12:35 jbeich 

security/{,ca_root_}nss: update to 3.19.3

Changes:	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes
MFH:		2015Q3

 

06:06 jbeich 

- Update NSS and ca_root_nss to 3.19.2
- Update Firefox and gmp-api to 39.0
- Update Firefox ESR and libxul to 38.1.0

Changes:	https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.19.2_release_notes
Changes:	https://www.mozilla.org/firefox/39.0/releasenotes/
Changes:	https://www.mozilla.org/firefox/38.1.0/releasenotes/
MFH:		2015Q3
Security:	https://vuxml.freebsd.org/freebsd/44d9daee-940c-4179-86bb-6e3ffd617869.html

 

07:41 koobs 

security/ca_root_nss: Enable certificate verification (for Base OpenSSL)

Enable the ETCSYMLINK option so that SSL certificate verification is
enabled by default for OpenSSL in base.

This change is the third in a set of changes [1][2] that improves the
default configuration and behaviour of client software relying on
OpenSSL for SSL/TLS and certificate verification.

A symlink is installed which points to the root certificate bundle in
the location that OpenSSL in base looks for them, as configured at build
time [2].

This allows any and all software utilising SSL_CTX_load_verify_locations
function to verify SSL certificates by default after installation of
this package.

[1] https://svnweb.freebsd.org/changeset/ports/372629
[2] https://svnweb.freebsd.org/changeset/ports/378720

PR:		189811 196357
Requested by:	many
Submitted by:	dreamcat4 gmail com
Approved by:	maintainer timeout (>1 year)

 

14:21 jbeich 

- Update NSS and ca_root_nss to 3.19.1
- Update Firefox to 38.0.5

Changes:	https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes
Changes:	https://www.mozilla.org/firefox/38.0.5/releasenotes/
MFH:		2015Q2

 

18:06 jbeich 

- Update NSS and ca_root_nss to 3.19
- Update Firefox to 38.0
- Update Firefox ESR and libxul to 31.7.0
- Update Thunderbird to 31.7.0
- Update Enigmail to 1.8.2

Changes:	https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes
Changes:	https://www.mozilla.org/firefox/38.0/releasenotes/
Changes:	https://www.mozilla.org/firefox/31.7.0/releasenotes/
Changes:	http://sourceforge.net/p/enigmail/bugs/search/?q=status%3Afixed+%26%26+_fixed%3A1.8.1
MFH:		2015Q2
Security:	https://vuxml.freebsd.org/freebsd/d9b43004-f5fd-4807-b1d7-dbf66455b244.html

 

14:31 jbeich 

- Update NSS to 3.18.1

Changes:	https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes
MFH:		2015Q2

 

08:00 jbeich 

- Update OpenH264 to 1.4.0
- Update NSS and ca_root_nss to 3.18
- Update Firefox to 36.0.4
- Update Firefox ESR and libxul to 31.5.3
- Update SeaMonkey to 2.33.1
- Update Enigmail to 1.8

Changes:	https://github.com/cisco/openh264/releases/tag/v1.4.0
Changes:	https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes
Changes:	https://www.mozilla.org/firefox/36.0.4/releasenotes/
Changes:	https://www.mozilla.org/firefox/31.5.3/releasenotes/
Changes:	http://www.seamonkey-project.org/releases/seamonkey2.33/
Changes:	https://www.enigmail.net/download/changelog.php#enig1.8
MFH:		2015Q1
X-MFH-With:	r380090
Security:	https://vuxml.freebsd.org/freebsd/76ff65f4-17ca-4d3f-864a-a3d6026194fb.html

 

09:44 koobs 

security/ca_root_nss: Fix SSL verification for ports OpenSSL consumers

Since 2.7.9, Python verifies SSL certificates by default. Currently,
even with security/ca_root_nss installed, Python fails certificate
verification.

Upon investigation, Python uses OpenSSL's standard
SSL_CTX_load_verify_locations function to load a list of CA root
certificates.

Support was added to ca_root_nss for "out of the box" certificate
verification for a number of base utilities in r372629 [1], but this
did not include support for software that uses OpenSSL's
SSL_CTX_load_verify_locations function.

[1] https://svnweb.freebsd.org/changeset/ports/372629

OpenSSL defaults (at compile time) to the following paths and filenames
for certificate and CAFile lookup:

Base:
  SSL_CERT_DIR=/etc/ssl/certs
  SSL_CERT_FILE/etc/ssl/cert.pem

Ports:
  SSL_CERT_DIR=/usr/local/openssl/certs
  SSL_CERT_FILE=/usr/local/openssl/cert.pem

This change installs a symlink which points to the root certificate
bundle in the location that OpenSSL from ports looks for them.

This allows any and all software utilising SSL_CTX_load_verify_locations
function to verify SSL certificates by default after installation of
this package.

Additionally, display a pkg-message to the user about the lack of
warranty associated with these certificates.

Note: This is *NOT* related to solving for SSL certificate verification
for OpenSSL in Base, which is covered in bug 189811.

While I'm here:

- Add LICENSE
- Use options helpers and OPTIONS_SUB
- Fix typo in !!! message !!!

PR: 196431
Submitted by:	koobs
Reviewed by:	jbeich
Approved by:	maintainer timeout (1 month)

 

16:46 jbeich 

- Update NSPR to 4.10.8
- Update NSS to 3.17.2
- Update Firefox to 35.0.1

Changes:	http://mozilla.6506.n7.nabble.com/ANNOUNCE-NSPR-4-10-8-Release-td332365.html
Changes:	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.4_release_notes
Changes:	https://www.mozilla.org/en-US/firefox/35.0.1/releasenotes/
Differential Revision:	https://reviews.freebsd.org/D1736
Approved by:	bapt (mentor)

 

14:55 beat 

- Update Thunderbird to 31.3.0
- Update gmp-api to 35.0
- Update openh264 to 1.2
- Update NSS to 3.17.3
- Update Firefox to 34.0.5
- Update Firefox ESR 31.3.0
- Update libxul to 31.3.0
- Improve CONFIGURE_TARGET handling
- Always build using client.mk
- Switch to clang by default on systems without libc++
  (/stable/8 and /stable/9)
- Drop lang/python2 dependency, only lang/python27 is required
  to build
- Use DuckDuckGo searchplugin from upstream (has suggestions
  and purposes)
- Backport a few about:memory fixes
- Backport Web Notifications libnotify integration
- Add GTK3 option for www/firefox. Adwaita is a bit broken
  since Gtk 3.14, see:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1073117

PR:		195559
Submitted by:	Jan Beich
MFH:		2014Q4
Security:	http://vuxml.org/freebsd/7ae61870-9dd2-4884-a2f2-f19bb5784d09.html

 

10:15 bapt 

Link in the right place and fix plist

 

10:10 bapt 

Always install ${PREFIX}/etc/ssl/cert.pem symlink to allow both some base
applications some root certificates.

Discussed with:	des

 

15:48 beat 

- Update Firefox to 33.0
- Update Firefox ESR to 31.2.0
- Update NSS to 3.17.2
- Update Thunderbird to 31.2.0
- Update libxul to 31.2.0 (and mark as BROKEN)
- Disable SSL 3.0 with pref (Upstream bug 1076983)
- (workaround) replace USE_GCC=yes with USES=compiler:gcc-c++11-lib in
  order to fix runtime for PGO and powerpc/powerpc64 on libc++ systems
- Add OSS audio fallback for HTML5 audio from upstream bug;
  not exposed yet because WebRTC still needs ALSA or PulseAudio
- Kill @dirrm from gecko@ ports per CHANGES from 20140922
- Drop workaround for LLVM PR 19007: base and lang/clang34 have the fix
- Improve workaround comment for LLVM PR 15840, partially rejecting
  r348851 by marino@ until bug 193555

PR:		194356
Submitted by:	Jan Beich
Security:	http://www.vuxml.org/freebsd/9c1495ac-8d8c-4789-a0f3-8ca6b476619c.html

 

11:08 beat 

- Update ca_root_nss to 3.17.1
- Update thunderbird to 31.1.2
- Update seamonkey to 2.29.1
- Update firefox to 32.0.3
- Update firefox-esr to 31.1.1
- Update libxul to 24.8.1

Submitted by:	Jan Beich
Security:	http://www.vuxml.org/freebsd/48108fb0-751c-4cbb-8f33-09239ead4b55.html

 

06:16 bapt 

Mozilla upgrades:
- Update nspr to 4.10.7
- Update ca_root_nss to 3.17 (mark as NO_ARCH while here)
- Update firefox to 32.0
- Update thunderbird to 31.1.0
- Add net-im/linux-instantbird
- Update firefox-est to 31.1.0
- Update libxul to 24.8.0
- Update seamonkey to 2.29

Submitted by:	Jan Beich for gecko@

 

09:06 bapt 

Update to 3.16.3
Add cpe informations

Submitted by:	Jan Beich

 

03:42 beat 

- Update Firefox to 30.0
- Update Firefox ESR to 24.6.0
- Update libxul to 24.6.0
- Update NSS to 3.16.1
- Update NSPR to 4.10.6
- Update Thunderbird to 24.6.0
- Convert USE_BZIP2 to USES
- Backport ff31 fix against crashing DEBUG build on newegg.com [1]
- Add a note in UPDATING to not build audio/soundtouch with
  INTEGER_SAMPLES [2]
- Use arc4random_buf(3) to generate UUIDs (version 4)
- Fix debugger detection used by Telemetry and the slow script dialog
- Add STAGE support [3]

PR:		ports/189991 [1]
PR:		ports/189217 [2]
PR:		ports/189488 [2]
Submitted by:	bapt [3]
Sumbitted by:	Jan Beich
Security:	http://www.vuxml.org/freebsd/888a0262-f0d9-11e3-ba0c-b4b52fce4ce8.html

 

09:45 bapt 

Convert all :U to :tu and :L to :tl

Since FreeBSD 8.4 and FreeBSD 9.1 make(1) do support :tu and :tl as a
replacement for :U and :L (which has been marked as deprecated)

bmake which is the default on FreeBSD 10+ only support by default
:tu/:tl a hack has been added at the time to support :U and :L to ease
migration. This hack is now not necessary anymore

Note that this makes the ports tree incompatible with make(1) from
FreeBSD 8.3 or earlier

With hat:	portmgr

 

20:35 beat 

- Update Firefox to 29.0
- Update Firefox ESR to 24.5.0
- Update Thunderbird to 24.5.0
- Update NSS to 3.16
- Use port dependency for soundtouch library
- Require recent graphite2 version explicitly [1]
- Require gst-libav version that doesn't crash on seeking [2]
  and doesn't error out on plugin load [3]
- Remove gstreamer note in pkg-message for www/firefox, [3] may still
  happen with www/firefox-esr but only until it tracks esr31 (ca 2014-09-01)
- Fix USE_XPI in mail/thunderbird-i18n [4]

Security:	http://www.vuxml.org/freebsd/985d4d6c-cfbd-11e3-a003-b4b52fce4ce8.html
PR:		ports/187939 [1]
PR:		ports/188133 [2]
PR:		ports/181964 [3]
PR:		ports/188984 [4]
Submitted by:	Toomas Aas <toomas.aas@raad.tartu.ee> [1]
Submitted by:	Jakub Lach <jakub_lach@mailplus.pl> [2]
Submitted by:	Jan Beich [3] and this update!
Submitted by:	Toni Ballesta <mustelator@yahoo.es> [4]
Approved by:	portmgr (bdrewery, security update to non-staged port)

 

20:46 beat 

- Update Firefox to 28.0
- Update Firefox ESR to 24.4.0
- Update Thunderbird to 24.4.0
- Update NSPR to 4.10.4
- Update NSS to 3.15.5
- Switch GSTREAMER option for non-esr ports to depend on
  multimedia/gstreamer1 [2]
- Switch to Uses/compiler.mk, defaults to lang/gcc47 on 8.x and 9.x
- Use port dependencies for libogg, libvorbis, libopus, harfbuzz, graphite2
- Enable readahead in url-classifier, asmjs, download resume like on Linux
- Build www/firefox and www/seamonkey faster using unified compilation
- Unbreak build on sparc64 [1]
- Workaround OPTIMIZED_CFLAGS startup crash on 8.x and 9.x
- OPTIMIZED_CFLAGS is enabled by default
- A few DEBUG build fixes
- Add clang 3.2/3.3/3.4 workarounds for i386
- Mention known GSTREAMER issue in pkg-message

Submitted by:	Jan Beich
PR:		ports/186580 [1]
Requested by:	kwm [2]
Security:	http://www.vuxml.org/freebsd/610de647-af8d-11e3-a25b-b4b52fce4ce8.html

 

05:23 beat 

- Update Firefox to 27.0
- Update Firefox ESR to 24.3.0
- Update Thunderbird to 24.3.0
- Update NSPR to 4.10.3
- Update NSS to 3.15.4
- Depend on yasm when building with bundled libvpx or libjpeg-turbo
- Prepare gstreamer conditional for upcoming Firefox versions
- Improve jemalloc3 conditional
- Break build unless alsa-lib port installs new config file
- Chase USE_DOS2UNIX deprecation
- Temporarily disable system cairo over screen corruption with
  smoothScroll [1]

Submitted by:	Jan Beich
Reported by:	flo [1]
Security:	http://www.vuxml.org/freebsd/1753f0ff-8dd5-11e3-9b45-b4b52fce4ce8.html

 

13:42 flo 

Update to nspr 4.10.2
Update to nss 3.15.3.1
Update firefox-esr and thunderbird to 24.2.0
Update firefox to 26.0
Update seamonkey to 2.23

- catch up with directory renames since USES=webplugins was introduced;
  fixes plugins not being automatically enabled after install
- linux-firefox and linux-seamonkey can play HTML5 audio [2][3] and
  measure about:memory usage, again
- dom.ipc.plugins.enabled->true no longer crash linux-firefox which makes
  some flash sites work again; as there's no nspluginwrapper in-between
  the infamous "youtube issue" never occurs
- install DEBUG with symbols [3] and describe the option better [4]
- enable dumping about:memory upon kill -65, kill -66 and GC/CC log
  upon kill -67 to a file under /tmp directory; linux-firefox uses
  kill -34, kill -35 and kill -36 respectively

PR:		ports/183861 [1]
PR:		ports/184006 [2]
PR:		ports/169896 [3]
PR:		ports/184285 [3]
PR:		ports/184286 [4]
Security:	dd116b19-64b3-11e3-868f-0025905a4771
In collaboration with: Jan Beich <jbeich@tormail.org>

 

20:45 flo 

- fix stage conversion in the ETCSYMLINK case
- move the check to post-install

Reported by:	ak

 

20:10 flo 

- update to 3.15.2 [1]
- support stage

PR:		ports/183282 [1]
Submitted by:	pfg [1]

 

22:55 bapt 

Add NO_STAGE all over the place in preparation for the staging support (cat:
security)

 

16:58 bapt 

Convert to new perl framework
Convert USE_GMAKE to USES=gmake

 

08:10 mandree 

Update extraction script to:

- Only look at CKA_TRUST_SERVER_AUTH, _EMAIL_PROTECTION, and
  _CODE_SIGNING attributes.

- Omit certificates that do not have any explicit trust value in these
  three attributes; at least one of the purposes must mark the
  certificate a trusted delegator.

- Validate that the trust is one of three known trust values, to become
  aware of syntax changes in certdata.txt. If it is an unknown token,
  abort with an error stating that the script must be updated.

- Check that we have at least 25 certificates in the output or abort.

This removes these two certificates that have "unknown"
(CKT_NSS_MUST_VERIFY_TRUST) in all three tokens, making them unfit as
trust anchors:

1 C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Universal CA,
    CN=TC TrustCenter Universal CA III

2 C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
    OU=http://www.usertrust.com,
    CN=UTN-USERFirst-Network Applications

164 trusted certificates remain.

 

13:01 flo 

Update to 3.15.1

Submitted by:	Jan Beich <jbeich@tormail.org>

 

02:00 flo 

- update firefox to 21.0
- update firefox-esr and thunderbird to 17.0.6
- WEBRTC now supports PULSEAUDIO
- make linux-firefox work with plugins again (e.g. quakelive)

Security:		4a1ca8a4-bd82-11e2-b7a0-d43d7e0c7c02
In collaboration with:	Jan Beich <jbeich@tormail.org>

 

23:53 flo 

- update firefox to 19.0
- update firefox-esr, thunderbird, linux-firefox, linux-thunderbird to 17.0.3
- update linux-seamonkey to 2.16
- update nspr to 4.9.5
- update nss to 3.14.3
- add DuckDuckGo search plugin to firefox [1]
- mark kompozer deprecated
- clang fixes for www/libxul19 [2]

Security:	http://www.vuxml.org/freebsd/e3f0374a-7ad6-11e2-84cd-d43d7e0c7c02.html
Submitted by:	DuckDuckGo [1], dim [2]
In collaboration with:	Jan Beich <jbeich@tormail.org>

 

23:28 flo 

- update firefox, thunderbird, linux-firefox and linux-thunderbird to 17.0.2
- update firefox-esr, thunderbird-esr and libxul to 10.0.12
- update linux-seamonkey to 2.15

Security:	http://www.vuxml.org/freebsd/a4ed6632-5aa9-11e2-8fcb-c8600054b392.html

 

21:34 flo 

Update to 3.14.1.with.ckbi.1.93

This was released to revoke certificates that were used for MITM. For
details see:

https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/

 

17:03 flo 

- Update www/firefox{,-i18n} to 16.0.2
- Update seamonkey to 2.13.2
- Update ESR ports and libxul to 10.0.10
- Update nspr to 4.9.3
- Update nss to 3.14
- with GNOMEVFS2 option build its extension, too [1]
- make heap-committed and heap-dirty reporters work in about:memory
- properly mark QT4 as experimental (needs love upstream)
- *miscellaneous cleanups and fixups*

mail/thunderbird will be updated once the tarballs are available.

PR:		ports/173052 [1]
Security:	6b3b1b97-207c-11e2-a03f-c8600054b392
Feature safe:	yes
In collaboration with:	Jan Beich <jbeich@tormail.org>

 

21:13 flo 

- Update firefox-esr, thunderbird-esr, linux-firefox and linux-thunderbird to
10.0.8
- Update firefox and thunderbird to 16.0
- Update seamonkey to 2.13
- Update all -i18n ports respectively
- switch firefox 16.0 and seamonkey 2.13 to ALSA by default for better
  latency during pause and seeking with HTML5 video
- remove fedisableexcept() hacks, obsolete since FreeBSD 4.0
- support system hunspell dictionaries [1]
- unbreak -esr ports with clang3.2 [2]
- unbreak nss build when CC contains full path [3]
- remove GNOME option grouping [4]
- integrate enigmail into thunderbird/seamonkey as an option [5]
- remove mail/enigmail* [6]
- enable ENIGMAIL, LIGHTNING and GIO options by default
- add more reporters in about:memory: page-faults-hard, page-faults-soft,
  resident, vsize
- use bundled jemalloc 3.0.0 on FreeBSD < 10.0 for gecko 16.0,
  only heap-allocated reporter works in about:memory (see bug 762445)
- use lrintf() instead of slow C cast in bundled libopus
- use libjpeg-turbo's faster color conversion if available during build
- record startup time for telemetry
- use -z origin instead of hardcoding path to gecko runtime
- fail early if incompatible libxul version is installed (in USE_GECKO)
- *miscellaneous cleanups and fixups*

PR:		ports/171534 [1]
PR:		ports/171566 [2]
PR:		ports/172164 [3]
PR:		ports/172201 [4]
Discussed with:	ale, beat, Jan Beich [5]
Approved by:	ale [6]
In collaboration with:	Jan Beich <jbeich@tormail.org>
Security:	6e5a9afd-12d3-11e2-b47d-c8600054b392
Feature safe:	yes
Approved by:	portmgr (beat)

 

21:14 flo 

- Update to 3.13.5
- Convert to optionsng

21:09 flo 

update to 3.13.4

17:00 flo 

Update to 3.13.3

19:53 flo 

Just overwrite the link if it still exists. That way we are sure that the link
points to the correct file and there is no reason trying to protect the link as
it would be deleted on deinstall anyway.

Suggested by:   dougb

23:35 flo 

make sure installation does not fail if for whatever reason the symlink in
/etc/ssl is still there on (re)install phase with ETCSYMLINK option set.

Submitted by:   mi

21:41 flo 

update to 3.13.2

23:41 flo 

- update to NSS_3_13_1_WITH_CKBI_1_88_RTM

22:16 flo 

update to CKBI version 1.88 which includes the latest mozilla cert data

21:37 flo 

now that gecko maintains security/nss also take this port into gecko custody

Discussed with: brooks @ EuroBSDCon 2011
Approved by:    brooks

13:25 mandree 

Forced commit to note:
VID: aa5bc971-d635-11e0-b3cf-080027ef73ec
VID: 1b27af46-d6f6-11e0-89a6-080027ef73ec

13:21 mandree 

See to proper version tags in the bundle .pem file.

13:08 mandree 

Security update: use newer Mozilla Builtin-Trust store
to revoke DigiNotar.nl trust.

Security fix: the modssl ca-bundle.pl script did not process
"untrusted" marks on certificates. Drop it and write a new
script in its place that does that.

Synch up with security/nss port to 3.12.11.

Not asking for maintainer approval because of multiple
timeouts in response to related PRs vs. security/[ca_root_]nss.

14:56 brooks 

Increase the size and verbosity of the comment that the versions used in
this port should track security/nss and www/apache13-modssl.

No functional impact.

17:19 brooks 

Chase nss revision and update to 3.12.9.

PR:             ports/154961
Submitted by:   Niclas Zeising

01:42 pgollucci 

- fix file name ca-bundle.crt -> ca-root-nss.crt [1]
- Properly sub VERSION_NSS var [1]
- While here, update to 3.12.6 to sync with security/nss

PR:             ports/143584 [1]
Submitted by:   Kevin Kobb <kkobb@skylinecorp.com> [1]
Approved by:    maintainer timeout (brooks ; 209 days) [1]

19:28 brooks 

Upgrade to 3.12.4.

PR:             ports/140609
Submitted by:   Tijl Coosemans <tijl at ulyssis dot org>

20:51 brooks 

Add a comment documenting the fact that we track the versions of
security/nss and www/apach13-modssl.

PR:             ports/136093

16:00 brooks 

o Fix port OPTION ETCSYMLINK which was not creating the proper link.
  Instead of pointing to the crt file, it was pointing to the directory.
o Bump PORTREVISION

PR:             ports/121782
Submitted by:   lioux
Point hat to:   brooks

21:02 brooks 

Add an option (defaulting to off since messing with files outside PREFIX is
to be avoided) to link the installed certificate bundle to /etc/ssh/cert.pem

20:19 brooks 

Add text to pkg-descr:

This port directly tracks the version of NSS in the security/nss port.

19:39 brooks 

Chase nss version to 3.11.9 and modssl to 2.8.31-1.3.41.  This
includes the changes:

Bug 411299, Add Identrust, Truktrust, SwissSign Roots
Bug 229335, Remove certificates that expired in August 2004 from tree

17:07 brooks 

Update to NSS 3.11.7 to match security/nss.

8 new root certiticates added.

21:37 brooks 

Add ca_root_nss:

Root certificates from certificate authorities included in the Mozilla
NSS library and thus in Firefox and Thunderbird.