#7422: nss-3.22
-------------------------+-------------------------
Reporter: fo | Owner: blfs-book@…
Type: enhancement | Status: new
Priority: highest | Milestone: 7.9
Component: BOOK | Version: SVN
Severity: normal | Keywords:
-------------------------+-------------------------
== Previous version 2.21 includes security fix ==
'''CVE-2015-7575''' - Prevent MD5 Downgrade in TLS 1.2 Signatures.
'''If you have an older version, upgrade to 3.22.'''
I did not inform when it was released, so giving this one high priority
tag, to warn it.
[https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_RTM/src/nss-3.22.tar.gz]
[https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_22_RTM/src/SHA1SUMS]
47e1b0f297eabe9965abde3f1c5baafdee513f84 nss-3.22.tar.gz
[https://developer.mozilla.org/en-
US/docs/Mozilla/Projects/NSS/NSS_3.22_release_notes]
Modified:
{{{
NSS 3.22 release notes
Introduction
The NSS team has released Network Security Services (NSS) 3.22, which is a
minor release.
Distribution Information
The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.
New in NSS 3.22
New Functionality
• RSA-PSS signatures are now supported (bug 1215295)
◦ New functions PK11_SignWithMechanism() and
PK11_SignWithMechanism() are provided to allow RSA keys to be
used with PSS.
• Pseudorandom functions based on hashes other than SHA-1 are now
supported with PBKDF (bug 554827).
◦ PK11_CreatePBEV2AlgorithmID() now supports SEC_OID_PKCS5_PBKDF2
with cipherAlgTag and prfAlgTag set to SEC_OID_HMAC_SHA256,
SEC_OID_HMAC_SHA224, SEC_OID_HMAC_SHA384, or
SEC_OID_HMAC_SHA512.
• Enforce an External Policy on NSS from a config file (bug 1009429)
◦ you can now add a config= line to pkcs11.txt (assuming you are
using sql databases), which will force NSS to restrict the
application to certain cryptographic algorithms and protocols. A
complete list can be found in NSS Config Options.
New Functions
• in pk11pub.h
◦ PK11_SignWithMechanism - This function is an extended version
PK11_Sign().
◦ PK11_VerifyWithMechanism - This function is an extended version
of PK11_Verify().
▪ These functions take an explicit mechanism and parameters
as arguments rather than inferring it from the key type
using PK11_MapSignKeyType(). The mechanism type
CKM_RSA_PKCS_PSS is now supported for RSA in addition to
CKM_RSA_PKCS. The CK_RSA_PKCS_PSS mechanism takes a
parameter of type CK_RSA_PKCS_PSS_PARAMS.
• in ssl.h
◦ SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp
TLS extension data
◦ SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp
TLS extension data
New Types
• in secoidt.h
◦ The following are added to SECOidTag:
▪ SEC_OID_AES_128_GCM
▪ SEC_OID_AES_192_GCM
▪ SEC_OID_AES_256_GCM
▪ SEC_OID_IDEA_CBC
▪ SEC_OID_RC2_40_CBC
▪ SEC_OID_DES_40_CBC
▪ SEC_OID_RC4_40
▪ SEC_OID_RC4_56
▪ SEC_OID_NULL_CIPHER
▪ SEC_OID_HMAC_MD5
▪ SEC_OID_TLS_RSA
▪ SEC_OID_TLS_DHE_RSA
▪ SEC_OID_TLS_DHE_DSS
▪ SEC_OID_TLS_DH_RSA
▪ SEC_OID_TLS_DH_DSS
▪ SEC_OID_TLS_DH_ANON
▪ SEC_OID_TLS_ECDHE_ECDSA
▪ SEC_OID_TLS_ECDHE_RSA
▪ SEC_OID_TLS_ECDH_ECDSA
▪ SEC_OID_TLS_ECDH_RSA
▪ SEC_OID_TLS_ECDH_ANON
▪ SEC_OID_TLS_RSA_EXPORT
▪ SEC_OID_TLS_DHE_RSA_EXPORT
▪ SEC_OID_TLS_DHE_DSS_EXPORT
▪ SEC_OID_TLS_DH_RSA_EXPORT
▪ SEC_OID_TLS_DH_DSS_EXPORT
▪ SEC_OID_TLS_DH_ANON_EXPORT
▪ SEC_OID_APPLY_SSL_POLICY
• in sslt.h
◦ ssl_signed_cert_timestamp_xtn is added to SSLExtensionType.
New Macros
• in nss.h
◦ NSS_RSA_MIN_KEY_SIZE
◦ NSS_DH_MIN_KEY_SIZE
◦ NSS_DSA_MIN_KEY_SIZE
◦ NSS_TLS_VERSION_MIN_POLICY
◦ NSS_TLS_VERSION_MAX_POLICY
◦ NSS_DTLS_VERSION_MIN_POLICY
◦ NSS_DTLS_VERSION_MAX_POLICY
• in pkcs11t.h
◦ CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - PRF based on HMAC with
GOSTR3411 for PBKDF (not supported)
◦ CKP_PKCS5_PBKD2_HMAC_SHA224 - PRF based on HMAC with SHA-224 for
PBKDF
◦ CKP_PKCS5_PBKD2_HMAC_SHA256 - PRF based on HMAC with SHA-256 for
PBKDF
◦ CKP_PKCS5_PBKD2_HMAC_SHA384 - PRF based on HMAC with SHA-256 for
PBKDF
◦ CKP_PKCS5_PBKD2_HMAC_SHA512 - PRF based on HMAC with SHA-256 for
PBKDF
◦ CKP_PKCS5_PBKD2_HMAC_SHA512_224 - PRF based on HMAC with SHA-512
truncated to 224 bits for PBKDF (not supported)
◦ CKP_PKCS5_PBKD2_HMAC_SHA512_256 - PRF based on HMAC with SHA-512
truncated to 256 bits for PBKDF (not supported)
• in secoidt.h
◦ NSS_USE_ALG_IN_SSL
◦ NSS_USE_POLICY_IN_SSL
• in ssl.h
◦ SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
• in sslt.h
◦ SSL_MAX_EXTENSIONS is updated to 13
Notable Changes in NSS 3.22
• NSS C++ tests are built by default, requiring a C++11 compiler. Set
the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.
Bugs fixed in NSS 3.22
This Bugzilla query returns all the bugs fixed in NSS 3.22:
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.22
Compatibility
NSS 3.22 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries
will work with NSS 3.22 shared libraries without recompiling or
relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in NSS Public Functions will remain compatible
with future versions of the NSS shared libraries.
}}}
--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/7422>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
--
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
