<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Times New Roman; font-size: 12pt; color: #000000'>
Updated NSS in Rawhide to the upstream's NSS_3_13_RC0 and with it
NSPR to NSPR_4.9_BETA3.<br>
<br>
The bug fixes in NSPR 4.9 BETA3 and NSS 3.18 RC0 can be found by
these Bugzilla queries:<br>
<br>
For nspr: <br>
<a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/buglist.cgi?order=Importance&resolution=FIXED&classification=Components&query_format=advanced&product=NSPR&target_milestone=4.9&list_id=1467991" target="_blank">https://bugzilla.mozilla.org/buglist.cgi?order=Importance&resolution=FIXED&classification=Components&query_format=advanced&product=NSPR&target_milestone=4.9&list_id=1467991</a><br>
<br>
and for nss:<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/buglist.cgi?order=Importance&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.13&list_id=1468013" target="_blank">https://bugzilla.mozilla.org/buglist.cgi?order=Importance&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.13&list_id=1468013</a><br>
<br>
Of particular importance is the fix for CVE-2011-3389, the
Rizzo/Duong chosen plaintext attack (BEAST) on SSL/TLS 1.0
(facilitated by websockets -76):<br>
<a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=665814" target="_blank">https://bugzilla.mozilla.org/show_bug.cgi?id=665814</a><br>
<br>
To quote from the ssl patch itself:<br>
------<br>
For SSL 3.0 and TLS 1.0, by default we prevent chosen plaintext
attacks<br>
on SSL CBC mode cipher suites (see RFC 4346 Section F.3) by
splitting<br>
non-empty application_data records into two records; the first
record has<br>
only the first byte of plaintext, and the second has the rest.<br>
<br>
This only prevents the attack in the sending direction; the
connection may<br>
still be vulnerable to such attacks if the peer does not implement
a similar<br>
countermeasure.<br>
<br>
This protection mechanism is on by default; the default can be
overridden by<br>
setting NSS_SSL_CBC_RANDOM_IV=0 in the environment prior to
execution,<br>
and/or by the application setting the option SSL_CBC_RANDOM_IV to
PR_FALSE.<br>
<br>
The per-record IV in TLS 1.1 and later adds one block of overhead
per<br>
record, whereas this hack will add at least two blocks of overhead
per<br>
record, so TLS 1.1+ will always be more efficient.<br>
<br>
Other implementations (e.g. some versions of OpenSSL, in some<br>
configurations) prevent the same attack by prepending an empty<br>
application_data record to every application_data record they send;
we do<br>
not do that because some implementations cannot handle empty<br>
application_data records. Also, we only split application_data
records and<br>
not other types of records, because some implementations will not
accept<br>
fragmented records of some other types (e.g. some versions of NSS
do not<br>
accept fragmented alerts).<br>
------<br>
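The quoted patch text describes the rules behind the 1/n-1 record split: it applies only to SSL 3.0 and TLS 1.0, only to non-empty application_data records, and can be switched off through the environment or the application option. The Python below is an added model of those rules and of the overhead claim in the text (two extra CBC blocks per split record versus one extra block for the TLS 1.1 explicit IV); it is not NSS code, and the function names, the treatment of one-byte records (left unsplit, since the second fragment would be empty) and the SHA-1 MAC and 16-byte block parameters are assumptions.<br>

```python
import os

# TLS record content types (RFC 2246 section 6.2.1).
CHANGE_CIPHER_SPEC = 20
ALERT = 21
HANDSHAKE = 22
APPLICATION_DATA = 23

# Record-layer protocol versions as (major, minor).
SSL_3_0 = (3, 0)
TLS_1_0 = (3, 1)
TLS_1_1 = (3, 2)


def cbc_split_enabled(option_value=True, environ=None):
    """Model of the precedence in the patch text: the countermeasure is on
    by default; NSS_SSL_CBC_RANDOM_IV=0 in the environment or the
    application turning the option off disables it (assumed model)."""
    env = os.environ if environ is None else environ
    if env.get("NSS_SSL_CBC_RANDOM_IV") == "0":
        return False
    return bool(option_value)


def split_record(version, content_type, plaintext, enabled=True):
    """Return the plaintext fragments to send as separate records.

    The 1/n-1 split is applied only where the patch text says it is:
    SSL 3.0 / TLS 1.0, application_data, and non-empty data.  A single
    byte is not split because the second fragment would be empty, which
    the text says some peers cannot handle (assumption)."""
    if (not enabled
            or version not in (SSL_3_0, TLS_1_0)
            or content_type != APPLICATION_DATA
            or len(plaintext) < 2):
        return [plaintext]
    return [plaintext[:1], plaintext[1:]]


def cbc_ciphertext_len(plain_len, mac_len=20, block=16):
    """Bytes of CBC ciphertext for one record: the MAC is appended, then
    1..block bytes of padding bring the total to a block multiple."""
    return ((plain_len + mac_len) // block + 1) * block


def wire_bytes(fragments, explicit_iv=False, mac_len=20, block=16, header=5):
    """Total bytes on the wire for a list of fragments, each sent as its
    own record.  explicit_iv=True models the TLS 1.1 per-record IV."""
    total = 0
    for fragment in fragments:
        total += header
        if explicit_iv:
            total += block
        total += cbc_ciphertext_len(len(fragment), mac_len, block)
    return total


if __name__ == "__main__":
    # Constructed sample application data.
    data = b"GET /index.html HTTP/1.0\r\n" + b"x" * 74   # 100 bytes
    unsplit = [data]
    split = split_record(TLS_1_0, APPLICATION_DATA, data)
    print("TLS 1.0, no split:   ", wire_bytes(unsplit))
    print("TLS 1.0, 1/n-1 split:", wire_bytes(split))
    print("TLS 1.1, explicit IV:", wire_bytes(unsplit, explicit_iv=True))
    # Alerts and handshake records are never split.
    print(split_record(TLS_1_0, ALERT, b"\x02\x28"))
```

For a 100-byte record the model gives 133 bytes unsplit, 170 bytes with the split (two extra blocks plus a second record header) and 149 bytes under TLS 1.1, which is the efficiency comparison the patch text makes.<br>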
<br>
The NSS team would greatly appreciate any feedback, especially
regarding compatibility issues with various sites.<br>
<br>
Thank you,<br>
<br>
Elio Maldonado<br>
<br>
</div></body></html>