CVS commit: pkgsrc/devel/nss

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/devel/nss
From: "Thomas Klausner" <wiz%netbsd.org@localhost>
Date: Fri, 17 Apr 2026 09:31:18 +0000

Module Name:    pkgsrc
Committed By:   wiz
Date:           Fri Apr 17 09:31:18 UTC 2026

Modified Files:
        pkgsrc/devel/nss: Makefile distinfo

Log Message:
nss: update to 3.123.0.

   - Bug 2023202 - Add gtests for SSL_ReconfigFD covering certs, ALPN, PSK, and double-reconfig.
   - Bug 2022410 - handle client cert callback completion prior to server Finished.
   - Bug 2023202 - Extract ssl_CopySocketConfig() to remove duplicate logic in SSL_ReconfigFD.
   - Bug 2030135 - improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey (NSS 3.90.5).
   - Bug 2029462 - store email on subject cache_entry in NSS trust domain.
   - Bug 2029425 - Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[] entry on NameConstraints violation.
   - Bug 2029323 - Improve size calculations in CMS content buffering.
   - Bug 2028001 - avoid integer overflow while escaping RFC822 Names.
   - Bug 2027378 - Reject excessively large ASN.1 SEQUENCE OF in quickder.
   - Bug 2027365 - Deep copy profile data in CERT_FindSMimeProfile.
   - Bug 2027345 - Improve input validation in DSAU signature decoding.
   - Bug 2026089 - Clarify extension negotiation mechanism for TLS Handshakes (NSS 3.90.5).
   - Bug 2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree r?jschanck.
   - Bug 2009552 - avoid integer overflow in platform-independent ghash.
   - Bug 1935995 - make ss->ssl3.hs.cookie an owned-copy of the cookie.
   - Bug 2030135 - improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
   - Bug 2029752 - Improving the allocation of S/MIME DecryptSymKey.
   - Bug 2026311 - avoid integer overflow in RSA_EMSAEncodePSS.
   - Bug 2019357 - RSA_EMSAEncodePSS should validate the length of mHash r?nkulatova.
   - Bug 2026156 - Add a maximum cert uncompressed len and tests.
   - Bug 2026089 - Clarify extension negotiation mechanism for TLS Handshakes.
   - Bug 2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
   - Bug 2019224 - Remove invalid PORT_Free(), r?#nss-reviewers,djackson.
   - Bug 1964722 - free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed r?#nss-reviewers.
   - Bug 2027382 - Reject oversized inputs in UTF-8 conversion functions.
   - Bug 1998526 - Align PKCS7 digest array with digestAlgorithms.
   - Bug 2030729 - remove SEC_ASN1_CHOICE entries from PQ private key templates.
   - Bug 2029782 - fix 8-byte over-read of AES-192 key buffer in x86 builds without USE_HW_AES.
   - Bug 2031163 - set PK11_ChangePW error after PK11_InitToken.
   - Bug 2026025 - Extend ./mach tests & all.sh to pretty print their output.
   - Bug 2029720 - avoid integer overflow when converting AVA value to hex string.
   - Bug 2030979 - handle SEC_ASN1_NULL in sec_asn1e_contents_length.
   - Bug 2027329 - PK11SDR_Decrypt: allowlist supported encryption algorithms.
   - Bug 2029783 - fix use of PORT_ArenaGrow when decoding multi-chunk PKCS#7 EncryptedData with no content callback.
   - Bug 2029818 - avoid refcount over-release in CERT_CertChainFromCert error path.
   - Bug 2030794 - avoid memory leak in SECITEM_FreeArray.
   - Bug 2027847 - Set nssckbi version to 2.86.
   - Bug 2027847 - Remove FIRMAPROFESIONAL CA ROOT-A WEB from NSS.
   - Bug 2020164 - Remove GLOBALTRUST 2020 from NSS.
   - Bug 2020151 - Remove TeliaSonera Root CA v1 from NSS.
   - Bug 2020144 - Remove Six Viking Cloud Root CAs from NSS.
   - Bug 2020137 - Turn off certain Trust Bits in NSS for Five GTS CAs.
   - Bug 2017471 - Remove Websites Trust Bit from SwissSign Gold CA - G2.
   - Bug 2017468 - Remove OU=certSIGN ROOT CA from NSS.
   - Bug 2017464 - Remove Websites Trust Bit from Root CN=Certigna.
   - Bug 2017460 - Remove AffirmTrust Roots from NSS.
   - Bug 2017453 - Remove Websites Trust Bit from DigiCert 2006 Roots.
   - Bug 2017348 - Remove Websites Trust Bit from Entrust Root Certification Authority – G2 & EC1.
   - Bug 2017345 - Remove Websites Trust Bit from COMODO Certification Authority.
   - Bug 2017322 - Set CKA_NSS_SERVER_DISTRUST_AFTER for CN=Izenpe.com.
   - Bug 2016750 - Remove Email Trust Bit from Four Amazon Root CAs.
   - Bug 2029431 - avoid signed int overflow in CTS_EncryptUpdate.
   - Bug 2030100 - VerifyCodeSigningCertificateChain: require at least one certificate.
   - Bug 2029721 - fix use of uninitialised length after failed PK11_SignWithMechanism.
   - Bug 2029731 - modify linked-list only on success in CERT_AddExtensionByOID.
   - Bug 2029746 - reject oversized DSA subPrime values.
   - Bug 2029740 - check object handle types in NSC_EncapsulateKey and NSC_DecapsulateKey.
   - Bug 2029448 - enforce minimum buffer length in sftk_CheckCBCPadding.
   - Bug 2029432 - validate parameter length in sftk_ChaCha20_Poly1305_Message_Encrypt.
   - Bug 2029771 - Heap use-after-free in [@ token_destructor] reading tok->pk11slot after nssToken_Destroy frees the token arena.
   - Bug 2029774 - Invalid free of arena-interior pointer in [@ DSA_NewRandom] due to inverted arena guard.
   - Bug 2029885 - avoid leaving dangling pointer in tls_DestroySignOrVerifyContext.
   - Bug 2022059 - NSS can't import, store, or export mlk-kem keys.
   - Bug 2029439 - fix instances of softoken attributes freed after owning object.
   - Bug 2027381 - improve error handling in SECITEM_DupArray with non-null arena.
   - Bug 2027324 - NSS_CMSContentInfo_SetContent: only modify cinfo if everything succeeds.
   - Bug 2027363 - initialize src in SEC_PKCS5GetIV.
   - Bug 2029046 - clang format.
   - Bug 2029046 - changes to allow building gtests from mozilla-central.
   - Bug 2029182 - split database creation scripts out of ssl_gtests.sh and gtests.sh.
   - Bug 2017948 - handleObjects in Softoken needs cleanup.
   - Bug 2027383 - fix maxSize calculation in NSSUTIL_AddNSSFlagToModuleSpec.
   - Bug 2029023 - add missing breaks in CheckECDHShareReuse test helper.
   - Bug 2027434 - avoid integer underflow in sec_CreateRSAPSSParameters.
   - Bug 2007224 - mlDsaPubTemplate is missing a CKA_ENCAPSULATE entry.
   - Bug 2024530 - Add clang-tidy CI job with security-focused checks.
   - Bug 1834672 - Adjust PBE iteration limit.
   - Bug 2025100 - Update Botan version for cryptofuzz.
   - Bug 2017788 - FIPS indicators need to take into account target keys.
   - Bug 1965329 - add failure checks to pk11_mergeTrust() .
   - Bug 2024785 - consistently protect SFTKSlot.{isLoggedIn,ssoLoggedIn,needLogin} with slotLock.
   - Bug 2025098 - Part 2: Always return unique nickname for PKCS12 fuzzer.
   - Bug 2025098 - Part 1: Simplify fuzzer MAC verification to always pass.
   - Bug 1834672 - Limit PBE iteration count.
   - Bug 2025801 - TLS interoperability tests - fix gnutls flakiness and extend to all platforms.
   - Bug 2012680 - improve DER_GetInteger error handling.
   - Bug 2017987 - Fix missing zero-init in generate_blinding_params.
   - Bug 2017987 - Need "partial public key validation" for RSA OAEP in FIPS mode.


To generate a diff of this commit:
cvs rdiff -u -r1.293 -r1.294 pkgsrc/devel/nss/Makefile
cvs rdiff -u -r1.208 -r1.209 pkgsrc/devel/nss/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/nss/Makefile
diff -u pkgsrc/devel/nss/Makefile:1.293 pkgsrc/devel/nss/Makefile:1.294
--- pkgsrc/devel/nss/Makefile:1.293     Tue Apr 14 09:39:46 2026
+++ pkgsrc/devel/nss/Makefile   Fri Apr 17 09:31:18 2026
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.293 2026/04/14 09:39:46 wiz Exp $
+# $NetBSD: Makefile,v 1.294 2026/04/17 09:31:18 wiz Exp $
 #
 # release notes
 # https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
 
 DISTNAME=              nss-${NSS_RELEASE:S/.0$//}
-NSS_RELEASE=           3.122.1
+NSS_RELEASE=           3.123.0
 PKGNAME=               nss-${NSS_RELEASE}
 CATEGORIES=            devel security
 MASTER_SITES=          ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_DIST_DIR_VERSION:S/_0$//}_RTM/src/}

Index: pkgsrc/devel/nss/distinfo
diff -u pkgsrc/devel/nss/distinfo:1.208 pkgsrc/devel/nss/distinfo:1.209
--- pkgsrc/devel/nss/distinfo:1.208     Tue Apr 14 09:39:46 2026
+++ pkgsrc/devel/nss/distinfo   Fri Apr 17 09:31:18 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.208 2026/04/14 09:39:46 wiz Exp $
+$NetBSD: distinfo,v 1.209 2026/04/17 09:31:18 wiz Exp $
 
-BLAKE2s (nss-3.122.1.tar.gz) = 013183777f58a8132cdf40524f5b7239350079ade2a50102849ad7e3d388c342
-SHA512 (nss-3.122.1.tar.gz) = 132cb72032b2d0b1ac962745980190013f29217a126951d6bfe013262e363c94fabe024066da01f1cee1d364b9ff9b08aef0cea86e83a3615ac8e1333b1e3ac9
-Size (nss-3.122.1.tar.gz) = 77656779 bytes
+BLAKE2s (nss-3.123.tar.gz) = d6abcffe7acab91992051740a2d00998bf882b4df774fef2acb603c54f8dd1c0
+SHA512 (nss-3.123.tar.gz) = 99675ce3725c4b9cb84b776b21626c2aa66098aeb6091616de1499bd529fd521b29ace027af4722415f928fa16369e314872fe563243eb27c8e5a454f350db8f
+Size (nss-3.123.tar.gz) = 77762089 bytes
 SHA1 (patch-md) = ebc903bb19456bfa111fad3c101e3f18168b43b3
 SHA1 (patch-me) = 30aa8b8e22bb687b9c71da40ea9e76b56885d1f8
 SHA1 (patch-mf) = 40e58385fb6f944f463bf00b9aad72bc4ea229d0

Prev by Date: CVS commit: pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index