Security update for mozilla-nss (critical)

This update to version 3.13.1 of mozilla-nss fixes the
following issues:

• Explicitly distrust DigiCert Sdn. Bhd (bmo#698753)
• Better SHA-224 support (bmo#647706)
• Fix a regression (causing hangs in some situations)
  introduced in 3.13 (bmo#693228)
• SSL 2.0 is disabled by default
• A defense against the SSL 3.0 and TLS 1.0 CBC chosen
  plaintext attack demonstrated by Rizzo and Duong
  (CVE-2011-3389) has been enabled by default. Set the
  SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it.
• Support SHA-224
• Add PORT_ErrorToString and PORT_ErrorToName to return
  the error message and symbolic name of an NSS error code
• Add NSS_GetVersion to return the NSS version string
• Add experimental support of RSA-PSS to the softoken
  only
• NSS_NoDB_Init does not try to open /pkcs11.txt and
  /secmod.db anymore (bmo#641052)

Security Issues:

• CVE-2011-3648
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3648”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3648</a>
  >
• CVE-2011-3000
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3000”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3000</a>
  >
• CVE-2011-3001
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3001”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3001</a>
  >
• CVE-2011-3647
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3647”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3647</a>
  >
• CVE-2011-2372
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2372”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2372</a>
  >
• CVE-2011-2999
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2999”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2999</a>
  >
• CVE-2011-3650
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3650”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3650</a>
  >
• CVE-2011-2998
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2998”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2998</a>
  >
• CVE-2011-2996
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2996”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2996</a>
  >
• CVE-2011-3655
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3655”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3655</a>
  >
• CVE-2011-3653
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3653”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3653</a>
  >
• CVE-2011-3649
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3649”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3649</a>
  >
• CVE-2011-3651
  <<a href=“http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3651”>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3651</a>
  >