debian/0000775000000000000000000000000012317016130007162 5ustar debian/libnss3.lintian-overrides.in0000664000000000000000000000143412234360534014536 0ustar # ABI compatibility is ensured upstream, and the SO version, if it needed # a change at any time, would be a change in the library name. There is # no reason to make compatibility more difficult with other distros and # upstream binary releases. libnss3: shlib-without-versioned-soname usr/lib/@DEB_HOST_MULTIARCH_WC@/libnss3.so libnss3.so libnss3: shlib-without-versioned-soname usr/lib/@DEB_HOST_MULTIARCH_WC@/libssl3.so libssl3.so libnss3: shlib-without-versioned-soname usr/lib/@DEB_HOST_MULTIARCH_WC@/libnssutil3.so libnssutil3.so libnss3: shlib-without-versioned-soname usr/lib/@DEB_HOST_MULTIARCH_WC@/libsmime3.so libsmime3.so # License says GPL 2 or subsequent, so pointing to the latest version is fine libnss3: copyright-refers-to-versionless-license-file usr/share/common-licenses/GPL debian/control0000664000000000000000000000754312270454275010614 0ustar Source: nss Section: libs Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Maintainers of Mozilla-related packages Uploaders: Mike Hommey Build-Depends: debhelper (>= 9), dpkg-dev (>= 1.16.1.1~), libnspr4-dev (>= 2:4.9.4), zlib1g-dev, libsqlite3-dev (>= 3.3.9) Standards-Version: 3.9.3.0 Homepage: http://www.mozilla.org/projects/security/pki/nss/ Vcs-Git: git://git.debian.org/git/pkg-mozilla/nss.git Vcs-Browser: http://git.debian.org/?p=pkg-mozilla/nss.git Package: libnss3 Architecture: any Pre-Depends: ${misc:Pre-Depends} Depends: ${shlibs:Depends}, ${misc:Depends}, libnss3-nssdb Conflicts: libnss3-1d (<< 2:3.13.4-2) Multi-Arch: ${misc:Multi-Arch} Description: Network Security Service libraries This is a set of libraries designed to support cross-platform development of security-enabled client and server applications. It can support SSLv2 and v4, TLS, PKCS #5, #7, #11, #12, S/MIME, X.509 v3 certificates and other security standards. Package: libnss3-1d Section: oldlibs Priority: extra Architecture: any Pre-Depends: ${misc:Pre-Depends} Depends: libnss3 (= ${binary:Version}), ${misc:Depends} Multi-Arch: ${misc:Multi-Arch} Description: Network Security Service libraries - transitional package This is a transitional package to ensure smooth transition of all packages to libnss3. Package: libnss3-nssdb Section: admin Architecture: all Pre-Depends: ${misc:Pre-Depends} Depends: libnss3 (= ${binary:Version}), ${misc:Depends} Multi-Arch: foreign Description: Network Security Security libraries - shared databases This package includes shared certificate and key databases. Package: libnss3-tools Section: admin Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Description: Network Security Service tools This is a set of tools on top of the Network Security Service libraries. This package includes: * certutil: manages certificate and key databases (cert7.db and key3.db) * modutil: manages the database of PKCS11 modules (secmod.db) * pk12util: imports/exports keys and certificates between the cert/key databases and files in PKCS12 format. * shlibsign: creates .chk files for use in FIPS mode. * signtool: creates digitally-signed jar archives containing files and/or code. * ssltap: proxy requests for an SSL server and display the contents of the messages exchanged between the client and server. Homepage: http://www.mozilla.org/projects/security/pki/nss/tools/ Package: libnss3-dev Section: libdevel Architecture: any Depends: ${misc:Depends}, libnss3 (= ${binary:Version}), libnspr4-dev (>= 4.6.6-1) Multi-Arch: ${misc:Multi-Arch} Description: Development files for the Network Security Service libraries This is a set of libraries designed to support cross-platform development of security-enabled client and server applications. It can support SSLv2 and v4, TLS, PKCS #5, #7, #11, #12, S/MIME, X.509 v3 certificates and other security standards. . Install this package if you wish to develop your own programs using the Network Security Service Libraries. Package: libnss3-dbg Section: debug Priority: extra Architecture: any Depends: ${misc:Depends}, libnss3 (= ${binary:Version}) | libnss3-tools (= ${binary:Version}) Conflicts: libnss3 (<< ${binary:Version}), libnss3 (>> ${binary:Version}), libnss3-tools (<< ${binary:Version}), libnss3-tools (>> ${binary:Version}) Provides: libnss3-1d-dbg Multi-Arch: ${misc:Multi-Arch} Description: Debugging symbols for the Network Security Service libraries This is a set of libraries designed to support cross-platform development of security-enabled client and server applications. It can support SSLv2 and v4, TLS, PKCS #5, #7, #11, #12, S/MIME, X.509 v3 certificates and other security standards. . This package provides the debugging symbols for the library. debian/nss-config.in0000664000000000000000000000456212234360534011577 0ustar #!/bin/sh prefix=/usr major_version=@MOD_MAJOR_VERSION@ minor_version=@MOD_MINOR_VERSION@ patch_version=@MOD_PATCH_VERSION@ usage() { cat <&2 fi lib_ssl=yes lib_smime=yes lib_nss=yes lib_nssutil=yes while test $# -gt 0; do case "$1" in -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; *) optarg= ;; esac case $1 in --prefix=*) prefix=$optarg ;; --prefix) echo_prefix=yes ;; --exec-prefix=*) exec_prefix=$optarg ;; --exec-prefix) echo_exec_prefix=yes ;; --includedir=*) includedir=$optarg ;; --includedir) echo_includedir=yes ;; --libdir=*) libdir=$optarg ;; --libdir) echo_libdir=yes ;; --version) echo ${major_version}.${minor_version}.${patch_version} ;; --cflags) echo_cflags=yes ;; --libs) echo_libs=yes ;; ssl) lib_ssl=yes ;; smime) lib_smime=yes ;; nss) lib_nss=yes ;; nssutil) lib_nssutil=yes ;; *) usage 1 1>&2 ;; esac shift done # Set variables that may be dependent upon other variables if test -z "$exec_prefix"; then exec_prefix=${prefix} fi if test -z "$includedir"; then includedir=${prefix}/include/nss fi if test -z "$libdir"; then libdir=${exec_prefix}/lib/@DEB_HOST_MULTIARCH@ fi if test "$echo_prefix" = "yes"; then echo $prefix fi if test "$echo_exec_prefix" = "yes"; then echo $exec_prefix fi if test "$echo_includedir" = "yes"; then echo $includedir fi if test "$echo_libdir" = "yes"; then echo $libdir fi if test "$echo_cflags" = "yes"; then echo -I$includedir fi if test "$echo_libs" = "yes"; then libdirs="-L$libdir" if test -n "$lib_ssl"; then libdirs="$libdirs -lssl${major_version}" fi if test -n "$lib_smime"; then libdirs="$libdirs -lsmime${major_version}" fi if test -n "$lib_nss"; then libdirs="$libdirs -lnss${major_version}" fi if test -n "$lib_nssutil"; then libdirs="$libdirs -lnssutil${major_version}" fi echo $libdirs fi debian/libnss3.symbols0000664000000000000000000000702312264642527012173 0ustar libnss3.so libnss3 (>= 2:3.13.4-2~) | libnss3-1d #MINVER# |libnss3 #MINVER# *@NSS_3.10.2 3.12.0~1.9b1 *@NSS_3.10 3.12.0~1.9b1 *@NSS_3.11.1 3.12.0~1.9b1 *@NSS_3.11.2 3.12.0~1.9b1 *@NSS_3.11.7 3.12.0~1.9b1 *@NSS_3.11.9 3.12.0~beta2 *@NSS_3.11 3.12.0~1.9b1 *@NSS_3.12.1 3.12.1 *@NSS_3.12.3 3.12.3 *@NSS_3.12.4 3.12.4 *@NSS_3.12.5 3.12.5 *@NSS_3.12.6 3.12.6 *@NSS_3.12.7 3.12.7 *@NSS_3.12.9 3.12.9~beta2 *@NSS_3.12.10 3.12.10 *@NSS_3.12 3.12.0~1.9b1 *@NSS_3.13 3.13 *@NSS_3.13.2 3.13.2~beta1 *@NSS_3.14 2:3.14 1 *@NSS_3.14.1 2:3.14.1~beta2 1 *@NSS_3.14.3 2:3.14.3 1 *@NSS_3.15 2:3.15 1 *@NSS_3.15.4 2:3.15.4 1 *@NSS_3.2.1 3.12.0~1.9b1 *@NSS_3.2 3.12.0~1.9b1 *@NSS_3.3.1 3.12.0~1.9b1 *@NSS_3.3 3.12.0~1.9b1 *@NSS_3.4 3.12.0~1.9b1 *@NSS_3.5 3.12.0~1.9b1 *@NSS_3.6 3.12.0~1.9b1 *@NSS_3.7.1 3.12.0~1.9b1 *@NSS_3.7 3.12.0~1.9b1 *@NSS_3.8 3.12.0~1.9b1 *@NSS_3.9.2 3.12.0~1.9b1 *@NSS_3.9.3 3.12.0~1.9b1 *@NSS_3.9 3.12.0~1.9b1 CERT_EncodeSubjectKeyID@NSS_3.12 3.12.0~beta2 CERT_GetClassicOCSPDisabledPolicy@NSS_3.12 3.12.0~beta3 CERT_GetClassicOCSPEnabledHardFailurePolicy@NSS_3.12 3.12.0~beta3 CERT_GetClassicOCSPEnabledSoftFailurePolicy@NSS_3.12 3.12.0~beta3 CERT_GetPKIXVerifyNistRevocationPolicy@NSS_3.12 3.12.0~beta3 CERT_GetUsePKIXForValidation@NSS_3.12 3.12.0~beta3 CERT_GetValidDNSPatternsFromCert@NSS_3.12 3.12.0~beta2 CERT_NewTempCertificate@NSS_3.12 3.12.0~beta3 CERT_SetOCSPTimeout@NSS_3.12 3.12.0~beta2 CERT_SetUsePKIXForValidation@NSS_3.12 3.12.0~beta3 HASH_GetType@NSS_3.12 3.12.0~beta3 NSS_InitWithMerge@NSS_3.12 3.12.0~beta3 PK11_CreateGenericObject@NSS_3.12 3.12.0~beta2 PK11_CreateMergeLog@NSS_3.12 3.12.0~beta3 PK11_CreatePBEV2AlgorithmID@NSS_3.12 3.12.0~beta2 PK11_DestroyMergeLog@NSS_3.12 3.12.0~beta3 PK11_GetPBECryptoMechanism@NSS_3.12 3.12.0~beta2 PK11_IsRemovable@NSS_3.12 3.12.0~beta3 PK11_MergeTokens@NSS_3.12 3.12.0~beta3 PK11_WriteRawAttribute@NSS_3.12 3.12.0~beta2 SEC_PKCS5IsAlgorithmPBEAlgTag@NSS_3.12 3.12.0~beta2 libnssutil3.so libnss3 (>= 2:3.13.4-2~) | libnss3-1d #MINVER# |libnss3 #MINVER# *@NSSUTIL_3.12.3 3.12.3 *@NSSUTIL_3.12.5 3.12.5 *@NSSUTIL_3.12.7 3.12.7 *@NSSUTIL_3.12 3.12.0~beta2 *@NSSUTIL_3.13 3.13 *@NSSUTIL_3.14 2:3.14 1 *@NSSUTIL_3.15 2:3.15 1 libsmime3.so libnss3 (>= 2:3.13.4-2~) | libnss3-1d #MINVER# |libnss3 #MINVER# *@NSS_3.10 3.12.0~1.9b1 *@NSS_3.12.2 3.12.2 *@NSS_3.12.10 3.12.10 *@NSS_3.13 3.13 *@NSS_3.15 2:3.15 1 *@NSS_3.2.1 3.12.0~1.9b1 *@NSS_3.2 3.12.0~1.9b1 *@NSS_3.3 3.12.0~1.9b1 *@NSS_3.4.1 3.12.0~1.9b1 *@NSS_3.4 3.12.0~1.9b1 *@NSS_3.6 3.12.0~1.9b1 *@NSS_3.7.2 3.12.0~1.9b1 *@NSS_3.7 3.12.0~1.9b1 *@NSS_3.8 3.12.0~1.9b1 *@NSS_3.9.3 3.12.0~1.9b1 *@NSS_3.9 3.12.0~1.9b1 libssl3.so libnss3 (>= 2:3.13.4-2~) | libnss3-1d #MINVER# |libnss3 #MINVER# *@NSS_3.11.4 3.12.0~1.9b1 *@NSS_3.11.8 3.12.0~1.9b1 *@NSS_3.12.6 3.12.6 *@NSS_3.12.10 3.12.10 *@NSS_3.13 3.13 *@NSS_3.13.2 3.13.2 *@NSS_3.14 2:3.14 1 *@NSS_3.15 2:3.15 1 *@NSS_3.15.4 2:3.15.4 1 *@NSS_3.2.1 3.12.0~1.9b1 *@NSS_3.2 3.12.0~1.9b1 *@NSS_3.4 3.12.0~1.9b1 *@NSS_3.7.4 3.12.0~1.9b1 libfreebl3.so libnss3 (>= 2:3.13.4-2~) | libnss3-1d #MINVER# |libnss3 #MINVER# *@NSSprivate_3.11 3.12.0~1.9b1 *@NSSRAWHASH_3.12.3 3.12.3 libnssckbi.so libnss3 (>= 2:3.13.4-2~) | libnss3-1d #MINVER# |libnss3 #MINVER# *@NSS_3.1 3.12.0~1.9b1 libnssdbm3.so libnss3 (>= 2:3.13.4-2~) | libnss3-1d #MINVER# |libnss3 #MINVER# *@NSSDBM_3.12 3.12.0 libnsssysinit.so libnss3 #MINVER# NSS_ReturnModuleSpecData@Base 3.14.2 libsoftokn3.so libnss3 (>= 2:3.13.4-2~) | libnss3-1d #MINVER# |libnss3 #MINVER# *@NSS_3.4 3.12.0~1.9b1 debian/libnss3-1d.lintian-overrides0000664000000000000000000000024512234360534014432 0ustar # License says GPL 2 or subsequent, so pointing to the latest version is fine libnss3-1d: copyright-refers-to-versionless-license-file usr/share/common-licenses/GPL debian/libnss3-dev.lintian-overrides0000664000000000000000000000024612234360534014705 0ustar # License says GPL 2 or subsequent, so pointing to the latest version is fine libnss3-dev: copyright-refers-to-versionless-license-file usr/share/common-licenses/GPL debian/changelog0000664000000000000000000007375012317015712011055 0ustar nss (2:3.15.4-1ubuntu7) trusty; urgency=medium * SECURITY UPDATE: incorrect IDNA wildcard handling - debian/patches/CVE-2014-1492.patch: conform to RFC 6125 in nss/lib/certdb/certdb.c. - CVE-2014-1492 -- Marc Deslauriers Wed, 02 Apr 2014 10:14:01 -0400 nss (2:3.15.4-1ubuntu6) trusty; urgency=medium * No longer ship cacert.org certificates. (LP: #1258286) - removed debian/patches/95_add_spi+cacert_ca_certs.patch - added debian/patches/95_add_spi_certs.patch -- Marc Deslauriers Thu, 20 Feb 2014 07:38:51 -0500 nss (2:3.15.4-1ubuntu5) trusty; urgency=medium * debian/rules: Switch from DEB_BUILD_ARCH to DEB_HOST_ARCH to fix cross. -- Adam Conrad Sat, 25 Jan 2014 21:08:34 -0700 nss (2:3.15.4-1ubuntu4) trusty; urgency=medium * control: Mark libnss3-nssdb as M-A: foreign. (LP: #1272292) -- Timo Aaltonen Fri, 24 Jan 2014 14:13:10 +0200 nss (2:3.15.4-1ubuntu3) trusty; urgency=medium * debian/rules: create directory before creating cert database to fix ftbfs -- Marc Deslauriers Thu, 23 Jan 2014 13:22:01 -0500 nss (2:3.15.4-1ubuntu2) trusty; urgency=medium * debian/rules: switch back to DEB_BUILD_ARCH to fix ftbfs -- Marc Deslauriers Thu, 23 Jan 2014 12:39:23 -0500 nss (2:3.15.4-1ubuntu1) trusty; urgency=medium * Merge with Debian, remaining changes: - Add x32 support. -- Marc Deslauriers Thu, 23 Jan 2014 11:32:47 -0500 nss (2:3.15.4-1) unstable; urgency=low * New upstream release. * Acknowledge NMU. * debian/rules: Avoid long one-liner with semi-colons. * debian/patches/*: Refresh patches. * debian/copyright: Update. Closes: #730428. * debian/control, debian/libnss3-nssdb.*, debian/pkcs11.txt, debian/rules: Add shared cert and key databases. Thanks Timo Aaltonen. Closes: #537866. * debian/rules: Use DEB_HOST_ARCH instead of DEB_BUILD_ARCH. * debian/control: Mark libnss3-dev as Multi-Arch: same. Thanks Shawn Landden. Closes: #682925. * debian/libnss3.symbols: Add NSS_3.15.4 symbol versions. -- Mike Hommey Mon, 13 Jan 2014 10:46:04 +0900 nss (2:3.15.3.1-1.1ubuntu1) trusty; urgency=medium * Add x32 support. Closes: #699217. -- Matthias Klose Mon, 06 Jan 2014 21:27:26 +0100 nss (2:3.15.3.1-1.1) unstable; urgency=low * Non-Maintainer Upload - ship extra NSS utilities (Closes: #701141) -- Daniel Kahn Gillmor Sat, 04 Jan 2014 11:34:41 -0500 nss (2:3.15.3.1-1) unstable; urgency=high * New upstream release. - Distrusts AC DG Tresor SSL CA. -- Mike Hommey Sun, 15 Dec 2013 10:09:48 +0900 nss (2:3.15.3-1) unstable; urgency=high * New upstream release. - Fixes CVE-2013-1741, CVE-2013-5605, CVE-2013-5606. -- Mike Hommey Sat, 16 Nov 2013 08:50:45 +0900 nss (2:3.15.2-1) unstable; urgency=low * New upstream release. - Fixes CVE-2013-1739. Closes: #726473. -- Mike Hommey Mon, 21 Oct 2013 08:05:24 +0900 nss (2:3.15.1-1) unstable; urgency=low * New upstream release. * debian/patches/*: Refresh patches. * debian/patches/lower-dhe-priority.patch: Removed, as it was only necessary for Iceweasel 3.5, which is long gone. -- Mike Hommey Mon, 05 Aug 2013 14:41:14 +0900 nss (2:3.15-1) unstable; urgency=low * New upstream release. * debian/patches/*: Refresh patches and removed unused ones. * debian/rules: Adjusted to the new source layout. * debian/libnss3.symbols: Add NSS*_3.15 symbol versions. * debian/control: Bump nspr build dependency. -- Mike Hommey Sat, 15 Jun 2013 19:23:12 +0900 nss (2:3.14.3-1) unstable; urgency=high * New upstream release. - Fixes TLS timing attack (luck 13). Closes: #699888. * debian/libnss3.symbols: Add NSS_3.14.3 symbol version. * debian/control: Unbump sqlite3 build dependency, 3.14.3 lifted the need for sqlite 3.7.15. -- Mike Hommey Sun, 17 Mar 2013 15:01:06 +0100 nss (2:3.14.2-1) unstable; urgency=low * New upstream release. * debian/control: Bump sqlite3 build dependency. * debian/rules: Avoid installing freebl, softokn, nssckbi and nssdbm in two places. * debian/libnss3-1d.lintian-overrides.in: Stop preprocessing, it has nothing to preprocess anymore. * debian/libnss3.lintian-overrides.in: Fix not to contain a reference to the libnss3-1d package. -- Mike Hommey Fri, 15 Feb 2013 10:06:59 +0100 nss (2:3.14.1.with.ckbi.1.93-1) unstable; urgency=low * New upstream release. - Explicitly distrust two intermediate CA certificates mis-issued by TURKTRUST. * debian/patches/95_add_spi+cacert_ca_certs.patch: Refreshed. -- Mike Hommey Fri, 04 Jan 2013 11:16:33 +0100 nss (2:3.14.1-1) unstable; urgency=low * New upstream release. * debian/patches: Removed patches applied upstream, and refreshed the others. * debian/libnss3.symbols: Updated for new symbols. -- Mike Hommey Sun, 23 Dec 2012 17:40:21 +0100 nss (2:3.14-2) unstable; urgency=low * debian/nss-config.in: Fix nss-config when version is in the x.y form instead of x.y.z. -- Mike Hommey Fri, 07 Dec 2012 17:07:05 +0100 nss (2:3.14-1) unstable; urgency=low * New upstream release. * debian/patches: Removed patches applied upstream, and refreshed the others. * debian/libnss3.symbols: Updated for new symbols. -- Mike Hommey Thu, 01 Nov 2012 10:37:39 +0100 nss (2:3.13.6-1) unstable; urgency=low * New upstream release. * debian/rules: Use xz compression for binary packages. Thanks Ansgar Burchardt. Closes: #683835. -- Mike Hommey Fri, 31 Aug 2012 09:56:53 +0200 nss (2:3.13.5-1) unstable; urgency=low * New upstream release. -- Mike Hommey Fri, 15 Jun 2012 09:40:00 +0200 nss (2:3.13.4-3) unstable; urgency=low * debian/rules: Skip epoch when getting upstream version number. -- Mike Hommey Sun, 20 May 2012 07:36:11 +0200 nss (2:3.13.4-2) unstable; urgency=low * debian/control, debian/libnss3*, debian/rules, mozilla/security/coreconf/*, mozilla/security/nss/lib/*/manifest.mn: Move to unversioned library. ABI compatibility is ensured upstream, and the SO version, if it needed a change at any time, would be a change in the library name. There is no reason to keep making compatibility more difficult with other distros and upstream binary releases. While previous versions were one-way compatible (binaries built against other distros or upstream nspr could work on Debian), this approach works both ways. * debian/control: - Bump Standards-Version to 3.9.3.0. No changes required. - Force to build against libnspr4-dev >= 2:4.9 * Removed unapplied patches. * Adding an epoch to match the old libnss3 package that used to be in the Debian archive. -- Mike Hommey Thu, 17 May 2012 09:45:36 +0200 nss (3.13.4-1) unstable; urgency=low * New upstream release. - Changed __GNUC_MINOR__ use in pkcs11n.h. Closes: #650319. * mozilla/security/nss/cmd/certcgi/certcgi.c, mozilla/security/nss/cmd/digest/digest.c, mozilla/security/nss/cmd/signver/pk7print.c: Import patch from Moritz Muehlenhoff for hardened format strings. * debian/make.mk, debian/rules, debian/control: Enable hardening. Closes: #657325. * debian/libnss3-1d.lintian-overrides.in, debian/rules: Use wildcards in lintian override. Closes: #670013. * debian/compat, debian/control: Bump debian/compat to 9. This has the effect of using build-id for debug files, thus Closes: #670015. * debian/libnss3-1d.symbols: Add symbols for /usr/lib/nss/ libraries. -- Mike Hommey Sun, 29 Apr 2012 09:48:58 +0200 nss (3.13.3-1) unstable; urgency=low * New upstream release. * debian/libnss3-1d.symbols: Updated to fit new upstream. -- Mike Hommey Fri, 24 Feb 2012 09:56:10 +0100 nss (3.13.2~beta1-3) experimental; urgency=low * debian/libnss3-1d.symbols: Fix symbol version for the symbol added in -2. -- Mike Hommey Fri, 23 Dec 2011 19:20:23 +0100 nss (3.13.2~beta1-2) experimental; urgency=low * mozilla/security/nss/lib/ssl/*, mozilla/security/nss/cmd/tstclnt/tstclnt.c, mozilla/security/nss/tests/ssl/ssl.sh: Apply patches from bz#542832, required for Iceweasel 11. * debian/libnss3-1d.symbols: Add corresponding symbol. -- Mike Hommey Fri, 23 Dec 2011 17:54:03 +0100 nss (3.13.2~beta1-1) experimental; urgency=low * New upstream snapshot, picked from NSS_3_13_2_BETA1 cvs tag. * debian/libnss3-1d.symbols: Add NSS 3.13.2 symbols. -- Mike Hommey Fri, 23 Dec 2011 16:22:05 +0100 nss (3.13.1.with.ckbi.1.88-1) unstable; urgency=low * New upstream release. - Distrusts malaysian Digicert Sdn. Bhd CA certificate. - Addresses CVE-2011-3640 (Untrusted search path vulnerability). Closes: #647614. * debian/patches/*: Refreshed patches. * debian/libnss3-1d.symbols: Add NSS 3.13 symbols. -- Mike Hommey Sat, 05 Nov 2011 17:05:26 +0100 nss (3.12.11-3) unstable; urgency=high * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Explicitely distrust various DigiNotar CAs: - DigiNotar Root CA - DigiNotar Services 1024 CA - DigiNotar Cyber CA - DigiNotar Cyber CA 2nd - DigiNotar PKIoverheid - DigiNotar PKIoverheid G2 -- Mike Hommey Sat, 03 Sep 2011 09:33:28 +0200 nss (3.12.11-2) unstable; urgency=high * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Remove DigiNotar Root CA. -- Mike Hommey Wed, 31 Aug 2011 08:49:00 +0200 nss (3.12.11-1) unstable; urgency=low * New upstream release. * mozilla/security/nss/lib/ckfw/builtins/certdata.*, * mozilla/security/coreconf/{config,Linux}.mk: Refreshed. * debian/copyright: Update dbm license according to that in the source. Closes: #624310 -- Mike Hommey Fri, 12 Aug 2011 12:45:08 +0200 nss (3.12.10-3) unstable; urgency=low * debian/nss-config.in, debian/nss.pc.in, debian/rules: Return the multiarch path in nss-config and nss.pc. -- Mike Hommey Thu, 21 Jul 2011 18:08:48 +0200 nss (3.12.10-2) unstable; urgency=low * debian/control, debian/libnss3-1d.dirs, debian/libnss3-1d.lintian-overrides.in, debian/libnss3-dev.dirs, debian/libnss3-1d.links.in, debian/libnss3-dev.links.in, debian/rules: Switch to multi-arch while keeping backports easy. Closes: #497088. -- Mike Hommey Mon, 04 Jul 2011 11:24:18 +0200 nss (3.12.10-1) unstable; urgency=low * New upstream release. * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed. * debian/control: Build depend on libnspr4-dev >= 4.8.8. * debian/libnss3-1d.symbols: Add new symbol version. -- Mike Hommey Wed, 25 May 2011 10:20:59 +0200 nss (3.12.9.with.ckbi.1.82-1) unstable; urgency=low * New upstream release. - Marks fraudulent Comodo certificates as untrusted. * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed. -- Mike Hommey Thu, 24 Mar 2011 16:37:46 +0100 nss (3.12.9-2) unstable; urgency=low * Upload to unstable. * debian/rules: Fallback to DEB_BUILD_ARCH when dpkg-architecture does't support DEB_BUILD_ARCH_BITS. * debian/control: Lower build depends on dpkg-dev to (>= 1.13.19), which was the previous value. * mozilla/security/nss/lib/freebl/unix_rand.c: We don't need to prevent using netstat for entropy seeding. The seeding will stop before netstat if it could get data from /dev/urandom. * mozilla/security/coreconf/Linux.mk: We shouldn't need to special case mips64 anymore. * mozilla/security/nss/cmd/shlibsign/Makefile, debian/rules: Don't rely on patching the source to not create .chk files during build. -- Mike Hommey Sun, 06 Mar 2011 09:58:41 +0100 nss (3.12.9-1) experimental; urgency=low * New upstream release. -- Mike Hommey Sat, 15 Jan 2011 11:33:35 +0100 nss (3.12.9~beta2-1) experimental; urgency=low * New upstream snapshot, picked from NSS_3_12_9_BETA2 cvs tag. * debian/patches/*: Refresh patches. * debian/libnss3-1d.symbols: Add new symbol versions. * debian/rules: Bump shlibs. -- Mike Hommey Fri, 17 Dec 2010 15:01:31 +0100 nss (3.12.8-1) unstable; urgency=low * New upstream release. * debian/patches/*: Refresh patches. * debian/patches/series: + lower-dhe-priority.patch: Upstream patch from bz#583337 to lower DHE priority. Closes: #592315. -- Mike Hommey Thu, 07 Oct 2010 08:50:48 +0200 nss (3.12.8~b2-1) experimental; urgency=low * New upstream snapshot, picked from NSS_3_12_8_BETA2 cvs tag. * debian/patches/*: Refresh patches. -- Mike Hommey Mon, 23 Aug 2010 18:11:12 +0200 nss (3.12.7-1) unstable; urgency=low * New upstream release. * debian/patches/*: Refresh patches. * debian/control: - Bump Standards-Version to 3.9.1.0. - Build depend on libnspr4-dev >= 4.8.6. * debian/libnss3-1d.symbols: Simplify symbols file and add new symbols. * debian/rules: Bump shlibs. -- Mike Hommey Fri, 06 Aug 2010 13:55:14 +0200 nss (3.12.6-3) unstable; urgency=low * debian/rules: + Sign libnssdbm3.so. Closes: #588806. + Test that the FIPS mode can be properly enabled during build. * debian/control: + Remove conflicts with very old packages. + Bump Standards-Version to 3.9.0.0. -- Mike Hommey Mon, 12 Jul 2010 15:12:24 +0200 nss (3.12.6-2) unstable; urgency=low * debian/patches/series: + 00_ckbi_1.79.patch: New patch to update CKBI to 1.79. + 95_add_spi+cacert_ca_certs.patch: Refreshed against CKBI 1.79. -- Mike Hommey Fri, 09 Apr 2010 10:45:01 +0200 nss (3.12.6-1) unstable; urgency=low * New upstream release. * debian/patches/*: Refresh patches. * debian/libnss3-1d.symbols, debian/rules: Update symbols file with new symbols and bump shlibs. * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch, debian/patches/series: Enable transitional scheme for ssl renegotiation. Closes: #561918. * debian/control: + Bump Standards-Version to 3.8.4.0. + Drop libnss3-1d dependency on dpkg. The versions it didn't really like were between oldstable and stable. + Don't allow different versions of libnss3-1d, libnss3-1d-dbg and libnss3-tools to be installed at the same time. + Add ${misc:Depends} to libnss3-1d-dbg dependencies. * debian/rules: Revert workaround for gcc 4.4 bug on powerpc with -Os. * debian/rules, debian/control, debian/compat: Simplify debian/rules by using dh. -- Mike Hommey Wed, 17 Mar 2010 20:33:32 +0100 nss (3.12.5-2) unstable; urgency=low * debian/control: + Remove build dependency on autotools-dev, we don't use it. + libnss3-dev depends on libnspr4-dev >= 4.6.6-1. 4.6.6-1 was the first version where the pkg-config file was nspr.pc instead of xulrunner-nspr.pc. Closes: #567134. * debian/patches/96_NSS_VersionCheck.patch, debian/patches/series: Remove runtime check of NSPR version in NSS_VersionCheck, which seems to be pointless. Closes: #567136. -- Mike Hommey Thu, 28 Jan 2010 12:12:35 +0100 nss (3.12.5-1) unstable; urgency=low * New upstream release. * debian/copyright: Modify with new location for the embedded copy of zlib. * debian/patches/*: + Adapt patches to new upstream. + Switch to quilt format * debian/source/format: Switch to 3.0 (quilt) format. * debian/rules, debian/control: Stop using dpatch. * debian/patches/38_intel_aes_executable_stack.patch: Removed. An upstream change in version 3.12.4 obsoleted it. * debian/rules: + Remove DEB_{BUILD,HOST}_* variables, they are not used. + Use DEB_BUILD_ARCH_BITS to determine whether to build with USE_64 or not. + Ship more tools in libnss3-tools. Closes: #526267. + Work around gcc 4.4 bug on powerpc with -Os. + Force non parallel build. There are too many race conditions in the build system to support parallel builds. Closes: #536248. + Bump shlibs. * debian/control: + Bump Standards-Version to 3.8.3.0. + Build-depend on dpkg-dev (>= 1.15.4) for DEB_BUILD_ARCH_BITS. + Stricter dependency between libnss3-dev and libnss3-1d. * debian/libnss3-1d.symbols: + Add new symbols. + Remove debian revision for symbols added in 3.12.4. * debian/patches/38_hurd.patch: Fix FTBFS on Hurd due to PATH_MAX usage in unix_rand.c. Closes: #550995. -- Mike Hommey Fri, 18 Dec 2009 11:48:14 +0100 nss (3.12.4-1) unstable; urgency=low * New upstream release. * debian/patches/38_kbsd.dpatch: + Use CHECK_FORK_PTHREAD on kfreebsd and hurd. Closes: #547301. + Adapt to upstream changes. * debian/patches/95_add_spi+cacert_ca_certs.dpatch, * debian/patches/81_sonames.dpatch: Adapt to upstream changes. * debian/libnss3-1d.symbols: Update symbols file with new symbols. * debian/rules: Bumped shlibs. -- Mike Hommey Sun, 11 Oct 2009 01:26:14 +0200 nss (3.12.3.1-1) unstable; urgency=low * New upstream release. * debian/patches/95_add_spi+cacert_ca_certs.dpatch, Adapted to upstream changes. -- Mike Hommey Fri, 21 Aug 2009 23:47:24 +0200 nss (3.12.3-1) unstable; urgency=low * New upstream release. * debian/watch: Updated to catch new upstream .bz2 tarballs. * debian/copyright: Add information about mozilla/security/corecond/mkdepend. * debian/patches/38_hurd.dpatch, debian/patches/38_kbsd.dpatch: Adapted to upstream changes. * debian/patches/85_security_load.dpatch: Load libsoftokn3.so from /usr/lib/nss when unable to load it from standard ld.so paths in shlibsign. * debian/rules: + Add debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH when running shlibsign during build. + Bumped shlibs. * debian/libnss3-1d.symbols: Update symbols file with new symbols. * debian/control: + Bumped Standards-Version to 3.8.1.0. No changes needed. + Put the libnss3-1d-dbg package in the "debug" section. + Correct libnss3-1d-dbg short description. + Remove redundant section on libnss3-1d. + Build-depend on proper version of debhelper for dh_lintian. * debian/*.lintian-overrides, debian/rules: Install some Lintian overrides with dh_lintian. * debian/patches/38_intel_aes_executable_stack.dpatch: Indicate that we don't need executable stack in intel-aes.s. * debian/patches/00list: Updated accordingly. -- Mike Hommey Sat, 18 Apr 2009 09:37:31 +0200 nss (3.12.2.with.ckbi.1.73-2) unstable; urgency=low * mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.h: Apply patch from upstream to fix alignment issues on sparc and ia64. Closes: #509930. -- Mike Hommey Mon, 06 Apr 2009 20:24:01 +0200 nss (3.12.2.with.ckbi.1.73-1) unstable; urgency=low * debian/patches/38_kbsd.dpatch: Brown paper bag fix for regression in previous release that led to FTBFS on i386 only. Closes: #513101. Thanks Steffen Joeris, Sebastian Andrzej Siewior and Petr Salinger. * debian/patches/95_add_spi+cacert_ca_certs.dpatch, debian/patches/80_security_tools.dpatch: Adapted to upstream changes. * debian/libnss3-1d.symbols: Update symbols file with new symbols. * debian/rules: Bumped shlibs. -- Mike Hommey Sat, 31 Jan 2009 16:41:26 +0100 nss (3.12.1-1) unstable; urgency=low * New upstream release. * debian/patches/95_add_spi+cacert_ca_certs.dpatch, debian/patches/38_mips64_build.dpatch, debian/patches/38_kbsd.dpatch: Adapted to upstream changes. * debian/libnss3-1d.symbols: Update symbols file with new symbols. * debian/rules: Bumped shlibs. -- Mike Hommey Sat, 20 Dec 2008 12:11:28 +0100 nss (3.12.0-5) unstable; urgency=low * debian/control: + Conflict with libnss3-0d >= 3.11.5, that has conflicting files in /usr/lib/nss. Older versions (those from etch) don't conflict. This makes updates from old testing smoother. Closes: #492332. + Build-depend on libsqlite3-dev >= 3.3.9, since API introduced in this version is used. Closes: #493191. -- Mike Hommey Sun, 03 Aug 2008 09:42:03 +0200 nss (3.12.0-4) unstable; urgency=low * debian/control: Remove conflict with libnss3-0d, it was only useful when libnss3-0d was a transitional package. Closes: #490995. -- Mike Hommey Wed, 16 Jul 2008 21:29:19 +0200 nss (3.12.0-3) unstable; urgency=low * debian/rules: + Enable ECC cypher suite. Closes: #490826. + Build with the same optimization level as upstream. -- Mike Hommey Mon, 14 Jul 2008 17:35:25 +0200 nss (3.12.0-2) unstable; urgency=low * debian/patches/95_add_spi+cacert_ca_certs.dpatch: + Add CAcert root and class 3 certificates to nssckbi module. + Add SPI Inc. certificate to nssckbi module. Thanks to Martin F Krafft for these. Closes: #309564. * debian/patches/00list: Updated accordingly. -- Mike Hommey Sat, 12 Jul 2008 18:26:09 +0200 nss (3.12.0-1) unstable; urgency=low * New upstream release. * debian/patches/92_ocsp.dpatch: Removed, as applied upstream. * debian/patches/00list: Updated accordingly. * debian/control: + Bumped Standards-Version to 3.8.0.1. No changes needed. + Added Vcs-Browser and Vcs-Git fields. + libnss3-dev don't need explicit version dependency on libnss3-1d. + libnss3-dev depends on libnspr4-dev. Closes: #488402. + Make the -dbg package less a hassle for manual installations with dpkg. + libnss3-1d depends on version of dpkg that either don't support symbols files or has fix for #474079. * debian/patches/85_security_load.dpatch: Load files from /usr/lib/nss if given reference path is only a filename, which happens when freebl is statically linked in a binary executable, such as signtool, and the executable is run from $PATH. When the executable is run using a full path, we must replace /bin/ in the path with /lib/ to find the libraries. Closes: #483774. * debian/libnss3-1d.symbols: Re-enable symbols file. -- Mike Hommey Sat, 05 Jul 2008 10:19:53 +0200 nss (3.12.0~rc3-3) unstable; urgency=low * debian/control: Make libnss3-0d conflict with old libnss3, which can still be installed on some systems, though it hasn't been in the archive since sarge. Closes: #485080. -- Mike Hommey Sun, 08 Jun 2008 14:11:13 +0200 nss (3.12.0~rc3-2) unstable; urgency=low * debian/patches/92_ocsp.dpatch: Apply patches from bz433594 and bz#433386, which are applied in upstream RC4 (and are the only changes), to fix crashes under some conditions with OCSP checks. * debian/patches/00list: Updated accordingly. * debian/libnss3-dev.links, debian/libnss3-1d.links: Don't install so files in the -dev package but in the library package. It will allow external applications linked against upstream nss to work on Debian with system nss libraries, and will avoid all browsers to have to implement symlinks themselves to allow some external plugins to work properly. * debian/control: Make libnss3-1d conflict with older versions of libnss3-dev and libnss3-dev need newer libnss3-1d accordingly. -- Mike Hommey Sat, 07 Jun 2008 11:57:55 +0200 nss (3.12.0~rc3-1) unstable; urgency=low * New upstream snapshot, picked from NSS_3_12_RC3 cvs tag. -- Mike Hommey Sun, 11 May 2008 16:58:17 +0200 nss (3.12.0~beta3-1) unstable; urgency=low * New upstream snapshot, picked from NSS_3_12_BETA3 cvs tag. * debian/control: Turn Homepage indications in descriptions into a control field. * debian/patches/91_build_pwdecrypt.dpatch: Enable building and installing pwdecrypt. Thanks Paul Wise. Closes: #472303. * debian/patches/00list: Updated accordingly. * debian/libnss3-1d.symbols: Update symbols file with new symbols and rename the file, so that it isn't used, as a workaround to #474079. Closes: #474007. * debian/rules: Bumped shlibs. -- Mike Hommey Tue, 08 Apr 2008 21:23:53 +0200 nss (3.12.0~beta2-1) unstable; urgency=low * New upstream snapshot, picked from NSS_3_12_BETA2 cvs tag. * debian/patches/10_3.11.7_symbol_fix.dpatch: Removed, as applied upstream. * debian/patches/38_kbsd.dpatch: Adapted to upstream changes. * debian/patches/81_sonames.dpatch: Add SO_VERSION to libnssutil3. * debian/libnss3-dev.links: Add link for libnssutil3. * debian/libnss3-1d.symbols: Update symbols file with new symbols. Note that SEC_StringToOID disappeared (well, was moved to nssutil), compared to version 3.12.0~1.9b1, but it was a new symbol, and isn't used anywhere. * debian/nss.pc.in, debian/nss-config.in: Add libnssutil3 support. * debian/rules: + Bumped shlibs. + Don't generate libsoftokn3.so.0d. * debian/control: + Remove transitional libnss3-0d package. + Bumped Standards-Version to 3.7.3.0. No changes needed. + Build depend on libnspr4-dev >= 4.7.0 (we *do* need the RTM version, and not the preceding betas) * debian/libnss3-0d.*: Removed. * debian/patches/85_security_load.dpatch: Load files from $ORIGIN/nss before those of $ORIGIN. Closes: #469079. * debian/patches/38_hurd.dpatch: Fix FTBFS on Hurd because of MAXPATHLEN. Closes: #419529. * debian/patches/00list: Updated accordingly. -- Mike Hommey Fri, 07 Mar 2008 21:27:54 +0100 nss (3.12.0~1.9b1-2) unstable; urgency=low * debian/control: libnss3-1-dbg needs to conflict with older libnss3-0d-dbg, as it overwrites so of its files. Closes: #455875. * debian/patches/90_realpath.dpatch: Use realpath() in loader_GetOriginalPathname, so that symlinks are properly followed when determining where the current library lives. * debian/patches/00list: Updated accordingly. * debian/patches/85_security_load.dpatch: When the module given by the caller contains a directory name, remove it so that the module can be properly loaded. Closes: #456296. -- Mike Hommey Sun, 16 Dec 2007 11:06:03 +0100 nss (3.12.0~1.9b1-1) unstable; urgency=low * New upstream snapshot, picked from FIREFOX_3_0b1_RELEASE cvs tag. * debian/copyright: Add licensing information about the recently added sqlite copy in the source tree. * debian/control: + Build depend on libsqlite3-dev. + Rename all -0d packages to -1d, but keep a transitional -0d package, since all libraries are compatible (except for the removed one). + Make libnss3-1d conflict with older libnss3-0d. * debian/patches/38_kbsd.dpatch, debian/patches/81_sonames.dpatch: Adapted to upstream changes. * debian/patches/81_sonames.dpatch: + Remove SO version from libsoftokn3, now it is not linked against anymore, but dlloaded. + Remove the hacks to have shlibsign and the signature verification code handle the SO version in the file name. + Bump SO version to 1d. * debian/rules: + Add NSS_USE_SYSTEM_SQLITE=1 to the make options. + Install libsoftokn3 and the new libnssdbm3 in /usr/lib/nss. + Run shlibsign on libsoftokn3 in /usr/lib/nss, without a SO version. + For some reason, build-stamp was missing in install-stamp dependencies. + Bumped shlibs because of new symbols, and pass -c4 to dpkg-gensymbols, so that it fails in all cases where the symbols file is not up to date. + Adapt upstream version pattern matching so that the ~1.9b1 part is removed. + Install .1d libraries in -1d packages. + Create a dummy libsoftokn3.so.0d library, installed in the libnss3-0d package. * debian/libnss3-0d.links: + Remove links in /usr/lib/xulrunner. The workaround they were implementing is going to be done another way. + Add .0d links to .1d libraries. * debian/libnss3-dev.links: + Don't put a symlink for libsoftokn3. + .so files now link to .1d libraries. * debian/patches/80_security_build.dpatch: Remove the hack to load libfreebl from /usr/lib/nss. * debian/patches/85_security_load.dpatch: Load modules from $ORIGIN/nss. * debian/patches/10_3.11.7_symbol_fix.dpatch: Fix a symbol version. Stolen from bz#325672. * debian/patches/00list: Updated accordingly. * debian/libnss3-0d.dirs: Renamed to libnss3-1d.dirs. -- Mike Hommey Sat, 08 Dec 2007 10:53:02 +0100 nss (3.11.7-1) unstable; urgency=low * New upstream release, picked from NSS_3_11_7_RTM cvs tag. * debian/patches/38_kbsd.dpatch: Also add support for the Hurd. Closes: #419529. * debian/rules: + Don't fail on clean with unpatched ruleset. Closes: #421542. + Bumped shlibs because of new symbols. * debian/patches/81_sonames.dpatch: Adapted to upstream changes. -- Mike Hommey Sun, 01 Jul 2007 11:29:06 +0200 nss (3.11.5-3) unstable; urgency=low * Upload to unstable. -- Mike Hommey Mon, 09 Apr 2007 20:37:25 +0200 nss (3.11.5-2) experimental; urgency=low * debian/rules: + Cleaner way to set the NSPR location. + Install libcrmf.a files in libnss3-dev. + binary-indep now does nothing. * debian/control: Make libnss3-dev an Arch: any package. * debian/nss.pc.in: + Remove libsoftokn3 from ld libraries. + Improvement in directories setting. * debian/libnss3-dev.dirs: Create /usr/bin. * debian/nss-config.in, debian/rules: Install a nss-config script into libnss3-dev. -- Mike Hommey Tue, 27 Mar 2007 20:41:11 +0200 nss (3.11.5-1) experimental; urgency=low * Initial release. (Closes: #416151) -- Mike Hommey Sun, 25 Mar 2007 23:56:17 +0200 debian/nss.pc.in0000664000000000000000000000043212234360534010725 0ustar prefix=/usr exec_prefix=${prefix} libdir=${exec_prefix}/lib/@DEB_HOST_MULTIARCH@ includedir=${prefix}/include/nss Name: NSS Description: Mozilla Network Security Services Version: @VERSION@ Requires: nspr Libs: -L${libdir} -lnss3 -lnssutil3 -lsmime3 -lssl3 Cflags: -I${includedir} debian/libnss3-1d.links.in0000664000000000000000000000053012234360534012516 0ustar usr/lib/@DEB_HOST_MULTIARCH@/libnss3.so usr/lib/@DEB_HOST_MULTIARCH@/libnss3.so.1d usr/lib/@DEB_HOST_MULTIARCH@/libnssutil3.so usr/lib/@DEB_HOST_MULTIARCH@/libnssutil3.so.1d usr/lib/@DEB_HOST_MULTIARCH@/libsmime3.so usr/lib/@DEB_HOST_MULTIARCH@/libsmime3.so.1d usr/lib/@DEB_HOST_MULTIARCH@/libssl3.so usr/lib/@DEB_HOST_MULTIARCH@/libssl3.so.1d debian/pkcs11.txt0000664000000000000000000000070112264616670011043 0ustar library=libnsssysinit.so name=NSS Internal PKCS #11 Module parameters=configdir='sql:/var/lib/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) debian/source/0000775000000000000000000000000012234360534010472 5ustar debian/source/format0000664000000000000000000000001412234360534011700 0ustar 3.0 (quilt) debian/compat0000664000000000000000000000000212234360534010370 0ustar 9 debian/libnss3-tools.lintian-overrides0000664000000000000000000000025012234360534015262 0ustar # License says GPL 2 or subsequent, so pointing to the latest version is fine libnss3-tools: copyright-refers-to-versionless-license-file usr/share/common-licenses/GPL debian/libnss3-dbg.lintian-overrides0000664000000000000000000000024612234360534014663 0ustar # License says GPL 2 or subsequent, so pointing to the latest version is fine libnss3-dbg: copyright-refers-to-versionless-license-file usr/share/common-licenses/GPL debian/libnss3-dev.dirs0000664000000000000000000000003012234360534012177 0ustar usr/bin usr/include/nss debian/patches/0000775000000000000000000000000012317015721010616 5ustar debian/patches/95_add_spi_certs.patch0000664000000000000000000003117512301374060014763 0ustar Description: Adds the SPI Inc. CA certificates Origin: edited version of 95_add_spi+cacert_ca_certs.patch in Debian's nss Index: nss-3.15.4/nss/lib/ckfw/builtins/certdata.txt =================================================================== --- nss-3.15.4.orig/nss/lib/ckfw/builtins/certdata.txt 2014-02-20 07:36:53.528213036 -0500 +++ nss-3.15.4/nss/lib/ckfw/builtins/certdata.txt 2014-02-20 07:38:15.800215240 -0500 @@ -28969,3 +28969,212 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "Software in the Public Interest, Inc. Root CA (2008)" +# +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Software in the Public Interest, Inc. Root CA (2008)" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\201\274\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\020\060\016\006\003\125\004\010\023\007\111\156\144\151\141 +\156\141\061\025\060\023\006\003\125\004\007\023\014\111\156\144 +\151\141\156\141\160\157\154\151\163\061\050\060\046\006\003\125 +\004\012\023\037\123\157\146\164\167\141\162\145\040\151\156\040 +\164\150\145\040\120\165\142\154\151\143\040\111\156\164\145\162 +\145\163\164\061\023\060\021\006\003\125\004\013\023\012\150\157 +\163\164\155\141\163\164\145\162\061\036\060\034\006\003\125\004 +\003\023\025\103\145\162\164\151\146\151\143\141\164\145\040\101 +\165\164\150\157\162\151\164\171\061\045\060\043\006\011\052\206 +\110\206\367\015\001\011\001\026\026\150\157\163\164\155\141\163 +\164\145\162\100\163\160\151\055\151\156\143\056\157\162\147 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\201\274\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\020\060\016\006\003\125\004\010\023\007\111\156\144\151\141 +\156\141\061\025\060\023\006\003\125\004\007\023\014\111\156\144 +\151\141\156\141\160\157\154\151\163\061\050\060\046\006\003\125 +\004\012\023\037\123\157\146\164\167\141\162\145\040\151\156\040 +\164\150\145\040\120\165\142\154\151\143\040\111\156\164\145\162 +\145\163\164\061\023\060\021\006\003\125\004\013\023\012\150\157 +\163\164\155\141\163\164\145\162\061\036\060\034\006\003\125\004 +\003\023\025\103\145\162\164\151\146\151\143\141\164\145\040\101 +\165\164\150\157\162\151\164\171\061\045\060\043\006\011\052\206 +\110\206\367\015\001\011\001\026\026\150\157\163\164\155\141\163 +\164\145\162\100\163\160\151\055\151\156\143\056\157\162\147 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\011\000\350\216\266\311\370\052\024\050 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\010\016\060\202\005\366\240\003\002\001\002\002\011\000 +\350\216\266\311\370\052\024\050\060\015\006\011\052\206\110\206 +\367\015\001\001\005\005\000\060\201\274\061\013\060\011\006\003 +\125\004\006\023\002\125\123\061\020\060\016\006\003\125\004\010 +\023\007\111\156\144\151\141\156\141\061\025\060\023\006\003\125 +\004\007\023\014\111\156\144\151\141\156\141\160\157\154\151\163 +\061\050\060\046\006\003\125\004\012\023\037\123\157\146\164\167 +\141\162\145\040\151\156\040\164\150\145\040\120\165\142\154\151 +\143\040\111\156\164\145\162\145\163\164\061\023\060\021\006\003 +\125\004\013\023\012\150\157\163\164\155\141\163\164\145\162\061 +\036\060\034\006\003\125\004\003\023\025\103\145\162\164\151\146 +\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061 +\045\060\043\006\011\052\206\110\206\367\015\001\011\001\026\026 +\150\157\163\164\155\141\163\164\145\162\100\163\160\151\055\151 +\156\143\056\157\162\147\060\036\027\015\060\070\060\065\061\063 +\060\070\060\067\065\066\132\027\015\061\070\060\065\061\061\060 +\070\060\067\065\066\132\060\201\274\061\013\060\011\006\003\125 +\004\006\023\002\125\123\061\020\060\016\006\003\125\004\010\023 +\007\111\156\144\151\141\156\141\061\025\060\023\006\003\125\004 +\007\023\014\111\156\144\151\141\156\141\160\157\154\151\163\061 +\050\060\046\006\003\125\004\012\023\037\123\157\146\164\167\141 +\162\145\040\151\156\040\164\150\145\040\120\165\142\154\151\143 +\040\111\156\164\145\162\145\163\164\061\023\060\021\006\003\125 +\004\013\023\012\150\157\163\164\155\141\163\164\145\162\061\036 +\060\034\006\003\125\004\003\023\025\103\145\162\164\151\146\151 +\143\141\164\145\040\101\165\164\150\157\162\151\164\171\061\045 +\060\043\006\011\052\206\110\206\367\015\001\011\001\026\026\150 +\157\163\164\155\141\163\164\145\162\100\163\160\151\055\151\156 +\143\056\157\162\147\060\202\002\042\060\015\006\011\052\206\110 +\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002 +\012\002\202\002\001\000\334\066\346\107\102\302\304\121\165\051 +\207\100\303\330\216\041\006\322\030\116\353\357\040\275\220\074 +\205\020\023\214\051\133\224\143\366\364\055\361\006\102\221\271 +\031\304\102\151\010\277\213\066\105\352\050\005\063\111\110\240 +\047\103\223\065\212\101\330\170\263\360\357\263\156\055\335\321 +\313\175\352\364\165\046\323\076\220\072\356\327\347\054\004\265 +\174\341\365\174\305\116\357\167\275\134\242\223\063\222\316\175 +\201\110\317\153\265\042\054\010\203\375\323\325\317\073\055\375 +\265\111\220\133\366\255\115\023\312\336\323\246\235\123\121\161 +\143\106\370\112\026\134\230\356\055\155\232\026\241\166\220\342 +\140\103\231\326\211\326\154\056\172\230\262\013\003\054\343\172 +\117\307\335\343\314\343\112\152\215\171\122\372\364\301\257\056 +\217\052\010\313\033\051\202\222\162\103\274\316\210\251\252\247 +\212\121\103\125\205\232\067\003\170\223\310\360\275\264\101\310 +\007\102\232\313\065\227\172\212\201\145\336\035\124\010\001\361 +\144\134\267\027\032\121\274\036\303\131\207\166\030\026\230\356 +\277\366\147\201\213\006\065\305\113\155\131\031\307\322\306\110 +\276\156\024\050\203\112\020\234\033\365\157\274\251\216\365\151 +\376\262\301\125\314\347\024\311\371\133\024\123\121\007\352\316 +\075\344\117\050\037\074\141\011\327\063\322\156\247\156\324\307 +\023\011\157\153\135\024\356\235\211\033\245\152\362\366\370\320 +\162\216\352\162\037\057\064\152\051\012\305\012\354\034\100\205 +\022\367\246\245\323\117\255\300\205\214\114\174\163\040\314\123 +\030\361\262\130\114\001\365\277\352\144\325\134\071\305\316\154 +\314\123\132\126\272\101\017\045\337\153\120\266\307\212\240\275 +\002\302\305\073\125\245\262\144\042\204\121\050\126\256\061\356 +\136\373\013\026\115\106\005\221\200\104\355\254\155\360\127\250 +\372\353\141\110\240\313\033\263\037\216\315\305\041\167\003\204 +\036\374\254\243\103\010\143\214\355\371\047\357\264\260\135\147 +\326\117\355\320\213\076\135\133\311\221\275\226\002\204\075\305 +\115\274\102\077\164\375\074\135\254\134\110\066\136\207\061\057 +\030\154\304\150\356\241\213\311\131\320\030\343\000\200\263\124 +\047\056\231\360\025\123\002\003\001\000\001\243\202\002\017\060 +\202\002\013\060\035\006\003\125\035\016\004\026\004\024\064\161 +\321\070\327\025\066\203\107\153\327\067\144\102\073\216\215\122 +\235\253\060\201\361\006\003\125\035\043\004\201\351\060\201\346 +\200\024\064\161\321\070\327\025\066\203\107\153\327\067\144\102 +\073\216\215\122\235\253\241\201\302\244\201\277\060\201\274\061 +\013\060\011\006\003\125\004\006\023\002\125\123\061\020\060\016 +\006\003\125\004\010\023\007\111\156\144\151\141\156\141\061\025 +\060\023\006\003\125\004\007\023\014\111\156\144\151\141\156\141 +\160\157\154\151\163\061\050\060\046\006\003\125\004\012\023\037 +\123\157\146\164\167\141\162\145\040\151\156\040\164\150\145\040 +\120\165\142\154\151\143\040\111\156\164\145\162\145\163\164\061 +\023\060\021\006\003\125\004\013\023\012\150\157\163\164\155\141 +\163\164\145\162\061\036\060\034\006\003\125\004\003\023\025\103 +\145\162\164\151\146\151\143\141\164\145\040\101\165\164\150\157 +\162\151\164\171\061\045\060\043\006\011\052\206\110\206\367\015 +\001\011\001\026\026\150\157\163\164\155\141\163\164\145\162\100 +\163\160\151\055\151\156\143\056\157\162\147\202\011\000\350\216 +\266\311\370\052\024\050\060\017\006\003\125\035\023\001\001\377 +\004\005\060\003\001\001\377\060\021\006\011\140\206\110\001\206 +\370\102\001\001\004\004\003\002\000\007\060\011\006\003\125\035 +\022\004\002\060\000\060\056\006\011\140\206\110\001\206\370\102 +\001\015\004\041\026\037\123\157\146\164\167\141\162\145\040\151 +\156\040\164\150\145\040\120\165\142\154\151\143\040\111\156\164 +\145\162\145\163\164\060\060\006\011\140\206\110\001\206\370\102 +\001\004\004\043\026\041\150\164\164\160\163\072\057\057\143\141 +\056\163\160\151\055\151\156\143\056\157\162\147\057\143\141\055 +\143\162\154\056\160\145\155\060\062\006\011\140\206\110\001\206 +\370\102\001\003\004\045\026\043\150\164\164\160\163\072\057\057 +\143\141\056\163\160\151\055\151\156\143\056\157\162\147\057\143 +\145\162\164\055\143\162\154\056\160\145\155\060\041\006\003\125 +\035\021\004\032\060\030\201\026\150\157\163\164\155\141\163\164 +\145\162\100\163\160\151\055\151\156\143\056\157\162\147\060\016 +\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\015 +\006\011\052\206\110\206\367\015\001\001\005\005\000\003\202\002 +\001\000\264\315\275\340\271\352\262\003\053\176\062\351\336\162 +\077\311\113\202\136\235\342\257\125\011\242\014\124\350\317\030 +\074\050\040\035\251\273\003\002\057\122\071\042\371\027\317\255 +\147\220\263\003\177\330\025\343\153\176\273\233\126\001\257\065 +\324\332\271\307\147\027\233\324\325\016\067\263\040\101\056\014 +\001\304\133\371\145\076\302\141\350\322\360\152\225\160\303\306 +\157\325\065\244\254\131\162\341\211\337\241\240\235\044\275\051 +\171\351\141\052\331\323\036\311\106\244\010\170\101\222\162\017 +\253\024\165\355\011\360\242\360\134\357\303\012\142\040\267\302 +\050\146\256\114\057\056\217\105\143\046\226\360\356\061\346\213 +\125\233\252\072\371\202\071\035\210\074\342\007\165\032\341\017 +\261\060\274\161\062\322\072\376\372\241\211\363\103\054\326\162 +\304\171\247\025\110\005\300\330\055\162\002\343\313\075\026\152 +\272\311\270\021\020\342\111\205\314\226\107\140\005\045\056\357 +\165\131\063\365\107\031\026\357\332\154\137\007\310\246\120\266 +\035\313\146\064\045\374\146\203\353\305\266\060\101\370\106\104 +\142\250\301\014\124\346\352\114\132\050\346\256\306\267\376\177 +\073\226\250\056\356\307\150\076\335\000\075\051\257\052\143\253 +\137\356\111\052\055\305\334\373\321\306\323\321\227\126\122\206 +\266\224\353\324\140\121\267\374\036\233\314\002\233\324\037\217 +\371\112\217\266\056\050\073\027\314\305\246\005\343\322\323\265 +\306\003\311\341\110\102\233\313\077\344\027\340\376\015\001\225 +\011\272\270\015\161\344\011\160\167\102\330\115\341\102\251\140 +\203\327\027\211\103\322\324\335\247\030\266\253\324\044\045\207 +\265\324\342\374\056\042\151\275\255\150\054\377\162\265\230\252 +\006\234\347\052\152\270\241\223\166\316\260\363\177\234\341\340 +\117\270\330\206\106\245\063\002\054\045\141\067\052\222\310\254 +\201\164\150\143\207\063\166\275\005\177\136\325\325\002\155\275 +\257\377\052\132\252\111\354\230\171\107\123\221\366\016\064\132 +\311\245\306\353\262\343\305\254\266\240\160\065\273\310\121\151 +\320\362\265\242\062\156\274\077\240\067\071\174\161\066\246\005 +\337\014\022\344\026\247\305\326\313\143\243\225\160\077\346\004 +\243\140 +END + +# Trust for Certificate "Software in the Public Interest, Inc. Root CA (2008)" +CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "Software in the Public Interest, Inc. Root CA (2008)" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\257\160\210\103\203\202\002\025\315\141\306\274\354\375\067\044 +\251\220\103\034 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\052\107\237\140\273\203\164\157\001\003\327\013\015\366\015\170 +END +CKA_ISSUER MULTILINE_OCTAL +\060\201\274\061\013\060\011\006\003\125\004\006\023\002\125\123 +\061\020\060\016\006\003\125\004\010\023\007\111\156\144\151\141 +\156\141\061\025\060\023\006\003\125\004\007\023\014\111\156\144 +\151\141\156\141\160\157\154\151\163\061\050\060\046\006\003\125 +\004\012\023\037\123\157\146\164\167\141\162\145\040\151\156\040 +\164\150\145\040\120\165\142\154\151\143\040\111\156\164\145\162 +\145\163\164\061\023\060\021\006\003\125\004\013\023\012\150\157 +\163\164\155\141\163\164\145\162\061\036\060\034\006\003\125\004 +\003\023\025\103\145\162\164\151\146\151\143\141\164\145\040\101 +\165\164\150\157\162\151\164\171\061\045\060\043\006\011\052\206 +\110\206\367\015\001\011\001\026\026\150\157\163\164\155\141\163 +\164\145\162\100\163\160\151\055\151\156\143\056\157\162\147 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\011\000\350\216\266\311\370\052\024\050 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE debian/patches/series0000664000000000000000000000025112317015400012023 0ustar 38_hurd.patch 38_kbsd.patch 38_x32.patch 80_security_tools.patch 85_security_load.patch 95_add_spi_certs.patch 97_SSL_RENEGOTIATE_TRANSITIONAL.patch CVE-2014-1492.patch debian/patches/85_security_load.patch0000664000000000000000000000665612241531406015035 0ustar ## 85_security_load.patch by Mike Hommey ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Load modules from $ORIGIN/nss. Index: nss/nss/cmd/shlibsign/shlibsign.c =================================================================== --- nss.orig/nss/cmd/shlibsign/shlibsign.c 2013-08-05 14:40:31.041657554 +0900 +++ nss/nss/cmd/shlibsign/shlibsign.c 2013-08-05 14:40:31.033657739 +0900 @@ -851,6 +851,8 @@ libname = PR_GetLibraryName(NULL, "softokn3"); assert(libname != NULL); lib = PR_LoadLibrary(libname); + if (!lib) + lib = PR_LoadLibrary("/usr/lib/nss/libsoftokn3.so"); assert(lib != NULL); PR_FreeLibraryName(libname); Index: nss/nss/lib/pk11wrap/pk11load.c =================================================================== --- nss.orig/nss/lib/pk11wrap/pk11load.c 2013-08-05 14:40:31.041657554 +0900 +++ nss/nss/lib/pk11wrap/pk11load.c 2013-08-05 14:40:31.033657739 +0900 @@ -406,6 +406,13 @@ * unload the library if anything goes wrong from here on out... */ library = PR_LoadLibrary(mod->dllName); + if ((library == NULL) && + !rindex(mod->dllName, PR_GetDirectorySeparator())) { + library = PORT_LoadLibraryFromOrigin(my_shlib_name, + (PRFuncPtr) &softoken_LoadDSO, + mod->dllName); + } + mod->library = (void *)library; if (library == NULL) { Index: nss/nss/lib/util/secload.c =================================================================== --- nss.orig/nss/lib/util/secload.c 2013-08-05 14:40:31.041657554 +0900 +++ nss/nss/lib/util/secload.c 2013-08-05 14:40:31.033657739 +0900 @@ -69,9 +69,14 @@ /* Remove the trailing filename from referencePath and add the new one */ c = strrchr(referencePath, PR_GetDirectorySeparator()); + if (!c) { /* referencePath doesn't contain a / means that dladdr gave us argv[0] + * and program was called from $PATH. Hack to get libs from /usr/lib */ + referencePath = "/usr/lib/"; + c = &referencePath[8]; /* last / */ + } if (c) { size_t referencePathSize = 1 + c - referencePath; - fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 1); + fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 5); if (fullName) { memcpy(fullName, referencePath, referencePathSize); strcpy(fullName + referencePathSize, name); @@ -81,6 +86,12 @@ #endif libSpec.type = PR_LibSpec_Pathname; libSpec.value.pathname = fullName; + if ((referencePathSize >= 4) && + (strncmp(fullName + referencePathSize - 4, "bin", 3) == 0)) { + memcpy(fullName + referencePathSize -4, "lib", 3); + } + strcpy(fullName + referencePathSize, "nss/"); + strcpy(fullName + referencePathSize + 4, name); dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL #ifdef PR_LD_ALT_SEARCH_PATH /* allow library's dependencies to be found in the same directory @@ -88,6 +99,10 @@ | PR_LD_ALT_SEARCH_PATH #endif ); + if (! dlh) { + strcpy(fullName + referencePathSize, name); + dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL); + } PORT_Free(fullName); } } debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch0000664000000000000000000000167012241531406016437 0ustar Enable transitional scheme for ssl renegotiation: (from nss/lib/ssl/ssl.h) Disallow unsafe renegotiation in server sockets only, but allow clients to continue to renegotiate with vulnerable servers. This value should only be used during the transition period when few servers have been upgraded. Index: nss/nss/lib/ssl/sslsock.c =================================================================== --- nss.orig/nss/lib/ssl/sslsock.c 2013-10-21 08:03:16.836020806 +0900 +++ nss/nss/lib/ssl/sslsock.c 2013-10-21 08:03:16.832020901 +0900 @@ -74,7 +74,7 @@ PR_FALSE, /* noLocks */ PR_FALSE, /* enableSessionTickets */ PR_FALSE, /* enableDeflate */ - 2, /* enableRenegotiation (default: requires extension) */ + 3, /* enableRenegotiation (default: transitional) */ PR_FALSE, /* requireSafeNegotiation */ PR_FALSE, /* enableFalseStart */ PR_TRUE, /* cbcRandomIV */ debian/patches/38_x32.patch0000664000000000000000000000232112270242117012562 0ustar Index: b/nss/coreconf/Linux.mk =================================================================== --- a/nss/coreconf/Linux.mk +++ b/nss/coreconf/Linux.mk @@ -55,6 +55,10 @@ ifeq ($(OS_TEST),x86_64) ifeq ($(USE_64),1) CPU_ARCH = x86_64 + ARCHFLAG = -m64 +else ifeq ($(USE_x32),1) + CPU_ARCH = x86_64 + ARCHFLAG = -mx32 else OS_REL_CFLAGS = -Di386 CPU_ARCH = x86 Index: b/nss/lib/freebl/Makefile =================================================================== --- a/nss/lib/freebl/Makefile +++ b/nss/lib/freebl/Makefile @@ -97,6 +97,8 @@ DEFINES += -DNSS_X86_OR_X64 ifdef USE_64 DEFINES += -DNSS_X64 +else ifdef USE_x32 + DEFINES += -DNSS_X64 else DEFINES += -DNSS_X86 endif @@ -179,6 +181,9 @@ ifeq ($(OS_TARGET),Linux) ifeq ($(CPU_ARCH),x86_64) + ifeq ($(USE_x32),1) + DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN + else ASFILES = arcfour-amd64-gas.s mpi_amd64_gas.s ASFLAGS += -m64 -fPIC -Wa,--noexecstack DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY @@ -191,6 +196,7 @@ EXTRA_SRCS += intel-gcm-wrap.c INTEL_GCM = 1 MPI_SRCS += mpi_amd64.c mp_comba.c + endif endif ifeq ($(CPU_ARCH),x86) ASFILES = mpi_x86.s debian/patches/80_security_tools.patch0000664000000000000000000000154412241531406015240 0ustar ## 80_security_tools.patch by Mike Hommey ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Enable building of some NSS tools. ## DP: Disable rpath. Index: nss/nss/cmd/platlibs.mk =================================================================== --- nss.orig/nss/cmd/platlibs.mk 2013-06-15 19:11:44.412435015 +0900 +++ nss/nss/cmd/platlibs.mk 2013-06-15 19:11:44.408435138 +0900 @@ -8,6 +8,7 @@ # set RPATH-type linker instructions here so they can be used in the shared # version and in the mixed (static nss libs/shared NSPR libs) version. +ifdef ENABLE_RPATH ifeq ($(OS_ARCH), SunOS) ifeq ($(USE_64), 1) EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1/64:/usr/lib/mps/64' @@ -31,6 +32,7 @@ else DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) endif +endif ifdef USE_STATIC_LIBS debian/patches/38_kbsd.patch0000664000000000000000000001260212264613724013105 0ustar ## 38_kbsd.patch by Petr Salinger ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: GNU/kFreeBSD support. bz#356011 ## DP: Added Hurd support. Index: nss/nss/lib/freebl/unix_rand.c =================================================================== --- nss.orig/nss/lib/freebl/unix_rand.c 2014-01-13 07:31:45.939967858 +0900 +++ nss/nss/lib/freebl/unix_rand.c 2014-01-13 07:31:45.935967956 +0900 @@ -156,7 +156,8 @@ #if defined(SCO) || defined(UNIXWARE) || defined(BSDI) || defined(FREEBSD) \ || defined(NETBSD) || defined(DARWIN) || defined(OPENBSD) \ - || defined(NTO) || defined(__riscos__) + || defined(NTO) || defined(__riscos__) || defined(__GNU__) \ + || defined(__FreeBSD_kernel__) || defined(__NetBSD_kernel__) #include #define getdtablesize() sysconf(_SC_OPEN_MAX) Index: nss/nss/lib/softoken/softoken.h =================================================================== --- nss.orig/nss/lib/softoken/softoken.h 2014-01-13 07:31:45.939967858 +0900 +++ nss/nss/lib/softoken/softoken.h 2014-01-13 07:31:45.935967956 +0900 @@ -197,7 +197,7 @@ #define CHECK_FORK_MIXED -#elif defined(LINUX) +#elif defined(LINUX) || defined (__GLIBC__) #define CHECK_FORK_PTHREAD Index: nss/nss/lib/ssl/sslmutex.c =================================================================== --- nss.orig/nss/lib/ssl/sslmutex.c 2014-01-13 07:31:45.939967858 +0900 +++ nss/nss/lib/ssl/sslmutex.c 2014-01-13 07:31:45.935967956 +0900 @@ -56,7 +56,7 @@ return SECSuccess; } -#if defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) +#if defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) || defined(__GLIBC__) #include #include Index: nss/nss/lib/ssl/sslmutex.h =================================================================== --- nss.orig/nss/lib/ssl/sslmutex.h 2014-01-13 07:31:45.939967858 +0900 +++ nss/nss/lib/ssl/sslmutex.h 2014-01-13 07:31:45.935967956 +0900 @@ -50,7 +50,7 @@ typedef int sslPID; -#elif defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) +#elif defined(LINUX) || defined(AIX) || defined(BEOS) || defined(BSDI) || (defined(NETBSD) && __NetBSD_Version__ < 500000000) || defined(OPENBSD) || defined(__GLIBC__) #include #include "prtypes.h" Index: nss/nss/coreconf/arch.mk =================================================================== --- nss.orig/nss/coreconf/arch.mk 2014-01-13 07:31:45.939967858 +0900 +++ nss/nss/coreconf/arch.mk 2014-01-13 07:31:45.935967956 +0900 @@ -122,6 +122,14 @@ ifneq ($(words $(OS_RELEASE)),1) OS_RELEASE := $(word 1,$(OS_RELEASE)).$(word 2,$(OS_RELEASE)) endif + KERNEL = linux +endif + +# This check must be last. Since all uses of OS_ARCH that follow affect only +# userland, we can merge other Glibc systems with Linux here. +ifneq (, $(filter GNU GNU_%, $(OS_ARCH))) +OS_ARCH = Linux +OS_RELEASE = 2.6 endif # Index: nss/nss/coreconf/Linux.mk =================================================================== --- nss.orig/nss/coreconf/Linux.mk 2014-01-13 07:31:45.939967858 +0900 +++ nss/nss/coreconf/Linux.mk 2014-01-13 07:31:45.935967956 +0900 @@ -93,7 +93,7 @@ LIBC_TAG = _glibc endif -ifeq ($(OS_RELEASE),2.0) +ifeq ($(KERNEL)-$(OS_RELEASE),linux-2.0) OS_REL_CFLAGS += -DLINUX2_0 MKSHLIB = $(CC) -shared -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH) ifdef MAPFILE @@ -128,14 +128,21 @@ # -ansi on platforms like Android where the system headers are C99 and do # not build with -ansi. STANDARDS_CFLAGS = -D_POSIX_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE -OS_CFLAGS = $(STANDARDS_CFLAGS) $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR +OS_CFLAGS = $(STANDARDS_CFLAGS) $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DHAVE_STRERROR +ifeq ($(KERNEL),linux) +OS_CFLAGS += -DLINUX -Dlinux +endif OS_LIBS = $(OS_PTHREAD) -ldl -lc ifdef USE_PTHREADS DEFINES += -D_REENTRANT endif -ARCH = linux +ifeq ($(KERNEL),linux) + ARCH = linux +else + ARCH = gnu +endif DSO_CFLAGS = -fPIC DSO_LDOPTS = -shared $(ARCHFLAG) @@ -152,7 +159,7 @@ LDFLAGS += -Wl,-rpath-link,/usr/lib:/lib endif -# INCLUDES += -I/usr/include -Y/usr/include/linux +# INCLUDES += -I/usr/include G++INCLUDES = -I/usr/include/g++ # @@ -187,7 +194,9 @@ endif endif +ifeq ($(KERNEL), linux) OS_REL_CFLAGS += -DLINUX2_1 +endif MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH) ifdef MAPFILE Index: nss/nss/coreconf/config.mk =================================================================== --- nss.orig/nss/coreconf/config.mk 2014-01-13 07:31:45.939967858 +0900 +++ nss/nss/coreconf/config.mk 2014-01-13 07:31:45.935967956 +0900 @@ -31,7 +31,7 @@ ####################################################################### TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \ - AIX RISCOS WINNT WIN95 Linux Android + AIX RISCOS WINNT WIN95 Linux Android GNU GNU_% ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET))) include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk debian/patches/38_hurd.patch0000664000000000000000000000345712264613721013131 0ustar ## 38_hurd.patch by ## ## All lines beginning with `## DP:' are a description of the patch. ## DP: Fix FTBFS on Hurd because of MAXPATHLEN Index: nss/nss/cmd/shlibsign/shlibsign.c =================================================================== --- nss.orig/nss/cmd/shlibsign/shlibsign.c 2014-01-13 07:31:42.212057898 +0900 +++ nss/nss/cmd/shlibsign/shlibsign.c 2014-01-13 07:31:42.208057994 +0900 @@ -706,7 +706,6 @@ #ifdef USES_LINKS int ret; struct stat stat_buf; - char link_buf[MAXPATHLEN+1]; char *link_file = NULL; #endif @@ -1034,10 +1033,22 @@ } if (S_ISLNK(stat_buf.st_mode)) { char *dirpath,*dirend; - ret = readlink(input_file, link_buf, sizeof(link_buf) - 1); - if (ret < 0) { - perror(input_file); - goto cleanup; + char *link_buf = NULL; + size_t size = 64; + while (1) { + link_buf = realloc(link_buf, size); + if (!link_buf) { + perror(input_file); + goto cleanup; + } + ret = readlink(input_file, link_buf, size - 1); + if (ret < 0) { + perror(input_file); + goto cleanup; + } + if (ret < size - 1) + break; + size *= 2; } link_buf[ret] = 0; link_file = mkoutput(input_file); Index: nss/nss/lib/freebl/unix_rand.c =================================================================== --- nss.orig/nss/lib/freebl/unix_rand.c 2014-01-13 07:31:42.212057898 +0900 +++ nss/nss/lib/freebl/unix_rand.c 2014-01-13 07:31:42.208057994 +0900 @@ -1031,6 +1031,10 @@ #define _POSIX_PTHREAD_SEMANTICS #include +#ifndef PATH_MAX +#define PATH_MAX 1024 +#endif + PRBool ReadFileOK(char *dir, char *file) { debian/patches/CVE-2014-1492.patch0000664000000000000000000000401412317015720013233 0ustar Description: fix incorrect IDNA wildcard handling Origin: upstream, https://hg.mozilla.org/projects/nss/rev/15ea62260c21 Origin: upstream, https://hg.mozilla.org/projects/nss/rev/2ffa40a3ff55 Origin: upstream, https://hg.mozilla.org/projects/nss/rev/709d4e597979 Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=903885 Index: nss-3.15.4/nss/lib/certdb/certdb.c =================================================================== --- nss-3.15.4.orig/nss/lib/certdb/certdb.c 2014-01-03 14:59:10.000000000 -0500 +++ nss-3.15.4/nss/lib/certdb/certdb.c 2014-04-02 10:13:42.488039726 -0400 @@ -1381,7 +1381,7 @@ return rv; } } else { - /* New approach conforms to RFC 2818. */ + /* New approach conforms to RFC 6125. */ char *wildcard = PORT_Strchr(cn, '*'); char *firstcndot = PORT_Strchr(cn, '.'); char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL; @@ -1390,14 +1390,17 @@ /* For a cn pattern to be considered valid, the wildcard character... * - may occur only in a DNS name with at least 3 components, and * - may occur only as last character in the first component, and - * - may be preceded by additional characters + * - may be preceded by additional characters, and + * - must not be preceded by an IDNA ACE prefix (xn--) */ if (wildcard && secondcndot && secondcndot[1] && firsthndot - && firstcndot - wildcard == 1 - && secondcndot - firstcndot > 1 - && PORT_Strrchr(cn, '*') == wildcard + && firstcndot - wildcard == 1 /* wildcard is last char in first component */ + && secondcndot - firstcndot > 1 /* second component is non-empty */ + && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */ && !PORT_Strncasecmp(cn, hn, wildcard - cn) - && !PORT_Strcasecmp(firstcndot, firsthndot)) { + && !PORT_Strcasecmp(firstcndot, firsthndot) + /* If hn starts with xn--, then cn must start with wildcard */ + && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) { /* valid wildcard pattern match */ return SECSuccess; } debian/libnss3-tools.dirs0000664000000000000000000000001012234360534012557 0ustar usr/bin debian/libnss3-dev.links.in0000664000000000000000000000014612234360534012773 0ustar usr/lib/@DEB_HOST_MULTIARCH@/pkgconfig/nss.pc usr/lib/@DEB_HOST_MULTIARCH@/pkgconfig/xulrunner-nss.pc debian/copyright0000664000000000000000000006275412264614421011143 0ustar This package was debianized by Mike Hommey on Sun, 25 Mar 2007 19:36:42 +0200. It was downloaded from http://ftp.mozilla.org/pub/mozilla.org/security/nss/ Upstream Author: The Mozilla Project. The NSS library is licensed under the terms of the Mozilla Public License version 2.0, which terms can be found further below. The original code is copyright (c) 1994-2000 Netscape Communications Corporation. Some external libraries are also provided in the source tree with the following licensing terms: === zlib The nss/lib/zlib directory is licensed under the following terms: (C) 1995-2004 Jean-loup Gailly and Mark Adler This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly Mark Adler jloup@gzip.org madler@alumni.caltech.edu If you use the zlib library in a product, we would appreciate *not* receiving lengthy legal documents to sign. The sources are provided for free but without warranty of any kind. The library has been entirely written by Jean-loup Gailly and Mark Adler; it does not include third-party code. If you redistribute modified sources, we would appreciate that you include in the file ChangeLog history information documenting your changes. Please read the FAQ for more information on the distribution of modified source versions. === dbm The nss/lib/dbm directory, with few exceptions, is licensed under the following terms: Copyright (c) 1991, 1993, 1994 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. ***REMOVED*** - see ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change" 4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. === sqlite The nss/lib/sqlite/sqlite3.[ch] files contain a copy of sqlite with the following licensing terms: The author disclaims copyright to this source code. In place of a legal notice, here is a blessing: May you do good and not evil. May you find forgiveness for yourself and forgive others. May you share freely, never taking more than you give. === mkdepend The nss/coreconf/mkdepend directory contains a copy of mkdepend with the following licensing terms: cppsetup.c, def.h, include.c, main.c, mkdepend.man, parse.c, pr.c: Copyright (c) 1993, 1994, 1998 The Open Group Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of The Open Group shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from The Open Group. ifparser.[ch]: Copyright 1992 Network Computing Devices, Inc. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Network Computing Devices may not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Network Computing Devices makes no representations about the suitability of this software for any purpose. It is provided ``as is'' without express or implied warranty. NETWORK COMPUTING DEVICES DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL NETWORK COMPUTING DEVICES BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. imakemdep.h: Copyright (c) 1993, 1994 X Consortium Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of the X Consortium shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from the X Consortium. === MPL Note on GPL Compatibility ------------------------- The MPL 2, section 3.3, permits you to combine NSS with code under the GNU General Public License (GPL) version 2, or any later version of that license, to make a Larger Work, and distribute the result under the GPL. The only condition is that you must also make NSS, and any changes you have made to it, available to recipients under the terms of the MPL 2 also. Anyone who receives the combined code from you does not have to continue to dual licence in this way, and may, if they wish, distribute under the terms of either of the two licences - either the MPL alone or the GPL alone. However, we discourage people from distributing copies of NSS under the GPL alone, because it means that any improvements they make cannot be reincorporated into the main version of NSS. There is never a need to do this for license compatibility reasons. Note on LGPL Compatibility -------------------------- The above also applies to combining MPLed code in a single library with code under the GNU Lesser General Public License (LGPL) version 2.1, or any later version of that license. If the LGPLed code and the MPLed code are not in the same library, then the copyleft coverage of the two licences does not overlap, so no issues arise. Mozilla Public License Version 2.0 ================================== 1. Definitions -------------- 1.1. "Contributor" means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software. 1.2. "Contributor Version" means the combination of the Contributions of others (if any) used by a Contributor and that particular Contributor's Contribution. 1.3. "Contribution" means Covered Software of a particular Contributor. 1.4. "Covered Software" means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof. 1.5. "Incompatible With Secondary Licenses" means (a) that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or (b) that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License. 1.6. "Executable Form" means any form of the work other than Source Code Form. 1.7. "Larger Work" means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software. 1.8. "License" means this document. 1.9. "Licensable" means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License. 1.10. "Modifications" means any of the following: (a) any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or (b) any new file in Source Code Form that contains any Covered Software. 1.11. "Patent Claims" of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version. 1.12. "Secondary License" means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses. 1.13. "Source Code Form" means the form of the work preferred for making modifications. 1.14. "You" (or "Your") means an individual or a legal entity exercising rights under this License. For legal entities, "You" includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, "control" means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. License Grants and Conditions -------------------------------- 2.1. Grants Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license: (a) under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and (b) under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version. 2.2. Effective Date The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution. 2.3. Limitations on Grant Scope The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor: (a) for any code that a Contributor has removed from Covered Software; or (b) for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or (c) under Patent Claims infringed by Covered Software in the absence of its Contributions. This License does not grant any rights in the trademarks, service marks, or logos of any Contributor (except as may be necessary to comply with the notice requirements in Section 3.4). 2.4. Subsequent Licenses No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3). 2.5. Representation Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License. 2.6. Fair Use This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents. 2.7. Conditions Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1. 3. Responsibilities ------------------- 3.1. Distribution of Source Form All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form. 3.2. Distribution of Executable Form If You distribute Covered Software in Executable Form then: (a) such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and (b) You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License. 3.3. Distribution of a Larger Work You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s). 3.4. Notices You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies. 3.5. Application of Additional Terms You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction. 4. Inability to Comply Due to Statute or Regulation --------------------------------------------------- If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Termination -------------- 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice. 5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate. 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements (excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination. ************************************************************************ * * * 6. Disclaimer of Warranty * * ------------------------- * * * * Covered Software is provided under this License on an "as is" * * basis, without warranty of any kind, either expressed, implied, or * * statutory, including, without limitation, warranties that the * * Covered Software is free of defects, merchantable, fit for a * * particular purpose or non-infringing. The entire risk as to the * * quality and performance of the Covered Software is with You. * * Should any Covered Software prove defective in any respect, You * * (not any Contributor) assume the cost of any necessary servicing, * * repair, or correction. This disclaimer of warranty constitutes an * * essential part of this License. No use of any Covered Software is * * authorized under this License except under this disclaimer. * * * ************************************************************************ ************************************************************************ * * * 7. Limitation of Liability * * -------------------------- * * * * Under no circumstances and under no legal theory, whether tort * * (including negligence), contract, or otherwise, shall any * * Contributor, or anyone who distributes Covered Software as * * permitted above, be liable to You for any direct, indirect, * * special, incidental, or consequential damages of any character * * including, without limitation, damages for lost profits, loss of * * goodwill, work stoppage, computer failure or malfunction, or any * * and all other commercial damages or losses, even if such party * * shall have been informed of the possibility of such damages. This * * limitation of liability shall not apply to liability for death or * * personal injury resulting from such party's negligence to the * * extent applicable law prohibits such limitation. Some * * jurisdictions do not allow the exclusion or limitation of * * incidental or consequential damages, so this exclusion and * * limitation may not apply to You. * * * ************************************************************************ 8. Litigation ------------- Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims. 9. Miscellaneous ---------------- This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor. 10. Versions of the License --------------------------- 10.1. New Versions Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number. 10.2. Effect of New Versions You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward. 10.3. Modified Versions If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License). 10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached. Exhibit A - Source Code Form License Notice ------------------------------------------- This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. If it is not possible or desirable to put the notice in a particular file, then You may include the notice in a location (such as a LICENSE file in a relevant directory) where a recipient would be likely to look for such a notice. You may add additional accurate notices of copyright ownership. Exhibit B - "Incompatible With Secondary Licenses" Notice --------------------------------------------------------- This Source Code Form is "Incompatible With Secondary Licenses", as defined by the Mozilla Public License, v. 2.0. debian/watch0000664000000000000000000000017612234360534010227 0ustar version=3 http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_(\d_[\d_]+)_RTM/src/nss-([\d\.]+)\.tar\.(?:bz2|gz) debian/libnss3-nssdb.links0000664000000000000000000000003412264616670012725 0ustar var/lib/nssdb etc/pki/nssdb debian/libnss3-nssdb.dirs0000664000000000000000000000002612264617640012545 0ustar etc/pki var/lib/nssdb debian/rules0000775000000000000000000001343112271105101010240 0ustar #!/usr/bin/make -f include debian/make.mk $(call lazy,DEB_HOST_MULTIARCH,$$(shell dpkg-architecture -qDEB_HOST_MULTIARCH)) $(call lazy,CFLAGS,$$(shell dpkg-buildflags --get CFLAGS)) $(call lazy,CPPFLAGS,$$(shell dpkg-buildflags --get CPPFLAGS)) $(call lazy,LDFLAGS,$$(shell dpkg-buildflags --get LDFLAGS)) PREPROCESS_FILES := $(wildcard debian/*.in) $(PREPROCESS_FILES:.in=): %: %.in sed 's,/@DEB_HOST_MULTIARCH@,$(DEB_HOST_MULTIARCH:%=/%),g;$(EXTRA_REPLACES)' $< > $@ UPSTREAM_VERSION := $(shell dpkg-parsechangelog | sed -n 's/^Version: *\([0-9]*:\)\?\([^~]*\)\(~.*\)\?-.*$$/\2/ p') MOD_MAJOR_VERSION := $(word 1, $(subst ., ,$(UPSTREAM_VERSION))) MOD_MINOR_VERSION := $(word 2, $(subst ., ,$(UPSTREAM_VERSION))) MOD_PATCH_VERSION := $(or $(word 3, $(subst ., ,$(UPSTREAM_VERSION))),0) debian/nss.pc: EXTRA_REPLACES := s/@VERSION@/$(UPSTREAM_VERSION)/ debian/nss-config: EXTRA_REPLACES := s/@MOD_MAJOR_VERSION@/$(MOD_MAJOR_VERSION)/;s/@MOD_MINOR_VERSION@/$(MOD_MINOR_VERSION)/;s/@MOD_PATCH_VERSION@/$(MOD_PATCH_VERSION)/ debian/libnss3.lintian-overrides: EXTRA_REPLACES := s,/@DEB_HOST_MULTIARCH_WC@,$(DEB_HOST_MULTIARCH:%=/*),g ifneq (,$(filter 64 alpha amd64 ia64 s390x,$(shell dpkg-architecture -qDEB_HOST_ARCH_BITS 2> /dev/null || dpkg-architecture -qDEB_HOST_ARCH))) USE_64 := USE_64=1 else ifeq ($(shell dpkg-architecture -qDEB_HOST_ARCH),x32) USE_64 := USE_x32=1 else USE_64 := endif # $(foreach foo,$(list),$(call cmd,some command $(foo))) expands to # some command first-elem # some command second-elem # etc. # This avoid using a long one liner with semi colons. define cmd $(1) endef CFLAGS += -Wall -pipe DISTDIR := $(CURDIR)/dist override_dh_auto_build: $(MAKE) -C nss \ all \ NSPR_INCLUDE_DIR=/usr/include/nspr \ NSPR_LIB_DIR=/usr/lib \ SOURCE_PREFIX=$(DISTDIR) \ SOURCE_MD_DIR=$(DISTDIR) \ DIST=$(DISTDIR) \ BUILD_OPT=1 \ NS_USE_GCC=1 \ OPTIMIZER="$(CFLAGS) $(CPPFLAGS)" \ LDFLAGS='$(LDFLAGS) $$(ARCHFLAG) $$(ZDEFS_FLAG)' \ DSO_LDOPTS='-shared $$(LDFLAGS)' \ NSS_USE_SYSTEM_SQLITE=1 \ NSS_ENABLE_ECC=1 \ CHECKLOC= \ $(USE_64) override_dh_auto_clean: -$(MAKE) -C nss \ clobber \ SOURCE_PREFIX=$(DISTDIR) \ SOURCE_MD_DIR=$(DISTDIR) \ DIST=$(DISTDIR) \ BUILD_OPT=1 \ $(USE_64) rm -rf $(DISTDIR) $(PREPROCESS_FILES:.in=) override_dh_auto_install: $(PREPROCESS_FILES:.in=) install -m 755 -d debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-dev/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig install -m 644 -t debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH) \ $(DISTDIR)/lib/libnss3.so \ $(DISTDIR)/lib/libnssutil3.so \ $(DISTDIR)/lib/libsmime3.so \ $(DISTDIR)/lib/libssl3.so install -m 644 -t debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss \ $(DISTDIR)/lib/libfreebl3.so \ $(DISTDIR)/lib/libsoftokn3.so \ $(DISTDIR)/lib/libnssdbm3.so \ $(DISTDIR)/lib/libnsssysinit.so \ $(DISTDIR)/lib/libnssckbi.so install -m 644 -t debian/libnss3-dev/usr/include/nss \ $(DISTDIR)/public/nss/* install -m 644 -t debian/libnss3-dev/usr/lib/$(DEB_HOST_MULTIARCH) \ $(DISTDIR)/lib/libcrmf.a install -m 644 -t debian/libnss3-dev/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig debian/nss.pc install -m 755 -t debian/libnss3-dev/usr/bin debian/nss-config install -m 755 -t debian/libnss3-tools/usr/bin \ $(foreach bin, \ certutil \ chktest \ cmsutil \ crlutil \ derdump \ httpserv \ modutil \ ocspclnt \ p7content \ p7env \ p7sign \ p7verify \ pk12util \ pk1sign \ pwdecrypt \ rsaperf \ selfserv \ shlibsign \ signtool \ signver \ ssltap \ strsclnt \ symkeyutil \ tstclnt \ vfychain \ vfyserv \ , $(DISTDIR)/bin/$(bin)) # these utilities are too generically-named, so we prefix them with nss- (see http://bugs.debian.org/701141) $(foreach bin, \ addbuiltin \ dbtest \ pp \ , $(call cmd,install -m 755 -T $(DISTDIR)/bin/$(bin) debian/libnss3-tools/usr/bin/nss-$(bin))) # Create the empty certificate databases, with empty passphrase mkdir -p debian/tmp echo "\n" > debian/tmp/password mkdir -p debian/libnss3-nssdb/var/lib/nssdb LD_LIBRARY_PATH=$(DISTDIR)/lib $(DISTDIR)/bin/certutil -N -d debian/libnss3-nssdb/var/lib/nssdb \ -f debian/tmp/password LD_LIBRARY_PATH=$(DISTDIR)/lib $(DISTDIR)/bin/certutil -N -d sql:debian/libnss3-nssdb/var/lib/nssdb \ -f debian/tmp/password -@ debian/tmp/password # Remove DBM certificate and key databases. rm debian/libnss3-nssdb/var/lib/nssdb/cert8.db debian/libnss3-nssdb/var/lib/nssdb/key3.db chmod 644 debian/libnss3-nssdb/var/lib/nssdb/* install -m 644 -t debian/libnss3-nssdb/var/lib/nssdb debian/pkcs11.txt override_dh_strip: dh_strip -a --dbg-package=libnss3-dbg $(foreach lib,libsoftokn3.so libfreebl3.so libnssdbm3.so, \ LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss \ debian/libnss3-tools/usr/bin/shlibsign -v -i debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss/$(lib);) # Check FIPS mode correctly works mkdir -p debian/tmp LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -create -dbdir debian/tmp < /dev/null LD_LIBRARY_PATH=debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH):debian/libnss3/usr/lib/$(DEB_HOST_MULTIARCH)/nss debian/libnss3-tools/usr/bin/modutil -fips true -dbdir debian/tmp < /dev/null override_dh_makeshlibs: /usr/share/debhelper/autoscripts/postinst-makeshlibs /usr/share/debhelper/autoscripts/postrm-makeshlibs dh_makeshlibs -a -- -c4 cat /usr/share/debhelper/autoscripts/postinst-makeshlibs > debian/libnss3.postinst.debhelper cat /usr/share/debhelper/autoscripts/postrm-makeshlibs > debian/libnss3.postrm.debhelper ifneq (,$(DEB_HOST_MULTIARCH)) override_dh_gencontrol: dh_gencontrol -- -Vmisc:Multi-Arch=same endif override_dh_builddeb: dh_builddeb -- -Zxz %: dh $@ debian/make.mk0000664000000000000000000000172512234360534010445 0ustar lazy = $(eval $(1) = $$(if $$(___$(1)),,$$(eval ___$(1) := $(2)))$$(___$(1))) lc = $(subst A,a,$(subst B,b,$(subst C,c,$(subst D,d,$(subst E,e,$(subst F,f,$(subst G,g,$(subst H,h,$(subst I,i,$(subst J,j,$(subst K,k,$(subst L,l,$(subst M,m,$(subst N,n,$(subst O,o,$(subst P,p,$(subst Q,q,$(subst R,r,$(subst S,s,$(subst T,t,$(subst U,u,$(subst V,v,$(subst W,w,$(subst X,x,$(subst Y,y,$(subst Z,z,$1)))))))))))))))))))))))))) uc = $(subst a,A,$(subst b,B,$(subst c,C,$(subst d,D,$(subst e,E,$(subst f,F,$(subst g,G,$(subst h,H,$(subst i,I,$(subst j,J,$(subst k,K,$(subst l,L,$(subst m,M,$(subst n,N,$(subst o,O,$(subst p,P,$(subst q,Q,$(subst r,R,$(subst s,S,$(subst t,T,$(subst u,U,$(subst v,V,$(subst w,W,$(subst x,X,$(subst y,Y,$(subst z,Z,$1)))))))))))))))))))))))))) __VARS := $(.VARIABLES) dump: @$(foreach var,$(sort $(filter-out $(__VARS) __VARS preprocess ___%,$(.VARIABLES))),echo '$(var) = $(subst ','\'',$(subst \,\\,$($(var))))';) dump-%: @echo $($*) .PHONY: dump