<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
To all interested,<br>
<br>
This is the upstream announcement:<br>
<br>
[NOTE: NSS 3.14.2 does not include a fix for the attacks described
in<br>
the paper "Lucky Thirteen: Breaking the TLS and DTLS Record
Protocols"<br>
(<a href="http://www.isg.rhul.ac.uk/tls/" target="_blank">http://www.isg.rhul.ac.uk/<wbr>tls/</a>).
An upcoming NSS patch release will<br>
address the attacks.]<br>
<br>
Network Security Services (NSS) 3.14.2 is a patch release for NSS
3.14.<br>
The bug fixes in NSS 3.14.2 are described in the "Bugs Fixed"
section<br>
below. NSS 3.14.2 should be used with NSPR 4.9.5 or newer.<br>
<br>
The release is available for download from<br>
<a
href="https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_2_RTM/src/"
target="_blank">https://ftp.mozilla.org/pub/<wbr>mozilla.org/security/nss/<wbr>releases/NSS_3_14_2_RTM/src/</a><br>
<br>
For the primary NSS documentation pages please visit<br>
<a href="https://developer.mozilla.org/en-US/docs/NSS"
target="_blank">https://developer.mozilla.org/<wbr>en-US/docs/NSS</a><br>
<br>
New in NSS 3.14.2<br>
<br>
* NSS will now make use of the Intel AES-NI and AVX instruction sets<br>
for hardware-accelerated AES-GCM on 64-bit Linux systems.<br>
<br>
* Initial manual pages for some NSS command line tools have been
added.<br>
They are still under review, and contributions are welcome. The<br>
documentation is in the docbook format and can be rendered as HTML<br>
and UNIX-style manual pages using an optional build target.<br>
<br>
New Types:<br>
* in certt.h<br>
- cert_pi_useOnlyTrustAnchors<br>
* in secoidt.h<br>
<div id=":1c3">- SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING<br>
<br>
Notable Changes in NSS 3.14.2<br>
<br>
* Bug 805604 - Support for AES-NI and AVX accelerated AES-GCM was<br>
contributed by Shay Gueron of Intel. If compiled on Linux
systems in<br>
64-bit mode, NSS will include runtime detection to check if the<br>
platform supports AES-NI and PCLMULQDQ. If so, NSS uses the
optimized<br>
code path, reducing the CPU cycles per byte to 1/20 of what was<br>
required before the patch<br>
( <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=805604"
target="_blank">https://bugzilla.mozilla.org/<wbr>show_bug.cgi?id=805604</a>
and<br>
<a
href="https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf"
target="_blank">https://crypto.stanford.edu/<wbr>RealWorldCrypto/slides/gueron.<wbr>pdf</a>).<br>
Support for other platforms, such as Windows, will follow in a
future<br>
NSS release. ( <a
href="https://bugzilla.mozilla.org/show_bug.cgi?id=540986"
target="_blank">https://bugzilla.mozilla.org/<wbr>show_bug.cgi?id=540986</a>
)<br>
* SQLite has been updated to 3.7.15.<br>
* Bug 816853 - When using libpkix for certificate validation,<br>
applications may now supply additional application-defined trust<br>
anchors to be used in addition to those from loaded security
tokens,<br>
rather than as an alternative to them.<br>
( <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=816853"
target="_blank">https://bugzilla.mozilla.org/<wbr>show_bug.cgi?id=816853</a>
)<br>
* Bug 772144 - Basic support for running NSS test suites on
Android<br>
devices. This is currently limited to running tests from a Linux
host<br>
machine using an SSH connection. Only the SSHDroid app has been<br>
tested.<br>
* Bug 373108 - Fixed a bug where, under certain circumstances,
when<br>
applications supplied invalid/out-of-bounds parameters for AES<br>
encryption, a double free may occur.<br>
* Bug 813857 - Modification of certificate trust flags from
multiple<br>
threads is now a thread-safe operation.<br>
* Bug 618418 - C_Decrypt/C_DecryptFinal now correctly validate the<br>
PKCS #7 padding when present.<br>
* Bug 807890 - Add support for Microsoft Trust List Signing EKU.<br>
* Bug 822433 - Fix a crash in dtls_FreeHandshakeMessages.<br>
* Bug 823336 - Reject invalid LDAP AIA URIs sooner.<br>
<br>
Bugs fixed in NSS 3.14.2<br>
<br>
* <a
href="https://bugzilla.mozilla.org/buglist.cgi?list_id=5502456;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.14.2;product=NSS"
target="_blank">https://bugzilla.mozilla.org/<wbr>buglist.cgi?list_id=5502456;<wbr>resolution=FIXED;<wbr>classification=Components;<wbr>query_format=advanced;target_<wbr>milestone=3.14.2;product=NSS</a><br>
<br>
Compatibility<br>
<br>
NSS 3.14.2 shared libraries are backward compatible with all older
NSS<br>
3.x shared libraries. A program linked with older NSS 3.x shared<br>
libraries will work with NSS 3.14.2 shared libraries without
recompiling<br>
or relinking. Furthermore, applications that restrict their use of
NSS<br>
APIs to the functions listed in NSS Public Functions will remain<br>
compatible with future versions of the NSS shared libraries.<br>
<br>
Feedback<br>
<br>
Bugs discovered should be reported by filing a bug report with<br>
<a href="http://bugzilla.mozilla.org" target="_blank">bugzilla.mozilla.org</a>
(product NSS).<br>
<br>
-----------------------------------<br>
<br>
Working now on bringing it to F-18 and F-17.<br>
<br>
-Elio<br>
</div>
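<br>
Added example, not part of the announcement and not NSS source code: the kind of runtime check the Bug 805604 note describes, reading CPUID leaf 1 for AES-NI and PCLMULQDQ and confirming OS support for YMM state before taking an AVX path. The names select_gcm_path and detect_gcm_path and the three-tier enum are hypothetical.<br>

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* CPUID leaf 1, ECX feature bits (Intel SDM). */
#define ECX_PCLMULQDQ (1u << 1)
#define ECX_AESNI     (1u << 25)
#define ECX_OSXSAVE   (1u << 27)
#define ECX_AVX       (1u << 28)
#define XCR0_SSE_AVX  0x6u   /* XCR0 bits 1 and 2: OS saves XMM and YMM state */

/* Hypothetical tiers for this example; NSS's own structure may differ. */
enum gcm_path { GCM_SOFTWARE = 0, GCM_AESNI_CLMUL = 1, GCM_AESNI_CLMUL_AVX = 2 };

/* Pure decision function: which AES-GCM path is safe for these feature words. */
enum gcm_path select_gcm_path(uint32_t ecx, uint64_t xcr0)
{
    uint32_t need = ECX_AESNI | ECX_PCLMULQDQ;   /* AES rounds and GHASH multiply */
    if ((ecx & need) != need)
        return GCM_SOFTWARE;
    /* AVX is usable only if the CPU has it AND the OS preserves YMM state. */
    if ((ecx & ECX_AVX) && (ecx & ECX_OSXSAVE) && (xcr0 & XCR0_SSE_AVX) == XCR0_SSE_AVX)
        return GCM_AESNI_CLMUL_AVX;
    return GCM_AESNI_CLMUL;
}

/* Reads the real feature words; returns GCM_SOFTWARE on non-x86 builds. */
enum gcm_path detect_gcm_path(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    uint64_t xcr0 = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return GCM_SOFTWARE;
    if (ecx & ECX_OSXSAVE) {            /* XGETBV faults unless OSXSAVE is set */
        uint32_t lo, hi;
        __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
        xcr0 = ((uint64_t)hi << 32) | lo;
    }
    return select_gcm_path(ecx, xcr0);
#else
    return GCM_SOFTWARE;
#endif
}
int main(void)
{
    printf("selected AES-GCM path: %d\n", (int)detect_gcm_path());
    return 0;
}
```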
<br>
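Added example, not part of the announcement and not NSS source code: what complete PKCS #7 padding validation on a decrypted buffer involves, the property the Bug 618418 note refers to. The function pkcs7_unpad_len is hypothetical and the sample blocks are constructed.<br>

```c
#include <stddef.h>
#include <stdio.h>

/* Returns the plaintext length once PKCS #7 padding is removed from a
 * decrypted buffer, or -1 if the padding is malformed. */
long pkcs7_unpad_len(const unsigned char *buf, size_t len, size_t block)
{
    if (buf == NULL || block == 0 || block > 255)
        return -1;
    if (len == 0 || len % block != 0)
        return -1;                  /* padded data is always whole blocks */

    unsigned int pad = buf[len - 1];
    unsigned int bad = (pad == 0) | (pad > block);  /* valid range: 1..block */

    /* Walk the whole final block with no early exit; only positions inside
     * the claimed pad are compared against the pad value. */
    for (size_t i = 1; i <= block; i++) {
        unsigned int in_pad = (i <= pad);
        bad |= in_pad & (unsigned int)(buf[len - i] != pad);
    }
    return bad ? -1 : (long)(len - pad);
}

/* Constructed sample blocks (16-byte block size), not real traffic. */
static const unsigned char ok_block[16] = {
    'h','e','l','l','o',' ','w','o','r','l','d','!', 4, 4, 4, 4 };
static const unsigned char bad_block[16] = {   /* last byte says 4, one pad byte is 3 */
    'h','e','l','l','o',' ','w','o','r','l','d','!', 3, 4, 4, 4 };
static const unsigned char zero_pad[16] = {    /* pad value 0 is never valid */
    'h','e','l','l','o',' ','w','o','r','l','d','!','!','!','!', 0 };

int main(void)
{
    printf("ok=%ld bad=%ld zero=%ld\n",
           pkcs7_unpad_len(ok_block, 16, 16),
           pkcs7_unpad_len(bad_block, 16, 16),
           pkcs7_unpad_len(zero_pad, 16, 16));
    return 0;
}
```

A check that inspects only the final byte would accept bad_block; validating every pad byte is what rejects it.<br>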
</body>
</html>