Changes:
- Bug 1803190 - conscious language removal in NSS.
- Bug 1794506 - Set nssckbi version number to 2.60.
- Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates.
- Bug 1799038 - Remove Staat der Nederlanden EV Root CA from NSS.
- Bug 1797559 - Remove EC-ACC root cert from NSS.
- Bug 1794507 - Remove SwissSign Platinum CA - G2 from NSS.
- Bug 1794495 - Remove Network Solutions Certificate Authority.
- Bug 1802331 - compress docker image artifact with zstd.
- Bug 1799315 - Migrate nss from AWS to GCP.
- Bug 1800989 - Enable static builds in the CI.
- Bug 1765759 - Removing SAW docker from the NSS build system.
- Bug 1783231 - Initialising variables in the rsa blinding code.
- Bug 320582 - Implementation of the double-signing of the message for ECDSA.
- Bug 1783231 - Adding exponent blinding for RSA.
|
|
Changes:
- Bug 1792821 - Modification of the primes.c and dhe-params.c in order to have better looking tables.
- Bug 1796815 - Update zlib in NSS to 1.2.13.
- Bug 1796504 - Skip building modutil and shlibsign when building in Firefox.
- Bug 1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard.
- Bug 1796407 - Fix -Wunused-but-set-variable warning from clang 15.
- Bug 1796308 - Fix -Wtautological-constant-out-of-range-compare and -Wtype-limits warnings.
- Bug 1796281 - Followup: add missing stdint.h include.
- Bug 1796281 - Fix -Wint-to-void-pointer-cast warnings.
- Bug 1796280 - Fix -Wunused-{function,variable,but-set-variable} warnings on Windows.
- Bug 1796079 - Fix -Wstring-conversion warnings.
- Bug 1796075 - Fix -Wempty-body warnings.
- Bug 1795242 - Fix unused-but-set-parameter warning.
- Bug 1795241 - Fix unreachable-code warnings.
- Bug 1795222 - Mark _nss_version_c unused on clang-cl.
- Bug 1795668 - Remove redundant variable definitions in lowhashtest.
- No bug - Add note about python executable to build instructions.
|
|
Changes:
- Bug 1791699 - Bump minimum NSPR version to 4.35.
- Bug 1792103 - Add a flag to disable building libnssckbi.
|
|
Changes:
- Bug 1788875 - Remove set-but-unused variables from
SEC_PKCS12DecoderValidateBags
- Bug 1563221 - remove older oses that are unused part3/ BeOS
- Bug 1563221 - remove older unix support in NSS part 3 Irix
- Bug 1563221 - remove support for older unix in NSS part 2 DGUX
- Bug 1563221 - remove support for older unix in NSS part 1 OSF
- Bug 1778413 - Set nssckbi version number to 2.58
- Bug 1785297 - Add two SECOM root certificates to NSS
- Bug 1787075 - Add two DigitalSign root certificates to NSS
- Bug 1778412 - Remove Camerfirma Global Chambersign Root from NSS
- Bug 1771100 - Added bug reference and description to disabled
UnsolicitedServerNameAck bogo ECH test
- Bug 1779361 - Removed skipping of ECH on equality of private and
public server name
- Bug 1779357 - Added comment and bug reference to
ECHRandomHRRExtension bogo test
- Bug 1779370 - Added Bogo shim client HRR test support. Fixed
overwriting of CHInner.random on HRR
- Bug 1779234 - Added check for server only sending ECH extension
with retry configs in EncryptedExtensions and if not
accepting ECH. Changed config setting behavior to
skip configs with unsupported mandatory extensions
instead of failing
- Bug 1771100 - Added ECH client support to BoGo shim. Changed
CHInner creation to skip TLS 1.2 only extensions to
comply with BoGo
- Bug 1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH
server accept_confirmation bugs
- Bug 1771100 - Update BoGo tests to recent BoringSSL version
- Bug 1785846 - Bump minimum NSPR version to 4.34.1
|
|
Changes:
- Bug 1330271 - check for null template in sec_asn1{d,e}_push_state
- Bug 1735925 - QuickDER: Forbid NULL tags with non-zero length
- Bug 1784724 - Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
- Bug 1784191 - Cast the result of GetProcAddress
- Bug 1681099 - pk11wrap: Tighten certificate lookup based on PKCS #11 URI.
|
|
Changes:
- Bug 1762831: Enable aarch64 hardware crypto support on OpenBSD.
- Bug 1775359 - make NSS_SecureMemcmp 0/1 valued.
- Bug 1779285: Add no_application_protocol alert handler and test client error code is set.
- Bug 1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
|
|
I cannot recall the reason it was set; seems to work without it now.
|
|
Ok during freeze: gdt@
Changes:
- Bug 1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h.
- Bug 1617956 - Add support for asynchronous client auth hooks.
- Bug 1497537 - nss-policy-check: make unknown keyword check optional.
- Bug 1765383 - GatherBuffer: Reduced plaintext buffer allocations
by allocating it on initialization. Replaced redundant code with
assert. Debug builds: Added buffer freeing/allocation for each
record.
- Bug 1773022 - Mark 3.79 as an ESR release.
- Bug 1764206 - Bump nssckbi version number for June.
- Bug 1759815 - Remove Hellenic Academic 2011 Root.
- Bug 1770267 - Add E-Tugra Roots.
- Bug 1768970 - Add Certainly Roots.
- Bug 1764392 - Add DigiCert Roots.
- Bug 1759794 - Protect SFTKSlot needLogin with slotLock.
- Bug 1366464 - Compare signature and signatureAlgorithm fields
in legacy certificate verifier.
- Bug 1771497 - Uninitialized value in cert_VerifyCertChainOld.
- Bug 1771495 - Unchecked return code in sec_DecodeSigAlg.
- Bug 1771498 - Uninitialized value in cert_ComputeCertType.
- Bug 1760998 - Avoid data race on primary password change.
- Bug 1769063 - Replace ppc64 dcbzl intrinsic.
- Bug 1771036 - Allow LDFLAGS override in makefile builds.
|
|
This release fixes memory safety violations that can occur when parsing CMS
data. We presume that with enough effort these memory safety violations are
exploitable.
Change:
- Bug 205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- Bug 1766907 - Update mercurial in clang-format docker image.
- Bug 1454072 - Use of uninitialized pointer in lg_init after alloc fail.
- Bug 1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- Bug 1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
- Bug 1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- Bug 1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- Bug 1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- Bug 1764788 - Correct invalid record inner and outer content type alerts.
- Bug 1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- Bug 1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
- Bug 1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- Bug 1769302 - NSS 3.79 should depend on NSPR 4.34
|
|
Change:
- Bug 1755264 - Added TLS 1.3 zero-length inner plaintext checks
and tests, zero-length record/fragment handling tests.
- Bug 1294978 - Reworked overlong record size checks and added
TLS1.3 specific boundaries.
- Bug 1763120 - Add ECH Grease Support to tstclnt
- Bug 1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
- Bug 1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
- Bug 1760813 - Make SEC_PKCS12EnableCipher succeed
- Bug 1762489 - Update zlib in NSS to 1.2.12.
|
|
Changes:
- Bug 1762244 - resolve mpitests build failure on Windows.
- Bug 1761779 - Fix link to TLS page on wireshark wiki
- Bug 1754890 - Add two D-TRUST 2020 root certificates.
- Bug 1751298 - Add Telia Root CA v2 root certificate.
- Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt.
- Bug 1005084 - support specific RSA-PSS parameters in mozilla::pkix
- Bug 1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
- Bug 1756271 - Remove token member from NSSSlot struct.
- Bug 1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
- Bug 1757279 - Support UTF-8 library path in the module spec string.
- Bug 1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
- Bug 1760827 - Add a CI Target for gcc-11.
- Bug 1760828 - Change to makefiles for gcc-4.8.
- Bug 1741688 - Update googletest to 1.11.0
- Bug 1759525 - Add SetTls13GreaseEchSize to experimental API.
- Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
- Bug 1755904 - Fix calculation of ECH HRR Transcript.
- Bug 1758741 - Allow ld path to be set as environment variable.
- Bug 1760653 - Ensure we don't read uninitialized memory in ssl gtests.
- Bug 1758478 - Fix DataBuffer Move Assignment.
- Bug 1552254 - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3
- Bug 1755092 - rework signature verification in mozilla::pkix
|
|
Changelog:
Change:
- Bug 1756271 - Remove token member from NSSSlot struct.
|
|
Changes:
- Bug 1755555 - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots.
- Bug 1370866 - Check return value of PK11Slot_GetNSSToken.
- Bug 1747957 - Use Wycheproof JSON for RSASSA-PSS
- Bug 1679803 - Add SHA256 fingerprint comments to old certdata.txt entries.
- Bug 1753505 - Avoid truncating files in nss-release-helper.py.
- Bug 1751157 - Throw illegal_parameter alert for illegal extensions in handshake message.
|
|
Changes:
- Bug 1749030 - This patch adds gcc-9 and gcc-10 to the CI.
- Bug 1749794 - Make DottedOIDToCode.py compatible with python3.
- Bug 1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
- Bug 1748386 - Remove redundant key type check.
- Bug 1749869 - Update ABI expectations to match ECH changes.
- Bug 1748386 - Enable CKM_CHACHA20.
- Bug 1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
- Bug 1747310 - real move assignment operator.
- Bug 1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
- Bug 1743302 - Add ECDSA test vectors to the bltest command line tool.
- Bug 1747772 - Allow to build using clang's integrated assembler.
- Bug 1321398 - Allow to override python for the build.
- Bug 1747317 - test HKDF output rather than input.
- Bug 1747316 - Use ASSERT macros to end failed tests early.
- Bug 1747310 - move assignment operator for DataBuffer.
- Bug 1712879 - Add test cases for ECH compression and unexpected extensions in SH.
- Bug 1725938 - Update tests for ECH-13.
- Bug 1725938 - Tidy up error handling.
- Bug 1728281 - Add tests for ECH HRR Changes.
- Bug 1728281 - Server only sends GREASE HRR extension if enabled by preference.
- Bug 1725938 - Update generation of the Associated Data for ECH-13.
- Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello.
- Bug 1712879 - Allow for compressed, non-contiguous, extensions.
- Bug 1712879 - Scramble the PSK extension in CHOuter.
- Bug 1712647 - Split custom extension handling for ECH.
- Bug 1728281 - Add ECH-13 HRR Handling.
- Bug 1677181 - Client side ECH padding.
- Bug 1725938 - Stricter ClientHelloInner Decompression.
- Bug 1725938 - Remove ECH_inner extension, use new enum format.
- Bug 1725938 - Update the version number for ECH-13 and adjust the ECHConfig size.
|
|
Changes:
• Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses.
• Bug 1553612 - Ensure clients offer consistent ciphersuites after HRR.
• Bug 1721426 - NSS does not properly restrict server keys based on policy.
• Bug 1733003 - Set nssckbi version number to 2.54.
• Bug 1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate in NSS.
• Bug 1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate in NSS.
• Bug 1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate in NSS.
• Bug 1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate in NSS.
• Bug 1735407 - Replace GlobalSign ECC Root CA R4 in NSS.
• Bug 1733560 - Remove Expired Root Certificates from NSS - DST Root CA X3.
• Bug 1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates from NSS.
• Bug 1741930 - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate to NSS.
• Bug 1740095 - Add iTrusChina ECC root certificate to NSS.
• Bug 1740095 - Add iTrusChina RSA root certificate to NSS.
• Bug 1738805 - Add ISRG Root X2 root certificate to NSS.
• Bug 1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate to NSS.
• Bug 1738028 - Avoid a clang 13 unused variable warning in opt build.
• Bug 1735028 - Check for missing signedData field.
• Bug 1737470 - Ensure DER encoded signatures are within size limits.
|
|
Changelog:
Change:
- Add SHA-2 support to mozilla::pkix's OCSP implementation
|
|
This contains the fix for CVE-2021-43527.
|
|
Changes:
- Documentation: release notes for NSS 3.72
- Documentation: release notes for NSS 3.71
- Remove newline at the end of coreconf.dep
- Bug 1731911 - Fix nsinstall parallel failure.
- Bug 1729930 - Increase KDF cache size to mitigate perf regression in about:logins.
|
|
Changes:
- Bug 1717716 - Set nssckbi version number to 2.52.
- Bug 1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Bug 1373716 - Import of PKCS#12 files with Camellia encryption is not supported
- Bug 1717707 - Add HARICA Client ECC Root CA 2021.
- Bug 1717707 - Add HARICA Client RSA Root CA 2021.
- Bug 1717707 - Add HARICA TLS ECC Root CA 2021.
- Bug 1717707 - Add HARICA TLS RSA Root CA 2021.
- Bug 1728394 - Add TunTrust Root CA certificate to NSS.
|
|
Changes:
- Documentation: release notes for NSS 3.70.
- Documentation: release notes for NSS 3.69.1.
- Bug 1726022 - Update test case to verify fix.
- Bug 1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Bug 1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Formatting for lib/util
- Bug 1681975 - Avoid using a lookup table in nssb64d.
- Bug 1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
- Bug 1714579 - Change default value of enableHelloDowngradeCheck to true.
- Formatting for gtests/pk11_gtest/pk11_hpke_unittest.cc
- Bug 1726022 - Cache additional PBE entries.
- Bug 1709750 - Read HPKE vectors from official JSON.
- Documentation: update for NSS 3.69 release.
|
|
Bugs fixed:
- Bug 1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
- Bug 1720226 (Backout) - integrity checks in key4.db not happening on private components with AES_CBC
|
|
Bugs fixed:
- Bug 1722613 - Disable DTLS 1.0 and 1.1 by default
- Bug 1720226 - integrity checks in key4.db not happening on private components with AES_CBC
- Bug 1720235 - SSL handling of signature algorithms ignores environmental invalid algorithms.
- Bug 1721476 - sqlite 3.34 changed its open semantics, causing nss failures.
- Bug 1720230 - Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- Bug 1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- Bug 1720232 - SQLite calls could timeout in starvation situations.
- Bug 1720225 - Coverity/cpp scanner errors found in nss 3.67
- Bug 1709817 - Import the NSS documentation from MDN in nss/doc.
- Bug 1720227 - NSS using a tempdir to measure sql performance not active
|
|
Bugs fixed:
* Bug 1683710 - Add a means to disable ALPN.
* Bug 1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* Bug 1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* Bug 1566124 - Fix counter increase in ppc-gcm-wrap.c.
* Bug 1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
|
|
Bugs fixed:
* Bug 1710716 - Remove Expired Sonera Class2 CA from NSS.
* Bug 1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* Bug 1708307 - Remove Trustis FPS Root CA from NSS.
* Bug 1707097 - Add Certum Trusted Root CA to NSS.
* Bug 1707097 - Add Certum EC-384 CA to NSS.
* Bug 1703942 - Add ANF Secure Server Root CA to NSS.
* Bug 1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* Bug 1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* Bug 1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* Bug 1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* Bug 1710773 - NSS needs FIPS 180-3 FIPS indicators.
* Bug 1709291 - Add VerifyCodeSigningCertificateChain.
* Use GNU tar for the release helper script.
|
|
Bugs fixed in NSS 3.65:
* Bug 1709654 - Update for NetBSD configuration.
* Bug 1709750 - Disable HPKE test when fuzzing.
* Bug 1566124 - Optimize AES-GCM for ppc64le.
* Bug 1699021 - Add AES-256-GCM to HPKE.
* Bug 1698419 - ECH -10 updates.
* Bug 1692930 - Update HPKE to final version.
* Bug 1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* Bug 1703936 - New coverity/cpp scanner errors.
* Bug 1697303 - NSS needs to update its csp clearing to FIPS 180-3 standards.
* Bug 1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* Bug 1705119 - Deadlock when using GCM and non-thread safe tokens.
|
|
Remove local workarounds again
Bump PKGREVISION.
|
|
Changelog:
Bugs fixed in NSS 3.64:
* Bug 1705286 - Properly detect mips64.
* Bug 1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx.
* Bug 1698320 - replace __builtin_cpu_supports("vsx") with
ppc_crypto_support() for clang.
* Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
|
|
While the link fix did fix the case of openssl calling nss code,
the other way round still happens, e.g. in libreoffice (since fixed to
not use nss) and konqueror.
Bump PKGREVISION.
|
|
For a long time now (at least 15 years), the installed pkg-config
file also linked against libsoftokn3, which is wrong according to
upstream. This library is only intended to be loaded as a module.
Having this library linked added symbols to the namespace that conflict
with openssl symbols. This had caused problems before, and patches
had been added to rename symbols to avoid this conflict.
Instead, fix this correctly by not linking against libsoftokn3.
Switch to using the pkg-config and nss-config files provided in the
distfiles instead of pkgsrc-specific ones.
Remove now unneeded symbol-renaming patches.
Remove DragonFly patches while here.
Bump PKGREVISION.
|
|
Changelog:
Bugs fixed in NSS 3.63:
* Bug 1697380 - Make a clang-format run on top of helpful contributions.
* Bug 1683520 - ECCKiila P384, change syntax of nested structs initialization
to prevent build issues with GCC 4.8.
* Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar
multiplication.
* Bug 1683520 - ECCKiila P521, change syntax of nested structs initialization
to prevent build issues with GCC 4.8.
* Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar
multiplication.
* Bug 1696800 - HACL* update March 2021 -
c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* Bug 1694214 - tstclnt can't enable middlebox compat mode.
* Bug 1694392 - NSS does not work with PKCS #11 modules not supporting
profiles.
* Bug 1685880 - Minor fix to prevent unused variable on early return.
* Bug 1685880 - Fix for the gcc compiler version 7 to support setenv with nss
build.
* Bug 1693217 - Increase nssckbi.h version number for March 2021 batch of root
CA changes, CA list version 2.48.
* Bug 1692094 - Set email distrust after to 21-03-01 for Camerfirma's
'Chambers of Commerce' and 'Global Chambersign' roots.
* Bug 1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* Bug 1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* Bug 1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* Bug 1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from
NSS.
* Bug 1687822 - Turn off Websites trust bit for the “Staat der Nederlanden
Root CA - G3” root cert in NSS.
* Bug 1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root -
2008' and 'Global Chambersign Root - 2008'.
* Bug 1694291 - Tracing fixes for ECH.
|
|
* Change header files installation suggested by markd@.
Do not install dbm header files and install nss header files
under nss, not nss/nss.
Changelog:
Bugs fixed in NSS 3.62
Bug 1688374 - Fix parallel build NSS-3.61 with make.
Bug 1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable".
Bug 1690583 - Fix CH padding extension size calculation.
Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail.
Bug 1690421 - Install packaged libabigail in docker-builds image.
Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing.
Bug 1674819 - Fixup a51fae403328, enum type may be signed.
Bug 1681585 - Add ECH support to selfserv.
Bug 1681585 - Update ECH to Draft-09.
Bug 1678398 - Add Export/Import functions for HPKE context.
Bug 1678398 - Update HPKE to draft-07.
|
|
Changelog:
Bugs fixed in NSS 3.61:
* Bug 1682071 - Fix issue with IKE Quick mode deriving incorrect key values
under certain conditions.
* Bug 1684300 - Fix default PBE iteration count when NSS is compiled with
NSS_DISABLE_DBM.
* Bug 1651411 - Improve constant-timeness in RSA operations.
* Bug 1677207 - Upgrade Google Test version to latest release.
* Bug 1654332 - Add aarch64-make target to nss-try.
|
|
Changelog:
Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been
added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation.
See bug 1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated to version
2.46. See bugs 1678189, 1678166, and 1670769 for more information.
Bugs fixed in NSS 3.60:
* Bug 1654332 - Implement Encrypted Client Hello (draft-ietf-tls-esni-08).
* Bug 1678189 - Update CA list version to 2.46.
* Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS.
* Bug 1678166 - Add NAVER Global Root Certification Authority root cert to
NSS.
* Bug 1678384 - Add a build flag to allow building nssckbi-testlib in
mozilla-central.
* Bug 1570539 - Remove -X alt-server-hello option from tstclnt.
* Bug 1675523 - Fix incorrect pkcs11t.h value CKR_PUBLIC_KEY_INVALID.
* Bug 1642174 - Fix PowerPC ABI version 1 build failure.
* Bug 1674819 - Fix undefined shift in fuzzer mode.
* Bug 1678990 - Fix ARM crypto extensions detection on macOS.
* Bug 1679290 - Fix lock order inversion and potential deadlock with
libnsspem.
* Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey.
|
|
Changelog:
Notable Changes in NSS 3.59
Exported two existing functions from libnss, CERT_AddCertToListHeadWithData
and CERT_AddCertToListTailWithData
NOTE: NSS will soon require GCC 4.8 or newer. Gyp-based builds will stop
supporting older GCC versions first, followed a few releases later by the
make-based builds. Users of older GCC versions can continue to use the
make-based build system while they upgrade to newer versions of GCC.
Bugs fixed in NSS 3.59
* Bug 1607449 - Lock cert->nssCertificate to prevent a potential data race
* Bug 1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* Bug 1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* Bug 1670835 - Support enabling and disabling signatures via Crypto Policy
* Bug 1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs
when SHA1 signatures are disabled.
* Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some
test intermittents
* Bug 1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our
CVE-2020-25648 fix that broke purple-discord
* Bug 1666891 - Support key wrap/unwrap with RSA-OAEP
* Bug 1667989 - Fix gyp linking on Solaris
* Bug 1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder
that affected decoding certain PKCS8 private keys when using NSS debug builds
* Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
|
|
Add a post-release patch that broke some applications
https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f
Changes not found.
|
|
Changelog:
Notable Changes in NSS 3.57
* NSPR dependency updated to 4.29.
* The following CA certificates were Added:
Bug 1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint:
97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
Bug 1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint:
945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
Bug 1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint:
55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
Bug 1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint:
3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
Bug 1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint:
7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
Bug 1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
Bugs fixed in NSS 3.57
* Bug 1651211 - Remove EE Certification Centre Root CA certificate.
* Bug 1653092 - Turn off Websites Trust Bit for OISTE WISeKey Global Root GA
CA.
* Bug 1656077 - Remove Taiwan Government Root Certification Authority
certificate.
* Bug 1663049 - Add SecureTrust's Trustwave Global root certificates to NSS.
* Bug 1659256 - AArch64 AES optimization shouldn't be enabled with gcc 4.8.
* Bug 1651834 - Fix Clang static analyzer warnings.
* Bug 1661378 - Fix Build failure with Clang 11.
* Bug 1659727 - Fix mpcpucache.c invalid output constraint on Linux/ARM.
* Bug 1662738 - Only run freebl_fips_RNG_PowerUpSelfTest when linked with
NSPR.
* Bug 1661810 - Fix Crash @ arm_aes_encrypt_ecb_128 when building with Clang
11.
* Bug 1659252 - Fix Make build with NSS_DISABLE_DBM=1.
* Bug 1660304 - Add POST tests for KDFs as required by FIPS.
* Bug 1663346 - Use 64-bit compilation on e2k architecture.
* Bug 1605922 - Account for negative sign in mp_radix_size.
* Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes.
* Bug 1660372 - NSS 3.57 should depend on NSPR 4.29
* Bug 1660734 - Fix Makefile typos.
* Bug 1660735 - Fix Makefile typos.
|
|