nss (3.13.1.with.ckbi.1.88-1ubuntu7) quantal-proposed; urgency=low

  * SECURITY UPDATE: denial of service in QuickDER decoder
    - debian/patches/CVE-2012-0441.patch: properly handle zero-length basic
      constraints and zero-length fields in
      nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c,
      nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c,
      nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c,
      nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h,
      nss/mozilla/security/nss/lib/util/quickder.c.
    - CVE-2012-0441

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 16 Aug 2012 10:57:28 -0400

nss (3.13.1.with.ckbi.1.88-1ubuntu6) precise; urgency=low

  * Add protect-against-calls-before-nss_init.patch (RHBZ #784672).

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Mon, 27 Feb 2012 14:45:29 +0200

nss (3.13.1.with.ckbi.1.88-1ubuntu5) precise; urgency=low

  * Include libnssckfw.a in the -dev package, also needed by
    mod_revocator.

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Sun, 19 Feb 2012 15:21:19 +0200

nss (3.13.1.with.ckbi.1.88-1ubuntu4) precise; urgency=low

  * Include libnssb.a in the -dev package, needed by mod_revocator.

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Sun, 19 Feb 2012 13:18:09 +0200

nss (3.13.1.with.ckbi.1.88-1ubuntu3) precise; urgency=low

  * Fix LP: #915069 - Add patch from upstream to fix an error in pkcs11n.h
    - add debian/patches/98_fix_header_error.patch
    - update debian/patches/series

 -- Chris Coulson <chris.coulson@canonical.com>  Thu, 12 Jan 2012 11:15:39 +0000

nss (3.13.1.with.ckbi.1.88-1ubuntu2) precise; urgency=low

  * Fix lintian overrides to just list the soname warning to ignore
    and not list the paths, which would break installing multiarched libs.

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Mon, 12 Dec 2011 13:06:15 +0200

nss (3.13.1.with.ckbi.1.88-1ubuntu1) precise; urgency=low

  * Merge from Debian testing. Remaining changes:
    - Ship the main SO files in an unversioned binary, as we don't have
      versioned SO's in Ubuntu. Maintain a transitional versioned binary
      package containing the versioned symlinks, to maintain compatibility
      with Debian
      * update control, rules
      * mass rename libnss3-1d* => libnss3*
    - Fix postinst-must-call-ldconfig - dh_makeshlibs doesn't seem to add
      the maintainer script hooks with the unversioned SO files, so add
      them manually
      * add libnss3.postinst, libnss3.postrm
    - rules: Add support for mozilla-devscripts.
    - control: Change Vcs-* to XS-Debian-Vcs-*.
  * control: Fix typo (LP: #855424)
  * Bugs fixed by the merge:
    - Using dh now (LP: #613477)
    - Adds 85_security_load.patch (LP: #315096)

 -- Timo Aaltonen <tjaalton@ubuntu.com>  Wed, 30 Nov 2011 11:16:39 +0200

nss (3.13.1.with.ckbi.1.88-1) unstable; urgency=low

  * New upstream release.
    - Distrusts malaysian Digicert Sdn. Bhd CA certificate.
    - Addresses CVE-2011-3640 (Untrusted search path vulnerability).
      Closes: #647614.
  * debian/patches/*: Refreshed patches.
  * debian/libnss3-1d.symbols: Add NSS 3.13 symbols.

 -- Mike Hommey <glandium@debian.org>  Sat, 05 Nov 2011 17:05:26 +0100

nss (3.12.11-3) unstable; urgency=high

  * mozilla/security/nss/lib/ckfw/builtins/certdata.*:
    Explicitely distrust various DigiNotar CAs:
    - DigiNotar Root CA
    - DigiNotar Services 1024 CA
    - DigiNotar Cyber CA
    - DigiNotar Cyber CA 2nd
    - DigiNotar PKIoverheid
    - DigiNotar PKIoverheid G2

 -- Mike Hommey <glandium@debian.org>  Sat, 03 Sep 2011 09:33:28 +0200

nss (3.12.11-2) unstable; urgency=high

  * mozilla/security/nss/lib/ckfw/builtins/certdata.*:
    Remove DigiNotar Root CA.

 -- Mike Hommey <glandium@debian.org>  Wed, 31 Aug 2011 08:49:00 +0200

nss (3.12.11-1) unstable; urgency=low

  * New upstream release.
  * mozilla/security/nss/lib/ckfw/builtins/certdata.*,
  * mozilla/security/coreconf/{config,Linux}.mk: Refreshed.
  * debian/copyright: Update dbm license according to that in the source.
    Closes: #624310

 -- Mike Hommey <glandium@debian.org>  Fri, 12 Aug 2011 12:45:08 +0200

nss (3.12.10-3) unstable; urgency=low

  * debian/nss-config.in, debian/nss.pc.in, debian/rules: Return the multiarch
    path in nss-config and nss.pc.

 -- Mike Hommey <glandium@debian.org>  Thu, 21 Jul 2011 18:08:48 +0200

nss (3.12.10-2) unstable; urgency=low

  * debian/control, debian/libnss3-1d.dirs,
    debian/libnss3-1d.lintian-overrides.in, debian/libnss3-dev.dirs,
    debian/libnss3-1d.links.in, debian/libnss3-dev.links.in,
    debian/rules: Switch to multi-arch while keeping backports easy.
    Closes: #497088.

 -- Mike Hommey <glandium@debian.org>  Mon, 04 Jul 2011 11:24:18 +0200

nss (3.12.10-1) unstable; urgency=low

  * New upstream release.
  * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.
  * debian/control: Build depend on libnspr4-dev >= 4.8.8.
  * debian/libnss3-1d.symbols: Add new symbol version.

 -- Mike Hommey <glandium@debian.org>  Wed, 25 May 2011 10:20:59 +0200

nss (3.12.9.with.ckbi.1.82-1) unstable; urgency=low

  * New upstream release.
    - Marks fraudulent Comodo certificates as untrusted.
  * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.

 -- Mike Hommey <glandium@debian.org>  Thu, 24 Mar 2011 16:37:46 +0100

nss (3.12.9+ckbi-1.82-0ubuntu6) oneiric; urgency=low

  * No-change rebuild to force a version bump, forcing upgrades,
    and restoring the deleted library that ca-certificates ate.

 -- Adam Conrad <adconrad@ubuntu.com>  Wed, 21 Sep 2011 14:42:05 -0600

nss (3.12.9+ckbi-1.82-0ubuntu5) oneiric; urgency=low

  * SECURITY UPDATE: Add patch from Debian version 3.12.11-3 rebased against
    3.12.9 to remove the DigiNotar certificates and actively distrust them;
    Thanks to Mike Hommey from Debian for the original patch (LP: #837557)
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
      Explicitely distrust various DigiNotar CAs:
      - DigiNotar Root CA
      - DigiNotar Services 1024 CA
      - DigiNotar Cyber CA
      - DigiNotar Cyber CA 2nd
      - DigiNotar PKIoverheid
      - DigiNotar PKIoverheid G2
    - mozilla/security/nss/lib/ckfw/builtins/certdata.*:
      Remove DigiNotar Root CA.
  * Add a symlink from Linux2.6.mk to Linux3.0.mk; This is a temporary hack to
    let NSS build on a 3.0.x kernel
    - update debian/rules

 -- Micah Gersten <micahg@ubuntu.com>  Fri, 09 Sep 2011 11:57:13 -0500

nss (3.12.9+ckbi-1.82-0ubuntu4) oneiric; urgency=low

  * nss-config, nss.pc: Fix multiarch libdir location. LP: #778726.

 -- Matthias Klose <doko@ubuntu.com>  Tue, 17 May 2011 16:33:57 +0200

nss (3.12.9+ckbi-1.82-0ubuntu3) oneiric; urgency=low

  * Build for multiarch.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 22 Apr 2011 11:00:14 -0700

nss (3.12.9+ckbi-1.82-0ubuntu2) natty; urgency=low

  * add explicit conflict to sunbird for systems that have this
    package leftover from karmic days (LP: #760713)

 -- Michael Vogt <michael.vogt@ubuntu.com>  Wed, 20 Apr 2011 13:45:50 +0200

nss (3.12.9+ckbi-1.82-0ubuntu1) natty; urgency=low

  * New upstream release v3.12.9 with updated ckbi module
    (NSS_3_12_9_WITH_CKBI_1_82_RTM )

 -- Chris Coulson <chris.coulson@canonical.com>  Thu, 24 Mar 2011 22:30:28 +0000

nss (3.12.9-2) unstable; urgency=low

  * Upload to unstable.
  * debian/rules: Fallback to DEB_BUILD_ARCH when dpkg-architecture does't
    support DEB_BUILD_ARCH_BITS.
  * debian/control: Lower build depends on dpkg-dev to (>= 1.13.19), which
    was the previous value.
  * mozilla/security/nss/lib/freebl/unix_rand.c: We don't need to prevent
    using netstat for entropy seeding. The seeding will stop before netstat
    if it could get data from /dev/urandom.
  * mozilla/security/coreconf/Linux.mk: We shouldn't need to special case
    mips64 anymore.
  * mozilla/security/nss/cmd/shlibsign/Makefile, debian/rules: Don't rely
    on patching the source to not create .chk files during build.

 -- Mike Hommey <glandium@debian.org>  Sun, 06 Mar 2011 09:58:41 +0100

nss (3.12.9-1) experimental; urgency=low

  * New upstream release.

 -- Mike Hommey <glandium@debian.org>  Sat, 15 Jan 2011 11:33:35 +0100

nss (3.12.9~beta2-1) experimental; urgency=low

  * New upstream snapshot, picked from NSS_3_12_9_BETA2 cvs tag.
  * debian/patches/*: Refresh patches.
  * debian/libnss3-1d.symbols: Add new symbol versions.
  * debian/rules: Bump shlibs.

 -- Mike Hommey <glandium@debian.org>  Fri, 17 Dec 2010 15:01:31 +0100

nss (3.12.9~b2-0ubuntu1) natty; urgency=low

  * New upstream release v3.12.9beta2 (NSS_3_12_9_BETA2)
  * Drop the link shuffeling now, as all upgraders to this version will be
    using a fixed package anyway
    - remove debian/libnss3-1d.postinst
    - remove debian/libnss3-1d.postrm
    - remove debian/libnss3-1d.preinst
    - remove debian/libnss3-1d.prerm
  * Ship the main SO files in an unversioned binary, as we don't have
    versioned SO's in Ubuntu. Maintain a transitional versioned binary
    package containing the versioned symlinks, to maintain compatibility with
    Debian
    - update debian/control
    - mass rename debian/libnss3-1d* => debian/libnss3*
    - update debian/rules
  * Fix postinst-must-call-ldconfig - dh_makeshlibs doesn't seem to add
    the maintainer script hooks with the unversioned SO files, so add them
    manually
    - add debian/libnss3.postinst
    - add debian/libnss3.postrm
  * Drop libnss3-0d now
    - remove debian/libnss3-0d.dirs
    - remove debian/libnss3-0d.links
    - update debian/control
  * Bump libnspr4-dev build-dependency to 4.8.7
    - update debian/control
  * Update symbols
    - update debian/libnss3.symbols

 -- Chris Coulson <chris.coulson@canonical.com>  Tue, 11 Jan 2011 17:06:57 -0600

nss (3.12.8-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/*: Refresh patches.
  * debian/patches/series:
    + lower-dhe-priority.patch: Upstream patch from bz#583337 to lower DHE
      priority. Closes: #592315.

 -- Mike Hommey <glandium@debian.org>  Thu, 07 Oct 2010 08:50:48 +0200

nss (3.12.8-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release v3.12.8 (NSS_3_12_8_RTM)
    - Fix browser wildcard certificate validation issue
    - Update root certs
    - Fix SSL deadlocks
  * Refresh patches:
    - update debian/patches/38_kbsd.patch
    - update debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch

 -- Chris Coulson <chris.coulson@canonical.com>  Mon, 04 Oct 2010 22:29:19 +0100

nss (3.12.8~b2-1) experimental; urgency=low

  * New upstream snapshot, picked from NSS_3_12_8_BETA2 cvs tag.
  * debian/patches/*: Refresh patches.

 -- Mike Hommey <glandium@debian.org>  Mon, 23 Aug 2010 18:11:12 +0200

nss (3.12.7-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/*: Refresh patches.
  * debian/control:
    - Bump Standards-Version to 3.9.1.0.
    - Build depend on libnspr4-dev >= 4.8.6.
  * debian/libnss3-1d.symbols: Simplify symbols file and add new symbols.
  * debian/rules: Bump shlibs.

 -- Mike Hommey <glandium@debian.org>  Fri, 06 Aug 2010 13:55:14 +0200

nss (3.12.7-0ubuntu1) maverick; urgency=low

  * New upstream release v3.12.7 (NSS_3_12_7_RTM)
  * Fix some lintian warnings
    - update debian/rules
    - update debian/control
    - udpate debian/copyright
    - update debian/libnss3-1d.postinst
    - update debian/libnss3-1d.postrm
    - update debian/libnss3-1d.preinst
    - update debian/libnss3-1d.prerm
  * Bump minimum nspr version to 4.8.6
    - update debian/control
  * Add new API to symbols file
    - update debian/libnss3-1d.symbols

 -- Chris Coulson <chris.coulson@canonical.com>  Wed, 25 Aug 2010 16:37:04 +0100

nss (3.12.6-3) unstable; urgency=low

  * debian/rules:
    + Sign libnssdbm3.so. Closes: #588806.
    + Test that the FIPS mode can be properly enabled during build.
  * debian/control:
    + Remove conflicts with very old packages.
    + Bump Standards-Version to 3.9.0.0.

 -- Mike Hommey <glandium@debian.org>  Mon, 12 Jul 2010 15:12:24 +0200

nss (3.12.6-2) unstable; urgency=low

  * debian/patches/series:
    + 00_ckbi_1.79.patch: New patch to update CKBI to 1.79.
    + 95_add_spi+cacert_ca_certs.patch: Refreshed against CKBI 1.79.

 -- Mike Hommey <glandium@debian.org>  Fri, 09 Apr 2010 10:45:01 +0200

nss (3.12.6-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/*: Refresh patches.
  * debian/libnss3-1d.symbols, debian/rules: Update symbols file with new
    symbols and bump shlibs.
  * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch,
    debian/patches/series: Enable transitional scheme for ssl renegotiation.
    Closes: #561918.
  * debian/control:
    + Bump Standards-Version to 3.8.4.0.
    + Drop libnss3-1d dependency on dpkg. The versions it didn't really like
      were between oldstable and stable.
    + Don't allow different versions of libnss3-1d, libnss3-1d-dbg and
      libnss3-tools to be installed at the same time.
    + Add ${misc:Depends} to libnss3-1d-dbg dependencies.
  * debian/rules: Revert workaround for gcc 4.4 bug on powerpc with -Os.
  * debian/rules, debian/control, debian/compat: Simplify debian/rules by
    using dh.

 -- Mike Hommey <glandium@debian.org>  Wed, 17 Mar 2010 20:33:32 +0100

nss (3.12.6-0ubuntu3) lucid; urgency=low

  * Generate missing checksum for libnssdbm3.so to make FIPS mode
    work again (LP: #559881)
    - update debian/rules

 -- Chris Coulson <chris.coulson@canonical.com>  Sat, 10 Apr 2010 21:23:03 +0100

nss (3.12.6-0ubuntu2) lucid; urgency=low

  * Enable transitional scheme for SSL renegotiation (LP: #553251)
    - add 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
    - update debian/patches/series

 -- Chris Coulson <chris.coulson@canonical.com>  Wed, 31 Mar 2010 20:42:18 +0100

nss (3.12.6-0ubuntu1) lucid; urgency=low

  * New upstream release 3.12.6 RTM (NSS_3_12_6_RTM)
    - fixes CVE-2009-3555 aka US-CERT VU#120541
  * Adjust patches to changed upstream code base
    - update debian/patches/38_kbsd.patch
    - update debian/patches/38_mips64_build.patch
    - update debian/patches/85_security_load.patch
  * Remove patches that are merged upstream
    - delete debian/patches/91_nonexec_stack.patch
    - update debian/patches/series
  * Bump nspr dependency to 4.8
    - update debian/control
  * Add new symbols for 3.12.6
    - update debian/libnss3-1d.symbols

 -- Chris Coulson <chris.coulson@canonical.com>  Thu, 25 Mar 2010 13:46:06 +0000

nss (3.12.5-2) unstable; urgency=low

  * debian/control:
    + Remove build dependency on autotools-dev, we don't use it.
    + libnss3-dev depends on libnspr4-dev >= 4.6.6-1. 4.6.6-1 was the first
      version where the pkg-config file was nspr.pc instead of
      xulrunner-nspr.pc. Closes: #567134.
  * debian/patches/96_NSS_VersionCheck.patch, debian/patches/series:
    Remove runtime check of NSPR version in NSS_VersionCheck, which seems to
    be pointless. Closes: #567136.

 -- Mike Hommey <glandium@debian.org>  Thu, 28 Jan 2010 12:12:35 +0100

nss (3.12.5-1) unstable; urgency=low

  * New upstream release.
  * debian/copyright: Modify with new location for the embedded copy of zlib.
  * debian/patches/*:
    + Adapt patches to new upstream.
    + Switch to quilt format
  * debian/source/format: Switch to 3.0 (quilt) format.
  * debian/rules, debian/control: Stop using dpatch.
  * debian/patches/38_intel_aes_executable_stack.patch: Removed. An upstream
    change in version 3.12.4 obsoleted it.
  * debian/rules:
    + Remove DEB_{BUILD,HOST}_* variables, they are not used.
    + Use DEB_BUILD_ARCH_BITS to determine whether to build with USE_64 or not.
    + Ship more tools in libnss3-tools. Closes: #526267.
    + Work around gcc 4.4 bug on powerpc with -Os.
    + Force non parallel build. There are too many race conditions in the
      build system to support parallel builds. Closes: #536248.
    + Bump shlibs.
  * debian/control:
    + Bump Standards-Version to 3.8.3.0.
    + Build-depend on dpkg-dev (>= 1.15.4) for DEB_BUILD_ARCH_BITS.
    + Stricter dependency between libnss3-dev and libnss3-1d.
  * debian/libnss3-1d.symbols:
    + Add new symbols.
    + Remove debian revision for symbols added in 3.12.4.
  * debian/patches/38_hurd.patch: Fix FTBFS on Hurd due to PATH_MAX usage in
    unix_rand.c. Closes: #550995.

 -- Mike Hommey <glandium@debian.org>  Fri, 18 Dec 2009 11:48:14 +0100

nss (3.12.4-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/38_kbsd.dpatch:
    + Use CHECK_FORK_PTHREAD on kfreebsd and hurd. Closes: #547301.
    + Adapt to upstream changes.
  * debian/patches/95_add_spi+cacert_ca_certs.dpatch,
  * debian/patches/81_sonames.dpatch: Adapt to upstream changes.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols.
  * debian/rules: Bumped shlibs.

 -- Mike Hommey <glandium@debian.org>  Sun, 11 Oct 2009 01:26:14 +0200

nss (3.12.3.1-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/95_add_spi+cacert_ca_certs.dpatch, Adapted to upstream
    changes.

 -- Mike Hommey <glandium@debian.org>  Fri, 21 Aug 2009 23:47:24 +0200

nss (3.12.3.1-0ubuntu3) lucid; urgency=low

  * rebuild rest of main for armel armv7/thumb2 optimization;
    UbuntuSpec:mobile-lucid-arm-gcc-v7-thumb2

 -- Alexander Sack <asac@ubuntu.com>  Sun, 07 Mar 2010 00:58:36 +0100

nss (3.12.3.1-0ubuntu2) karmic; urgency=low

  * Add 91_nonexec_stack.patch: fix regression in stack memory
    protectons caused by unmarked assembly (LP: #409864).

 -- Kees Cook <kees@ubuntu.com>  Mon, 24 Aug 2009 15:03:19 -0700

nss (3.12.3.1-0ubuntu1) karmic; urgency=low

  * new upstream release 3.12.3.1 RTM (NSS_3_12_3_1_RTM) (LP: #407549)
    - see USN-810-1

 -- Alexander Sack <asac@ubuntu.com>  Sat, 01 Aug 2009 17:05:48 +0200

nss (3.12.3-1) unstable; urgency=low

  * New upstream release.
  * debian/watch: Updated to catch new upstream .bz2 tarballs.
  * debian/copyright: Add information about
    mozilla/security/corecond/mkdepend.
  * debian/patches/38_hurd.dpatch, debian/patches/38_kbsd.dpatch: Adapted
    to upstream changes.
  * debian/patches/85_security_load.dpatch: Load libsoftokn3.so from
    /usr/lib/nss when unable to load it from standard ld.so paths in
    shlibsign.
  * debian/rules:
    + Add debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH when running
      shlibsign during build.
    + Bumped shlibs.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols.
  * debian/control:
    + Bumped Standards-Version to 3.8.1.0. No changes needed.
    + Put the libnss3-1d-dbg package in the "debug" section.
    + Correct libnss3-1d-dbg short description.
    + Remove redundant section on libnss3-1d.
    + Build-depend on proper version of debhelper for dh_lintian.
  * debian/*.lintian-overrides, debian/rules: Install some Lintian
    overrides with dh_lintian.
  * debian/patches/38_intel_aes_executable_stack.dpatch: Indicate that
    we don't need executable stack in intel-aes.s.
  * debian/patches/00list: Updated accordingly.

 -- Mike Hommey <glandium@debian.org>  Sat, 18 Apr 2009 09:37:31 +0200

nss (3.12.3-0ubuntu2) karmic; urgency=low

  * adjust patches to changed upstream code base
    - update debian/patches/38_kbsd.patch
  * needs nspr >= 4.7.4
    - update debian/control
  * update 85_security_load.patch to latest debian version
    - update debian/patches/85_security_load.patch
  * add new symbols for 3.12.3
    - update debian/libnss3-1d.symbols
  * LP: #388350 - nss 3.12.3-0ubuntu2 ftbfs in karmic - shlibsign crashes; we add
    debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH for the shlibsign invocation
    used to sign libs in debian/rules
    - update debian/rules
  * append LD_LIBRARY_PATH to shlibsign invocation to make fakeroot builds happy
    - update debian/rules

 -- Alexander Sack <asac@ubuntu.com>  Wed, 17 Jun 2009 11:59:45 +0200

nss (3.12.2.with.ckbi.1.73-2) unstable; urgency=low

  * mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.h:
    Apply patch from upstream to fix alignment issues on sparc and ia64.
    Closes: #509930.

 -- Mike Hommey <glandium@debian.org>  Mon, 06 Apr 2009 20:24:01 +0200

nss (3.12.2.with.ckbi.1.73-1) unstable; urgency=low

  * debian/patches/38_kbsd.dpatch: Brown paper bag fix for regression
    in previous release that led to FTBFS on i386 only. Closes: #513101.
    Thanks Steffen Joeris, Sebastian Andrzej Siewior and Petr Salinger.
  * debian/patches/95_add_spi+cacert_ca_certs.dpatch,
    debian/patches/80_security_tools.dpatch: Adapted to upstream changes.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols.
  * debian/rules: Bumped shlibs.

 -- Mike Hommey <glandium@debian.org>  Sat, 31 Jan 2009 16:41:26 +0100

nss (3.12.2+cbki.1.73-ubuntu1) jaunty; urgency=low

  * new upstream tag NSS_3_12_2_WITH_CKBI_1_73_RTM fixing
    - 718-1: override rogue md5-collision CA cert; see: mozilla bug 471715

 -- Alexander Sack <asac@ubuntu.com>  Mon, 09 Feb 2009 16:32:56 +0100

nss (3.12.2~rc1-0ubuntu2) jaunty; urgency=low

  * LP: #316452 - ldconfig breaks/removes legacy links for
    previously versioned library names during upgrade; the fix
    prevents ldconfig from treating the transitional/backup files
    as "libs" by using a prefix ("XNOLDCONFIG_")
    - debian/libnspr4-0d.postinst
    - debian/libnspr4-0d.postrm
    - debian/libnspr4-0d.preinst
    - debian/libnspr4-0d.prerm

 -- Alexander Sack <asac@ubuntu.com>  Wed, 14 Jan 2009 13:27:07 +0100

nss (3.12.2~rc1-0ubuntu1) jaunty; urgency=low

  * New upstream snapshot: 3.12.2 RC1

  [ Fabien Tassin <fta@ubuntu.com> ]
  * Remove patch applied upstream:
    - drop debian/patches/80_security_tools.patch
    - update debian/patches/series
  * Update diverged patches:
    - update debian/patches/38_kbsd.patch
    - update debian/patches/38_mips64_build.patch
  * Add new symbols to symbols file
    - update debian/libnss3-1d.symbols

  [ Alexander Sack <asac@ubuntu.com> ]
  * disable soname patch to become binary compatible with upstream
    - update debian/patches/series
  * flip links: libnss3.so <- libnss3.so.1d (before: libnss3.so ->
    libnss3.so.1d); same link flipping was done for all other previously
    soname patched libs: libnssutil3.so, libsmime3.so.1d, libssl3.so.1d
    - update debian/libnss3-1d.links
    - update debian/libnss3-1d.symbols
  * properly transition links in preinst and postrm; also cover abort-
    cases in the other maintainer scripts
    - add debian/libnss3-1d.postinst
    - add debian/libnss3-1d.postrm
    - add debian/libnss3-1d.preinst
    - add debian/libnss3-1d.prerm
  * remove hack from debian/rules that debian uses to recreate
    libsoftokn3.so with a versioned SONAME
    - update debian/rules
  * install the unversioned .so binaries
    - update debian/rules
  * only install the 4 main libraries into /usr/lib; all the others
    go to pkglibdir
    - update debian/rules
  * higher bar for libnspr4 Build-Depend to >= 4.7.3~, which is
    the version where the soname droppage is going to happen
    - update debian/control
  * explitily pass libraries to be used for dpkg-gensymbols run of
    dh_makeshlibs
    - update debian/rules
  * fix lintian complain about no-shlibs-control-file
    - update debian/rules

 -- Alexander Sack <asac@ubuntu.com>  Sun, 11 Jan 2009 15:06:17 +0100

nss (3.12.1-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/95_add_spi+cacert_ca_certs.dpatch,
    debian/patches/38_mips64_build.dpatch,
    debian/patches/38_kbsd.dpatch: Adapted to upstream changes.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols.
  * debian/rules: Bumped shlibs.

 -- Mike Hommey <glandium@debian.org>  Sat, 20 Dec 2008 12:11:28 +0100

nss (3.12.0.3-0ubuntu5) intrepid; urgency=low

  * fix LP: #232392 - "Ubuntu builds of libnss lack ECC support";
    Thanks to Kain for pointing this out.
    - update debian/rules

 -- Alexander Sack <asac@ubuntu.com>  Tue, 12 Aug 2008 17:40:59 +0200

nss (3.12.0.3-0ubuntu4) intrepid; urgency=low

  * fix LP: #215062 - add Conflicts for libnss3-1d on gutsy version of
    libnss3-0d (<< 3.12.0~)
    - update debian/control

 -- Alexander Sack <asac@ubuntu.com>  Tue, 15 Jul 2008 15:46:54 +0200

nss (3.12.0.3-0ubuntu3) intrepid; urgency=low

  * fix LP: #245122 - add Replaces/Conflicts on libnss3 packages
    - update debian/control

 -- Alexander Sack <asac@ubuntu.com>  Wed, 09 Jul 2008 21:45:44 +0200

nss (3.12.0.3-0ubuntu2) intrepid; urgency=low

  * move non-versioned .so-links from libnss3-dev package to unbreak
    binary compatibility to native extensions built against upstream
    xulrunner; in turn we add versioned Conflicts: Replaces: on libnss3-dev
    for the libnss3-1d package to allow a seemingly upgrade. (LP: #244439)
    - add debian/libnss3-1d.links
    - update debian/libnss3-dev.links
    - update debian/control

 -- Alexander Sack <asac@ubuntu.com>  Tue, 01 Jul 2008 11:49:00 +0200

nss (3.12.0.3-0ubuntu1) intrepid; urgency=low

  * new upstream release 3.12.0.3 fixes certID issue; downloaded from
    http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/nss-3.12.tar.gz

 -- Alexander Sack <asac@ubuntu.com>  Mon, 23 Jun 2008 14:35:54 +0200

nss (3.12.0.2+1.9-0ubuntu1) intrepid; urgency=low

  * new upstream version, picked from FIREFOX_3_0rc1_RELEASE cvs tag
    (LP: #233922)

 -- Fabien Tassin <fta@sofaraway.org>  Wed, 21 May 2008 14:50:00 +0200

nss (3.12.0-5) unstable; urgency=low

  * debian/control:
    + Conflict with libnss3-0d >= 3.11.5, that has conflicting files in
      /usr/lib/nss. Older versions (those from etch) don't conflict.
      This makes updates from old testing smoother. Closes: #492332.
    + Build-depend on libsqlite3-dev >= 3.3.9, since API introduced in this
      version is used. Closes: #493191.

 -- Mike Hommey <glandium@debian.org>  Sun, 03 Aug 2008 09:42:03 +0200

nss (3.12.0-4) unstable; urgency=low

  * debian/control: Remove conflict with libnss3-0d, it was only useful when
    libnss3-0d was a transitional package. Closes: #490995.

 -- Mike Hommey <glandium@debian.org>  Wed, 16 Jul 2008 21:29:19 +0200

nss (3.12.0-3) unstable; urgency=low

  * debian/rules:
    + Enable ECC cypher suite. Closes: #490826.
    + Build with the same optimization level as upstream.

 -- Mike Hommey <glandium@debian.org>  Mon, 14 Jul 2008 17:35:25 +0200

nss (3.12.0-2) unstable; urgency=low

  * debian/patches/95_add_spi+cacert_ca_certs.dpatch:
    + Add CAcert root and class 3 certificates to nssckbi module.
    + Add SPI Inc. certificate to nssckbi module.
    Thanks to Martin F Krafft for these. Closes: #309564.
  * debian/patches/00list: Updated accordingly.

 -- Mike Hommey <glandium@debian.org>  Sat, 12 Jul 2008 18:26:09 +0200

nss (3.12.0-1) unstable; urgency=low

  * New upstream release.
  * debian/patches/92_ocsp.dpatch: Removed, as applied upstream.
  * debian/patches/00list: Updated accordingly.
  * debian/control:
    + Bumped Standards-Version to 3.8.0.1. No changes needed.
    + Added Vcs-Browser and Vcs-Git fields.
    + libnss3-dev don't need explicit version dependency on libnss3-1d.
    + libnss3-dev depends on libnspr4-dev. Closes: #488402.
    + Make the -dbg package less a hassle for manual installations with dpkg.
    + libnss3-1d depends on version of dpkg that either don't support symbols
      files or has fix for #474079.
  * debian/patches/85_security_load.dpatch: Load files from /usr/lib/nss if
    given reference path is only a filename, which happens when freebl is
    statically linked in a binary executable, such as signtool, and the
    executable is run from $PATH. When the executable is run using a full
    path, we must replace /bin/ in the path with /lib/ to find the libraries.
    Closes: #483774.
  * debian/libnss3-1d.symbols: Re-enable symbols file.

 -- Mike Hommey <glandium@debian.org>  Sat, 05 Jul 2008 10:19:53 +0200

nss (3.12.0~rc3-3) unstable; urgency=low

  * debian/control: Make libnss3-0d conflict with old libnss3, which can
    still be installed on some systems, though it hasn't been in the archive 
    since sarge. Closes: #485080.

 -- Mike Hommey <glandium@debian.org>  Sun, 08 Jun 2008 14:11:13 +0200

nss (3.12.0~rc3-2) unstable; urgency=low

  * debian/patches/92_ocsp.dpatch: Apply patches from bz433594 and bz#433386,
    which are applied in upstream RC4 (and are the only changes), to fix
    crashes under some conditions with OCSP checks.
  * debian/patches/00list: Updated accordingly.
  * debian/libnss3-dev.links, debian/libnss3-1d.links: Don't install so
    files in the -dev package but in the library package. It will allow
    external applications linked against upstream nss to work on Debian with
    system nss libraries, and will avoid all browsers to have to implement
    symlinks themselves to allow some external plugins to work properly.
  * debian/control: Make libnss3-1d conflict with older versions of
    libnss3-dev and libnss3-dev need newer libnss3-1d accordingly.

 -- Mike Hommey <glandium@debian.org>  Sat, 07 Jun 2008 11:57:55 +0200

nss (3.12.0~rc3-1) unstable; urgency=low

  * New upstream snapshot, picked from NSS_3_12_RC3 cvs tag.

 -- Mike Hommey <glandium@debian.org>  Sun, 11 May 2008 16:58:17 +0200

nss (3.12.0~beta3-1) unstable; urgency=low

  * New upstream snapshot, picked from NSS_3_12_BETA3 cvs tag.
  * debian/control: Turn Homepage indications in descriptions into a
    control field.
  * debian/patches/91_build_pwdecrypt.dpatch: Enable building and installing
    pwdecrypt. Thanks Paul Wise. Closes: #472303.
  * debian/patches/00list: Updated accordingly.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols and rename
    the file, so that it isn't used, as a workaround to #474079.
    Closes: #474007.
  * debian/rules: Bumped shlibs.

 -- Mike Hommey <glandium@debian.org>  Tue, 08 Apr 2008 21:23:53 +0200

nss (3.12.0~beta3-0ubuntu1) hardy; urgency=low

  * new upstream version, picked from NSS_3_12_BETA3 cvs tag
  * update symbols file:
    - add CERT_NewTempCertificate@NSS_3.12
    - add NSS_InitWithMerge@NSS_3.12
    - add PK11_CreateMergeLog@NSS_3.12
    - add PK11_DestroyMergeLog@NSS_3.12
    - add PK11_IsRemovable@NSS_3.12
    - add PK11_MergeTokens@NSS_3.12
    - add CERT_GetUsePKIXForValidation@NSS_3.12
    - add CERT_SetUsePKIXForValidation@NSS_3.12
    - add CERT_GetClassicOCSPDisabledPolicy@NSS_3.12
    - add CERT_GetClassicOCSPEnabledHardFailurePolicy@NSS_3.12
    - CERT_GetClassicOCSPEnabledSoftFailurePolicy@NSS_3.12
      - update debian/libnss3-1d.symbols
  * bump shlibs requirement to >= 3.12.0~beta3
    - update debian/rules

 -- Fabien Tassin <fta@sofaraway.org>  Fri, 04 Apr 2008 16:14:45 +0200

nss (3.12.0~beta2-1) unstable; urgency=low

  * New upstream snapshot, picked from NSS_3_12_BETA2 cvs tag.
  * debian/patches/10_3.11.7_symbol_fix.dpatch: Removed, as applied upstream.
  * debian/patches/38_kbsd.dpatch: Adapted to upstream changes.
  * debian/patches/81_sonames.dpatch: Add SO_VERSION to libnssutil3.
  * debian/libnss3-dev.links: Add link for libnssutil3.
  * debian/libnss3-1d.symbols: Update symbols file with new symbols. Note that
    SEC_StringToOID disappeared (well, was moved to nssutil), compared to
    version 3.12.0~1.9b1, but it was a new symbol, and isn't used anywhere.
  * debian/nss.pc.in, debian/nss-config.in: Add libnssutil3 support.
  * debian/rules:
    + Bumped shlibs.
    + Don't generate libsoftokn3.so.0d.
  * debian/control:
    + Remove transitional libnss3-0d package.
    + Bumped Standards-Version to 3.7.3.0. No changes needed.
    + Build depend on libnspr4-dev >= 4.7.0 (we *do* need the RTM version, and
      not the preceding betas)
  * debian/libnss3-0d.*: Removed.
  * debian/patches/85_security_load.dpatch: Load files from $ORIGIN/nss before
    those of $ORIGIN. Closes: #469079.
  * debian/patches/38_hurd.dpatch: Fix FTBFS on Hurd because of MAXPATHLEN.
    Closes: #419529.
  * debian/patches/00list: Updated accordingly.

 -- Mike Hommey <glandium@debian.org>  Fri, 07 Mar 2008 21:27:54 +0100

nss (3.12.0~1.9b4-0ubuntu1) hardy; urgency=low

  * new upstream version, picked from FIREFOX_3_0b4_RELEASE cvs tag.
  * update symbols file
    - update debian/libnss3-1d.symbols
  * bump shlibs requirement to >= 3.12.0~1.9b4

 -- Alexander Sack <asac@ubuntu.com>  Tue, 11 Mar 2008 01:52:02 +0100

nss (3.12.0~1.9b3-0ubuntu1) hardy; urgency=low

  * New upstream snapshot, picked from FIREFOX_3_0b3_RELEASE cvs tag.
  * install libnssutil3.so.1d, update symbols file accordingly,
    add nssutil to pkgconfig file and config script
    - update debian/libnss3-dev.links
    - update debian/nss.pc.in
    - update debian/nss-config.in
  * fix UPSTREAM_VERSION to drop ~cvs as it is used by nss-config
    which is causing troubles in xulrunner's configure
    - update debian/rules
  * add support for mozilla-devscripts
    - update debian/rules
  * update symbols file for new symbols:
    + CERT_SetOCSPTimeout@NSS_3.12
    + NSS_3.11.9@NSS_3.11.9
    + PK11_CreateGenericObject@NSS_3.12
    + PK11_UnconfigurePKCS11@NSS_3.11.9
    + PK11_WriteRawAttribute@NSS_3.12
    + CERT_GetValidDNSPatternsFromCert@NSS_3.12
    + PK11_CreatePBEV2AlgorithmID@NSS_3.12
    + PK11_GetPBECryptoMechanism@NSS_3.12
    + SEC_PKCS5IsAlgorithmPBEAlgTag@NSS_3.12
    ~ SEC_StringToOID@NSS_3.12 (moved from libnss3 to libnssutils3)
      - update debian/libnss3-1d.symbols
      - update debian/rules
  * Bump shlibs requirement to >= 3.12.0~1.9b3
    - update debian/rules
  * Bump Standards-Version to 3.7.3 and add Homepage field where needed
    - update debian/control

 -- Fabien Tassin <fta@sofaraway.org>  Fri, 08 Feb 2008 20:13:42 +0100

nss (3.12.0~1.9b2+nobinonly-0ubuntu1) hardy; urgency=low

  * New upstream snapshot, picked from FIREFOX_3_0b2_RELEASE cvs tag.
  * ubuntify maintainer field
    - update debian/control

 -- Alexander Sack <asac@debian.org>  Sun, 16 Dec 2007 11:06:03 +0100

nss (3.12.0~1.9b1-2) unstable; urgency=low

  * debian/control: libnss3-1-dbg needs to conflict with older libnss3-0d-dbg,
    as it overwrites so of its files. Closes: #455875.
  * debian/patches/90_realpath.dpatch: Use realpath() in
    loader_GetOriginalPathname, so that symlinks are properly followed when
    determining where the current library lives.
  * debian/patches/00list: Updated accordingly.
  * debian/patches/85_security_load.dpatch: When the module given by the
    caller contains a directory name, remove it so that the module can be
    properly loaded. Closes: #456296.

 -- Mike Hommey <glandium@debian.org>  Sun, 16 Dec 2007 11:06:03 +0100

nss (3.12.0~1.9b1-1) unstable; urgency=low

  * New upstream snapshot, picked from FIREFOX_3_0b1_RELEASE cvs tag.
  * debian/copyright: Add licensing information about the recently added
    sqlite copy in the source tree.
  * debian/control:
    + Build depend on libsqlite3-dev.
    + Rename all -0d packages to -1d, but keep a transitional -0d package,
      since all libraries are compatible (except for the removed one).
    + Make libnss3-1d conflict with older libnss3-0d.
  * debian/patches/38_kbsd.dpatch, debian/patches/81_sonames.dpatch:
    Adapted to upstream changes.
  * debian/patches/81_sonames.dpatch:
    + Remove SO version from libsoftokn3, now it is not linked against
      anymore, but dlloaded.
    + Remove the hacks to have shlibsign and the signature verification code
      handle the SO version in the file name.
    + Bump SO version to 1d.
  * debian/rules:
    + Add NSS_USE_SYSTEM_SQLITE=1 to the make options.
    + Install libsoftokn3 and the new libnssdbm3 in /usr/lib/nss.
    + Run shlibsign on libsoftokn3 in /usr/lib/nss, without a SO version.
    + For some reason, build-stamp was missing in install-stamp dependencies.
    + Bumped shlibs because of new symbols, and pass -c4 to dpkg-gensymbols,
      so that it fails in all cases where the symbols file is not up to date.
    + Adapt upstream version pattern matching so that the ~1.9b1 part is
      removed.
    + Install .1d libraries in -1d packages.
    + Create a dummy libsoftokn3.so.0d library, installed in the libnss3-0d
      package.
  * debian/libnss3-0d.links:
    + Remove links in /usr/lib/xulrunner. The workaround they were
      implementing is going to be done another way.
    + Add .0d links to .1d libraries.
  * debian/libnss3-dev.links:
    + Don't put a symlink for libsoftokn3.
    + .so files now link to .1d libraries.
  * debian/patches/80_security_build.dpatch: Remove the hack to load libfreebl
    from /usr/lib/nss.
  * debian/patches/85_security_load.dpatch: Load modules from $ORIGIN/nss.
  * debian/patches/10_3.11.7_symbol_fix.dpatch: Fix a symbol version. Stolen
    from bz#325672.
  * debian/patches/00list: Updated accordingly.
  * debian/libnss3-0d.dirs: Renamed to libnss3-1d.dirs.

 -- Mike Hommey <glandium@debian.org>  Sat, 08 Dec 2007 10:53:02 +0100

nss (3.11.7-1) unstable; urgency=low

  * New upstream release, picked from NSS_3_11_7_RTM cvs tag.
  * debian/patches/38_kbsd.dpatch: Also add support for the Hurd.
    Closes: #419529.
  * debian/rules:
    + Don't fail on clean with unpatched ruleset. Closes: #421542.
    + Bumped shlibs because of new symbols.
  * debian/patches/81_sonames.dpatch: Adapted to upstream changes.

 -- Mike Hommey <glandium@debian.org>  Sun, 01 Jul 2007 11:29:06 +0200

nss (3.11.5-3) unstable; urgency=low

  * Upload to unstable.

 -- Mike Hommey <glandium@debian.org>  Mon, 09 Apr 2007 20:37:25 +0200

nss (3.11.5-2) experimental; urgency=low

  * debian/rules:
    + Cleaner way to set the NSPR location.
    + Install libcrmf.a files in libnss3-dev.
    + binary-indep now does nothing.
  * debian/control: Make libnss3-dev an Arch: any package.
  * debian/nss.pc.in:
    + Remove libsoftokn3 from ld libraries.
    + Improvement in directories setting.
  * debian/libnss3-dev.dirs: Create /usr/bin.
  * debian/nss-config.in, debian/rules: Install a nss-config script into
    libnss3-dev.

 -- Mike Hommey <glandium@debian.org>  Tue, 27 Mar 2007 20:41:11 +0200

nss (3.11.5-1) experimental; urgency=low

  * Initial release. (Closes: #416151)

 -- Mike Hommey <glandium@debian.org>  Sun, 25 Mar 2007 23:56:17 +0200

