NSS in Rawhide updated to nss-3.12.4

Elio Maldonado emaldona at redhat.com
Mon Feb 4 23:54:41 UTC 2013 

To all interested,

This is the upstream announcement:

[NOTE: NSS 3.14.2 does not include a fix for the attacks described in
the paper "Lucky Thirteen: Breaking the TLS and DTLS Record Protocols"
(http://www.isg.rhul.ac.uk/tls/ <http://www.isg.rhul.ac.uk/tls/>). An 
upcoming NSS patch release will
address the attacks.]

Network Security Services (NSS) 3.14.2 is a patch release for NSS 3.14.
The bug fixes in NSS 3.14.2 are described in the "Bugs Fixed" section
below. NSS 3.14.2 should be used with NSPR 4.9.5 or newer.

The release is available for download from
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_2_RTM/src/ 
<https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_2_RTM/src/>

For the primary NSS documentation pages please visit
https://developer.mozilla.org/en-US/docs/NSS 
<https://developer.mozilla.org/en-US/docs/NSS>

New in NSS 3.14.2

* NSS will now make use of the Intel AES-NI and AVX instruction sets
   for hardware-accelerated AES-GCM on 64-bit Linux systems.

* Initial manual pages for some NSS command line tools have been added.
   They are still under review, and contributions are welcome. The
   documentation is in the docbook format and can be rendered as HTML
   and UNIX-style manual pages using an optional build target.

New Types:
* in certt.h
   - cert_pi_useOnlyTrustAnchors
* in secoidt.h
   - SEC_OID_MS_EXT_KEY_USAGE_CTL_
SIGNING

Notable Changes in NSS 3.14.2

* Bug 805604 - Support for AES-NI and AVX accelerated AES-GCM was
   contributed by Shay Gueron of Intel. If compiled on Linux systems in
   64-bit mode, NSS will include runtime detection to check if the
   platform supports AES-NI and PCLMULQDQ. If so, NSS uses the optimized
   code path, reducing the CPU cycles per byte to 1/20 of what was
   required before the patch
   ( https://bugzilla.mozilla.org/show_bug.cgi?id=805604 
<https://bugzilla.mozilla.org/show_bug.cgi?id=805604> and
https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf 
<https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf>).
   Support for other platforms, such as Windows, will follow in a future
   NSS release. ( https://bugzilla.mozilla.org/show_bug.cgi?id=540986 
<https://bugzilla.mozilla.org/show_bug.cgi?id=540986> )
* SQLite has been updated to 3.7.15.
* Bug 816853 - When using libpkix for certificate validation,
   applications may now supply additional application-defined trust
   anchors to be used in addition to those from loaded security tokens,
   rather than as an alternative to.
   ( https://bugzilla.mozilla.org/show_bug.cgi?id=816853 
<https://bugzilla.mozilla.org/show_bug.cgi?id=816853> )
* Bug 772144 - Basic support for running NSS test suites on Android
   devices.This is currently limited to running tests from a Linux host
   machine using an SSH connection. Only the SSHDroid app has been
   tested.
* Bug 373108 - Fixed a bug where, under certain circumstances, when
   applications supplied invalid/out-of-bounds parameters for AES
   encryption, a double free may occur.
* Bug 813857 - Modification of certificate trust flags from multiple
   threads is now a thread-safe operation.
* Bug 618418 - C_Decrypt/C_DecryptFinal now correctly validate the
   PKCS #7 padding when present.
* Bug 807890 - Add support for Microsoft Trust List Signing EKU.
* Bug 822433 - Fix a crash in dtls_FreeHandshakeMessages.
* Bug 823336 - Reject invalid LDAP AIA URIs sooner.

Bugs fixed in NSS 3.14.2

* 
https://bugzilla.mozilla.org/buglist.cgi?list_id=5502456;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.14.2;product=NSS 
<https://bugzilla.mozilla.org/buglist.cgi?list_id=5502456;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.14.2;product=NSS>

Compatibility

NSS 3.14.2 shared libraries are backward compatible with all older NSS
3.x  shared libraries. A program linked with older NSS 3.x shared
libraries will work with NSS 3.14.2 shared libraries without recompiling
or relinking. Furthermore, applications that restrict their use of NSS
APIs to the functions listed in NSS Public Functions will remain
compatible with future versions of the NSS shared libraries.

Feedback

Bugs discovered should be reported by filing a bug report with
bugzilla.mozilla.org <http://bugzilla.mozilla.org> (product NSS).

-----------------------------------

Working now on bringing it to F-18 and F-17.

-Elio

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20130204/95bf19f9/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cleardot.gif
Type: image/gif
Size: 43 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20130204/95bf19f9/attachment-0001.gif>

More information about the devel mailing list