NSS update to 3.13.3 coming soon

Elio Maldonado emaldona at redhat.com
Mon Mar 12 06:10:22 UTC 2012


NSS 3.13.3 has been released, and it is built for Rawhide/F-17-alpha/F-16/F-15.
A push to updates-testing for F-17 will be coming shortly; F-16/F-15 will follow some time later.

You can find the new features and bug fixes in NSS 3.13.2 and 3.13.3 with these Bugzilla queries:

https://bugzilla.mozilla.org/buglist.cgi?list_id=1496878&resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.13.2&product=NSS

https://bugzilla.mozilla.org/buglist.cgi?list_id=1496878&resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.13.3&product=NSS

and fixes for NSPR 4.9 with this query:
https://bugzilla.mozilla.org/buglist.cgi?list_id=1496878&resolution=FIXED&classification=Components&query_format=advanced&target_milestone=4.9&product=NSPR

When we last updated nss, to nss-3.13.1, a notable change was: https://bugzilla.mozilla.org/show_bug.cgi?id=665814

The NSS upstream announcement stated:
A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack
demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default.
Set the SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it.

This caused breakage connecting to various servers, due to the servers themselves and to some client applications.
We opted to reverse the sense of the fix's default and stated that it was off and that, if desired, you
could set the SSL_CBC_RANDOM_IV SSL option to PR_TRUE to enable it.

This was done for the stable branches, F-16/F-15, while Rawhide had the fix on by default.

Since then several Fedora maintainers have either patched affected products downstream or submitted
patches that were accepted by their respective upstreams. Some patches have yet to be accepted.
The last time I checked, such was the case with OpenSSL. Others we don't know about yet.

Since F-17 is now Alpha, I have set the default to off like it is on F-16/F-15; Rawhide (F-18) still has it on.
We would like to find out what additional products will still break with this fix. If you can, could you set the
SSL_CBC_RANDOM_IV SSL option to PR_TRUE, try it, and send us feedback on remaining sites or apps that still break?
 
Thank you in advance,

Elio Maldonado
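The post asks people to flip SSL_CBC_RANDOM_IV and report what breaks without spelling out what the option defends against. What follows is an added example, not code from NSS, Fedora or the author of this message: a small Python model of the TLS 1.0 chained-IV CBC weakness that CVE-2011-3389 (BEAST) exploits, and of the 1/n-1 record splitting that NSS performs when SSL_CBC_RANDOM_IV is PR_TRUE (the defense landed in bug 665814 keeps the option's name but splits records rather than literally randomizing the IV). The block cipher is a SHA-256 stand-in rather than AES, and the key, initial IV, secret cookie and attacker-chosen prefix are all constructed values.

```python
"""
Toy model of the TLS 1.0 CBC chosen-plaintext attack (BEAST) and of the
1/n-1 record-splitting defense. Added example, not NSS code.

Assumptions: the "block cipher" is an encryption-only SHA-256 PRF (enough,
because the attacker only ever needs the encryption direction); padding is
zero bytes; key, IV and secret are constructed demo values.
"""
import hashlib

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in 128-bit block function (assumption: a PRF, not AES).
    return hashlib.sha256(key + block).digest()[:BLOCK]


class CbcConnection:
    """One direction of a TLS 1.0-style CBC connection.

    TLS 1.0 chains the IV across records: the IV of record n+1 is the last
    ciphertext block of record n, which a network attacker sees before the
    next plaintext is chosen. That predictable IV is what BEAST exploits.
    """

    def __init__(self, key: bytes, iv: bytes, split_records: bool = False):
        self.key = key
        self.iv = iv
        self.split_records = split_records  # models SSL_CBC_RANDOM_IV

    def _encrypt_record(self, plaintext: bytes) -> bytes:
        # Zero-pad to a block boundary (stand-in for TLS padding).
        padded = plaintext + b"\x00" * (-len(plaintext) % BLOCK)
        out, prev = b"", self.iv
        for i in range(0, len(padded), BLOCK):
            prev = block_encrypt(self.key, xor(prev, padded[i:i + BLOCK]))
            out += prev
        self.iv = prev  # chained IV for the next record
        return out

    def write(self, data: bytes) -> bytes:
        """Encrypt one application-data write; returns all records concatenated."""
        if self.split_records and len(data) > 1:
            # 1/n-1 split: the first byte goes out as its own record, so the
            # record carrying the attacker's chosen bytes is encrypted under an
            # IV (that 1-byte record's ciphertext) the attacker could not know
            # when committing to the plaintext.
            return self._encrypt_record(data[:1]) + self._encrypt_record(data[1:])
        return self._encrypt_record(data)


def victim_oracle(conn: CbcConnection, secret: bytes):
    """Victim side: writes attacker-chosen bytes followed by a fixed secret
    (the BEAST setting, where script-triggered requests carry a cookie)."""
    def oracle(prefix: bytes) -> bytes:
        return conn.write(prefix + secret)
    return oracle


def beast_recover(oracle, length: int):
    """Network attacker recovering `length` (<= 16) secret bytes, one at a time.
    Returns None as soon as no guess matches, which is the outcome against a
    1/n-1 splitting connection."""
    assert 0 < length <= BLOCK
    # Throwaway write so the attacker has observed the current chained IV.
    last_block = oracle(b"x")[-BLOCK:]
    recovered = b""
    for i in range(length):
        # Align the secret so block 0 holds (15 - i) known bytes, the i bytes
        # recovered so far, and exactly one unknown byte.
        prefix = b"A" * (BLOCK - 1 - i)
        iv0 = last_block
        ct = oracle(prefix)
        target, last_block = ct[:BLOCK], ct[-BLOCK:]
        known = prefix + recovered
        match = None
        for g in range(256):
            guess_block = known + bytes([g])
            # Pick P' with IV' xor P' == IV0 xor guess_block: the block then
            # encrypts to `target` exactly when the guessed byte is right.
            crafted = xor(xor(last_block, iv0), guess_block)
            ct = oracle(crafted)
            last_block = ct[-BLOCK:]
            if ct[:BLOCK] == target:
                match = g
                break
        if match is None:
            return None
        recovered += bytes([match])
    return recovered


KEY = hashlib.sha256(b"constructed demo key").digest()[:BLOCK]  # constructed
IV0 = hashlib.sha256(b"constructed demo iv").digest()[:BLOCK]   # constructed
SECRET = b"Cookie=S3cr3t!"                                       # constructed


def demo(split_records: bool):
    conn = CbcConnection(KEY, IV0, split_records=split_records)
    return beast_recover(victim_oracle(conn, SECRET), len(SECRET))


if __name__ == "__main__":
    print("SSL_CBC_RANDOM_IV off:", demo(False))
    print("SSL_CBC_RANDOM_IV on: ", demo(True))
```

With splitting off the attacker recovers the whole cookie with at most 256 writes per byte; with it on, no guess ever matches and the attack returns None, because the attacker's chosen block is now encrypted under the ciphertext of the 1-byte record, which did not exist when the plaintext was chosen. That extra short record is also what trips up peers that assume one write arrives as one record, which is the kind of breakage the message above is collecting reports about. In a real NSS client the switch is SSL_OptionSetDefault(SSL_CBC_RANDOM_IV, PR_TRUE) before any sockets are created, or SSL_OptionSet(fd, SSL_CBC_RANDOM_IV, PR_TRUE) on an individual socket.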
