35+00:00 Elizabeth Flanagan elizabeth.flanagan@intel.com 2014-09-25T22:59:56+00:00 ed3e7d4a584d836887d798e0f30339808d09804f From reading the COPYING and various license headers, the nss LICENSE was incorrect. It's actually MPL-2.0 (not 1.1) with a few different Or instances. Signed-off-by: Elizabeth Flanagan <elizabeth.flanagan@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
From reading the COPYING and various license headers, the nss
LICENSE was incorrect. It's actually MPL-2.0 (not 1.1) with a
few different Or instances.

Signed-off-by: Elizabeth Flanagan <elizabeth.flanagan@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
nss: CVE-2014-1544 2014-08-27T11:12:06+00:00 Li Wang li.wang@windriver.com 2014-08-26T08:33:24+00:00 7ef613c7f4b9e4ff153766f31dae81fc4810c0df the patch comes from: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1544 https://hg.mozilla.org/projects/nss/rev/204f22c527f8 author Robert Relyea <rrelyea@redhat.com> https://bugzilla.mozilla.org/show_bug.cgi?id=963150 Bug 963150: Add nssCertificate_AddRef and nssCertificate_Destroy calls to PK11_ImportCert to prevent nssTrustDomain_AddCertsToCache from freeing the CERTCertificate associated with the NSSCertificate. r=wtc. Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
the patch comes from:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1544
https://hg.mozilla.org/projects/nss/rev/204f22c527f8

author  Robert Relyea <rrelyea@redhat.com>
https://bugzilla.mozilla.org/show_bug.cgi?id=963150
Bug 963150: Add nssCertificate_AddRef and nssCertificate_Destroy calls
to PK11_ImportCert to prevent nssTrustDomain_AddCertsToCache from
freeing the CERTCertificate associated with the NSSCertificate. r=wtc.

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
nss*: Replace hardcoded "/etc" with "${sysconfdir}" 2014-08-06T09:02:39+00:00 Robert P. J. Day rpjday@crashcourse.ca 2014-08-02T10:38:49+00:00 1c44e057c66fe20d491fcb3ae45defe0a300b256 Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
nss: CVE-2013-5606 2014-07-29T08:56:54+00:00 Li Wang li.wang@windriver.com 2014-07-28T06:50:42+00:00 1e153b1b21276d56144add464d592cd7b96a4ede the patch comes from: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606 https://bugzilla.mozilla.org/show_bug.cgi?id=910438 http://hg.mozilla.org/projects/nss/rev/d29898e0981c The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return value for an incompatible key-usage certificate when the CERTVerifyLog argument is valid, which might allow remote attackers to bypass intended access restrictions via a crafted certificate. Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
the patch comes from:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606
https://bugzilla.mozilla.org/show_bug.cgi?id=910438
http://hg.mozilla.org/projects/nss/rev/d29898e0981c

The CERT_VerifyCert function in lib/certhigh/certvfy.c in
Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides
an unexpected return value for an incompatible key-usage certificate
when the CERTVerifyLog argument is valid, which might allow remote
attackers to bypass intended access restrictions via a crafted certificate.

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
nss-3.15.1: fix CVE-2013-1739 2014-06-24T18:53:01+00:00 yzhu1 yanjun.zhu@windriver.com 2014-06-18T09:41:30+00:00 9b43af77d112e75fa9827a9080b7e94f41f9a116 Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1739 Signed-off-by: yzhu1 <yanjun.zhu@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Mozilla Network Security Services (NSS) before 3.15.2 does
not ensure that data structures are initialized before
read operations, which allows remote attackers to cause a
denial of service or possibly have unspecified other
impact via vectors that trigger a decryption failure.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1739
Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
nss: CVE-2013-1740 2014-05-21T08:08:10+00:00 Li Wang li.wang@windriver.com 2014-05-19T05:42:53+00:00 11e728e64e37eec72ed0cb3fb4d5a49ddeb88666 the patch comes from: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1740 https://bugzilla.mozilla.org/show_bug.cgi?id=919877 https://bugzilla.mozilla.org/show_bug.cgi?id=713933 changeset: 10946:f28426e944ae user: Wan-Teh Chang <wtc@google.com> date: Tue Nov 26 16:44:39 2013 -0800 summary: Bug 713933: Handle the return value of both ssl3_HandleRecord calls changeset: 10945:774c7dec7565 user: Wan-Teh Chang <wtc@google.com> date: Mon Nov 25 19:16:23 2013 -0800 summary: Bug 713933: Declare the |falseStart| local variable in the smallest changeset: 10848:141fae8fb2e8 user: Wan-Teh Chang <wtc@google.com> date: Mon Sep 23 11:25:41 2013 -0700 summary: Bug 681839: Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished, r=brian@briansmith.org changeset: 10898:1b9c43d28713 user: Brian Smith <brian@briansmith.org> date: Thu Oct 31 15:40:42 2013 -0700 summary: Bug 713933: Make SSL False Start work with asynchronous certificate validation, r=wtc Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
the patch comes from:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1740
https://bugzilla.mozilla.org/show_bug.cgi?id=919877
https://bugzilla.mozilla.org/show_bug.cgi?id=713933

changeset:   10946:f28426e944ae
user:        Wan-Teh Chang <wtc@google.com>
date:        Tue Nov 26 16:44:39 2013 -0800
summary:     Bug 713933: Handle the return value of both ssl3_HandleRecord calls

changeset:   10945:774c7dec7565
user:        Wan-Teh Chang <wtc@google.com>
date:        Mon Nov 25 19:16:23 2013 -0800
summary:     Bug 713933: Declare the |falseStart| local variable in the smallest

changeset:   10848:141fae8fb2e8
user:        Wan-Teh Chang <wtc@google.com>
date:        Mon Sep 23 11:25:41 2013 -0700
summary:     Bug 681839: Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished, r=brian@briansmith.org

changeset:   10898:1b9c43d28713
user:        Brian Smith <brian@briansmith.org>
date:        Thu Oct 31 15:40:42 2013 -0700
summary:     Bug 713933: Make SSL False Start work with asynchronous certificate validation, r=wtc

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
nss: CVE-2014-1492 2014-05-21T08:08:10+00:00 Li Wang li.wang@windriver.com 2014-05-19T05:42:52+00:00 a83a1b26704f1f3aadaa235bf38094f03b3610fd the patch comes from: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492 https://bugzilla.mozilla.org/show_bug.cgi?id=903885 changeset: 11063:709d4e597979 user: Kai Engert <kaie@kuix.de> date: Wed Mar 05 18:38:55 2014 +0100 summary: Bug 903885, address requests to clarify comments from wtc changeset: 11046:2ffa40a3ff55 tag: tip user: Wan-Teh Chang <wtc@google.com> date: Tue Feb 25 18:17:08 2014 +0100 summary: Bug 903885, fix IDNA wildcard handling v4, r=kaie changeset: 11045:15ea62260c21 user: Christian Heimes <sites@cheimes.de> date: Mon Feb 24 17:50:25 2014 +0100 summary: Bug 903885, fix IDNA wildcard handling, r=kaie Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> 
the patch comes from:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492
https://bugzilla.mozilla.org/show_bug.cgi?id=903885

changeset:   11063:709d4e597979
user:        Kai Engert <kaie@kuix.de>
date:        Wed Mar 05 18:38:55 2014 +0100
summary:     Bug 903885, address requests to clarify comments from wtc

changeset:   11046:2ffa40a3ff55
tag:         tip
user:        Wan-Teh Chang <wtc@google.com>
date:        Tue Feb 25 18:17:08 2014 +0100
summary:     Bug 903885, fix IDNA wildcard handling v4, r=kaie

changeset:   11045:15ea62260c21
user:        Christian Heimes <sites@cheimes.de>
date:        Mon Feb 24 17:50:25 2014 +0100
summary:     Bug 903885, fix IDNA wildcard handling, r=kaie

Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
nss-3.15.1: fix CVE-2013-5605 2014-03-28T11:01:05+00:00 yanjun.zhu yanjun.zhu@windriver.com 2014-03-28T09:43:38+00:00 09e8cd6f09284ad3faf0bc05d623a43e2b174866 Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid handshake packets. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5605 Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 
Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and
3.15 before 3.15.3 allows remote attackers to cause a denial
of service or possibly have unspecified other impact via
invalid handshake packets.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5605
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>