From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. 
Signed-off-by: Daniel Baumann --- security/nss/doc/rst/legacy/nss_releases/index.rst | 161 ++++++++ .../nss_releases/jss_4.4.0_release_notes/index.rst | 109 ++++++ .../nss_3.12.3_release_notes/index.rst | 432 +++++++++++++++++++++ .../nss_3.12.4_release_notes/index.rst | 327 ++++++++++++++++ .../nss_3.12.5_release_notes/index.rst | 285 ++++++++++++++ .../nss_3.12.6_release_notes/index.rst | 318 +++++++++++++++ .../nss_3.12.9_release_notes/index.rst | 144 +++++++ .../nss_3.14.1_release_notes/index.rst | 127 ++++++ .../nss_3.14.2_release_notes/index.rst | 103 +++++ .../nss_3.14.3_release_notes/index.rst | 132 +++++++ .../nss_3.14.4_release_notes/index.rst | 82 ++++ .../nss_3.14.5_release_notes/index.rst | 82 ++++ .../nss_releases/nss_3.14_release_notes/index.rst | 174 +++++++++ .../nss_3.15.1_release_notes/index.rst | 131 +++++++ .../nss_3.15.2_release_notes/index.rst | 126 ++++++ .../nss_3.15.3.1_release_notes/index.rst | 89 +++++ .../nss_3.15.3_release_notes/index.rst | 94 +++++ .../nss_3.15.4_release_notes/index.rst | 137 +++++++ .../nss_3.15.5_release_notes/index.rst | 93 +++++ .../nss_releases/nss_3.15_release_notes/index.rst | 157 ++++++++ .../nss_3.16.1_release_notes/index.rst | 97 +++++ .../nss_3.16.2.1_release_notes/index.rst | 99 +++++ .../nss_3.16.2.2_release_notes/index.rst | 81 ++++ .../nss_3.16.2.3_release_notes/index.rst | 110 ++++++ .../nss_3.16.2_release_notes/index.rst | 114 ++++++ .../nss_3.16.3_release_notes/index.rst | 171 ++++++++ .../nss_3.16.4_release_notes/index.rst | 75 ++++ .../nss_3.16.5_release_notes/index.rst | 98 +++++ .../nss_3.16.6_release_notes/index.rst | 81 ++++ .../nss_releases/nss_3.16_release_notes/index.rst | 98 +++++ .../nss_3.17.1_release_notes/index.rst | 132 +++++++ .../nss_3.17.2_release_notes/index.rst | 88 +++++ .../nss_3.17.3_release_notes/index.rst | 134 +++++++ .../nss_3.17.4_release_notes/index.rst | 90 +++++ .../nss_releases/nss_3.17_release_notes/index.rst | 72 ++++ .../nss_3.18.1_release_notes/index.rst | 105 
+++++ .../nss_releases/nss_3.18_release_notes/index.rst | 169 ++++++++ .../nss_3.19.1_release_notes/index.rst | 113 ++++++ .../nss_3.19.2.1_release_notes/index.rst | 88 +++++ .../nss_3.19.2.2_release_notes/index.rst | 84 ++++ .../nss_3.19.2.3_release_notes/index.rst | 84 ++++ .../nss_3.19.2.4_release_notes/index.rst | 82 ++++ .../nss_3.19.2_release_notes/index.rst | 94 +++++ .../nss_3.19.3_release_notes/index.rst | 117 ++++++ .../nss_3.19.4_release_notes/index.rst | 88 +++++ .../nss_releases/nss_3.19_release_notes/index.rst | 119 ++++++ .../nss_3.20.1_release_notes/index.rst | 88 +++++ .../nss_3.20.2_release_notes/index.rst | 80 ++++ .../nss_releases/nss_3.20_release_notes/index.rst | 140 +++++++ .../nss_3.21.1_release_notes/index.rst | 80 ++++ .../nss_3.21.2_release_notes/index.rst | 70 ++++ .../nss_3.21.3_release_notes/index.rst | 78 ++++ .../nss_3.21.4_release_notes/index.rst | 75 ++++ .../nss_releases/nss_3.21_release_notes/index.rst | 277 +++++++++++++ .../nss_3.22.1_release_notes/index.rst | 69 ++++ .../nss_3.22.2_release_notes/index.rst | 90 +++++ .../nss_3.22.3_release_notes/index.rst | 70 ++++ .../nss_releases/nss_3.22_release_notes/index.rst | 194 +++++++++ .../nss_releases/nss_3.23_release_notes/index.rst | 192 +++++++++ .../nss_releases/nss_3.24_release_notes/index.rst | 201 ++++++++++ .../nss_3.25.1_release_notes/index.rst | 80 ++++ .../nss_releases/nss_3.25_release_notes/index.rst | 140 +++++++ .../nss_3.26.2_release_notes/index.rst | 80 ++++ .../nss_releases/nss_3.26_release_notes/index.rst | 91 +++++ .../nss_3.27.1_release_notes/index.rst | 92 +++++ .../nss_3.27.2_release_notes/index.rst | 84 ++++ .../nss_releases/nss_3.27_release_notes/index.rst | 149 +++++++ .../nss_3.28.1_release_notes/index.rst | 148 +++++++ .../nss_3.28.2_release_notes/index.rst | 79 ++++ .../nss_3.28.3_release_notes/index.rst | 95 +++++ .../nss_3.28.4_release_notes/index.rst | 77 ++++ .../nss_3.28.5_release_notes/index.rst | 116 ++++++ 
.../nss_releases/nss_3.28_release_notes/index.rst | 170 ++++++++ .../nss_3.29.1_release_notes/index.rst | 94 +++++ .../nss_3.29.2_release_notes/index.rst | 71 ++++ .../nss_3.29.3_release_notes/index.rst | 73 ++++ .../nss_3.29.5_release_notes/index.rst | 75 ++++ .../nss_releases/nss_3.29_release_notes/index.rst | 68 ++++ .../nss_3.30.1_release_notes/index.rst | 73 ++++ .../nss_3.30.2_release_notes/index.rst | 115 ++++++ .../nss_releases/nss_3.30_release_notes/index.rst | 125 ++++++ .../nss_3.31.1_release_notes/index.rst | 71 ++++ .../nss_releases/nss_3.31_release_notes/index.rst | 129 ++++++ .../nss_releases/nss_3.32_release_notes/index.rst | 143 +++++++ .../nss_releases/nss_3.33_release_notes/index.rst | 115 ++++++ .../nss_3.34.1_release_notes/index.rst | 94 +++++ .../nss_releases/nss_3.34_release_notes/index.rst | 215 ++++++++++ .../nss_releases/nss_3.35_release_notes/index.rst | 273 +++++++++++++ .../nss_3.36.1_release_notes/index.rst | 84 ++++ .../nss_3.36.2_release_notes/index.rst | 75 ++++ .../nss_3.36.4_release_notes/index.rst | 68 ++++ .../nss_3.36.5_release_notes/index.rst | 69 ++++ .../nss_3.36.6_release_notes/index.rst | 73 ++++ .../nss_3.36.7_release_notes/index.rst | 74 ++++ .../nss_3.36.8_release_notes/index.rst | 90 +++++ .../nss_releases/nss_3.36_release_notes/index.rst | 78 ++++ .../nss_3.37.1_release_notes/index.rst | 75 ++++ .../nss_releases/nss_3.37_release_notes/index.rst | 112 ++++++ .../nss_releases/nss_3.38_release_notes/index.rst | 106 +++++ .../nss_releases/nss_3.39_release_notes/index.rst | 149 +++++++ .../nss_3.40.1_release_notes/index.rst | 81 ++++ .../nss_releases/nss_3.40_release_notes/index.rst | 102 +++++ .../nss_3.41.1_release_notes/index.rst | 76 ++++ .../nss_releases/nss_3.41_release_notes/index.rst | 163 ++++++++ .../nss_3.42.1_release_notes/index.rst | 65 ++++ .../nss_releases/nss_3.42_release_notes/index.rst | 143 +++++++ .../nss_releases/nss_3.43_release_notes/index.rst | 151 +++++++ .../nss_3.44.1_release_notes/index.rst | 
140 +++++++ .../nss_3.44.2_release_notes/index.rst | 72 ++++ .../nss_3.44.3_release_notes/index.rst | 76 ++++ .../nss_3.44.4_release_notes/index.rst | 69 ++++ .../nss_releases/nss_3.44_release_notes/index.rst | 146 +++++++ .../nss_releases/nss_3.45_release_notes/index.rst | 224 +++++++++++ .../nss_3.46.1_release_notes/index.rst | 72 ++++ .../nss_releases/nss_3.46_release_notes/index.rst | 219 +++++++++++ .../nss_3.47.1_release_notes/index.rst | 78 ++++ .../nss_releases/nss_3.47_release_notes/index.rst | 179 +++++++++ .../nss_3.48.1_release_notes/index.rst | 71 ++++ .../nss_releases/nss_3.48_release_notes/index.rst | 178 +++++++++ .../nss_3.49.1_release_notes/index.rst | 71 ++++ .../nss_3.49.2_release_notes/index.rst | 76 ++++ .../nss_releases/nss_3.49_release_notes/index.rst | 103 +++++ .../nss_releases/nss_3.50_release_notes/index.rst | 120 ++++++ .../nss_3.51.1_release_notes/index.rst | 79 ++++ .../nss_releases/nss_3.51_release_notes/index.rst | 103 +++++ .../nss_3.52.1_release_notes/index.rst | 69 ++++ .../nss_releases/nss_3.52_release_notes/index.rst | 158 ++++++++ .../nss_3.53.1_release_notes/index.rst | 69 ++++ .../nss_releases/nss_3.53_release_notes/index.rst | 128 ++++++ .../nss_releases/nss_3.54_release_notes/index.rst | 184 +++++++++ .../nss_releases/nss_3.55_release_notes/index.rst | 135 +++++++ .../nss_releases/nss_3.56_release_notes/index.rst | 98 +++++ .../nss_releases/nss_3.57_release_notes/index.rst | 151 +++++++ .../nss_releases/nss_3.58_release_notes/index.rst | 76 ++++ .../nss_3.59.1_release_notes/index.rst | 57 +++ .../nss_releases/nss_3.59_release_notes/index.rst | 108 ++++++ .../nss_3.60.1_release_notes/index.rst | 58 +++ .../nss_releases/nss_3.60_release_notes/index.rst | 144 +++++++ .../nss_releases/nss_3.61_release_notes/index.rst | 65 ++++ .../nss_releases/nss_3.62_release_notes/index.rst | 84 ++++ .../nss_3.63.1_release_notes/index.rst | 66 ++++ .../nss_releases/nss_3.63_release_notes/index.rst | 90 +++++ 
.../nss_releases/nss_3.64_release_notes/index.rst | 69 ++++ 143 files changed, 16544 insertions(+) create mode 100644 security/nss/doc/rst/legacy/nss_releases/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst create mode 100644 
security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst create mode 
100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst create mode 100644 
security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst create mode 100644 
security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst create mode 100644 
security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst create mode 100644 
security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst (limited to 'security/nss/doc/rst/legacy/nss_releases') diff --git a/security/nss/doc/rst/legacy/nss_releases/index.rst b/security/nss/doc/rst/legacy/nss_releases/index.rst new file mode 100644 index 0000000000..74858e969d --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/index.rst 
@@ -0,0 +1,161 @@
+.. _mozilla_projects_nss_nss_releases:
+
+Release notes for recent versions of NSS
+========================================
+
+.. container::
+
+ The current **Stable** release of NSS is 3.64, which was released on **15 April 2021**.
+ (:ref:`mozilla_projects_nss_nss_3_64_release_notes`)
+
+ The current **ESR** releases of NSS are 3.44.4
+ (:ref:`mozilla_projects_nss_nss_3_44_4_release_notes`), intended for Firefox ESR 68, which was
+ released on **19 May 2020**, and 3.53.1 :ref:`mozilla_projects_nss_nss_3_53_1_release_notes`,
+ intended for Firefox ESR 78, which was released on **16 June 2020**.
+
+.. _past_releases:
+
+`Past releases <#past_releases>`__
+----------------------------------
+
+.. container::
+
+ - :ref:`mozilla_projects_nss_nss_3_63_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_63_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_62_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_61_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_60_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_60_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_59_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_59_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_58_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_57_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_56_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_55_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_54_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_53_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_53_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_52_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_44_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_52_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_51_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_51_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_50_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_49_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_49_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_49_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_48_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_48_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_47_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_47_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_46_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_46_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_45_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_44_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_44_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_44_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_44_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_43_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_42_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_42_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_8_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_7_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_41_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_40_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_6_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_40_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_39_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_38_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_37_3release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_37_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_37_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_36_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_35_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_34_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_34_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_33_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_32_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_31_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_31_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_30_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_30_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_30_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_29_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_29_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_29_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_29_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_29_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_28_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_27_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_27_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_27_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_26_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_26_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_25_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_25_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_24_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_23_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_22_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_22_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_22_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_21_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_21_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_21_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_21_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_21_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_20_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_20_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_19_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_19_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_19_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_19_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_18_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_18_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_17_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_17_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_17_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_17_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_17_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_6_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_2_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_2_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_2_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_16_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_3_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_15_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_5_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_4_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_3_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_2_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_1_release_notes`
+ - :ref:`mozilla_projects_nss_nss_3_14_release_notes`
+ - :ref:`mozilla_projects_nss_release_notes`
+
+.. _future_releases:
+
+`Future releases <#future_releases>`__
+--------------------------------------
+
+.. container::
+
+ Release planning is done on the Mozilla wiki: `NSS:Release
+ Versions `__.
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst
new file mode 100644
index 0000000000..9be1956bde
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst
@@ -0,0 +1,109 @@
+.. _mozilla_projects_nss_jss_4_4_0_release_notes:
+
+JSS 4.4.0 Release Notes
+=======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Java Security Services (JSS) team has released JSS 4.4.0, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is JSS_4_4\ **\_20170313**. JSS 4.4.0 requires Netswork Security Services (NSS) 3.29.1
+ and Netscape Portable Runtime (NSPR) 4.13.1 or newer.
+
+ JSS 4.4.0 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ `https://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_4_0_RTM/src/ `__
+
+.. _new_in_jss_4.40:
+
+`New in JSS 4.40 <#new_in_jss_4.40>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ New Macros
+
+.. _notable_changes_in_jss_4.40:
+
+`Notable Changes in JSS 4.40 <#notable_changes_in_jss_4.40>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Picks up work done downstream for Fedora and RHEL and used by various Linux distributions with
+ includes:.
+ - Support for IPv6.
+ - Support for TLS v1.1 and TLS v1.2 via NSS though JSS.
+
+.. _bugs_fixed_in_jss_4.4.0:
+
+`Bugs fixed in JSS 4.4.0 <#bugs_fixed_in_jss_4.4.0>`__
+------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 4.4.0:
+
+ https://bugzilla.mozilla.org/buglist.cgi?product=JSS&target_milestone=4.4&target_milestone=4.4&bug_status=RESOLVED&resolution=FIXED
+
+`Documentation <#documentation>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. 
container::
+
+ Build instructions for JSS at https://hg.mozilla.org/projects/jss/file/tip/README
+
+.. _platform_information:
+
+`Platform Information <#platform_information>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - You can check out the source from mercurial via hg clone -r 055aa3ce8a61
+ https://hg.mozilla.org/projects/jss
+
+ - JSS 4.4.0 works with OpenJDK versions 1.7 or higher we suggest the latest - OpenJDK 1.8.
+ - JSS 4.4.0 requires :ref:`mozilla_projects_nss_nss_3_12_5_release_notes` or higher though NSS
+ 3.28.3 is recommended.
+ - JSS 4.3.1 requires `NSPR 4.7.1 `__ or
+ higher though NSPR 3.13 is recommended.
+ - JSS only supports the native threading model (no green threads).
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ JSS 3.30 shared libraries are not backward compatible with all older JSS 4.3.2 shared libraries.
+ A program linked with older jSS 4.3.2 shared libraries will not work with JSS 4.4.0 shared
+ libraries without recompiling or relinking. Furthermore, applications that restrict their use of
+ jSS APIs to the functions listed in JSS Public Functions will remain compatible with future
+ versions of the JSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product JSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst
new file mode 100644
index 0000000000..8cb7d7a64b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst
@@ -0,0 +1,432 @@
+.. _mozilla_projects_nss_nss_3_12_3_release_notes:
+
+NSS_3.12.3_release_notes.html
+=============================
+
+.. _nss_3.12.3_release_notes:
+
+`NSS 3.12.3 Release Notes <#nss_3.12.3_release_notes>`__
+--------------------------------------------------------
+
+.. _2009-04-01:
+
+`2009-04-01 <#2009-04-01>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Newsgroup: `mozilla.dev.tech.crypto `__
+
+`Contents <#contents>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Introduction <#introduction>`__
+ - `Distribution Information <#distribution_information>`__
+ - `New in NSS 3.12.3 <#new_in_nss_3.12.3>`__
+ - `Bugs Fixed <#bugs_fixed>`__
+ - `Documentation <#documentation>`__
+ - `Compatibility <#compatibility>`__
+ - `Feedback <#feedback>`__
+
+ --------------
+
+`Introduction <#introduction>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Network Security Services (NSS) 3.12.3 is a patch release for NSS 3.12. The bug fixes in NSS
+ 3.12.3 are described in the "`Bugs Fixed <#bugs_fixed>`__" section below.
+
+ NSS 3.12.3 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
+
+ --------------
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ | The CVS tag for the NSS 3.12.3 release is NSS_3_12_3_RTM. NSS 3.12.3 requires `NSPR
+ 4.7.4 `__.
+ | See the `Documentation <#documentation>`__ section for the build instructions.
+
+ NSS 3.12.3 source and binary distributions are also available on ftp.mozilla.org for secure HTTPS
+ download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_3_RTM/src/.
+ - Binary distributions:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_3_RTM/. Both debug and
+ optimized builds are provided. Go to the subdirectory for your platform, DBG (debug) or OPT
+ (optimized), to get the tar.gz or zip file. 
The tar.gz or zip file expands to an nss-3.12.3
+ directory containing three subdirectories:
+
+ - include - NSS header files
+ - lib - NSS shared libraries
+ - bin - `NSS Tools `__ and test
+ programs
+
+ You also need to download the NSPR 4.7.4 binary distributions to get the NSPR 4.7.4 header files
+ and shared libraries, which NSS 3.12.3 requires. NSPR 4.7.4 binary distributions are in
+ https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.7.4/.
+
+ --------------
+
+.. _new_in_nss_3.12.3:
+
+`New in NSS 3.12.3 <#new_in_nss_3.12.3>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Changes in behavior:
+ - In the development of NSS 3.12.3, it became necessary to change some old library behaviors due
+ to the discovery of certain vulnerabilities in the old behaviors, and to correct some errors
+ that had limited NSS's ability to interoperate with cryptographic hardware and software from
+ other sources.
+ Most of these changes should cause NO problems for NSS users, but in some cases, some
+ customers' software, hardware and/or certificates may be dependent on the old behaviors, and
+ may have difficulty with the new behaviors. In anticipation of that, the NSS team has provided
+ ways to easily cause NSS to revert to its previous behavior through the use of environment
+ variables.
+ Here is a table of the new environment variables introduced in NSS 3.12.3 and information
+ about how they affect these new behaviors. 
The information in this table is excerpted from + :ref:`mozilla_projects_nss_reference_nss_environment_variables` + + +--------------------------------+--------------------------------+--------------------------------+ + | **Environment Variable** | **Value Type** | **Description** | + +--------------------------------+--------------------------------+--------------------------------+ + | NSRANDCOUNT | Integer | Sets the maximum number of | + | | (byte count) | bytes to read from the file | + | | | named in the environment | + | | | variable NSRANDFILE (see | + | | | below). Makes NSRANDFILE | + | | | usable with /dev/urandom. | + +--------------------------------+--------------------------------+--------------------------------+ + | NSS_ALLOW_WEAK_SIGNATURE_ALG | Boolean | Enables the use of MD2 and MD4 | + | | (any non-empty value to | hash algorithms inside | + | | enable) | signatures. This was allowed | + | | | by default before NSS 3.12.3. | + +--------------------------------+--------------------------------+--------------------------------+ + | NSS_HASH_ALG_SUPPORT | String | Specifies algorithms allowed | + | | | to be used in certain | + | | | applications, such as in | + | | | signatures on certificates and | + | | | CRLs. See documentation at | + | | | `this | + | | | link | + | | | `__. | + +--------------------------------+--------------------------------+--------------------------------+ + | NSS_STRICT_NOFORK | String | It is an error to try to use a | + | | ("1", | PKCS#11 crypto module in a | + | | "DISABLED", | process before it has been | + | | or any other non-empty value) | initialized in that process, | + | | | even if the module was | + | | | initialized in the parent | + | | | process. Beginning in NSS | + | | | 3.12.3, Softoken will detect | + | | | this error. This environment | + | | | variable controls Softoken's | + | | | response to that error. 
| + | | | | + | | | - If set to "1" or unset, | + | | | Softoken will trigger an | + | | | assertion failure in debug | + | | | builds, and will report an | + | | | error in non-DEBUG builds. | + | | | - If set to "DISABLED", | + | | | Softoken will ignore forks, | + | | | and behave as it did in | + | | | older versions. | + | | | - If set to any other | + | | | non-empty value, Softoken | + | | | will report an error in | + | | | both DEBUG and non-DEBUG | + | | | builds. | + +--------------------------------+--------------------------------+--------------------------------+ + | NSS_USE_DECODED_CKA_EC_POINT | Boolean | Tells NSS to send EC key | + | | (any non-empty value to | points across the PKCS#11 | + | | enable) | interface in the non-standard | + | | | unencoded format that was used | + | | | by default before NSS 3.12.3. | + | | | The new key point format is a | + | | | DER encoded ASN.1 OCTET | + | | | STRING. | + +--------------------------------+--------------------------------+--------------------------------+ + | NSS_USE_SHEXP_IN_CERT_NAME | Boolean | Tells NSS to allow shell-style | + | | (any non-empty value to | wildcard patterns in | + | | enable) | certificates to match SSL | + | | | server host names. This | + | | | behavior was the default | + | | | before NSS 3.12.3. The new | + | | | behavior conforms to RFC 2818. 
| + +--------------------------------+--------------------------------+--------------------------------+ + + - New Korean SEED cipher: + + - New macros for SEED support: + + - *in blapit.h:* + NSS_SEED + NSS_SEED_CBC + SEED_BLOCK_SIZE + SEED_KEY_LENGTH + *in pkcs11t.h:* + CKK_SEED + CKM_SEED_KEY_GEN + CKM_SEED_ECB + CKM_SEED_CBC + CKM_SEED_MAC + CKM_SEED_MAC_GENERAL + CKM_SEED_CBC_PAD + CKM_SEED_ECB_ENCRYPT_DATA + CKM_SEED_CBC_ENCRYPT_DATA + *in secmod.h:* + PUBLIC_MECH_SEED_FLAG + *in secmodt.h:* + SECMOD_SEED_FLAG + *in secoidt.h:* + SEC_OID_SEED_CBC + *in sslproto.h:* + TLS_RSA_WITH_SEED_CBC_SHA + *in sslt.h:* + ssl_calg_seed + + - New structure for SEED support: + + - (see blapit.h) + SEEDContextStr + SEEDContext + + - New functions in the nss shared library: + + - CERT_RFC1485_EscapeAndQuote (see cert.h) + CERT_CompareCerts (see cert.h) + CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h) + PK11_GetSymKeyHandle (see pk11pqg.h) + UTIL_SetForkState (see secoid.h) + NSS_GetAlgorithmPolicy (see secoid.h) + NSS_SetAlgorithmPolicy (see secoid.h) + + - For the 2 functions above see also (in secoidt.h): + NSS_USE_ALG_IN_CERT_SIGNATURE + NSS_USE_ALG_IN_CMS_SIGNATURE + NSS_USE_ALG_RESERVED + + - Support for the Watcom C compiler is removed + + - The file watcomfx.h is removed. + + -------------- + +.. _bugs_fixed: + +`Bugs Fixed <#bugs_fixed>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + The following bugs have been fixed in NSS 3.12.3. + + - `Bug 159483 `__: cert name matching: RFC + 2818 vs. backwards compatibility (wildcards) + - `Bug 334678 `__: prng_fips1861.c + redefines the macro BSIZE on HP-UX + - `Bug 335016 `__: mpp_pprime (Miller-Rabin + probabilistic primality test) may choose 0 or 1 as the random integer + - `Bug 347037 `__: Make shlibsign depend on + the softoken only + - `Bug 371522 `__: Auto-Update of CRLs + stops after first update + - `Bug 380784 `__: PK11MODE in non FIPS + mode failed. 
+ - `Bug 394077 `__: libpkix need to return + revocation status of a cert + - `Bug 412468 `__: modify certutil + - `Bug 417092 `__: Modify pkix_CertSelector + API to return an error if cert was rejected. + - `Bug 426413 `__: Audit messages need + distinct types + - `Bug 438870 `__: Free Freebl hashing code + of dependencies on NSPR and libUtil + - `Bug 439115 `__: DB merge allows nickname + conflicts in merged DB + - `Bug 439199 `__: SSE2 instructions for + bignum are not implemented on Windows 32-bit + - `Bug 441321 `__: Tolerate incorrect + encoding of DSA signatures in SSL 3.0 handshakes + - `Bug 444404 `__: libpkix reports unknown + issuer for nearly all certificate errors + - `Bug 452391 `__: certutil -K incorrectly + reports ec private key as an orphan + - `Bug 453234 `__: Support for SEED Cipher + Suites to TLS RFC4010 + - `Bug 453364 `__: Improve PK11_CipherOp + error reporting (was: PK11_CreateContextBySymKey returns NULL + - `Bug 456406 `__: Slot list leaks in + symkeyutil + - `Bug 461085 `__: RFE: export function + CERT_CompareCerts + - `Bug 462293 `__: Crash on fork after + Softoken is dlClose'd on some Unix platforms in NSS 3.12 + - `Bug 463342 `__: move some headers to + freebl/softoken + - `Bug 463452 `__: SQL DB creation does not + set files protections to 0600 + - `Bug 463678 `__: Need to add RPATH to + 64-bit libraries on HP-UX + - `Bug 464088 `__: Option to build NSS + without dbm (handy for WinCE) + - `Bug 464223 `__: Certutil didn't accept + certificate request to sign. + - `Bug 464406 `__: Fix signtool regressions + - `Bug 465270 `__: uninitialised value in + devutil.c::create_object() + - `Bug 465273 `__: dead assignment in + devutil.c::nssSlotArray_Clone() + - `Bug 465926 `__: During import of PKCS + #12 files + - `Bug 466180 `__: + SSL_ConfigMPServerSIDCache with default parameters fails on {Net + - `Bug 466194 `__: CERT_DecodeTrustString + should take a const char \* input trusts string. 
+ - `Bug 466736 `__: Incorrect use of + NSS_USE_64 in lib/libpkix/pkix_pl_nss/system/pkix_pl_object.c + - `Bug 466745 `__: random number generator + fails on windows ce + - `Bug 467298 `__: SQL DB code uses local + cache on local file system + - `Bug 468279 `__: softoken crash importing + email cert into newly upgraded DB + - `Bug 468532 `__: Trusted CA trust flags + not being honored in CERT_VerifyCert + - `Bug 469583 `__: Coverity: uninitialized + variable used in sec_pkcs5CreateAlgorithmID + - `Bug 469944 `__: when built with + Microsoft compilers + - `Bug 470351 `__: crlutil build fails on + Windows because it calls undeclared isatty + - `Bug 471539 `__: Stop honoring digital + signatures in certificates and CRLs based on weak hashes + - `Bug 471665 `__: NSS reports incorrect + sizes for (AES) symmetric keys + - `Bug 471715 `__: Add cert to nssckbi to + override rogue md5-collision CA cert + - `Bug 472291 `__: crash in libpkix object + leak tests due to null pointer dereferencing in pkix_build.c:3218. + - `Bug 472319 `__: Vfychain validates chain + even if revoked certificate. + - `Bug 472749 `__: Softoken permits AES + keys of ANY LENGTH to be created + - `Bug 473147 `__: pk11mode tests fails on + AIX when using shareable DBs. + - `Bug 473357 `__: ssltap incorrectly + parses handshake messages that span record boundaries + - `Bug 473365 `__: Incompatible argument in + pkix_validate.c. + - `Bug 473505 `__: softoken's C_Initialize + and C_Finalize should succeed after a fork in a child process + - `Bug 473944 `__: Trust anchor is not + trusted when requireFreshInfo flag is set. + - `Bug 474532 `__: Softoken cannot import + certs with empty subjects and non-empty nicknames + - `Bug 474777 `__: Wrong deallocation when + modifying CRL. + - `Bug 476126 `__: CERT_AsciiToName fails + when AVAs in an RDN are separated by '+' + - `Bug 477186 `__: Infinite loop in + CERT_GetCertChainFromCert + - `Bug 477777 `__: Selfserv crashed in + client/server tests. 
+ - `Bug 478171 `__: Consolidate the + coreconf/XXX.mk files for Windows + - `Bug 478563 `__: Add \_MSC_VER (the cl + version) to coreconf. + - `Bug 478724 `__: NSS build fails on + Windows since 20090213.1 nightly build. + - `Bug 478931 `__: object leak in + pkix_List_MergeLists function + - `Bug 478994 `__: Allow Softoken's fork + check to be disabled + - `Bug 479029 `__: OCSP Response signature + cert found invalid if issuer is trusted only for SSL + - `Bug 479601 `__: Wrong type (UTF8 String) + for email addresses in subject by CERT_AsciiToName + - `Bug 480142 `__: Use sizeof on the + correct type of ckc_x509 in lib/ckfw + - `Bug 480257 `__: OCSP fails when response + > 1K Byte + - `Bug 480280 `__: The CKA_EC_POINT PKCS#11 + attribute is encoded in the wrong way: missing encapsulating octet string + - `Bug 480442 `__: Remove (empty) + watcomfx.h from nss + - `Bug 481216 `__: Fix specific spelling + errors in NSS + - `Bug 482702 `__: OCSP test with revoked + CA cert validated as good. + - `Bug 483113 `__: add environment variable + to disable/enable hash algorithms in cert/CRL signatures + - `Bug 483168 `__: NSS Callback API for + looking up a default OCSP Responder URL + - `Bug 483963 `__: Assertion failure in + OCSP tests. + - `Bug 484425 `__: Need accessor function + to retrieve SymKey handle + - `Bug 484466 `__: sec_error_invalid_args + with NSS_ENABLE_PKIX_VERIFY=1 + - `Bug 485127 `__: bltest crashes when + attempting rc5_cbc or rc5_ecb + - `Bug 485140 `__: Wrong command line flags + used to build intel-aes.s with Solaris gas for x86_64 + - `Bug 485370 `__: crash + - `Bug 485713 `__: Files added by Red Hat + recently have missing texts in license headers. 
+ - `Bug 485729 `__: Remove + lib/freebl/mapfile.Solaris + - `Bug 485837 `__: vc90.pdb files are + output in source directory instead of OBJDIR + - `Bug 486060 `__: sec_asn1d_parse_leaf + uses argument uninitialized by caller pbe_PK11AlgidToParam + + -------------- + +`Documentation <#documentation>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + For a list of the primary NSS documentation pages on mozilla.org, see `NSS + Documentation <../index.html#Documentation>`__. New and revised documents available since the + release of NSS 3.11 include the following: + + - `Build Instructions for NSS 3.11.4 and above <../nss-3.11.4/nss-3.11.4-build.html>`__ + - `NSS Shared DB `__ + + -------------- + +`Compatibility <#compatibility>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS 3.12.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.12.3 shared libraries + without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in `NSS Public Functions <../ref/nssfunctions.html>`__ will remain + compatible with future versions of the NSS shared libraries. + + -------------- + +`Feedback <#feedback>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + | Bugs discovered should be reported by filing a bug report with `mozilla.org + Bugzilla `__ (product NSS). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst new file mode 100644 index 0000000000..400ff005c9 --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst 
@@ -0,0 +1,327 @@ +.. _mozilla_projects_nss_nss_3_12_4_release_notes: + +NSS 3.12.4 release notes +======================== + +.. container:: + + .. code:: + + 2009-08-20 + + *Newsgroup:*\ `mozilla.dev.tech.crypto `__ + .. rubric:: Introduction + :name: Introduction + + Network Security Services (NSS) 3.12.4 is a patch release for NSS 3.12. The bug fixes in NSS + 3.12.4 are described in the "`Bugs Fixed <#bugsfixed>`__" section below. + + NSS 3.12.4 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1. + + .. rubric:: Distribution Information + :name: Distribution_Information + + This release is built from the source, at the CVS repository rooted at cvs.mozilla.org:/cvsroot, + with the CVS tag ``NSS_3_12_4_RTM``. + + NSS 3.12.4 requires `NSPR 4.8 `__. This is + not a hard requirement. Our QA tested NSS 3.12.4 with NSPR 4.8, but it should work with NSPR + 4.7.1 or later. + + You can check out the source from CVS by + + .. note:: + + cvs co -r NSPR_4_8_RTM NSPR + cvs co -r NSS_3_12_4_RTM NSS + + See the `Documentation <#docs>`__ section for the build instructions. + + NSS 3.12.4 source is also available on ``ftp.mozilla.org`` for secure HTTPS download: + + - Source tarball: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/src/. + + .. rubric:: Major changes in NSS 3.12.4 + :name: Major_changes_in_NSS_3.12.4 + + - NSS 3.12.4 is the version that we submitted to NIST for FIPS 140-2 validation. + Currently NSS 3.12.4 is in the "Review Pending" state in the FIPS 140-2 pre-validation + list at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf + - Added CRL Distribution Point support (see cert.h). 
+ **CERT_DecodeCRLIssuingDistributionPoint** + **CERT_FindCRLIssuingDistPointExten** + - The old documentation of the expression matching syntax rules was + incorrect, and the new corrected documentation is as follows for + public nssutil functions (see portreq.h): + + - **PORT_RegExpValid** + - **PORT_RegExpSearch** + - **PORT_RegExpCaseSearch** + + - These functions will match a string with a shell expression. The expressions + accepted are based loosely on the expressions accepted by zsh. + Expected return values: + + - NON_SXP if exp is a standard string + - INVALID_SXP if exp is a shell expression, but invalid + - VALID_SXP if exp is a valid shell expression + + Expression matching rules: + + - \* matches anything + - ? matches one character + - \\ will escape a special character + - $ matches the end of the string + - Bracketed expressions: + [abc] matches one occurrence of a, b, or c. + [^abc] matches any character except a, b, or c. + To be matched between [ and ], these characters must be escaped: \\ ] + No other characters need be escaped between brackets. + Unnecessary escaping is permitted. + - [a-z] matches any character between a and z, inclusive. + The two range-definition characters must be alphanumeric ASCII. + If one is upper case and the other is lower case, then the ASCII + non-alphanumeric characters between Z and a will also be in range. + - [^a-z] matches any character except those between a and z, inclusive. + These forms cannot be combined, e.g [a-gp-z] does not work. + - Exclusions: + As a top level, outter-most expression only, the expression + foo~bar will match the expression foo, provided it does not also + match the expression bar. Either expression or both may be a union. + Except between brackets, any unescaped ~ is an exclusion. + At most one exclusion is permitted. + Exclusions cannot be nested (contain other exclusions). 
+ example: \*~abc will match any string except abc + - Unions: + (foo|bar) will match either the expression foo, or the expression bar. + At least one '|' separator is required. More are permitted. + Expressions inside unions may not include unions or exclusions. + Inside a union, to be matched and not treated as a special character, + these characters must be escaped: \\ ( \| ) [ ~ except when they occur + inside a bracketed expression, where only \\ and ] require escaping. + + - New functions in the nss shared library: + + - PK11_IsInternalKeySlot (see pk11pub.h) + - SECMOD_OpenNewSlot (see pk11pub.h) + + - New error codes (see secerr.h): + + - SEC_ERROR_BAD_INFO_ACCESS_METHOD + - SEC_ERROR_CRL_IMPORT_FAILED + + - New OIDs (see secoidt.h) + + - SEC_OID_X509_ANY_POLICY + + - The nssckbi PKCS #11 module's version changed to 1.75. + - Obsolete code for Win16 has been removed. + - Support for OpenVMS has been removed. + + .. rubric:: Bugs Fixed + :name: Bugs_Fixed + + The following bugs have been fixed in NSS 3.12.4. 
+ + - `Bug 321755 `__: implement + crlDistributionPoint extension in libPKIX + - `Bug 391434 `__: avoid multiple + encoding/decoding of PKIX_PL_OID to and from ascii string + - `Bug 405297 `__: Problems building + nss/lib/ckfw/capi/ with MingW GCC + - `Bug 420991 `__: libPKIX returns wrong + NSS error code + - `Bug 427135 `__: Add super-H (sh3,4) + architecture support + - `Bug 431958 `__: Improve DES and SHA512 + for x86_64 platform + - `Bug 433791 `__: Win16 support should be + deleted from NSS + - `Bug 449332 `__: SECU_ParseCommandLine + does not validate its inputs + - `Bug 453735 `__: When using cert9 + (SQLite3) DB, set or change master password fails + - `Bug 463544 `__: warning: passing enum\* + for an int\* argument in pkix_validate.c + - `Bug 469588 `__: Coverity errors reported + for softoken + - `Bug 470055 `__: + pkix_HttpCertStore_FindSocketConnection reuses closed socket + - `Bug 470070 `__: Multiple object leaks + reported by tinderbox + - `Bug 470479 `__: IO timeout during cert + fetching makes libpkix abort validation. 
+ - `Bug 470500 `__: Firefox 3.1b2 Crash + Report [[@ nssutil3.dll@0x34c0 ] + - `Bug 482742 `__: Enable building util + independently of the rest of nss + - `Bug 483653 `__: unable to build + certutil.exe for fennec/wince + - `Bug 485145 `__: Miscellaneous crashes in + signtool on Windows + - `Bug 485155 `__: NSS_ENABLE_PKIX_VERIFY=1 + causes sec_error_unknown_issuer errors + - `Bug 485527 `__: Rename the \_X86\_ macro + in lib/freebl + - `Bug 485658 `__: vfychain -p reports + revoked cert + - `Bug 485745 `__: modify fipstest.c to + support CAVS 7.1 DRBG testing + - `Bug 486304 `__: cert7.db/cert8.db + corruption when importing a large certificate (>64K) + - `Bug 486405 `__: Allocator mismatches in + pk12util.c + - `Bug 486537 `__: Disable execstack in + freebl x86_64 builds on Linux + - `Bug 486698 `__: Facilitate the building + of major components independently and in a chain manner by downstream distributions + - `Bug 486999 `__: Calling + SSL_SetSockPeerID a second time leaks the previous value + - `Bug 487007 `__: Make lib/jar conform to + NSS coding style + - `Bug 487162 `__: ckfw/capi build failure + on windows + - `Bug 487239 `__: nssutil.rc doesn't + compile on WinCE + - `Bug 487254 `__: sftkmod.c uses POSIX + file IO Functions on WinCE + - `Bug 487255 `__: sdb.c uses POSIX file IO + Functions on WinCE + - `Bug 487487 `__: CERT_NameToAscii reports + !Invalid AVA! whenever value exceeds 384 bytes + - `Bug 487736 `__: libpkix passes wrong + argument to DER_DecodeTimeChoice and crashes + - `Bug 487858 `__: Remove obsolete build + options MOZILLA_SECURITY_BUILD and MOZILLA_BSAFE_BUILD + - `Bug 487884 `__: object leak in libpkix + library upon error + - `Bug 488067 `__: PK11_ImportCRL reports + SEC_ERROR_CRL_NOT_FOUND when it fails to import a CRL + - `Bug 488350 `__: NSPR-free freebl + interface need to do post tests only in fips mode. + - `Bug 488396 `__: DBM needs to be FIPS + certifiable. 
+ - `Bug 488550 `__: crash in certutil or pp + when printing cert with empty subject name + - `Bug 488992 `__: Fix + lib/freebl/win_rand.c warnings + - `Bug 489010 `__: stop exporting mktemp + and dbopen (again) + - `Bug 489287 `__: Resolve a few remaining + issues with NSS's new revocation flags + - `Bug 489710 `__: byteswap optimize for + MSVC++ + - `Bug 490154 `__: Cryptokey framework + requires module to implement GenerateKey when they support KeyPairGeneration + - `Bug 491044 `__: Remove support for VMS + (a.k.a., OpenVMS) from NSS + - `Bug 491174 `__: CERT_PKIXVerifyCert + reports wrong error code when EE cert is expired + - `Bug 491919 `__: cert.h doesn't have + valid functions prototypes + - `Bug 492131 `__: A failure to import a + cert from a P12 file leaves error code set to zero + - `Bug 492385 `__: crash freeing named CRL + entry on shutdown + - `Bug 493135 `__: bltest crashes if it + can't open the input file + - `Bug 493364 `__: can't build with + --disable-dbm option when not cross-compiling + - `Bug 493693 `__: SSE2 instructions for + bignum are not implemented on OS/2 + - `Bug 493912 `__: sqlite3_reset should be + invoked in sdb_FindObjectsInit when error occurs + - `Bug 494073 `__: update RSA/DSA + powerupself tests to be compliant for 2011 + - `Bug 494087 `__: Passing NULL as the + value of cert_pi_trustAnchors causes a crash in cert_pkixSetParam + - `Bug 494107 `__: During NSS_NoDB_Init(), + softoken tries but fails to load libsqlite3.so crash [@ @0x0 ] + - `Bug 495097 `__: sdb_mapSQLError returns + signed int + - `Bug 495103 `__: + NSS_InitReadWrite(sql:) causes NSS to look for sql:/libnssckbi.so + - `Bug 495365 `__: Add const to the + 'nickname' parameter of SEC_CertNicknameConflict + - `Bug 495656 `__: + NSS_InitReadWrite(sql:) leaves behind a pkcs11.txu file if libnssckbi.so is in + . 
+ - `Bug 495717 `__: Unable to compile + nss/cmd/certutil/keystuff.c on WinCE + - `Bug 496961 `__: provide truncated HMAC + support for testing tool fipstest + - `Bug 497002 `__: Lab required nspr-free + freebl changes. + - `Bug 497217 `__: The first random value + ever generated by the RNG should be discarded + - `Bug 498163 `__: assert if profile path + contains cyrillic chars. [[@isspace - secmod_argIsBlank - secmod_argHasBlanks - + secmod_formatPair - secmod_mkNewModuleSpec] + - `Bug 498509 `__: Produce debuggable + optimized builds for Mozilla on MacOSX + - `Bug 498511 `__: Produce debuggable + optimized NSS builds for Mozilla on Linux + - `Bug 499385 `__: DRBG Reseed function + needs to be tested on POST + - `Bug 499825 `__: utilrename.h is missing + from Solaris packages + - `Bug 502961 `__: Allocator mismatch in + pk11mode + - `Bug 502965 `__: Allocator mismatch in + sdrtest + - `Bug 502972 `__: Another allocator + mismatch in sdrtest + - `Bug 504398 `__: + pkix_pl_AIAMgr_GetHTTPCerts could crash if SEC_GetRegisteredHttpClient fails + - `Bug 504405 `__: pkix_pl_CrlDp_Create + will fail on alloc success because of a missing ! + - `Bug 504408 `__: pkix_pl_CrlDp_Create + will always fail if dp->distPointType != generalName + - `Bug 504456 `__: Exploitable heap + overflow in NSS shell expression (filename globbing) parsing + - `Bug 505559 `__: Need function to + identify the one and only default internal private key slot. + - `Bug 505561 `__: Need a generic function + a la SECMOD_OpenUserDB() that can be used on non-softoken modules. 
+ - `Bug 505858 `__: NSS_RegisterShutdown can + return without unlocking nssShutdownList.lock + - `Bug 507041 `__: Invalid build options + for VC6 + - `Bug 507228 `__: coreconf.dep doesn't + need to contain the NSS version number + - `Bug 507422 `__: crash [[@ PORT_FreeArena + - lg_mkSecretKeyRep] when PORT_NewArena fails + - `Bug 507482 `__: NSS 3.12.3 (and later) + doesn't build on AIX 5.1 + - `Bug 507937 `__: pwdecrypt program + problems + - `Bug 508259 `__: Pk11mode crashed on + Linux2.4 + - `Bug 508467 `__: libpkix ocsp checker + should use date argument to obtain the time for cert validity verification + - `Bug 510367 `__: Fix the UTF8 characters + in the nickname string for AC Raíz Certicamara S.A. + + .. rubric:: Documentation + :name: Documentation + + For a list of the primary NSS documentation pages on developer.mozilla.org, see NSS. New and + revised documents available since the release of NSS 3.12 include the following: + + - :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions` + + .. rubric:: Compatibility + :name: Compatibility + + NSS 3.12.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.12.4 shared libraries + without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in `NSS Public Functions `__ will remain + compatible with future versions of the NSS shared libraries. + + .. rubric:: Feedback + :name: Feedback + + Bugs discovered should be reported by filing a bug report with `mozilla.org + Bugzilla `__ (product NSS). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst new file mode 100644 index 0000000000..b36b631e5d --- /dev/null 
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst 
@@ -0,0 +1,285 @@
+.. _mozilla_projects_nss_nss_3_12_5_release_notes:
+
+NSS 3.12.5 release_notes
+========================
+
+.. _nss_3.12.5_release_notes:
+
+`NSS 3.12.5 release notes <#nss_3.12.5_release_notes>`__
+--------------------------------------------------------
+
+.. container::
+
+ .. container::
+
+ 2009-12-02
+ *Newsgroup:*\ `mozilla.dev.tech.crypto `__
+
+ --------------
+
+ .. container::
+ :name: section_1
+
+ .. rubric:: Introduction
+ :name: Introduction
+
+ Network Security Services (NSS) 3.12.5 is a patch release for NSS 3.12. The bug fixes in
+ NSS 3.12.5 are described in the "`Bugs
+ Fixed `__" section below.
+
+ NSS 3.12.5 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
+
+ .. container::
+ :name: section_2
+
+ .. rubric:: Distribution Information
+ :name: Distribution_Information
+
+ The CVS tag for the NSS 3.12.5 release is ``NSS_3_12_5_RTM``.
+
+ NSS 3.12.5 requires `NSPR 4.8 `__.
+
+ You can check out the source from CVS by
+
+ .. note::
+
+ cvs co -r NSPR_4_8_RTM NSPR
+ cvs co -r NSS_3_12_5_RTM NSS
+
+ See the `Documentation `__ section
+ for the build instructions.
+
+ NSS 3.12.5 source is also available on ``ftp.mozilla.org`` for secure HTTPS download:
+
+ - Source tarball:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_5_RTM/src/.
+
+ .. container::
+ :name: section_3
+
+ .. rubric:: New in NSS 3.12.5
+ :name: New_in_NSS_3.12.5
+
+ .. container::
+ :name: section_4
+
+ .. rubric:: SSL3 & TLS Renegotiation Vulnerability
+ :name: SSL3_TLS_Renegotiation_Vulnerability
+
+ See `CVE-2009-3555 `__ and
+ `US-CERT VU#120541 `__ for more information about
+ this security vulnerability.
+
+ All SSL/TLS renegotiation is disabled by default in NSS 3.12.5. This will cause programs
+ that attempt to perform renegotiation to experience failures where they formerly
+ experienced successes, and is necessary for them to not be vulnerable, until such time
+ as a new safe renegotiation scheme is standardized by the IETF.
+
+ If an application depends on renegotiation feature, it can be enabled by setting the
+ environment variable NSS_SSL_ENABLE_RENEGOTIATION to 1. By setting this environmental
+ variable, the fix provided by these patches will have no effect and the application may
+ become vulnerable to the issue.
+
+ This default setting can also be changed within the application by using the following
+ existing API functions:
+
+ -
+
+ - SECStatus SSL_OptionSet(PRFileDesc \*fd, PRInt32 option, PRBool on)
+ - SECStatus SSL_OptionSetDefault(PRInt32 option, PRBool on)
+
+ - There is now a new value for "option", which is:
+
+ - SSL_ENABLE_RENEGOTIATION
+
+ The corresponding new values for SSL_ENABLE_RENEGOTIATION are:
+
+ - SSL_RENEGOTIATE_NEVER: Never renegotiate at all (default).
+ - SSL_RENEGOTIATE_UNRESTRICTED: Renegotiate without restriction, whether or not the
+ peer's client hello bears the renegotiation info extension (as we always did in
+ the past). **UNSAFE**.
+
+ .. container::
+ :name: section_5
+
+ .. rubric:: TLS compression
+ :name: TLS_compression
+
+ - Enable TLS compression with:
+
+ - SSL_ENABLE_DEFLATE: Enable TLS compression with DEFLATE. Off by default. (See
+ ssl.h)
+
+ Error codes:
+
+ - SSL_ERROR_DECOMPRESSION_FAILURE (see sslerr.h)
+ - SSL_ERROR_RENEGOTIATION_NOT_ALLOWED (see sslerr.h)
+
+ .. container::
+ :name: section_6
+
+ .. rubric:: New context initialization and shutdown functions
+ :name: New_context_initialization_and_shutdown_functions
+
+ - See nss.h for details. The 2 new functions are:
+
+ - NSS_InitContext
+ - NSS_ShutdownContext
+
+ Parameters for these functions are used to initialize softoken. These are mostly
+ strings used to internationalize softoken. Memory for the strings are owned by the
+ caller, who is free to free them once NSS_ContextInit returns. If the string
+ parameter is NULL (as opposed to empty, zero length), then the softoken default is
+ used. These are equivalent to the parameters for PK11_ConfigurePKCS11().
+
+ See the following struct in nss.h for details:
+
+ - NSSInitParametersStr
+
+ .. container::
+ :name: section_7
+
+ .. rubric:: Other new functions
+ :name: Other_new_functions
+
+ - *In secmod.h:*
+
+ - SECMOD_GetSkipFirstFlag
+ - SECMOD_GetDefaultModDBFlag
+
+ *In prlink.h*
+
+ - NSS_SecureMemcmp
+ - PORT_LoadLibraryFromOrigin
+
+ .. container::
+ :name: section_8
+
+ .. rubric:: Modified functions
+ :name: Modified_functions
+
+ - SGN_Update (see cryptohi.h)
+
+ - The parameter "input" of this function is changed from *unsigned char \** to
+ *const unsigned char \**.
+
+ - PK11_ConfigurePKCS11 (see nss.h)
+
+ - The name of some parameters have been slightly changed ("des" became "desc").
+
+ .. container::
+ :name: section_9
+
+ .. rubric:: Deprecated headers
+ :name: Deprecated_headers
+
+ - The header file key.h is deprecated. Please use keyhi.h instead.
+
+ .. container::
+ :name: section_10
+
+ .. rubric:: Additional documentation
+ :name: Additional_documentation
+
+ - *In pk11pub.h:*
+
+ - The caller of PK11_DEREncodePublicKey should free the returned SECItem with a
+ SECITEM_FreeItem(..., PR_TRUE) call.
+ - PK11_ReadRawAttribute allocates the buffer for returning the attribute value. The
+ caller of PK11_ReadRawAttribute should free the data buffer pointed to by item
+ using a SECITEM_FreeItem(item, PR_FALSE) or PORT_Free(item->data) call.
+
+ *In secasn1.h:*
+
+ - If both pool and dest are NULL, the caller should free the returned SECItem with a
+ SECITEM_FreeItem(..., PR_TRUE) call. If pool is NULL but dest is not NULL, the
+ caller should free the data buffer pointed to by dest with a
+ SECITEM_FreeItem(dest, PR_FALSE) or PORT_Free(dest->data) call.
+
+ .. container::
+ :name: section_11
+
+ .. rubric:: Environment variables
+ :name: Environment_variables
+
+ - NSS_FIPS
+
+ - Will start NSS in FIPS mode.
+
+ - NSS_SSL_ENABLE_RENEGOTIATION
+ - NSS_SSL_REQUIRE_SAFE_NEGOTIATION
+
+ - See SSL3 & TLS Renegotiation Vulnerability.
+
+ ..
container::
+ :name: section_12
+
+ .. rubric:: Bugs Fixed
+ :name: Bugs_Fixed
+
+ The following bugs have been fixed in NSS 3.12.5.
+
+ - `Bug 510435 `__: Remove unused make
+ variable DSO_LDFLAGS
+ - `Bug 510436 `__: Add macros for
+ build numbers (4th component of version number) to nssutil.h
+ - `Bug 511227 `__: Firefox 3.0.13
+ fails to compile on FreeBSD/powerpc
+ - `Bug 511312 `__: NSS fails to load
+ softoken, looking for sqlite3.dll
+ - `Bug 511781 `__: Add new TLS 1.2
+ cipher suites implemented in Windows 7 to ssltap
+ - `Bug 516101 `__: If PK11_ImportCert
+ fails, it leaves the certificate undiscoverable by CERT_PKIXVerifyCert
+ - `Bug 518443 `__:
+ PK11_ImportAndReturnPrivateKey leaks an arena
+ - `Bug 518446 `__:
+ PK11_DEREncodePublicKey leaks a CERTSubjectPublicKeyInfo
+ - `Bug 518457 `__:
+ SECKEY_EncodeDERSubjectPublicKeyInfo and PK11_DEREncodePublicKey are duplicate
+ - `Bug 522510 `__: Add deprecated
+ comments to key.h and pk11func.h
+ - `Bug 522580 `__: NSS uses
+ PORT_Memcmp for comparing secret data.
+ - `Bug 525056 `__: Timing attack
+ against ssl3ext.c:ssl3_ServerHandleSessionTicketXtn()
+ - `Bug 526689 `__: SSL3 & TLS
+ Renegotiation Vulnerability
+
+ .. container::
+ :name: section_13
+
+ .. rubric:: Documentation
+ :name: Documentation
+
+ For a list of the primary NSS documentation pages on mozilla.org, see `NSS
+ Documentation `__. New
+ and revised documents available since the release of NSS 3.11 include the following:
+
+ - `Build Instructions `__
+ - `NSS Shared DB `__
+
+ .. container::
+ :name: section_14
+
+ .. rubric:: Compatibility
+ :name: Compatibility
+
+ NSS 3.12.5 shared libraries are backward compatible with all older NSS 3.x shared
+ libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.5
+ shared libraries without recompiling or relinking.
Furthermore, applications that restrict
+ their use of NSS APIs to the functions listed in `NSS Public
+ Functions `__ will
+ remain compatible with future versions of the NSS shared libraries.
+
+ .. container::
+ :name: section_15
+
+ .. rubric:: Feedback
+ :name: Feedback
+
+ Bugs discovered should be reported by filing a bug report with `mozilla.org
+ Bugzilla `__ (product NSS).
+
+ This document was generated by *genma teruaki* on *November 28, 2010* using `texi2html
+ 1.82 `__.
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst
new file mode 100644
index 0000000000..19087bb9eb
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst
@@ -0,0 +1,318 @@
+.. _mozilla_projects_nss_nss_3_12_6_release_notes:
+
+NSS 3.12.6 release notes
+========================
+
+.. _nss_3.12.6_release_notes:
+
+`NSS 3.12.6 release notes <#nss_3.12.6_release_notes>`__
+--------------------------------------------------------
+
+.. container::
+
+ .. container::
+
+ 2010-03-03
+ *Newsgroup:*\ `mozilla.dev.tech.crypto `__
+
+ .. container::
+ :name: section_1
+
+ .. rubric:: Introduction
+ :name: Introduction
+
+ Network Security Services (NSS) 3.12.6 is a patch release for NSS 3.12. The bug fixes in
+ NSS 3.12.6 are described in the "`Bugs
+ Fixed `__" section below.
+
+ NSS 3.12.6 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
+
+ .. container::
+ :name: section_2
+
+ .. rubric:: Distribution Information
+ :name: Distribution_Information
+
+ | The CVS tag for the NSS 3.12.6 release is ``NSS_3_12_6_RTM``. NSS 3.12.6 requires `NSPR
+ 4.8.4 `__.
+ | See the `Documentation `__
+ section for the build instructions.
+
+ NSS 3.12.6 source and binary distributions are also available on ``ftp.mozilla.org`` for
+ secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_6_RTM/src/.
+
+ | You also need to download the NSPR 4.8.4 binary distributions to get the NSPR 4.8.4
+ header files and shared libraries, which NSS 3.12.6 requires. NSPR 4.8.4 binary
+ distributions are in https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.4/.
+ |
+
+ .. container::
+ :name: section_3
+
+ .. rubric:: New in NSS 3.12.6
+ :name: New_in_NSS_3.12.6
+
+ .. container::
+ :name: section_4
+
+ .. rubric:: SSL3 & TLS Renegotiation Indication Extension (RFC 5746)
+ :name: SSL3_TLS_Renegotiation_Indication_Extension_(RFC_5746)
+
+ - By default, NSS 3.12.6 uses the new TLS Renegotiation Indication Extension for TLS
+ renegotiation but allows simple SSL/TLS connections (without renegotiation) with
+ peers that don't support the TLS Renegotiation Indication Extension.
+
+ The behavior of NSS for renegotiation can be changed through API function calls, or
+ with the following environment variables:
+
+ - NSS_SSL_ENABLE_RENEGOTIATION
+
+ - values:
+
+ - [0|n|N]: SSL_RENEGOTIATE_NEVER
+
+ - Never allow renegotiation - That was the default for 3.12.5 release.
+
+ - [1|u|U]: SSL_RENEGOTIATE_UNRESTRICTED
+
+ - Server and client are allowed to renegotiate without any restrictions.
+ This setting was the default prior 3.12.5 and makes products vulnerable.
+
+ - [2|r|R]: SSL_RENEGOTIATE_REQUIRES_XTN (default)
+
+ - Only allows renegotiation if the peer's hello bears the TLS
+ renegotiation_info extension. This is the safe renegotiation.
+
+ - [3|t|T]: SSL_RENEGOTIATE_TRANSITIONAL
+
+ - Disallows unsafe renegotiation in server sockets only, but allows clients
+ to continue to renegotiate with vulnerable servers. This value should
+ only be used during the transition period when few servers have been
+ upgraded.
+
+ - NSS_SSL_REQUIRE_SAFE_NEGOTIATION
+
+ - values:
+
+ - 1: requireSafeNegotiation = TRUE
+ - unset: requireSafeNegotiation = FALSE
+
+ Controls whether safe renegotiation indication is required for initial
+ handshake. If TRUE, a connection will be dropped at initial handshake if the
+ peer server or client does not support safe renegotiation. The default setting
+ for this option is FALSE.
+
+ These options can also be set with the following SSL options:
+
+ - sslOptions.enableRenegotiation
+ - sslOptions.requireSafeNegotiation
+ - New pseudo cipher suite value: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (cannot be
+ negotiated)
+
+ .. container::
+ :name: section_5
+
+ .. rubric:: TLS Server Name Indication for servers
+ :name: TLS_Server_Name_Indication_for_servers
+
+ - | TLS Server Name Indication (SNI) for servers is almost fully implemented in NSS
+ 3.12.6.
+ | See `bug 360421 `__ for
+ details.
+
+ Note: The TLS Server Name Indication for clients is already fully implemented in NSS.
+
+ - New functions for SNI *(see ssl.h for more information)*:
+
+ - SSLSNISocketConfig
+
+ - Return values:
+
+ - SSL_SNI_CURRENT_CONFIG_IS_USED: libSSL must use the default cert and key.
+ - SSL_SNI_SEND_ALERT: libSSL must send the "unrecognized_name" alert.
+
+ - SSL_SNISocketConfigHook
+ - SSL_ReconfigFD
+ - SSL_ConfigServerSessionIDCacheWithOpt
+ - SSL_SetTrustAnchors
+ - SSL_GetNegotiatedHostInfo
+
+ - New enum for SNI:
+
+ - SSLSniNameType *(see sslt.h)*
+
+ .. container::
+ :name: section_6
+
+ .. rubric:: New functions
+ :name: New_functions
+
+ - *in cert.h*
+
+ - CERTDistNames: Duplicate distinguished name array.
+ - CERT_DistNamesFromCertList: Generate an array of Distinguished names from a list
+ of certs.
+
+ *in ocsp.h*
+
+ - CERT_CacheOCSPResponseFromSideChannel:
+
+ - This function is intended for use when OCSP responses are provided via a
+ side-channel, i.e. TLS OCSP stapling (a.k.a. the status_request extension).
+
+ *in ssl.h*
+
+ - SSL_GetImplementedCiphers
+ - SSL_GetNumImplementedCiphers
+ - SSL_HandshakeNegotiatedExtension
+
+ .. container::
+ :name: section_7
+
+ .. rubric:: New error codes
+ :name: New_error_codes
+
+ - *in sslerr.h*
+
+ - SSL_ERROR_UNSAFE_NEGOTIATION
+ - SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD
+
+ .. container::
+ :name: section_8
+
+ .. rubric:: New types
+ :name: New_types
+
+ - *in sslt.h*
+
+ - SSLExtensionType
+
+ .. container::
+ :name: section_9
+
+ .. rubric:: New environment variables
+ :name: New_environment_variables
+
+ - SQLITE_FORCE_PROXY_LOCKING
+
+ - 1 means force always use proxy, 0 means never use proxy, NULL means use proxy for
+ non-local files only.
+
+ - SSLKEYLOGFILE
+
+ - Key log file. If set, NSS logs RSA pre-master secrets to this file. This allows
+ packet sniffers to decrypt TLS connections.
+ See `documentation `__.
+ Note: The code must be built with TRACE defined to use this functionality.
+
+ .. container::
+ :name: section_10
+
+ ..
rubric:: Bugs Fixed
+ :name: Bugs_Fixed
+
+ The following bugs have been fixed in NSS 3.12.6.
+
+ - `Bug 275744 `__: Support for TLS
+ compression RFC 3749
+ - `Bug 494603 `__: Update NSS's copy
+ of sqlite3 to 3.6.22 to get numerous bug fixes
+ - `Bug 496993 `__: Add accessor
+ functions for SSL_ImplementedCiphers
+ - `Bug 515279 `__:
+ CERT_PKIXVerifyCert considers a certificate revoked if cert_ProcessOCSPResponse fails
+ for any reason
+ - `Bug 515870 `__: GCC compiler
+ warnings in NSS 3.12.4
+ - `Bug 518255 `__: The input buffer
+ for SGN_Update should be declared const
+ - `Bug 519550 `__: Allow the
+ specification of an alternate library for SQLite
+ - `Bug 524167 `__: Crash in [[@
+ find_objects_by_template - nssToken_FindCertificateByIssuerAndSerialNumber]
+ - `Bug 526910 `__: maxResponseLength
+ (initialized to PKIX_DEFAULT_MAX_RESPONSE_LENGTH) is too small for downloading some
+ CRLs.
+ - `Bug 527759 `__: Add multiple roots
+ to NSS (single patch)
+ - `Bug 528741 `__: pkix_hash throws a
+ null-argument exception on empty strings
+ - `Bug 530907 `__: The peerID
+ argument to SSL_SetSockPeerID should be declared const
+ - `Bug 531188 `__: Decompression
+ failure with https://livechat.merlin.pl/
+ - `Bug 532417 `__: Build problem with
+ spaces in path names
+ - `Bug 534943 `__: Clean up the
+ makefiles in lib/ckfw/builtins
+ - `Bug 534945 `__: lib/dev does not
+ need to include headers from lib/ckfw
+ - `Bug 535669 `__: Move common
+ makefile code in if and else to the outside
+ - `Bug 536023 `__: DER_UTCTimeToTime
+ and DER_GeneralizedTimeToTime ignore all bytes after an embedded null
+ - `Bug 536474 `__: Add support for
+ logging pre-master secrets
+ - `Bug 537356 `__: Implement new safe
+ SSL3 & TLS renegotiation
+ - `Bug 537795 `__: NSS_InitContext
+ does not work with NSS_RegisterShutdown
+ - `Bug 537829 `__: Allow NSS to build
+ for Android
+ - `Bug 540304 `__: Implement
+ SSL_HandshakeNegotiatedExtension
+ - `Bug 541228 `__: Remove an obsolete
+ NSPR
version check in lib/util/secport.c
+ - `Bug 541231 `__: nssinit.c doesn't
+ need to include ssl.h and sslproto.h.
+ - `Bug 542538 `__: NSS: Add function
+ for recording OCSP stapled replies
+ - `Bug 544191 `__: Use system zlib on
+ Mac OS X
+ - `Bug 544584 `__: segmentation fault
+ when enumerating the nss database
+ - `Bug 544586 `__: Various
+ nss-sys-init patches from Fedora
+ - `Bug 545273 `__: Remove unused
+ function SEC_Init
+ - `Bug 546389 `__: nsssysinit binary
+ built inside source tree
+
+ .. container::
+ :name: section_11
+
+ .. rubric:: Documentation
+ :name: Documentation
+
+ For a list of the primary NSS documentation pages on mozilla.org, see `NSS
+ Documentation `__. New
+ and revised documents available since the release of NSS 3.11 include the following:
+
+ - `Build
+ Instructions `__
+ - `NSS Shared DB `__
+
+ .. container::
+ :name: section_12
+
+ .. rubric:: Compatibility
+ :name: Compatibility
+
+ NSS 3.12.6 shared libraries are backward compatible with all older NSS 3.x shared
+ libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.6
+ shared libraries without recompiling or relinking. Furthermore, applications that restrict
+ their use of NSS APIs to the functions listed in `NSS Public
+ Functions `__ will
+ remain compatible with future versions of the NSS shared libraries.
+
+ .. container::
+ :name: section_13
+
+ .. rubric:: Feedback
+ :name: Feedback
+
+ Bugs discovered should be reported by filing a bug report with `mozilla.org
+ Bugzilla `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst
new file mode 100644
index 0000000000..2f534fd0ad
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst
@@ -0,0 +1,144 @@
+.. _:
+
+NSS 3.12.9 release notes
+========================
+
+.. _removed_functions:
+
+`Removed functions <#removed_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ 2010-09-23
+ *Newsgroup:*\ `mozilla.dev.tech.crypto `__
+
+ .. container::
+ :name: section_1
+
+ .. rubric:: Introduction
+ :name: Introduction_2
+
+ Network Security Services (NSS) 3.12.9 is a patch release for NSS 3.12. The bug fixes in NSS
+ 3.12.9 are described in the "\ `Bugs Fixed <#bugsfixed>`__" section below.
+
+ NSS 3.12.9 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
+
+ .. container::
+ :name: section_2
+
+ .. rubric:: Distribution Information
+ :name: Distribution_Information
+
+ | The CVS tag for the NSS 3.12.9 release is ``NSS_3.12.9_RTM``. NSS 3.12.9 requires `NSPR
+ 4.8.7 `__.
+ | See the `Documentation <#docs>`__ section for the build instructions.
+
+ NSS 3.12.9 source distribution is also available on ``ftp.mozilla.org`` for secure HTTPS
+ download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3.12.9_RTM/src/.
+
+ You also need to download the NSPR 4.8.7 binary distributions to get the NSPR 4.8.7 header
+ files and shared libraries, which NSS 3.12.9 requires. NSPR 4.8.7 binary distributions are in
+ https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.8.7/.
+
+ .. container::
+ :name: section_3
+
+ .. rubric:: New in NSS 3.12.9
+ :name: New_in_NSS_3.12.9
+
+ .. container::
+ :name: section_5
+
+ .. container::
+ :name: section_6
+
+ .. rubric:: New SSL options
+ :name: New_SSL_options
+
+ .. container::
+ :name: section_7
+
+ .. rubric:: New error codes
+ :name: New_error_codes
+
+ .. container::
+ :name: section_8
+
+ .. rubric:: Bugs Fixed
+ :name: Bugs_Fixed
+
+ The following bugs have been fixed in NSS 3.12.9.
+
+ - `Bug 609068 `__: Implement J-PAKE in
+ FreeBL
+ - `Bug 607058 `__: crash [@
+ nss_cms_decoder_work_data]
+ - `Bug 613394 `__: November/December
+ 2010 batch of NSS root CA changes
+ - `Bug 610843 `__: Need way to recover
+ softoken in child after fork()
+ - `Bug 617492 `__: Add
+ PK11_KeyGenWithTemplate function to pk11wrap (for Firefox Sync)
+ - `Bug 610162 `__: SHA-512 and SHA-384
+ hashes are incorrect for inputs of 512MB or larger when running under Windows and other
+ 32-bit platforms (Fx 3.6.12 and 4.0b6)
+ - `Bug 518551 `__: Vfychain crashes in
+ PKITS tests.
+ - `Bug 536485 `__: crash during ssl
+ handshake in [@ intel_aes_decrypt_cbc_256]
+ - `Bug 444367 `__: NSS 3.12 softoken
+ returns the certificate type of a certificate object as CKC_X_509_ATTR_CERT.
+ - `Bug 620908 `__: certutil -T -d
+ "sql:." dumps core
+ - `Bug 584257 `__: Need a way to expand
+ partial private keys.
+ - `Bug 596798 `__: win_rand.c (among
+ others) uses unsafe \_snwprintf
+ - `Bug 597622 `__: Do not use the
+ SEC_ERROR_BAD_INFO_ACCESS_LOCATION error code for bad CRL distribution point URLs
+ - `Bug 619268 `__: Memory leaks in
+ CERT_ChangeCertTrust and CERT_SaveSMimeProfile
+ - `Bug 585518 `__: AddTrust Qualified CA
+ Root serial wrong in certdata.txt trust entry
+ - `Bug 337433 `__: Need
+ CERT_FindCertByNicknameOrEmailAddrByUsage
+ - `Bug 592939 `__: Expired CAs in
+ certdata.txt
+
+ .. container::
+ :name: section_9
+
+ .. rubric:: Documentation
+ :name: Documentation
+
+ NSS Documentation. New and revised documents available since the release of NSS 3.11 include
+ the following:
+
+ - `Build Instructions for NSS 3.11.4 and
+ above `__
+ - `NSS Shared DB `__
+
+ .. container::
+ :name: section_10
+
+ .. rubric:: Compatibility
+ :name: Compatibility
+
+ NSS 3.12.9 shared libraries are backward compatible with all older NSS 3.x shared libraries.
A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.12.9 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS
+ APIs to the functions listed in `NSS Public Functions `__ will
+ remain compatible with future versions of the NSS shared libraries.
+
+ .. container::
+ :name: section_11
+
+ .. rubric:: Feedback
+ :name: Feedback
+
+ Bugs discovered should be reported by filing a bug report with `mozilla.org
+ Bugzilla `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst
new file mode 100644
index 0000000000..658f9a8f3a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst
@@ -0,0 +1,127 @@
+.. _mozilla_projects_nss_nss_3_14_1_release_notes:
+
+NSS 3.14.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.14.1 is a patch release for NSS 3.14. The bug fixes in NSS
+ 3.14.1 are described in the "Bugs Fixed" section below.
+
+ NSS 3.14.1 is licensed under the MPL 2.0.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The CVS tag is NSS_3_14_1_RTM. NSS 3.14.1 requires NSPR 4.9.4 or newer.
+
+ NSS 3.14.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_1_RTM/src/
+
+.. _new_in_nss_3.14.1:
+
+`New in NSS 3.14.1 <#new_in_nss_3.14.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - NSS now has the ability to create signed OCSP responses.
+
+ - The ability to create signed OCSP responses has been added in NSS 3.14.1. Note that this
+ code is used primarily for purposes of testing.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in ocspt.h*
+
+ - CERT_CreateOCSPSingleResponseGood
+ - CERT_CreateOCSPSingleResponseUnknown
+ - CERT_CreateOCSPSingleResponseRevoked
+ - CERT_CreateEncodedOCSPSuccessResponse
+ - CERT_CreateEncodedOCSPErrorResponse
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in ocspt.h*
+
+ - CERTOCSPResponderIDType
+
+.. _notable_changes_in_nss_3.14.1:
+
+`Notable Changes in NSS 3.14.1 <#notable_changes_in_nss_3.14.1>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Windows CE support has been removed from the code base.
+ - `Bug 812399 `__ - In NSS 3.14, a
+ regression caused `Bug 641052 `__ /
+ CVE-2011-3640 to be re-introduced under certain situations. This regression only affected
+ applications that initialize NSS via the NSS_NoDB_Init function. NSS 3.14.1 includes the
+ complete fix for this issue.
+ - `Bug 357025 `__ - NSS 3.14 added support
+ for tokens that make use of CKA_ALWAYS_AUTHENTICATE. However, when authenticating with such
+ tokens, it was possible for an internal lock to be acquired twice, causing a hang. This hang
+ has been fixed in NSS 3.14.1.
+ - `Bug 802429 `__ - In previous versions of
+ NSS, the "cipherOrder" slot configuration flag was not respected, causing the most recently
+ added slot that supported the requested PKCS#11 mechanism to be used instead. NSS now
+ correctly respects the supplied cipherOrder.
+ Applications which use multiple PKCS#11 modules, which do not indicate which tokens should be
+ used by default for particular algorithms, and which do make use of cipherOrder may now find
+ that cryptographic operations occur on a different PKCS#11 token.
+ - `Bug 802429 `__ - The NSS softoken is now
+ the default token for SHA-256 and SHA-512. In previous versions of NSS, these algorithms would
+ be handled by the most recently added PKCS#11 token that supported them.
+ - `Bug 611451 `__ - When built with the
+ current version of Apple XCode on Mac OS X, the NSS shared libraries will now only export the
+ public NSS functions.
+ - `Bug 810582 `__ - TLS False Start is now
+ only used with servers that negotiate a cipher suite that supports forward secrecy.
+ **Note**: The criteria for False Start may change again in future NSS releases.
+
+.. _bugs_fixed_in_nss_3.14.1:
+
+`Bugs fixed in NSS 3.14.1 <#bugs_fixed_in_nss_3.14.1>`__
+--------------------------------------------------------
+
+..
container::
+
+ The following Bugzilla query returns all of the bugs fixed in NSS 3.14.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?list_id=5216669;resolution=FIXED;query_format=advanced;bug_status=RESOLVED;bug_status=VERIFIED;target_milestone=3.14.1;product=NSS
+
+`Compatability <#compatability>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.14.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.14.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered in this release should be reported by filing a bug report at
+ https://bugzilla.mozilla.org with the Product of NSS.
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst
new file mode 100644
index 0000000000..b0b6420aab
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst
@@ -0,0 +1,103 @@
+.. _mozilla_projects_nss_nss_3_14_2_release_notes:
+
+NSS 3.14.2 release notes
+========================
+
+.. container::
+
+ Network Security Services (NSS) 3.14.2 is a patch release for NSS 3.14. The bug fixes in NSS
+ 3.14.2 are described in the "Bugs Fixed" section below. NSS 3.14.2 should be used with NSPR 4.9.5
+ or newer.
+
+ The release is available for download from
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_2_RTM/src/
+
+ For the primary NSS documentation pages please visit :ref:`mozilla_projects_nss`
+
+.. _new_in_nss_3.14.2:
+
+`New in NSS 3.14.2 <#new_in_nss_3.14.2>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - NSS will now make use of the Intel AES-NI and AVX instruction sets for hardware-accelerated
+ AES-GCM on 64-bit Linux systems. Note: the new assembly code requires GNU as version 2.19 or
+ newer. On Red Hat Enterprise Linux 5.x systems, install the binutils220 package and add
+ /usr/libexec/binutils220 to the beginning of your PATH environment variable.
+ - Initial manual pages for some NSS command line tools have been added. They are still under
+ review, and contributions are welcome. The documentation is in the docbook format and can be
+ rendered as HTML and UNIX-style manual pages using an optional build target.
+
+ .. rubric:: New Types:
+ :name: new_types
+
+ - in certt.h
+
+ - ``cert_pi_useOnlyTrustAnchors``
+
+ - in secoidt.h
+
+ - ``SEC_OID_MS_EXT_KEY_USAGE_CTL_SIGNING``
+
+.. _notable_changes_in_nss_3.14.2:
+
+`Notable Changes in NSS 3.14.2 <#notable_changes_in_nss_3.14.2>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Bug 805604 - Support for AES-NI and AVX accelerated AES-GCM was contributed by Shay Gueron of
+ Intel. If compiled on Linux systems in 64-bit mode, NSS will include runtime detection to
+ check if the platform supports AES-NI and PCLMULQDQ.
If so, NSS uses the optimized code path,
+ reducing the CPU cycles per byte to 1/20 of what was required before the patch
+ (https://bugzilla.mozilla.org/show_bug.cgi?id=805604 and
+ https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf). Support for other platforms,
+ such as Windows, will follow in a future NSS release.
+ (https://bugzilla.mozilla.org/show_bug.cgi?id=540986)
+ - SQLite has been updated to 3.7.15. Note: please apply the patch in
+ https://bugzilla.mozilla.org/show_bug.cgi?id=837799 if you build NSS with the system SQLite
+ library and your system SQLite library is older than 3.7.15.
+ - Bug 816853 - When using libpkix for certificate validation, applications may now supply
+ additional application-defined trust anchors to be used in addition to those from loaded
+ security tokens, rather than as an alternative to.
+ (https://bugzilla.mozilla.org/show_bug.cgi?id=816853)
+ - Bug 772144 - Basic support for running NSS test suites on Android devices.This is currently
+ limited to running tests from a Linux host machine using an SSH connection. Only the SSHDroid
+ app has been tested.
+ - Bug 373108 - Fixed a bug where, under certain circumstances, when applications supplied
+ invalid/out-of-bounds parameters for AES encryption, a double free may occur.
+ - Bug 813857 - Modification of certificate trust flags from multiple threads is now a
+ thread-safe operation.
+ - Bug 618418 - C_Decrypt/C_DecryptFinal now correctly validate the PKCS #7 padding when present.
+ - Bug 807890 - Added support for Microsoft Trust List Signing EKU.
+ - Bug 822433 - Fixed a crash in dtls_FreeHandshakeMessages.
+ - Bug 823336 - Reject invalid LDAP AIA URIs sooner.
+
+.. _bugs_fixed_in_nss_3.14.2:
+
+`Bugs Fixed in NSS 3.14.2 <#bugs_fixed_in_nss_3.14.2>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+..
container::
+
+ - https://bugzilla.mozilla.org/buglist.cgi?list_id=5502456;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.14.2;product=NSS
+
+`Compatibility <#compatibility>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ NSS 3.14.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.14.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst
new file mode 100644
index 0000000000..8844bfec82
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst
@@ -0,0 +1,132 @@
+.. _mozilla_projects_nss_nss_3_14_3_release_notes:
+
+NSS 3.14.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.14.3 is a patch release for NSS 3.14. The bug fixes in NSS
+ 3.14.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The CVS tag is NSS_3_14_3_RTM. NSS 3.14.3 requires NSPR 4.9.5 or newer.
+
+ NSS 3.14.3 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_3_RTM/src/
+
+.. _new_in_nss_3.14.3:
+
+`New in NSS 3.14.3 <#new_in_nss_3.14.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - No new major functionality is introduced in this release. This release is a patch release to
+ address `CVE-2013-1620 `__.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in pk11pub.h*
+
+ - **PK11_SignWithSymKey** - Similar to PK11_Sign, performs a signing operation in a single
+ operation. However, unlike PK11_Sign, which uses a *SECKEYPrivateKey*, PK11_SignWithSymKey
+ performs the signature using a symmetric key, such as commonly used for generating MACs.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *CK_NSS_MAC_CONSTANT_TIME_PARAMS* - Parameters for use with *CKM_NSS_HMAC_CONSTANT_TIME* and
+ *CKM_NSS_SSL3_MAC_CONSTANT_TIME*.
+
+ .. rubric:: New PKCS #11 Mechanisms
+ :name: new_pkcs_11_mechanisms
+
+ - *CKM_NSS_HMAC_CONSTANT_TIME* - Constant-time HMAC operation for use when verifying a padded,
+ MAC-then-encrypted block of data.
+ - *CKM_NSS_SSL3_MAC_CONSTANT_TIME* - Constant-time MAC operation for use when verifying a
+ padded, MAC-then-encrypted block of data using the SSLv3 MAC.
+
+.. _notable_changes_in_nss_3.14.3:
+
+`Notable Changes in NSS 3.14.3 <#notable_changes_in_nss_3.14.3>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `CVE-2013-1620 `__
+
+ Recent research by Nadhem AlFardan and Kenny Patterson has highlighted a weakness in the
+ handling of CBC padding as used in SSL, TLS, and DTLS that allows an attacker to exploit
+ timing differences in MAC processing. The details of their research and the attack can be
+ found at http://www.isg.rhul.ac.uk/tls/, and has been referred to as "Lucky Thirteen".
+
+ NSS 3.14.3 includes changes to the *softoken* and *ssl* libraries to address and mitigate
+ these attacks, contributed by Adam Langley of Google. This attack is mitigated when using NSS
+ 3.14.3 with an NSS Cryptographic Module ("softoken") version 3.14.3 or later. However, this
+ attack is only partially mitigated if NSS 3.14.3 is used with the current FIPS validated `NSS
+ Cryptographic
+ Module `__, version
+ 3.12.9.1.
+
+ - `Bug 840714 `__ - "certutil -a" was not
+ correctly producing ASCII output as requested.
+
+ - `Bug 837799 `__ - NSS 3.14.2 broke
+ compilation with older versions of sqlite that lacked the SQLITE_FCNTL_TEMPFILENAME file
+ control. NSS 3.14.3 now properly compiles when used with older versions of sqlite.
+
+`Acknowledgements <#acknowledgements>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ The NSS development team would like to thank Nadhem AlFardan and Kenny Patterson (Royal Holloway,
+ University of London) for responsibly disclosing the issue by providing advance copies of their
+ research. In addition, thanks to Adam Langley (Google) for the development of a mitigation for
+ the issues raised in the paper, along with Emilia Kasper and Bodo Möller (Google) for assisting
+ in the review and improvements to the initial patches.
+
+.. _bugs_fixed_in_nss_3.14.3:
+
+`Bugs fixed in NSS 3.14.3 <#bugs_fixed_in_nss_3.14.3>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.14.3;product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.14.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.14.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst
new file mode 100644
index 0000000000..4177d62377
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst
@@ -0,0 +1,82 @@
+.. _mozilla_projects_nss_nss_3_14_4_release_notes:
+
+NSS 3.14.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.14.4 is a patch release for NSS 3.14. The bug fixes in NSS
+ 3.14.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The CVS tag is NSS_3_14_4_RTM. NSS 3.14.4 requires NSPR 4.9.5 or newer.
+
+ NSS 3.14.4 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_4_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.14.4. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 894370 `__ - (CVE-2013-1739) Avoid
+ uninitialized data read in the event of a decryption failure.
+
+.. _new_in_nss_3.14.4:
+
+`New in NSS 3.14.4 <#new_in_nss_3.14.4>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - No new major functionality is introduced in this release. This release is a patch release to
+ address `CVE-2013-1739 `__.
+
+.. _bugs_fixed_in_nss_3.14.4:
+
+`Bugs fixed in NSS 3.14.4 <#bugs_fixed_in_nss_3.14.4>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - https://bugzilla.mozilla.org/buglist.cgi?bug_id=894370%2C832942%2C863947&bug_id_type=anyexact&list_id=8338081&resolution=FIXED&classification=Components&query_format=advanced&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.14.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.14.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst
new file mode 100644
index 0000000000..ef32dabec6
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst
@@ -0,0 +1,82 @@
+.. _mozilla_projects_nss_nss_3_14_5_release_notes:
+
+NSS 3.14.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.14.5 is a patch release for NSS 3.14. The bug fixes in NSS
+ 3.14.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The CVS tag is NSS_3_14_5_RTM. NSS 3.14.5 requires NSPR 4.9.5 or newer.
+
+ NSS 3.14.5 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_5_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.14.5. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 934016 `__ - (CVE-2013-5605) Handle
+ invalid handshake packets
+
+.. _new_in_nss_3.14.5:
+
+`New in NSS 3.14.5 <#new_in_nss_3.14.5>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - No new major functionality is introduced in this release. This release is a patch release to
+ address `CVE-2013-5605 `__.
+
+.. _bugs_fixed_in_nss_3.14.5:
+
+`Bugs fixed in NSS 3.14.5 <#bugs_fixed_in_nss_3.14.5>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - https://bugzilla.mozilla.org/buglist.cgi?bug_id=934016&bug_id_type=anyexact&resolution=FIXED&classification=Components&query_format=advanced&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.14.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.14.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst
new file mode 100644
index 0000000000..a1974d1562
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst
@@ -0,0 +1,174 @@
+.. _mozilla_projects_nss_nss_3_14_release_notes:
+
+NSS 3.14 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.14, which is a minor release with the
+ following new features:
+
+ - Support for TLS 1.1 (RFC 4346)
+ - Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764)
+ - Support for AES-CTR, AES-CTS, and AES-GCM
+ - Support for Keying Material Exporters for TLS (RFC 5705)
+
+ In addition to the above new features, the following major changes have been introduced:
+
+ - Support for certificate signatures using the MD5 hash algorithm is now disabled by default.
+ - The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL
+ 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see
+ http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explantation on GPL/LGPL
+ compatibility, see security/nss/COPYING in the source code.
+ - Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites
+ are enabled by default.
+
+ NSS 3.14 source tarballs can be downloaded from
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_RTM/src/. The CVS tag is
+ NSS_3_14_RTM.
+
+.. _new_in_nss_3.14:
+
+`New in NSS 3.14 <#new_in_nss_3.14>`__
+--------------------------------------
+
+.. container::
+
+ The sections that follow discuss specific changes in NSS 3.14 in more detail.
+
+ - Support for TLS 1.1 (RFC 4346) has been added
+ (https://bugzilla.mozilla.org/show_bug.cgi?id=565047).
+
+ .. container::
+
+ To better support TLS 1.1 and future versions of TLS, a new version range API was
+ introduced to allow applications to specify the desired minimum and maximum versions. These
+ functions are intended to replace the now-deprecated use of the SSL_ENABLE_SSL3 and
+ SSL_ENABLE_TLS socket options. The following functions have been added to the libssl
+ library included in NSS 3.14
+
+ - SSL_VersionRangeGet (in ssl.h)
+ - SSL_VersionRangeGetDefault (in ssl.h)
+ - SSL_VersionRangeGetSupported (in ssl.h)
+ - SSL_VersionRangeSet (in ssl.h)
+ - SSL_VersionRangeSetDefault (in ssl.h)
+
+ - To better ensure interoperability with peers that support TLS 1.1, NSS has altered how it
+ handles certain SSL protocol layer events. Such changes may present interoperability concerns
+ when enabling TLS 1.1.
+
+ .. container::
+
+ - When connecting to a server, the record layer version of the initial ClientHello will be
+ at most { 3, 1 } (TLS 1.0), even when attempting to negotiate TLS 1.1
+ (https://bugzilla.mozilla.org/show_bug.cgi?id=774547)
+ - The choice of client_version sent during renegotiations has changed. See the
+ "`Changes <#changes>`__" section below.
+
+ - Experimental Support for DTLS (RFC 4347) and DTLS-SRTP (RFC 5764)
+
+ DTLS client and server support has been added in NSS 3.14. Because the test coverage and
+ interoperability testing is not yet at the same level as other NSS code, this feature should
+ be considered "experimental" and may contain bugs.
+
+ The following functions have been added to the libssl library included in NSS 3.14:
+
+ - DTLS_ImportFD (in ssl.h)
+ - DTLS_GetHandshakeTimeout (in ssl.h)
+ - SSL_GetSRTPCipher (in ssl.h)
+ - SSL_SetRTPCiphers (in ssl.h)
+
+ - Support for AES-GCM
+
+ .. container::
+
+ Support for AES-GCM has been added to the NSS PKCS #11 module (softoken), based upon the
+ draft 7 of PKCS #11 v2.30.
+
+ **WARNING**: Because of ambiguity in the current draft text, applications should ONLY use
+ GCM in single-part mode (C_Encrypt/C_Decrypt). They should NOT use multi-part APIs
+ (C_EncryptUpdate/C_DecryptUpdate).
+
+ - Support for application-defined certificate chain validation callback when using libpkix
+
+ .. container::
+
+ To better support per-application security policies, a new callback has been added for
+ applications that use libpkix to verify certificates. Applications may use this callback to
+ inform libpkix whether or not candidate certificate chains meet application-specific
+ security policies, allowing libpkix to continue discovering certificate paths until it can
+ find a chain that satisfies the policies.
+
+ The following types have been added in NSS 3.14
+
+ - CERTChainVerifyCallback (in certt.h)
+ - CERTChainVerifyCallbackFunc (in certt.h)
+ - cert_pi_chainVerifyCallback, a new option for CERTValParamInType (in certt.h)
+ - A new error code: SEC_ERROR_APPLICATION_CALLBACK_ERROR (in secerr.h)
+
+ - New for PKCS #11
+
+ .. container::
+
+ PKCS #11 mechanisms:
+
+ - CKM_AES_CTS
+ - CKM_AES_CTR
+ - CKM_AES_GCM (see warnings against using C_EncryptUpdate/C_DecryptUpdate above)
+ - CKM_SHA224_KEY_DERIVATION
+ - CKM_SHA256_KEY_DERIVATION
+ - CKM_SHA384_KEY_DERIVATION
+ - CKM_SHA512_KEY_DERIVATION
+
+ Changes in NSS 3.14
+
+.. _changes_in_nss_3.14:
+
+`Changes in NSS 3.14 <#changes_in_nss_3.14>`__
+----------------------------------------------
+
+.. container::
+
+ - `Bug 333601 `__ - Performance
+ enhancements for Intel Macs
+
+ When building for Intel Macs, NSS will now take advantage of optimized assembly code for
+ common operations. These changes have the observed effect of doubling RSA performance.
+
+ - `Bug 792681 `__ - New default cipher
+ suites
+
+ The default cipher suites in NSS 3.14 have been changed to better reflect the current security
+ landscape. The defaults now better match the set that most major Web browsers enable by
+ default.
+
+ - `Bug 783448 `__ - When performing an SSL
+ renegotiation, the client_version that is sent in the renegotiation ClientHello will be set to
+ match the client_version that was sent in the initial ClientHello. This is needed for
+ compatibility with IIS.
+
+ - Certificate signatures that make use of the MD5 hash algorithm will now be rejected by
+ default. Support for MD5 may be manually enabled (but is discouraged) by setting the
+ environment variable of "NSS_HASH_ALG_SUPPORT=+MD5" or by using the NSS_SetAlgorithmPolicy
+ function. Note that SSL cipher suites with "MD5" in their names are NOT disabled by this
+ change; those cipher suites use HMAC-MD5, not plain MD5, and are still considered safe.
+
+ - Maximum key sizes for RSA and Diffie-Hellman keys have been increased to 16K bits.
+
+ - Command line utilities tstclnt, strsclnt, and selfserv have changed. The old options to
+ disable SSL 2, SSL 3 and TLS 1.0 have been removed and replaced with a new -V option that
+ specifies the enabled range of protocol versions (see usage output of those tools).
+
+.. _bugs_fixed_in_nss_3.14:
+
+`Bugs fixed in NSS 3.14 <#bugs_fixed_in_nss_3.14>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.14:
+
+ https://bugzilla.mozilla.org/buglist.cgi?list_id=4643675;resolution=FIXED;classification=Components;query_format=advanced;product=NSS;target_milestone=3.14
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst
new file mode 100644
index 0000000000..b78f326a85
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst
@@ -0,0 +1,131 @@
+.. _mozilla_projects_nss_nss_3_15_1_release_notes:
+
+NSS 3.15.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ NSS 3.15.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/
+
+.. _new_in_nss_3.15.1:
+
+`New in NSS 3.15.1 <#new_in_nss_3.15.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - TLS 1.2: TLS 1.2 (`RFC 5246 `__) is supported.
+ HMAC-SHA256 cipher suites (`RFC 5246 `__ and
+ `RFC 5289 `__) are supported, allowing TLS to
+ be used without MD5 and SHA-1. Note the following limitations.
+
+ - The hash function used in the signature for TLS 1.2 client authentication must be the hash
+ function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1.
+ - AES GCM cipher suites are not yet supported.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ None.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in sslprot.h*
+
+ - **SSL_LIBRARY_VERSION_TLS_1_2** - The protocol version of TLS 1.2 on the wire, value
+ 0x0303.
+ - **TLS_DHE_RSA_WITH_AES_256_CBC_SHA256**, **TLS_RSA_WITH_AES_256_CBC_SHA256**,
+ **TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256**, **TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256**,
+ **TLS_DHE_RSA_WITH_AES_128_CBC_SHA256**, **TLS_RSA_WITH_AES_128_CBC_SHA256**,
+ **TLS_RSA_WITH_NULL_SHA256** - New TLS 1.2 only HMAC-SHA256 cipher suites.
+
+ - *in sslerr.h*
+
+ - **SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM**, **SSL_ERROR_DIGEST_FAILURE**,
+ **SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM** - New error codes for TLS 1.2.
+
+ - *in sslt.h*
+
+ - **ssl_hmac_sha256** - A new value in the SSLMACAlgorithm enum type.
+ - **ssl_signature_algorithms_xtn** - A new value in the SSLExtensionType enum type.
+
+ .. rubric:: New PKCS #11 Mechanisms
+ :name: new_pkcs_11_mechanisms
+
+ None.
+
+.. _notable_changes_in_nss_3.15.1:
+
+`Notable Changes in NSS 3.15.1 <#notable_changes_in_nss_3.15.1>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 856060 `__ - Enforce name
+ constraints on the common name in libpkix when no subjectAltName is present.
+ - `Bug 875156 `__ - Add const to the
+ function arguments of SEC_CertNicknameConflict.
+ - `Bug 877798 `__ - Fix ssltap to print the
+ certificate_status handshake message correctly.
+ - `Bug 882829 `__ - On Windows, NSS
+ initialization fails if NSS cannot call the RtlGenRandom function.
+ - `Bug 875601 `__ -
+ SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token delay, leading to spurious
+ failures.
+ - `Bug 884072 `__ - Fix a typo in the
+ header include guard macro of secmod.h.
+ - `Bug 876352 `__ - certutil now warns if
+ importing a PEM file that contains a private key.
+ - `Bug 565296 `__ - Fix the bug that
+ shlibsign exited with status 0 even though it failed.
+ - The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed.
+
+.. _bugs_fixed_in_nss_3.15.1:
+
+`Bugs fixed in NSS 3.15.1 <#bugs_fixed_in_nss_3.15.1>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst
new file mode 100644
index 0000000000..9f623daff4
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst
@@ -0,0 +1,126 @@
+.. _mozilla_projects_nss_nss_3_15_2_release_notes:
+
+NSS 3.15.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.2 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.2 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ NSS 3.15.2 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_2_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.15.2. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 894370 `__ - (CVE-2013-1739) Avoid
+ uninitialized data read in the event of a decryption failure.
+
+.. _new_in_nss_3.15.2:
+
+`New in NSS 3.15.2 <#new_in_nss_3.15.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - AES-GCM Ciphersuites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support has been added when
+ TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported:
+
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_RSA_WITH_AES_128_GCM_SHA256
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ PK11_CipherFinal has been introduced, which is a simple alias for PK11_DigestFinal.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ No new types have been introduced.
+
+ .. rubric:: New PKCS #11 Mechanisms
+ :name: new_pkcs_11_mechanisms
+
+ No new PKCS#11 mechanisms have been introduced
+
+.. _notable_changes_in_nss_3.15.2:
+
+`Notable Changes in NSS 3.15.2 <#notable_changes_in_nss_3.15.2>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 880543 `__ - Support for AES-GCM
+ ciphersuites that use the SHA-256 PRF
+ - `Bug 663313 `__ - MD2, MD4, and MD5
+ signatures are no longer accepted for OCSP or CRLs, consistent with their handling for general
+ certificate signatures.
+ - `Bug 884178 `__ - Add PK11_CipherFinal
+ macro
+
+.. _bugs_fixed_in_nss_3.15.2:
+
+`Bugs fixed in NSS 3.15.2 <#bugs_fixed_in_nss_3.15.2>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 734007 `__ - sizeof() used
+ incorrectly
+ - `Bug 900971 `__ - nssutil_ReadSecmodDB()
+ leaks memory
+ - `Bug 681839 `__ - Allow
+ SSL_HandshakeNegotiatedExtension to be called before the handshake is finished.
+ - `Bug 848384 `__ - Deprecate the SSL
+ cipher policy code, as it's no longer relevant. It is no longer necessary to call
+ NSS_SetDomesticPolicy because all cipher suites are now allowed by default.
+
+ A complete list of all bugs resolved in this release can be obtained at
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.2&product=NSS&list_id=7982238
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst
new file mode 100644
index 0000000000..bb80e44e51
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst
@@ -0,0 +1,89 @@
+.. _mozilla_projects_nss_nss_3_15_3_1_release_notes:
+
+NSS 3.15.3.1 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.3.1 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.3.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_15_3_1_RTM. NSS 3.15.3.1 requires NSPR 4.10.2 or newer.
+
+ NSS 3.15.3.1 source distributions are also available on ftp.mozilla.org for secure HTTPS
+ download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_3_1_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.15.3.1. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 946351 `__ - Misissued Google
+ certificates from DCSSI
+
+.. _new_in_nss_3.15.3.1:
+
+`New in NSS 3.15.3.1 <#new_in_nss_3.15.3.1>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new major functionality is introduced in this release. This is a patch release to `revoke
+ trust of a subordinate CA
+ certificate `__
+ that was mis-used to generate a certificate used by a network appliance.
+
+.. _bugs_fixed_in_nss_3.15.3.1:
+
+`Bugs fixed in NSS 3.15.3.1 <#bugs_fixed_in_nss_3.15.3.1>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 946351 `__ - Misissued Google
+ certificates from DCSSI
+
+ A complete list of all bugs resolved in this release can be obtained at
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3.1&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.3.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.3.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst
new file mode 100644
index 0000000000..5a28baf7b0
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst
@@ -0,0 +1,94 @@
+.. _mozilla_projects_nss_nss_3_15_3_release_notes:
+
+NSS 3.15.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.3 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_15_3_RTM. NSS 3.15.3 requires NSPR 4.10.2 or newer.
+
+ NSS 3.15.3 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_3_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.15.3. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 925100 `__ - (CVE-2013-1741) Ensure
+ a size is <= half of the maximum PRUint32 value
+ - `Bug 934016 `__ - (CVE-2013-5605) Handle
+ invalid handshake packets
+ - `Bug 910438 `__ - (CVE-2013-5606) Return
+ the correct result in CERT_VerifyCert on failure, if a verifyLog isn't used
+
+.. _new_in_nss_3.15.3:
+
+`New in NSS 3.15.3 <#new_in_nss_3.15.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new major functionality is introduced in this release. This release is a patch release to
+ address `CVE-2013-1741 `__,
+ `CVE- `__\ `2013-5605 `__
+ and `CVE-2013-5606 `__.
+
+.. _bugs_fixed_in_nss_3.15.3:
+
+`Bugs fixed in NSS 3.15.3 <#bugs_fixed_in_nss_3.15.3>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 850478 `__ - List RC4_128 cipher
+ suites after AES_128 cipher suites
+ - `Bug 919677 `__ - Don't advertise TLS
+ 1.2-only ciphersuites in a TLS 1.1 ClientHello
+
+ A complete list of all bugs resolved in this release can be obtained at
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst
new file mode 100644
index 0000000000..50f47b4226
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst
@@ -0,0 +1,137 @@
+.. _mozilla_projects_nss_nss_3_15_4_release_notes:
+
+NSS 3.15.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.4 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_15_4_RTM. NSS 3.15.4 requires NSPR 4.10.2 or newer.
+
+ NSS 3.15.4 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_4_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.15.4. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 919877 `__ - (CVE-2013-1740) When
+ false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from
+ PR_Recv
+
+.. _new_in_nss_3.15.4:
+
+`New in NSS 3.15.4 <#new_in_nss_3.15.4>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall
+ back to the HTTP POST method.
+ - Implemented OCSP server functionality for testing purposes (httpserv utility).
+ - Support SHA-1 signatures with TLS 1.2 client authentication.
+ - Added the --empty-password command-line option to certutil, to be used with -N: use an empty
+ password when creating a new database.
+ - Added the -w command-line option to pp: don't wrap long output lines.
+
+.. _new_functions:
+
+`New Functions <#new_functions>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - CERT_ForcePostMethodForOCSP
+ - CERT_GetSubjectNameDigest
+ - CERT_GetSubjectPublicKeyDigest
+ - SSL_PeerCertificateChain
+ - SSL_RecommendedCanFalseStart
+ - SSL_SetCanFalseStartCallback
+
+.. _new_types:
+
+`New Types <#new_types>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to
+ use the HTTP GET method for OCSP requests; it will always use POST.
+
+.. _new_pkcs_11_mechanisms:
+
+`New PKCS #11 Mechanisms <#new_pkcs_11_mechanisms>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ None.
+
+.. _notable_changes_in_nss_3.15.4:
+
+`Notable Changes in NSS 3.15.4 <#notable_changes_in_nss_3.15.4>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best
+ practices.
+ - Updated the set of root CA certificates (version 1.96).
+ - Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an
+ application must now register a callback using the SSL_SetCanFalseStartCallback function.
+ - When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT build
+ configuration, specify OS_TARGET=WINNT.
+
+.. _bugs_fixed_in_nss_3.15.4:
+
+`Bugs fixed in NSS 3.15.4 <#bugs_fixed_in_nss_3.15.4>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ A complete list of all bugs resolved in this release can be obtained at
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.4&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst
new file mode 100644
index 0000000000..8bff77b0ef
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst
@@ -0,0 +1,93 @@
+.. _mozilla_projects_nss_nss_3_15_5_release_notes:
+
+NSS 3.15.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.15.5 is a patch release for NSS 3.15. The bug fixes in NSS
+ 3.15.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_15_5_RTM. NSS 3.15.5 requires NSPR 4.10.2 or newer.
+
+ NSS 3.15.5 source distributions are also available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_5_RTM/src/
+
+.. _new_in_nss_3.15.5:
+
+`New in NSS 3.15.5 <#new_in_nss_3.15.5>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Added support for the TLS `application layer protocol negotiation (ALPN)
+ extension `__. Two SSL socket
+ options, ``SSL_ENABLE_NPN`` and ``SSL_ENABLE_ALPN``, can be used to control whether NPN or
+ ALPN (or both) should be used for application layer protocol negotiation.
+ - Added the TLS `padding
+ extension `__. The extension type
+ value is 35655, which may change when an official extension type value is assigned by IANA.
+ NSS automatically adds the padding extension to ClientHello when necessary.
+ - Added a new macro ``CERT_LIST_TAIL``, defined in ``certt.h``, for getting the tail of a
+ ``CERTCertList``.
+
+.. _notable_changes_in_nss_3.15.5:
+
+`Notable Changes in NSS 3.15.5 <#notable_changes_in_nss_3.15.5>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 950129 `__: Improve the OCSP
+ fetching policy when verifying OCSP responses
+ - `Bug 949060 `__: Validate the ``iov``
+ input argument (an array of ``PRIOVec`` structures) of ``ssl_WriteV`` (called via
+ ``PR_Writev``). Applications should still take care when converting ``struct iov`` to
+ ``PRIOVec`` because the ``iov_len`` members of the two structures have different types
+ (``size_t`` vs. ``int``). ``size_t`` is unsigned and may be larger than ``int``.
+
+.. _bugs_fixed_in_nss_3.15.5:
+
+`Bugs fixed in NSS 3.15.5 <#bugs_fixed_in_nss_3.15.5>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ A complete list of all bugs resolved in this release can be obtained at
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.5&product=NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.15.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.15.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst
new file mode 100644
index 0000000000..2c5353f485
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst
@@ -0,0 +1,157 @@
+.. _mozilla_projects_nss_nss_3_15_release_notes:
+
+NSS 3.15 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.15, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer.
+
+ NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/
+
+.. _new_in_nss_3.15:
+
+`New in NSS 3.15 <#new_in_nss_3.15>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Support for OCSP Stapling (`RFC 6066 `__,
+ Certificate Status Request) has been added for both client and server sockets. TLS client
+ applications may enable this via a call to
+ ``SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);``
+ - Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now
+ declared as obsolete.
+ - Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via
+ *PK11_Encrypt* and *PK11_Decrypt*.
+ - certutil has been updated to support creating name constraints extensions.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in ssl.h*
+
+ - **SSL_PeerStapledOCSPResponse** - Returns the server's stapled OCSP response, when used
+ with a TLS client socket that negotiated the *status_request* extension.
+ - **SSL_SetStapledOCSPResponses** - Set's a stapled OCSP response for a TLS server socket to
+ return when clients send the *status_request* extension.
+
+ - *in ocsp.h*
+
+ - **CERT_PostOCSPRequest** - Primarily intended for testing, permits the sending and
+ receiving of raw OCSP request/responses.
+
+ - *in secpkcs7.h*
+
+ - **SEC_PKCS7VerifyDetachedSignatureAtTime** - Verifies a PKCS#7 signature at a specific time
+ other than the present time.
+
+ - *in xconst.h*
+
+ - **CERT_EncodeNameConstraintsExtension** - Matching function for
+ CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
+
+ - *in secitem.h*
+
+ - **SECITEM_AllocArray**
+ - **SECITEM_DupArray**
+ - **SECITEM_FreeArray**
+ - **SECITEM_ZfreeArray** - Utility functions to handle the allocation and deallocation of
+ *SECItemArray*\ s
+ - **SECITEM_ReallocItemV2** - Replaces *SECITEM_ReallocItem*, which is now obsolete.
+ *SECITEM_ReallocItemV2* better matches caller expectations, in that it updates
+ ``item->len`` on allocation. For more details of the issues with SECITEM_ReallocItem, see
+ `Bug 298649 `__ and `Bug 298938 `__.
+
+ - *in pk11pub.h*
+
+ - **PK11_Decrypt** - Performs decryption as a single PKCS#11 operation (eg: not multi-part).
+ This is necessary for AES-GCM.
+ - **PK11_Encrypt** - Performs encryption as a single PKCS#11 operation (eg: not multi-part).
+ This is necessary for AES-GCM.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in secitem.h*
+
+ - **SECItemArray** - Represents a variable-length array of *SECItem*\ s.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in ssl.h*
+
+ - **SSL_ENABLE_OCSP_STAPLING** - Used with *SSL_OptionSet* to configure TLS client sockets to
+ request the *certificate_status* extension (eg: OCSP stapling) when set to **PR_TRUE**
+
+.. _notable_changes_in_nss_3.15:
+
+`Notable Changes in NSS 3.15 <#notable_changes_in_nss_3.15>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - *SECITEM_ReallocItem* is now deprecated. Please consider using *SECITEM_ReallocItemV2* in all
+ future code.
+
+ - NSS has migrated from CVS to the Mercurial source control management system.
+
+ Updated build instructions are available at
+ :ref:`mozilla_projects_nss_reference_building_and_installing_nss_migration_to_hg`
+
+ As part of this migration, the source code directory layout has been re-organized.
+
+ - The list of root CA certificates in the *nssckbi* module has been updated.
+
+ - The default implementation of SSL_AuthCertificate has been updated to add certificate status
+ responses stapled by the TLS server to the OCSP cache.
+
+ Applications that use SSL_AuthCertificateHook to override the default handler should add
+ appropriate calls to *SSL_PeerStapledOCSPResponse* and
+ *CERT_CacheOCSPResponseFromSideChannel*.
+
+ - `Bug 554369 `__: Fixed correctness of
+ CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour.
+
+ - `Bug 853285 `__: Fixed bugs in AES GCM.
+
+ - `Bug 341127 `__: Fix the invalid read in
+ rc4_wordconv.
+
+ - `Faster NIST curve P-256
+ implementation `__.
+
+ - Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library
+ ``libfreebl_32int_3.so`` is no longer produced.
+
+.. _bugs_fixed_in_nss_3.15:
+
+`Bugs fixed in NSS 3.15 <#bugs_fixed_in_nss_3.15>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.15:
+
+ https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst
new file mode 100644
index 0000000000..7362895fe0
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst
@@ -0,0 +1,97 @@
+.. _mozilla_projects_nss_nss_3_16_1_release_notes:
+
+NSS 3.16.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.1 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_1_RTM. NSS 3.16.1 requires NSPR 4.10.5 or newer.
+
+ NSS 3.16.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_1_RTM/src/
+
+.. _new_in_nss_3.16.1:
+
+`New in NSS 3.16.1 <#new_in_nss_3.16.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Added the "ECC" flag for modutil to select the module used for elliptic curve cryptography
+ (ECC) operations.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in pk11pub.h*
+
+ - **PK11_ExportDERPrivateKeyInfo and PK11_ExportPrivKeyInfo** - exports a private key in a
+ DER-encoded ASN.1 PrivateKeyInfo type or a SECKEYPrivateKeyInfo structure. Only RSA private
+ keys are supported now.
+
+ - *in secmod.h*
+
+ - **SECMOD_InternalToPubMechFlags** - converts from NSS-internal to public representation of
+ mechanism flags.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in sslt.h*
+
+ - **ssl_padding_xtn** - the value of this enum constant changed from the experimental value
+ 35655 to the IANA-assigned value 21. .
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in secmod.h*
+
+ - **PUBLIC_MECH_ECC_FLAG** - a public mechanism flag for elliptic curve cryptography (ECC)
+ operations.
+
+ - *in utilmodt.h*
+
+ - **SECMOD_ECC_FLAG** - an NSS-internal mechanism flag for elliptic curve cryptography (ECC)
+ operations. This macro has the same numeric value as **PUBLIC_MECH_ECC_FLAG.**
+
+.. _notable_changes_in_nss_3.16.1:
+
+`Notable Changes in NSS 3.16.1 <#notable_changes_in_nss_3.16.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - Imposed `name constraints `__ on the
+ French government root CA ANSSI (DCISS).
+
+.. _bugs_fixed_in_nss_3.16.1:
+
+`Bugs fixed in NSS 3.16.1 <#bugs_fixed_in_nss_3.16.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.16.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16.1
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst
new file mode 100644
index 0000000000..f7c10ccb22
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst
@@ -0,0 +1,99 @@
+.. _mozilla_projects_nss_nss_3_16_2_1_release_notes:
+
+NSS 3.16.2.1 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.2.1 is a patch release for NSS 3.16, based on the NSS 3.16.2
+ release. The bug fixes in NSS 3.16.2.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_2_1_RTM. NSS 3.16.2.1 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.2.1 source distributions are also available on ftp.mozilla.org for secure HTTPS
+ download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_2_1_RTM/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.16.2.1. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 1064636 `__ - (CVE-2014-1568) RSA
+ Signature Forgery in NSS. See also `MFSA
+ 2014-73 `__ for details.
+
+.. _new_in_nss_3.16.2.1:
+
+`New in NSS 3.16.2.1 <#new_in_nss_3.16.2.1>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix a bug that
+ caused NSS to accept forged RSA signatures.
+
+ A new symbol, \_SGN_VerifyPKCS1DigestInfo is exported in this release. As with all exported NSS
+ symbols that have a leading underscore '_', this is an internal symbol for NSS use only.
+ Applications that use or depend on these symbols can and will break in future NSS releases.
+
+.. _bugs_fixed_in_nss_3.16.2.1:
+
+`Bugs fixed in NSS 3.16.2.1 <#bugs_fixed_in_nss_3.16.2.1>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 1064636 `__ - (CVE-2014-1568) RSA
+ Signature Forgery in NSS
+
+`Acknowledgements <#acknowledgements>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ The NSS development team would like to thank Antoine Delignat-Lavaud, security researcher at
+ Inria Paris in team Prosecco, and the Advanced Threat Research team at Intel Security, who both
+ independently discovered and reported this issue, for responsibly disclosing the issue by
+ providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.16.2.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.16.2.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst
new file mode 100644
index 0000000000..0a5f766f94
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst
@@ -0,0 +1,81 @@
+.. _mozilla_projects_nss_nss_3_16_2_2_release_notes:
+
+NSS 3.16.2.2 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.2.2 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.2.2 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_2_2_RTM. NSS 3.16.2.2 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.2.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_2_2_RTM/src/
+
+.. _new_in_nss_3.16.2.2:
+
+`New in NSS 3.16.2.2 <#new_in_nss_3.16.2.2>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix a regression.
+
+.. _notable_changes_in_nss_3.16.2.2:
+
+`Notable Changes in NSS 3.16.2.2 <#notable_changes_in_nss_3.16.2.2>`__
+----------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1049435 `__: Change
+ RSA_PrivateKeyCheck to not require p > q. This fixes a regression introduced in NSS 3.16.2
+ that prevented NSS from importing some RSA private keys (such as in PKCS #12 files) generated
+ by other crypto libraries.
+
+.. _bugs_fixed_in_nss_3.16.2.2:
+
+`Bugs fixed in NSS 3.16.2.2 <#bugs_fixed_in_nss_3.16.2.2>`__
+------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1049435 `__ - Importing an RSA
+ private key fails if p < q
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.16.2.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.16.2.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst
new file mode 100644
index 0000000000..1b834338e3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst
@@ -0,0 +1,110 @@
+.. _mozilla_projects_nss_nss_3_16_2_3_release_notes:
+
+NSS 3.16.2.3 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.16.2.3 is a patch release for NSS 3.16. The bug fixes in NSS
+ 3.16.2.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_16_2_3_RTM. NSS 3.16.2.3 requires NSPR 4.10.6 or newer.
+
+ NSS 3.16.2.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_2_3_RTM/src/
+
+.. _new_in_nss_3.16.2.3:
+
+`New in NSS 3.16.2.3 <#new_in_nss_3.16.2.3>`__
+----------------------------------------------
+
+.. container::
+
+ This patch release fixes a bug and contains a backport of the TLS_FALLBACK_SCSV feature, which
+ was originally made available in NSS 3.17.1.
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `TLS_FALLBACK_SCSV `__
+ is a signaling cipher suite value that indicates a handshake is the result of TLS version
+ fallback.
+
+.. _new_macros:
+
+`New Macros <#new_macros>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - *in ssl.h*
+
+ - **SSL_ENABLE_FALLBACK_SCSV** - an SSL socket option that enables TLS_FALLBACK_SCSV. Off by
+ default.
+
+ - *in sslerr.h*
+
+ - **SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT** - a new SSL error code.
+
+ - *in sslproto.h*
+
+ - **TLS_FALLBACK_SCSV** - a signaling cipher suite value that indicates a handshake is the
+ result of TLS version fallback.
+
+.. _notable_changes_in_nss_3.16.2.3:
+
+`Notable Changes in NSS 3.16.2.3 <#notable_changes_in_nss_3.16.2.3>`__
+----------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1057161 `__: Check that an imported
+ elliptic curve public key is valid. Previously NSS would only validate the peer's public key
+ before performing ECDH key agreement. Now EC public keys are validated at import time.
+
+.. _bugs_fixed_in_nss_3.16.2.3:
+
+`Bugs fixed in NSS 3.16.2.3 <#bugs_fixed_in_nss_3.16.2.3>`__
+------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1057161 `__ - NSS hangs with 100%
+ CPU on invalid EC key
+ - `Bug 1036735 `__ - Add support for
+ draft-ietf-tls-downgrade-scsv to NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.16.2.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.16.2.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst
new file mode 100644
index 0000000000..e4b56a4f64
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst
@@ -0,0 +1,114 @@ +.. _mozilla_projects_nss_nss_3_16_2_release_notes: + +NSS 3.16.2 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.16.2 is a patch release for NSS 3.16. The bug fixes in NSS + 3.16.2 are described in the "Bugs Fixed" section below. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_16_2_RTM. NSS 3.16.2 requires NSPR 4.10.6 or newer. + + NSS 3.16.2 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_2_RTM/src/ + +.. _new_in_nss_3.16.2: + +`New in NSS 3.16.2 <#new_in_nss_3.16.2>`__ +------------------------------------------ + +.. _new_functionality: + +`New Functionality <#new_functionality>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - DTLS 1.2 is supported. + - The TLS application layer protocol negotiation (ALPN) extension is also supported on the + server side. + - RSA-OEAP is supported. Use the new PK11_PrivDecrypt and PK11_PubEncrypt functions with the + CKM_RSA_PKCS_OAEP mechanism. + - New Intel AES assembly code for 32-bit and 64-bit Windows, contributed by Shay Gueron and Vlad + Krasnov of Intel. + + .. rubric:: New Functions + :name: new_functions + + - *in cert.h* + + - **CERT_AddExtensionByOID** - adds an extension to a certificate. It is the same as + CERT_AddExtension except that the OID is represented by a SECItem instead of a SECOidTag. + + - *in pk11pub.h* + + - **PK11_PrivDecrypt** - decrypts with a private key. The algorithm is specified with a + CK_MECHANISM_TYPE. + - **PK11_PubEncrypt** - encrypts with a public key. The algorithm is specified with a + CK_MECHANISM_TYPE. + + .. 
rubric:: New Macros + :name: new_macros + + - *in sslerr.h* + + - **SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK** - An SSL error code that means the next protcol + negotiation extension was enabled, but the callback was cleared prior to being needed. + - **SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL** - An SSL error code that means the server supports + no protocols that the client advertises in the ALPN extension. + +.. _notable_changes_in_nss_3.16.2: + +`Notable Changes in NSS 3.16.2 <#notable_changes_in_nss_3.16.2>`__ +------------------------------------------------------------------ + +.. container:: + + - The btoa command has a new command-line option -w *suffix*, which causes the output to be + wrapped in BEGIN/END lines with the given suffix. Use "c" as a shorthand for the suffix + CERTIFICATE. + - The certutil commands supports additionals types of subject alt name extensions: + + - --extSAN *type:name[,type:name]...* + + - The certutil commands supports generic certificate extensions, by loading binary data from + files, which have been prepared using external tools, or which have been extracted and dumped + to file from other existing certificates: + + - --dump-ext-val *OID* + - --extGeneric *OID:critical-flag:filename[,OID:critical-flag:filename]...* + + - The certutil command has three new certificate usage specifiers: + + - L: certificateUsageSSLCA + - A: certificateUsageAnyCA + - Y: certificateUsageVerifyCA + + - The pp command has a new command-line option -u, which means "use UTF-8". The default is to + show a non-ASCII character as ".". + - On Linux, NSS is built with the -ffunction-sections -fdata-sections compiler flags and the + --gc-sections linker flag to allow unused functions to be discarded. + +.. _bugs_fixed_in_nss_3.16.2: + +`Bugs fixed in NSS 3.16.2 <#bugs_fixed_in_nss_3.16.2>`__ +-------------------------------------------------------- + +.. 
container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.16.2:
+
+ | https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16.2
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst
new file mode 100644
index 0000000000..4bbf16cc45
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst
@@ -0,0 +1,171 @@ +.. _mozilla_projects_nss_nss_3_16_3_release_notes: + +NSS 3.16.3 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.16.3 is a patch release for NSS 3.16. The bug fixes in NSS + 3.16.3 are described in the "Bugs Fixed" section below. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_16_3_RTM. NSS 3.16.3 requires NSPR 4.10.6 or newer. + + NSS 3.16.3 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_3_RTM/src/ + +.. _new_in_nss_3.16.3: + +`New in NSS 3.16.3 <#new_in_nss_3.16.3>`__ +------------------------------------------ + +.. container:: + + This release consists primarily of CA certificate changes as listed below, and fixes an issue + with a recently added utility function. + + .. rubric:: New Functions + :name: new_functions + + - *in cert.h* + + - **CERT_GetGeneralNameTypeFromString** - An utlity function to lookup a value of type + CERTGeneralNameType given a human readable string. This function was already added in NSS + 3.16.2, however, it wasn't declared in a public header file. + +.. _notable_changes_in_nss_3.16.3: + +`Notable Changes in NSS 3.16.3 <#notable_changes_in_nss_3.16.3>`__ +------------------------------------------------------------------ + +.. 
container:: + + - The following **1024-bit** CA certificates were **Removed** + + - CN = Entrust.net Secure Server Certification Authority + + - SHA1 Fingerprint: 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39 + + - CN = GTE CyberTrust Global Root + + - SHA1 Fingerprint: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74 + + - OU = ValiCert Class 1 Policy Validation Authority + + - SHA1 Fingerprint: E5:DF:74:3C:B6:01:C4:9B:98:43:DC:AB:8C:E8:6A:81:10:9F:E4:8E + + - OU = ValiCert Class 2 Policy Validation Authority + + - SHA1 Fingerprint: 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6 + + - OU = ValiCert Class 3 Policy Validation Authority + + - SHA1 Fingerprint: 69:BD:8C:F4:9C:D3:00:FB:59:2E:17:93:CA:55:6A:F3:EC:AA:35:FB + + - Additionally, the following CA certificate was **Removed** as requested by the CA + + - OU = TDC Internet Root CA + + - SHA1 Fingerprint: 21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A + + - The following CA certificates were **Added** + + - CN = Certification Authority of WoSign + + - SHA1 Fingerprint: B9:42:94:BF:91:EA:8F:B6:4B:E6:10:97:C7:FB:00:13:59:B6:76:CB + + - CN = CA 沃通根证书 + + - SHA1 Fingerprint: 16:32:47:8D:89:F9:21:3A:92:00:85:63:F5:A4:A7:D3:12:40:8A:D6 + + - CN = DigiCert Assured ID Root G2 + + - SHA1 Fingerprint: A1:4B:48:D9:43:EE:0A:0E:40:90:4F:3C:E0:A4:C0:91:93:51:5D:3F + + - CN = DigiCert Assured ID Root G3 + + - SHA1 Fingerprint: F5:17:A2:4F:9A:48:C6:C9:F8:A2:00:26:9F:DC:0F:48:2C:AB:30:89 + + - CN = DigiCert Global Root G2 + + - SHA1 Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4 + + - CN = DigiCert Global Root G3 + + - SHA1 Fingerprint: 7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E + + - CN = DigiCert Trusted Root G4 + + - SHA1 Fingerprint: DD:FB:16:CD:49:31:C9:73:A2:03:7D:3F:C8:3A:4D:7D:77:5D:05:E4 + + - CN = QuoVadis Root CA 1 G3 + + - SHA1 Fingerprint: 1B:8E:EA:57:96:29:1A:C9:39:EA:B8:0A:81:1A:73:73:C0:93:79:67 + + - CN = QuoVadis Root 
CA 2 G3 + + - SHA1 Fingerprint: 09:3C:61:F3:8B:8B:DC:7D:55:DF:75:38:02:05:00:E1:25:F5:C8:36 + + - CN = QuoVadis Root CA 3 G3 + + - SHA1 Fingerprint: 48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D + + - The **Trust Bits were changed** for the following CA certificates + + - OU = Class 3 Public Primary Certification Authority + + - SHA1 Fingerprint: A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B + - Turned off websites and code signing trust bits (1024-bit root) + + - OU = Class 3 Public Primary Certification Authority + + - SHA1 Fingerprint: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2 + - Turned off websites and code signing trust bits (1024-bit root) + + - OU = Class 2 Public Primary Certification Authority - G2 + + - SHA1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D + - Turned off code signing trust bit (change requested by CA) + + - CN = VeriSign Class 2 Public Primary Certification Authority - G3 + + - SHA-1 Fingerprint: 61:EF:43:D7:7F:CA:D4:61:51:BC:98:E0:C3:59:12:AF:9F:EB:63:11 + - Turned off code signing trust bit (change requested by CA) + + - CN = AC Raíz Certicámara S.A. + + - SHA1 Fingerprint: CB:A1:C5:F8:B0:E3:5E:B8:B9:45:12:D3:F9:34:A2:E9:06:10:D3:36 + - Turned off websites trust bit (change requested by CA) + + - CN = NetLock Uzleti (Class B) Tanusitvanykiado + + - SHA1 Fingerprint: 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF + - Turned off websites and code signing trust bits (1024-bit root) + + - CN = NetLock Expressz (Class C) Tanusitvanykiado + + - SHA1 Fingerprint: E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B + - Turned off websites and code signing trust bits (1024-bit root) + +.. _bugs_fixed_in_nss_3.16.3: + +`Bugs fixed in NSS 3.16.3 <#bugs_fixed_in_nss_3.16.3>`__ +-------------------------------------------------------- + +.. 
container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.16.3:
+
+ | https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16.3
+ |
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst
new file mode 100644
index 0000000000..697966fbab
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst
@@ -0,0 +1,75 @@ +.. _mozilla_projects_nss_nss_3_16_4_release_notes: + +NSS 3.16.4 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.16.4 is a patch release for NSS 3.16. The bug fixes in NSS + 3.16.4 are described in the "Bugs Fixed" section below. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_16_4_RTM. NSS 3.16.4 requires NSPR 4.10.6 or newer. + + NSS 3.16.4 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_4_RTM/src/ + +.. _new_in_nss_3.16.4: + +`New in NSS 3.16.4 <#new_in_nss_3.16.4>`__ +------------------------------------------ + +.. container:: + + This release consists primarily of CA certificate changes as listed below, and includes a small + number of bug fixes. + +.. _notable_changes_in_nss_3.16.4: + +`Notable Changes in NSS 3.16.4 <#notable_changes_in_nss_3.16.4>`__ +------------------------------------------------------------------ + +.. container:: + + - The following **1024-bit** root CA certificate was **restored** to allow more time to develop + a better transition strategy for affected sites. It was removed in + :ref:`mozilla_projects_nss_nss_3_16_3_release_notes`, but discussion in the + mozilla.dev.security.policy forum led to the decision to keep this root included longer in + order to give website administrators more time to update their web servers. 
+
+ - CN = GTE CyberTrust Global Root
+
+ - SHA1 Fingerprint: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+
+ - In :ref:`mozilla_projects_nss_nss_3_16_3_release_notes`, the **1024-bit** "Entrust.net Secure
+ Server Certification Authority" root CA certificate (SHA1 Fingerprint:
+ 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39) was removed. In NSS 3.16.4, a
+ **2048-bit** intermediate CA certificate has been included, without explicit trust. The
+ intention is to mitigate the effects of the previous removal of the 1024-bit Entrust.net root
+ certificate, because many public Internet sites still use the "USERTrust Legacy Secure Server
+ CA" intermediate certificate that is signed by the 1024-bit Entrust.net root certificate. The
+ inclusion of the intermediate certificate is a temporary measure to allow those sites to
+ function, by allowing them to find a trust path to another **2048-bit** root CA certificate.
+ The temporarily included intermediate certificate expires November 1, 2015.
+
+.. _bugs_fixed_in_nss_3.16.4:
+
+`Bugs fixed in NSS 3.16.4 <#bugs_fixed_in_nss_3.16.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.16.4:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16.4
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst
new file mode 100644
index 0000000000..0814f7f2bf
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst
@@ -0,0 +1,98 @@ +.. _mozilla_projects_nss_nss_3_16_5_release_notes: + +NSS 3.16.5 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.16.5 is a patch release for NSS 3.16. The bug fixes in NSS + 3.16.5 are described in the "Bugs Fixed" section below. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_16_5_RTM. NSS 3.16.5 requires NSPR 4.10.6 or newer. + + NSS 3.16.5 source distributions are also available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_5_RTM/src/ + +.. _security_advisories: + +`Security Advisories <#security_advisories>`__ +---------------------------------------------- + +.. container:: + + The following security-relevant bugs have been resolved in NSS 3.16.5. Users are encouraged to + upgrade immediately. + + - `Bug 1064636 `__ - (CVE-2014-1568) RSA + Signature Forgery in NSS. See also `MFSA + 2014-73 `__ for details. + +.. _new_in_nss_3.16.5: + +`New in NSS 3.16.5 <#new_in_nss_3.16.5>`__ +------------------------------------------ + +.. _new_functionality: + +`New Functionality <#new_functionality>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + No new functionality is introduced in this release. This is a patch release to fix a bug that + caused NSS to accept forged RSA signatures. + + A new symbol, \_SGN_VerifyPKCS1DigestInfo is exported in this release. As with all exported NSS + symbols that have a leading underscore '_', this is an internal symbol for NSS use only. + Applications that use or depend on these symbols can and will break in future NSS releases. + +.. 
_bugs_fixed_in_nss_3.16.5:
+
+`Bugs fixed in NSS 3.16.5 <#bugs_fixed_in_nss_3.16.5>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 1064636 `__ - (CVE-2014-1568) RSA
+ Signature Forgery in NSS
+
+`Acknowledgements <#acknowledgements>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ The NSS development team would like to thank Antoine Delignat-Lavaud, security researcher at
+ Inria Paris in team Prosecco, and the Advanced Threat Research team at Intel Security, who both
+ independently discovered and reported this issue, for responsibly disclosing the issue by
+ providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.16.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.16.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst
new file mode 100644
index 0000000000..0dd9ff3ada
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst
@@ -0,0 +1,81 @@ +.. _mozilla_projects_nss_nss_3_16_6_release_notes: + +NSS 3.16.6 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.16.6 is a patch release for NSS 3.16. The bug fixes in NSS + 3.16.6 are described in the "Bugs Fixed" section below. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_16_6_RTM. NSS 3.16.6 requires NSPR 4.10.6 or newer. + + NSS 3.16.6 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_6_RTM/src/ + +.. _new_in_nss_3.16.6: + +`New in NSS 3.16.6 <#new_in_nss_3.16.6>`__ +------------------------------------------ + +.. _new_functionality: + +`New Functionality <#new_functionality>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + No new functionality is introduced in this release. This is a patch release to fix a regression. + +.. _notable_changes_in_nss_3.16.6: + +`Notable Changes in NSS 3.16.6 <#notable_changes_in_nss_3.16.6>`__ +------------------------------------------------------------------ + +.. container:: + + - `Bug 1049435 `__: Change + RSA_PrivateKeyCheck to not require p > q. This fixes a regression introduced in NSS 3.16.2 + that prevented NSS from importing some RSA private keys (such as in PKCS #12 files) generated + by other crypto libraries. + +.. _bugs_fixed_in_nss_3.16.6: + +`Bugs fixed in NSS 3.16.6 <#bugs_fixed_in_nss_3.16.6>`__ +-------------------------------------------------------- + +.. container:: + + - `Bug 1049435 `__ - Importing an RSA + private key fails if p < q + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. 
container::
+
+ NSS 3.16.6 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.16.6 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst
new file mode 100644
index 0000000000..212a599e92
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst
@@ -0,0 +1,98 @@ +.. _mozilla_projects_nss_nss_3_16_release_notes: + +NSS 3.16 release notes +====================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + The NSS team has released Network Security Services (NSS) 3.16, which is a minor release. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_16_RTM. NSS 3.16 requires NSPR 4.10.3 or newer. + + NSS 3.16 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_16_RTM/src/ + +.. _new_in_nss_3.16: + +`New in NSS 3.16 <#new_in_nss_3.16>`__ +-------------------------------------- + +.. _new_functionality: + +`New Functionality <#new_functionality>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - Supports the Linux x32 ABI. (This requires NSPR 4.10.4.) To build for the Linux x32 target, + set the environment variable USE_X32=1 when building NSS. + + .. rubric:: New Functions + :name: new_functions + + - *in cms.h* + + - **NSS_CMSSignerInfo_Verify** - verify the signature of a single SignerInfo. It just + verifies the signature, assuming that the certificate has been verified already. + + .. rubric:: New Macros + :name: new_macros + + - *in sslproto.h* + + - **TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.** - cipher suites that were + first defined in SSL 3.0 can now be referred to with their official IANA names in TLS, with + the TLS\_ prefix. Previously, they had to be referred to with their names in SSL 3.0, with + the SSL\_ prefix. + +.. _notable_changes_in_nss_3.16: + +`Notable Changes in NSS 3.16 <#notable_changes_in_nss_3.16>`__ +-------------------------------------------------------------- + +.. container:: + + - ECC is enabled by default. 
It is no longer necessary to set the environment variable
+ NSS_ENABLE_ECC=1 when building NSS. To disable ECC, set the environment variable
+ NSS_DISABLE_ECC=1 when building NSS.
+ - `Bug 903885 `__: (CVE-2014-1492) In a
+ wildcard certificate, the wildcard character should not be embedded within the U-label of an
+ internationalized domain name. See the last bullet point in `RFC 6125, Section
+ 7.2 `__.
+ - `Bug 962760 `__: libpkix should not
+ include the common name of CA as DNS names when evaluating name constraints.
+ - `Bug 981170 `__: AESKeyWrap_Decrypt
+ should not return SECSuccess for invalid keys.
+ - `Bug 974693 `__: Fix a memory corruption
+ in sec_pkcs12_new_asafe.
+ - `Bug 956082 `__: If the NSS_SDB_USE_CACHE
+ environment variable is set, skip the runtime test sdb_measureAccess.
+ - The built-in roots module has been updated to version 1.97, which adds, removes, and distrusts
+ several certificates.
+ - The atob utility has been improved to automatically ignore lines of text that aren't in base64
+ format.
+ - The certutil utility has been improved to support creation of version 1 and version 2
+ certificates, in addition to the existing version 3 support.
+
+.. _bugs_fixed_in_nss_3.16:
+
+`Bugs fixed in NSS 3.16 <#bugs_fixed_in_nss_3.16>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.16:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst
new file mode 100644
index 0000000000..cc1f7a711a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst
@@ -0,0 +1,132 @@ +.. _mozilla_projects_nss_nss_3_17_1_release_notes: + +NSS 3.17.1 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.17.1 is a patch release for NSS 3.17. The bug fixes in NSS + 3.17.1 are described in the "Bugs Fixed" section below. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_17_1_RTM. NSS 3.17.1 requires NSPR 4.10.7 or newer. + + NSS 3.17.1 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_1_RTM/src/ + +.. _security_advisories: + +`Security Advisories <#security_advisories>`__ +---------------------------------------------- + +.. container:: + + The following security-relevant bugs have been resolved in NSS 3.17.1. Users are encouraged to + upgrade immediately. + + - `Bug 1064636 `__ - (CVE-2014-1568) RSA + Signature Forgery in NSS. See also `MFSA + 2014-73 `__ for details. + +.. _new_in_nss_3.17.1: + +`New in NSS 3.17.1 <#new_in_nss_3.17.1>`__ +------------------------------------------ + +.. container:: + + This patch release adds new functionality and fixes a bug that caused NSS to accept forged RSA + signatures. + + A new symbol, \_SGN_VerifyPKCS1DigestInfo is exported in this release. As with all exported NSS + symbols that have a leading underscore '_', this is an internal symbol for NSS use only. + Applications that use or depend on these symbols can and will break in future NSS releases. + +.. _new_functionality: + +`New Functionality <#new_functionality>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `TLS_FALLBACK_SCSV `__ + is a signaling cipher suite value that indicates a handshake is the result of TLS version + fallback. 
+ + .. rubric:: New Macros + :name: new_macros + + - *in ssl.h* + + - **SSL_ENABLE_FALLBACK_SCSV** - an SSL socket option that enables TLS_FALLBACK_SCSV. Off by + default. + + - *in sslerr.h* + + - **SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT** - a new SSL error code. + + - *in sslproto.h* + + - **TLS_FALLBACK_SCSV** - a signaling cipher suite value that indicates a handshake is the + result of TLS version fallback. + +.. _notable_changes_in_nss_3.17.1: + +`Notable Changes in NSS 3.17.1 <#notable_changes_in_nss_3.17.1>`__ +------------------------------------------------------------------ + +.. container:: + + - `Signature algorithms now use SHA-256 instead of SHA-1 by + default `__. + - Added support for Linux on little-endian powerpc64. + +.. _bugs_fixed_in_nss_3.17.1: + +`Bugs fixed in NSS 3.17.1 <#bugs_fixed_in_nss_3.17.1>`__ +-------------------------------------------------------- + +.. container:: + + | This Bugzilla query returns all the bugs fixed in NSS 3.17.1: + | https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.1 + +`Acknowledgements <#acknowledgements>`__ +---------------------------------------- + +.. container:: + + The NSS development team would like to thank Antoine Delignat-Lavaud, security researcher at + Inria Paris in team Prosecco, and the Advanced Threat Research team at Intel Security, who both + independently discovered and reported this issue, for responsibly disclosing the issue by + providing advance copies of their research. + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.17.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.17.1 shared libraries + without recompiling or relinking. 
Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst
new file mode 100644
index 0000000000..38a4fc9047
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst
@@ -0,0 +1,88 @@ +.. _mozilla_projects_nss_nss_3_17_2_release_notes: + +NSS 3.17.2 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.17.2 is a patch release for NSS 3.17. The bug fixes in NSS + 3.17.2 are described in the "Bugs Fixed" section below. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_17_2_RTM. NSS 3.17.2 requires NSPR 4.10.7 or newer. + + NSS 3.17.2 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_2_RTM/src/ + +.. _new_in_nss_3.17.2: + +`New in NSS 3.17.2 <#new_in_nss_3.17.2>`__ +------------------------------------------ + +.. _new_functionality: + +`New Functionality <#new_functionality>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + No new functionality is introduced in this release. This is a patch release to fix a regression + and other bugs. + +.. _notable_changes_in_nss_3.17.2: + +`Notable Changes in NSS 3.17.2 <#notable_changes_in_nss_3.17.2>`__ +------------------------------------------------------------------ + +.. container:: + + - `Bug 1049435 `__: Change + RSA_PrivateKeyCheck to not require p > q. This fixes a regression introduced in NSS 3.16.2 + that prevented NSS from importing some RSA private keys (such as in PKCS #12 files) generated + by other crypto libraries. + - `Bug 1057161 `__: Check that an imported + elliptic curve public key is valid. Previously NSS would only validate the peer's public key + before performing ECDH key agreement. Now EC public keys are validated at import time. + - `Bug 1078669 `__: certutil crashes when + an argument is passed to the --certVersion option. + +.. 
_bugs_fixed_in_nss_3.17.2:
+
+`Bugs fixed in NSS 3.17.2 <#bugs_fixed_in_nss_3.17.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.17.2:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.2
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.17.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.17.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst
new file mode 100644
index 0000000000..f4ee1ca11f
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst
@@ -0,0 +1,134 @@
+.. _mozilla_projects_nss_nss_3_17_3_release_notes:
+
+NSS 3.17.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.17.3 is a patch release for NSS 3.17. The bug fixes in NSS
+ 3.17.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_17_3_RTM. NSS 3.17.3 requires NSPR 4.10.7 or newer.
+
+ NSS 3.17.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_3_RTM/src/
+
+.. _new_in_nss_3.17.3:
+
+`New in NSS 3.17.3 <#new_in_nss_3.17.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Support for TLS_FALLBACK_SCSV has been added to the ssltap and tstclnt utilities.
+
+.. _notable_changes_in_nss_3.17.3:
+
+`Notable Changes in NSS 3.17.3 <#notable_changes_in_nss_3.17.3>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The QuickDER decoder now decodes lengths robustly (CVE-2014-1569).
+ - The following CA certificates were **Removed**
+
+ - CN = GTE CyberTrust Global Root
+
+ - SHA1 Fingerprint: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
+
+ - CN = Thawte Server CA
+
+ - SHA1 Fingerprint: 23:E5:94:94:51:95:F2:41:48:03:B4:D5:64:D2:A3:A3:F5:D8:8B:8C
+
+ - CN = Thawte Premium Server CA
+
+ - SHA1 Fingerprint: 62:7F:8D:78:27:65:63:99:D2:7D:7F:90:44:C9:FE:B3:F3:3E:FA:9A
+
+ - CN = America Online Root Certification Authority 1
+
+ - SHA-1 Fingerprint: 39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
+
+ - CN = America Online Root Certification Authority 2
+
+ - SHA-1 Fingerprint: 85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
+
+ - The following CA certificates had the Websites and Code Signing **trust bits turned off**
+
+ - OU = Class 3 Public Primary Certification Authority - G2
+
+ - SHA1 Fingerprint: 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
+
+ - CN = Equifax Secure eBusiness CA-1
+
+ - SHA1 Fingerprint: DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
+
+ - The following CA certificates were **Added**
+
+ - CN = COMODO RSA Certification Authority
+
+ - SHA1 Fingerprint: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
+
+ - CN = USERTrust RSA Certification Authority
+
+ - SHA1 Fingerprint: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
+
+ - CN = USERTrust ECC Certification Authority
+
+ - SHA1 Fingerprint: D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0
+
+ - CN = GlobalSign ECC Root CA - R4
+
+ - SHA1 Fingerprint: 69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB
+
+ - CN = GlobalSign ECC Root CA - R5
+
+ - SHA1 Fingerprint: 1F:24:C6:30:CD:A4:18:EF:20:69:FF:AD:4F:DD:5F:46:3A:1B:69:AA
+
+ - The version number of the updated root CA list has been set to 2.2
+
+.. _bugs_fixed_in_nss_3.17.3:
+
+`Bugs fixed in NSS 3.17.3 <#bugs_fixed_in_nss_3.17.3>`__
+--------------------------------------------------------
+
+.. 
container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.17.3:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.3
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.17.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.17.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst
new file mode 100644
index 0000000000..ce46881724
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst
@@ -0,0 +1,90 @@
+.. _mozilla_projects_nss_nss_3_17_4_release_notes:
+
+NSS 3.17.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.17.4 is a patch release for NSS 3.17. The bug fixes in NSS
+ 3.17.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_17_4_RTM. NSS 3.17.4 requires NSPR 4.10.7 or newer.
+
+ NSS 3.17.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_4_RTM/src/
+
+.. _new_in_nss_3.17.4:
+
+`New in NSS 3.17.4 <#new_in_nss_3.17.4>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix multiple bugs.
+
+.. _notable_changes_in_nss_3.17.4:
+
+`Notable Changes in NSS 3.17.4 <#notable_changes_in_nss_3.17.4>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1084986 `__: If an SSL/TLS
+ connection fails, because client and server don't have any common protocol version enabled,
+ NSS has been changed to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting
+ SSL_ERROR_NO_CYPHER_OVERLAP).
+ - `Bug 1112461 `__: libpkix was fixed to
+ prefer the newest certificate, if multiple certificates match.
+ - `Bug 1094492 `__: fixed a memory
+ corruption issue during failure of keypair generation.
+ - `Bug 1113632 `__: fixed a failure to
+ reload a PKCS#11 module in FIPS mode.
+ - `Bug 1119983 `__: fixed interoperability
+ of NSS server code with a LibreSSL client.
+
+.. 
_bugs_fixed_in_nss_3.17.4:
+
+`Bugs fixed in NSS 3.17.4 <#bugs_fixed_in_nss_3.17.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.17.4:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.4
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.17.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.17.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst
new file mode 100644
index 0000000000..8dff4484ea
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst
@@ -0,0 +1,72 @@
+.. _mozilla_projects_nss_nss_3_17_release_notes:
+
+NSS 3.17 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.17, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_17_RTM. NSS 3.17 requires NSPR 4.10.7 or newer.
+
+ NSS 3.17 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_RTM/src/
+
+.. _new_in_nss_3.17:
+
+`New in NSS 3.17 <#new_in_nss_3.17>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - When using ECDHE, the TLS server code may be configured to generate a fresh ephemeral ECDH key
+ for each handshake, by setting the SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The
+ SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means the server's ephemeral ECDH
+ key is reused for multiple handshakes. This option does not affect the TLS client code, which
+ always generates a fresh ephemeral ECDH key for each handshake.
+
+ New Macros
+
+ - *in ssl.h*
+
+ - **SSL_REUSE_SERVER_ECDHE_KEY**
+
+.. _notable_changes_in_nss_3.17:
+
+`Notable Changes in NSS 3.17 <#notable_changes_in_nss_3.17>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The manual pages for the certutil and pp tools have been updated to document the new
+ parameters that had been added in NSS 3.16.2.
+ - On Windows, the new build variable USE_STATIC_RTL can be used to specify the static C runtime
+ library should be used. By default the dynamic C runtime library is used.
+
+.. _bugs_fixed_in_nss_3.17:
+
+`Bugs fixed in NSS 3.17 <#bugs_fixed_in_nss_3.17>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.17:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst
new file mode 100644
index 0000000000..33d2dae71e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst
@@ -0,0 +1,105 @@
+.. _mozilla_projects_nss_nss_3_18_1_release_notes:
+
+NSS 3.18.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.18.1 is a patch release for NSS 3.18. The bug fixes in NSS
+ 3.18.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_18_1_RTM. NSS 3.18.1 requires NSPR 4.10.8 or newer.
+
+ NSS 3.18.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_18_1_RTM/src/
+
+.. _new_in_nss_3.18.1:
+
+`New in NSS 3.18.1 <#new_in_nss_3.18.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to update the list of
+ root CA certificates.
+
+.. _notable_changes_in_nss_3.18.1:
+
+`Notable Changes in NSS 3.18.1 <#notable_changes_in_nss_3.18.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificate had the Websites and Code Signing trust **bits restored to their
+ original state** to allow more time to develop a better transition strategy for affected
+ sites. The Websites and Code Signing trust bits were turned off in
+ :ref:`mozilla_projects_nss_nss_3_18_release_notes`. But when Firefox 38 went into Beta, there
+ was a huge spike in the number of certificate verification errors attributed to this change.
+ So, to give website administrators more time to update their web servers, we reverted the
+ trust bits back to being enabled.
+
+ - OU = Equifax Secure Certificate Authority
+
+ - SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
+
+ - The following CA certificate was **removed** after `discussion about
+ it `__
+ in the mozilla.dev.security.policy forum\ **.**
+
+ - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
+
+ - SHA1 Fingerprint: DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
+
+ - The following intermediate CA certificate has been added as `actively
+ distrusted `__
+ because it was
+ `misused `__ to
+ issue certificates for domain names the holder did not own or control.
+
+ - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG
+
+ - SHA1 Fingerprint: E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76
+
+ - The version number of the updated root CA list has been set to 2.4
+
+.. _bugs_fixed_in_nss_3.18.1:
+
+`Bugs fixed in NSS 3.18.1 <#bugs_fixed_in_nss_3.18.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.18.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.18.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.18.1 shared libraries are backward compatible with all older NSS 3.18 shared libraries. A
+ program linked with older NSS 3.18 shared libraries will work with NSS 3.18.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst
new file mode 100644
index 0000000000..8be06abbbe
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst
@@ -0,0 +1,169 @@
+.. _mozilla_projects_nss_nss_3_18_release_notes:
+
+NSS 3.18 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.18, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_18_RTM. NSS 3.18 requires NSPR 4.10.8 or newer.
+
+ NSS 3.18 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_18_RTM/src/
+
+.. _new_in_nss_3.18:
+
+`New in NSS 3.18 <#new_in_nss_3.18>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - When importing certificates and keys from a PKCS#12 source, it's now possible to override the
+ nicknames, prior to importing them into the NSS database, using new API
+ SEC_PKCS12DecoderRenameCertNicknames.
+ - The tstclnt test utility program has new command-line options -C, -D, -b and -R.
+ Use -C one, two or three times to print information about the certificates received from a
+ server, and information about the locally found and trusted issuer certificates, to diagnose
+ server side configuration issues. It is possible to run tstclnt without providing a database
+ (-D). A PKCS#11 library that contains root CA certificates can be loaded by tstclnt, which may
+ either be the nssckbi library provided by NSS (-b) or another compatible library (-R).
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in certdb.h*
+
+ - **SEC_CheckCrlTimes** - Check the validity of a CRL at the given time.
+ - **SEC_GetCrlTimes** - Extract the validity times from a CRL.
+
+ - *in p12.h*
+
+ - **SEC_PKCS12DecoderRenameCertNicknames** - call an application provided callback for each
+ certificate found in a SEC_PKCS12DecoderContext.
+
+ - *in pk11pub.h*
+
+ - **\__PK11_SetCertificateNickname** - this is an internal symbol for NSS use only, as with
+ all exported NSS symbols that have a leading underscore '_'. Applications that use or
+ depend on these symbols can and will break in future NSS releases.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in p12.h*
+
+ - **SEC_PKCS12NicknameRenameCallback** - a function pointer definition. An application that
+ uses SEC_PKCS12DecoderRenameCertNicknames must implement a callback function that
+ implements this function interface.
+
+.. _notable_changes_in_nss_3.18:
+
+`Notable Changes in NSS 3.18 <#notable_changes_in_nss_3.18>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The highest TLS protocol version enabled by default has been increased from TLS 1.0 to TLS
+ 1.2. Similarly, the highest DTLS protocol version enabled by default has been increased from
+ DTLS 1.0 to DTLS 1.2.
+ - The default key size used by certutil when creating an RSA key pair has been increased from
+ 1024 bits to 2048 bits.
+ - On Mac OS X, by default the softokn shared library will link with the sqlite library installed
+ by the operating system, if it is version 3.5 or newer.
+ - The following CA certificates had the Websites and Code Signing **trust bits turned off**
+
+ - OU = Equifax Secure Certificate Authority
+
+ - SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
+
+ - CN = Equifax Secure Global eBusiness CA-1
+
+ - SHA1 Fingerprint: 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
+
+ - CN = TC TrustCenter Class 3 CA II
+
+ - SHA1 Fingerprint: 80:25:EF:F4:6E:70:C8:D4:72:24:65:84:FE:40:3B:8A:8D:6A:DB:F5
+
+ - The following CA certificates were **Added**
+
+ - CN = Staat der Nederlanden Root CA - G3
+
+ - SHA1 Fingerprint: D8:EB:6B:41:51:92:59:E0:F3:E7:85:00:C0:3D:B6:88:97:C9:EE:FC
+
+ - CN = Staat der Nederlanden EV Root CA
+
+ - SHA1 Fingerprint: 76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB
+
+ - CN = IdenTrust Commercial Root CA 1
+
+ - SHA1 Fingerprint: DF:71:7E:AA:4A:D9:4E:C9:55:84:99:60:2D:48:DE:5F:BC:F0:3A:25
+
+ - CN = IdenTrust Public Sector Root CA 1
+
+ - SHA1 Fingerprint: BA:29:41:60:77:98:3F:F4:F3:EF:F2:31:05:3B:2E:EA:6D:4D:45:FD
+
+ - CN = S-TRUST Universal Root CA
+
+ - SHA1 Fingerprint: 1B:3D:11:14:EA:7A:0F:95:58:54:41:95:BF:6B:25:82:AB:40:CE:9A
+
+ - CN = Entrust Root Certification Authority - G2
+
+ - SHA1 Fingerprint: 8C:F4:27:FD:79:0C:3A:D1:66:06:8D:E8:1E:57:EF:BB:93:22:72:D4
+
+ - CN = Entrust Root Certification Authority - EC1
+
+ - SHA1 Fingerprint: 20:D8:06:40:DF:9B:25:F5:12:25:3A:11:EA:F7:59:8A:EB:14:B5:47
+
+ - CN = CFCA EV ROOT
+
+ - SHA1 Fingerprint: E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83
+
+ - The version number of the updated root CA list has been set to 2.3
+
+.. _bugs_fixed_in_nss_3.18:
+
+`Bugs fixed in NSS 3.18 <#bugs_fixed_in_nss_3.18>`__
+----------------------------------------------------
+
+.. 
container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.18:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.18
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.18 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.18 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst
new file mode 100644
index 0000000000..c8ddaeb613
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst
@@ -0,0 +1,113 @@
+.. _mozilla_projects_nss_nss_3_19_1_release_notes:
+
+NSS 3.19.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.1 is a security release for NSS 3.19. The bug fixes in NSS
+ 3.19.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_1_RTM. NSS 3.19.1 requires NSPR 4.10.8 or newer.
+
+ NSS 3.19.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_1_RTM/src/
+
+.. _security_fixes_in_nss_3.19.1:
+
+`Security Fixes in NSS 3.19.1 <#security_fixes_in_nss_3.19.1>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug
+ 1138554 `__ / `CVE-2015-4000 `__ -
+ The minimum strength of keys that libssl will accept for finite field algorithms (RSA,
+ Diffie-Hellman, and DSA) have been increased to 1023 bits.
+
+.. _new_in_nss_3.19.1:
+
+`New in NSS 3.19.1 <#new_in_nss_3.19.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This patch release includes a fix for the
+ recently published `logjam attack `__.
+
+.. _notable_changes_in_nss_3.19.1:
+
+`Notable Changes in NSS 3.19.1 <#notable_changes_in_nss_3.19.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - NSS reports the bit length of keys more accurately. Thus, the SECKEY_PublicKeyStrength and
+ SECKEY_PublicKeyStrengthInBits functions could report smaller values for values that have
+ leading zero values. 
This affects the key strength values that are reported by
+ SSL_GetChannelInfo.
+ - The minimum size of keys that NSS will generate, import, or use has been raised:
+
+ - The minimum modulus size for RSA keys is now 512 bits
+ - The minimum modulus size for DSA keys is now 1023 bits
+ - The minimum modulus size for Diffie-Hellman keys is now 1023 bits
+
+.. _bugs_fixed_in_nss_3.19.1:
+
+`Bugs fixed in NSS 3.19.1 <#bugs_fixed_in_nss_3.19.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.19.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.19.1
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Matthew Green and Karthikeyan Bhargavan for
+ responsibly disclosing the issue in `bug
+ 1138554 `__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+ **Note:** NSS 3.19.1 increases the minimum size of keys it is willing to use. This has been shown
+ to break some applications. :ref:`mozilla_projects_nss_nss_3_19_2_release_notes` reverts the
+ behaviour to the NSS 3.19 and earlier limits.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst
new file mode 100644
index 0000000000..1e0c918e40
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst
@@ -0,0 +1,88 @@
+.. _mozilla_projects_nss_nss_3_19_2_1_release_notes:
+
+NSS 3.19.2.1 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.2.1 is a patch release for NSS 3.19.2. The bug fixes in NSS
+ 3.19.2.1 are described in the "Security Advisories" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_2_1_RTM. NSS 3.19.2.1 requires NSPR 4.10.10 or newer.
+
+ NSS 3.19.2.1 and NSPR 4.10.10 source distributions are available on ftp.mozilla.org for secure
+ HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_1_RTM/src/
+ https://ftp.mozilla.org/pub/nspr/releases/v4.10.10/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.19.2.1. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 1192028 `__ (CVE-2015-7181) and
+ `Bug 1202868 `__ (CVE-2015-7182):
+ Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data.
+ While the majority of NSS uses a separate, unaffected DER decoder, several public routines
+ also accept BER data, and thus are affected. An attacker that successfully exploited these
+ issues can overflow the heap and may be able to obtain remote code execution.
+
+ | The following security-relevant bugs have been resolved in NSPR 4.10.10, which affect NSS.
+ | Because NSS includes portions of the affected NSPR code at build time, it is necessary to use
+ NSPR 4.10.10 when building NSS.
+
+ - `Bug 1205157 `__ (NSPR, CVE-2015-7183):
+ A logic bug in the handling of large allocations would allow exceptionally large allocations
+ to be reported as successful, without actually allocating the requested memory. This may allow
+ attackers to bypass security checks and obtain control of arbitrary memory.
+
+.. _new_in_nss_3.19.2.1:
+
+`New in NSS 3.19.2.1 <#new_in_nss_3.19.2.1>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix
+ security-relevant bugs.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.2.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.2.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst
new file mode 100644
index 0000000000..847ad06446
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst
@@ -0,0 +1,84 @@
+.. _mozilla_projects_nss_nss_3_19_2_2_release_notes:
+
+NSS 3.19.2.2 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.2.2 is a security patch release for NSS 3.19.2. The bug
+ fixes in NSS 3.19.2.2 are described in the "Security Fixes" section below.
+
+ (Current users of NSS 3.19.3 or NSS 3.19.4 are advised to update to
+ :ref:`mozilla_projects_nss_nss_3_20_2_release_notes`,
+ :ref:`mozilla_projects_nss_nss_3_21_release_notes`, or a later release.)
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_2_2_RTM. NSS 3.19.2.2 requires NSPR 4.10.10 or newer.
+
+ NSS 3.19.2.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_2_RTM/src/
+
+.. _security_fixes_in_nss_3.19.2.2:
+
+`Security Fixes in NSS 3.19.2.2 <#security_fixes_in_nss_3.19.2.2>`__
+--------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1158489 `__
+ ` `__ /
+ `CVE-2015-7575 `__ - Prevent
+ MD5 Downgrade in TLS 1.2 Signatures.
+
+.. _new_in_nss_3.19.2.2:
+
+`New in NSS 3.19.2.2 <#new_in_nss_3.19.2.2>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Karthikeyan Bhargavan from
+ `INRIA `__ for responsibly disclosing the issue in `Bug
+ 1158489 `__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.2.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.2.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst
new file mode 100644
index 0000000000..317f0cdd1a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst
@@ -0,0 +1,84 @@
+.. _mozilla_projects_nss_nss_3_19_2_3_release_notes:
+
+NSS 3.19.2.3 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.2.3 is a security patch release for NSS 3.19.2. The bug
+ fixes in NSS 3.19.2.3 are described in the "Security Fixes" section below.
+
+ (Current users of NSS 3.19.3, NSS 3.19.4 or NSS 3.20.x are advised to update to
+ :ref:`mozilla_projects_nss_nss_3_21_1_release_notes`,
+ :ref:`mozilla_projects_nss_nss_3_22_2_release_notes`, or a later release.)
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_2_3_RTM. NSS 3.19.2.3 requires NSPR 4.10.10 or newer.
+
+ NSS 3.19.2.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_3_RTM/src/
+
+.. _new_in_nss_3.19.2.3:
+
+`New in NSS 3.19.2.3 <#new_in_nss_3.19.2.3>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _security_fixes_in_nss_3.19.2.3:
+
+`Security Fixes in NSS 3.19.2.3 <#security_fixes_in_nss_3.19.2.3>`__
+--------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1245528 `__ /
+ `CVE-2016-1950 `__ - Fixed a
+ heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker
+ could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or
+ execution of arbitrary code with the permissions of the user.
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank security researcher Francis Gabriel for responsibly
+ disclosing the issue in `Bug 1245528 `__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.2.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.2.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst
new file mode 100644
index 0000000000..ffb6c2b177
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst
@@ -0,0 +1,82 @@
+.. _mozilla_projects_nss_nss_3_19_2_4_release_notes:
+
+NSS 3.19.2.4 release notes
+==========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.2.4 is a security patch release for NSS 3.19.2. The bug
+ fixed in NSS 3.19.2.4 have been described in the "Security Fixes" section below.
+
+ (Current users of NSS 3.19.3, NSS 3.19.4 or NSS 3.20.x are advised to update to
+ :ref:`mozilla_projects_nss_nss_3_21_1_release_notes`,
+ :ref:`mozilla_projects_nss_nss_3_22_2_release_notes` or a later release.)
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_2_4_RTM. NSS 3.19.2.4 requires NSPR 4.10.10 or newer.
+
+ NSS 3.19.2.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_4_RTM/src/
+
+.. _new_in_nss_3.19.2.4:
+
+`New in NSS 3.19.2.4 <#new_in_nss_3.19.2.4>`__
+----------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality has been introduced in this release.
+
+.. _security_fixes_in_nss_3.19.2.4:
+
+`Security Fixes in NSS 3.19.2.4 <#security_fixes_in_nss_3.19.2.4>`__
+--------------------------------------------------------------------
+
+.. container::
+
+ The following security fixes from NSS 3.21 have been backported to NSS 3.19.2.4:
+
+ - `Bug 1185033 `__ /
+ `CVE-2016-1979 `__ -
+ Use-after-free during processing of DER encoded keys in NSS
+ - `Bug 1209546 `__ /
+ `CVE-2016-1978 `__ -
+ Use-after-free in NSS during SSL connections in low memory
+ - `Bug 1190248 `__ /
+ `CVE-2016-1938 `__ - Errors in
+ mp_div and mp_exptmod cryptographic functions in NSS
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.2.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.2.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict the use of NSS APIs to
+ the functions listed in NSS Public Functions will remain compatible with future versions of the
+ NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst
new file mode 100644
index 0000000000..be8643aac9
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst
@@ -0,0 +1,94 @@
+.. _mozilla_projects_nss_nss_3_19_2_release_notes:
+
+NSS 3.19.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.2 is a patch release for NSS 3.19 that addresses
+ compatibility issues in NSS 3.19.1.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_2_RTM. NSS 3.19.2 requires NSPR 4.10.8 or newer.
+
+ NSS 3.19.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_2_RTM/src/
+
+.. _new_in_nss_3.19.2:
+
+`New in NSS 3.19.2 <#new_in_nss_3.19.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _notable_changes_in_nss_3.19.2:
+
+`Notable Changes in NSS 3.19.2 <#notable_changes_in_nss_3.19.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1172128 `__ - In NSS 3.19.1, the
+ minimum key sizes that the freebl cryptographic implementation (part of the softoken
+ cryptographic module used by default by NSS) was willing to generate or use was increased -
+ for RSA keys, to 512 bits, and for DH keys, 1023 bits. This was done as part of a security fix
+ for `Bug 1138554 `__ /
+ `CVE-2015-4000 `__.
+ Applications that requested or attempted to use keys smaller then the minimum size would fail.
+ However, this change in behaviour unintentionally broke existing NSS applications that need to
+ generate or use such keys, via APIs such as SECKEY_CreateRSAPrivateKey or
+ SECKEY_CreateDHPrivateKey.
+ In NSS 3.19.2, this change in freebl behaviour has been reverted. The fix for `Bug
+ 1138554 `__ has been moved to libssl,
+ and will now only affect the minimum keystrengths used in SSL/TLS.
+ **Note:** Future versions of NSS *may* increase the minimum keysizes required by the freebl
+ module. Consumers of NSS are **strongly** encouraged to migrate to stronger cryptographic
+ strengths as soon as possible.
+
+.. _bugs_fixed_in_nss_3.19.2:
+
+`Bugs fixed in NSS 3.19.2 <#bugs_fixed_in_nss_3.19.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.19.2:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.19.2
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst
new file mode 100644
index 0000000000..40cd773736
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst
@@ -0,0 +1,117 @@
+.. _mozilla_projects_nss_nss_3_19_3_release_notes:
+
+NSS 3.19.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.3 is a patch release for NSS 3.19. The bug fixes in NSS
+ 3.19.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_3_RTM. NSS 3.19.3 requires NSPR 4.10.8 or newer.
+
+ NSS 3.19.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_3_RTM/src/
+
+.. _new_in_nss_3.19.3:
+
+`New in NSS 3.19.3 <#new_in_nss_3.19.3>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to update the list of
+ root CA certificates.
+
+.. _notable_changes_in_nss_3.19.3:
+
+`Notable Changes in NSS 3.19.3 <#notable_changes_in_nss_3.19.3>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Removed**
+
+ - CN = Buypass Class 3 CA 1
+
+ - SHA1 Fingerprint: 61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71
+
+ - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+
+ - SHA1 Fingerprint: 79:98:A3:08:E1:4D:65:85:E6:C2:1E:15:3A:71:9F:BA:5A:D3:4A:D9
+
+ - CN = SG TRUST SERVICES RACINE
+
+ - SHA1 Fingerprint: 0C:62:8F:5C:55:70:B1:C9:57:FA:FD:38:3F:B0:3D:7B:7D:D7:B9:C6
+
+ - CN = TC TrustCenter Universal CA I
+
+ - SHA-1 Fingerprint: 6B:2F:34:AD:89:58:BE:62:FD:B0:6B:5C:CE:BB:9D:D9:4F:4E:39:F3
+
+ - CN = TC TrustCenter Class 2 CA II
+
+ - SHA-1 Fingerprint: AE:50:83:ED:7C:F4:5C:BC:8F:61:C6:21:FE:68:5D:79:42:21:15:6E
+
+ - The following CA certificate had the Websites **trust bit turned off**
+
+ - CN = ComSign Secured CA
+
+ - SHA1 Fingerprint: F9:CD:0E:2C:DA:76:24:C1:8F:BD:F0:F0:AB:B6:45:B8:F7:FE:D5:7A
+
+ - The following CA certificates were **Added**
+
+ - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
+
+ - SHA1 Fingerprint: C4:18:F6:4D:46:D1:DF:00:3D:27:30:13:72:43:A9:12:11:C6:75:FB
+
+ - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
+
+ - SHA1 Fingerprint: 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
+
+ - CN = Certinomis - Root CA
+
+ - SHA1 Fingerprint: 9D:70:BB:01:A5:A4:A0:18:11:2E:F7:1C:01:B9:32:C5:34:E7:88:A8
+
+ - The version number of the updated root CA list has been set to 2.5
+
+.. _bugs_fixed_in_nss_3.19.3:
+
+`Bugs fixed in NSS 3.19.3 <#bugs_fixed_in_nss_3.19.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.19.3:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.19.3
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.3 shared libraries are backward compatible with all older NSS 3.19 shared libraries. A
+ program linked with older NSS 3.19 shared libraries will work with NSS 3.19.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst
new file mode 100644
index 0000000000..9f778190b1
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst
@@ -0,0 +1,88 @@
+.. _mozilla_projects_nss_nss_3_19_4_release_notes:
+
+NSS 3.19.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.19.4 is a patch release for NSS 3.19. The bug fixes in NSS
+ 3.19.4 are described in the "Security Advisories" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_4_RTM. NSS 3.19.4 requires NSPR 4.10.10 or newer.
+
+ NSS 3.19.4 and NSPR 4.10.10 source distributions are available on ftp.mozilla.org for secure
+ HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_4_RTM/src/
+ https://ftp.mozilla.org/pub/nspr/releases/v4.10.10/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.19.4. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 1192028 `__ (CVE-2015-7181) and
+ `Bug 1202868 `__ (CVE-2015-7182):
+ Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data.
+ While the majority of NSS uses a separate, unaffected DER decoder, several public routines
+ also accept BER data, and thus are affected. An attacker that successfully exploited these
+ issues can overflow the heap and may be able to obtain remote code execution.
+
+ | The following security-relevant bugs have been resolved in NSPR 4.10.10, which affect NSS.
+ | Because NSS includes portions of the affected NSPR code at build time, it is necessary to use
+ NSPR 4.10.10 when building NSS.
+
+ - `Bug 1205157 `__ (NSPR, CVE-2015-7183):
+ A logic bug in the handling of large allocations would allow exceptionally large allocations
+ to be reported as successful, without actually allocating the requested memory. This may allow
+ attackers to bypass security checks and obtain control of arbitrary memory.
+
+.. _new_in_nss_3.19.4:
+
+`New in NSS 3.19.4 <#new_in_nss_3.19.4>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix
+ security-relevant bugs.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst
new file mode 100644
index 0000000000..f0da35b220
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst
@@ -0,0 +1,119 @@
+.. _mozilla_projects_nss_nss_3_19_release_notes:
+
+NSS 3.19 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.19, which is a minor
+ security release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_19_RTM. NSS 3.19 requires NSPR 4.10.8 or newer.
+
+ NSS 3.19 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_RTM/src/
+
+.. _security_fixes_in_nss_3.19:
+
+`Security Fixes in NSS 3.19 <#security_fixes_in_nss_3.19>`__
+------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1086145 `__ /
+ `CVE-2015-2721 `__ - Fixed a
+ bug related to the ordering of TLS handshake messages. This was also known
+ as `SMACK `__.
+
+.. _new_in_nss_3.19:
+
+`New in NSS 3.19 <#new_in_nss_3.19>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - For some certificates, such as root CA certificates that don't embed any constraints, NSS
+ might impose additional constraints such as name constraints. A new API
+ (`CERT_GetImposedNameConstraints `__) has
+ been added that allows one to lookup imposed constraints.
+ - It is possible to override the directory
+ (`SQLITE_LIB_DIR `__) in which the NSS
+ build system will look for the sqlite library.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cert.h*
+
+ - **CERT_GetImposedNameConstraints** - Check if any imposed constraints exist for the given
+ certificate, and if found, return the constraints as encoded certificate extensions.
+
+.. _notable_changes_in_nss_3.19:
+
+`Notable Changes in NSS 3.19 <#notable_changes_in_nss_3.19>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The SSL 3 protocol has been disabled by default.
+ - NSS now more strictly validates TLS extensions and will fail a handshake that contains
+ malformed extensions (`bug 753136 `__).
+ - In TLS 1.2 handshakes, NSS advertises support for the SHA512 hash algorithm in order to be
+ compatible with TLS servers that use certificates with a SHA512 signature (`bug
+ 1155922 `__).
+
+.. _bugs_fixed_in_nss_3.19:
+
+`Bugs fixed in NSS 3.19 <#bugs_fixed_in_nss_3.19>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.19:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.19
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Karthikeyan Bhargavan from
+ `INRIA `__ for responsibly disclosing the issue in `bug
+ 1086145 `__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.19 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.19 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst
new file mode 100644
index 0000000000..3ea1c845f2
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst
@@ -0,0 +1,88 @@
+.. _mozilla_projects_nss_nss_3_20_1_release_notes:
+
+NSS 3.20.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.20.1 is a patch release for NSS 3.20. The bug fixes in NSS
+ 3.20.1 are described in the "Security Advisories" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_20_1_RTM. NSS 3.20.1 requires NSPR 4.10.10 or newer.
+
+ NSS 3.20.1 and NSPR 4.10.10 source distributions are available on ftp.mozilla.org for secure
+ HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_1_RTM/src/
+ https://ftp.mozilla.org/pub/nspr/releases/v4.10.10/src/
+
+.. _security_advisories:
+
+`Security Advisories <#security_advisories>`__
+----------------------------------------------
+
+.. container::
+
+ The following security-relevant bugs have been resolved in NSS 3.20.1. Users are encouraged to
+ upgrade immediately.
+
+ - `Bug 1192028 `__ (CVE-2015-7181) and
+ `Bug 1202868 `__ (CVE-2015-7182):
+ Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data.
+ While the majority of NSS uses a separate, unaffected DER decoder, several public routines
+ also accept BER data, and thus are affected. An attacker that successfully exploited these
+ issues can overflow the heap and may be able to obtain remote code execution.
+
+ | The following security-relevant bugs have been resolved in NSPR 4.10.10, which affect NSS.
+ | Because NSS includes portions of the affected NSPR code at build time, it is necessary to use
+ NSPR 4.10.10 when building NSS.
+
+ - `Bug 1205157 `__ (NSPR, CVE-2015-7183):
+ A logic bug in the handling of large allocations would allow exceptionally large allocations
+ to be reported as successful, without actually allocating the requested memory. This may allow
+ attackers to bypass security checks and obtain control of arbitrary memory.
+
+.. _new_in_nss_3.20.1:
+
+`New in NSS 3.20.1 <#new_in_nss_3.20.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix
+ security-relevant bugs.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.20.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.20.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst
new file mode 100644
index 0000000000..feb8de594e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst
@@ -0,0 +1,80 @@
+.. _mozilla_projects_nss_nss_3_20_2_release_notes:
+
+NSS 3.20.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.20.2 is a security patch release for NSS 3.20. The bug fixes in
+ NSS 3.20.2 are described in the "Security Fixes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_20_2_RTM. NSS 3.20.2 requires NSPR 4.10.10 or newer.
+
+ NSS 3.20.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_2_RTM/src/
+
+.. _security_fixes_in_nss_3.20.2:
+
+`Security Fixes in NSS 3.20.2 <#security_fixes_in_nss_3.20.2>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1158489 `__
+ ` `__ /
+ `CVE-2015-7575 `__ - Prevent
+ MD5 Downgrade in TLS 1.2 Signatures.
+
+.. _new_in_nss_3.20.2:
+
+`New in NSS 3.20.2 <#new_in_nss_3.20.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Karthikeyan Bhargavan from
+ `INRIA `__ for responsibly disclosing the issue in `Bug
+ 1158489 `__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.20.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.20.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst
new file mode 100644
index 0000000000..49e0f41648
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst
@@ -0,0 +1,140 @@
+.. _mozilla_projects_nss_nss_3_20_release_notes:
+
+NSS 3.20 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.20, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_20_RTM. NSS 3.20 requires NSPR 4.10.8 or newer.
+
+ NSS 3.20 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_RTM/src/
+
+.. _new_in_nss_3.20:
+
+`New in NSS 3.20 <#new_in_nss_3.20>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The TLS library has been extended to support DHE ciphersuites in server applications.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in ssl.h*
+
+ - **SSL_DHEGroupPrefSet** - Configure the set of allowed/enabled DHE group parameters that
+ can be used by NSS for a server socket.
+ - **SSL_EnableWeakDHEPrimeGroup** - Enable the use of weak DHE group parameters that are
+ smaller than default minimum size of the library.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in sslt.h*
+
+ - **SSLDHEGroupType** - Enumerates the set of DHE parameters embedded in NSS that can be used
+ with function SSL_DHEGroupPrefSet
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in ssl.h*
+
+ - **SSL_ENABLE_SERVER_DHE** - A socket option user to enable or disable DHE ciphersuites for
+ a server socket
+
+.. _notable_changes_in_nss_3.20:
+
+`Notable Changes in NSS 3.20 <#notable_changes_in_nss_3.20>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The TLS library has been extended to support DHE ciphersuites in server applications.
+ - For backward compatibility reasons, the server side implementation of the TLS library keeps
+ all DHE ciphersuites disabled by default. They can be enabled with the new socket option
+ SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the SSL_OptionSetDefault API.
+ - The server side implementation of the TLS does not support session tickets while using a DHE
+ ciphersuite (see `bug 1174677 `__).
+ - Support for the following ciphersuites has been added:
+
+ - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
+ - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+ - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+
+ - By default, the server side TLS implementation will use DHE parameters with a size of 2048
+ bits when using DHE ciphersuites.
+ - NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and 8192 bits, which were copied
+ from version 08 of the Internet-Draft `"Negotiated Finite Field Diffie-Hellman Ephemeral
+ Parameters for
+ TLS" `__, Appendix
+ A.
+ - A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a server application to
+ select one or multiple of the embedded DHE parameters as the preferred parameters. The current
+ implementation of NSS will always use the first entry in the array that is passed as a
+ parameter to the SSL_DHEGroupPrefSet API. In future versions of the TLS implementation, a TLS
+ client might show a preference for certain DHE parameters, and the NSS TLS server side
+ implementation might select a matching entry from the set of parameters that have been
+ configured as preferred on the server side.
+ - NSS optionally supports the use of weak DHE parameters with DHE ciphersuites in order to
+ support legacy clients. To enable this support, the new API SSL_EnableWeakDHEPrimeGroup must
+ be used. Each time this API is called for the first time in a process, a fresh set of weak DHE
+ parameters will be randomly created, which may take a long amount of time. Please refer to the
+ comments in the header file that declares the SSL_EnableWeakDHEPrimeGroup API for additional
+ details.
+ - The size of the default PQG parameters used by certutil when creating DSA keys has been
+ increased to use 2048 bit parameters.
+ - The selfserv utility has been enhanced to support the new DHE features.
+ - NSS no longer supports C compilers that predate the ANSI C standard (C89).
+
+.. _bugs_fixed_in_nss_3.20:
+
+`Bugs fixed in NSS 3.20 <#bugs_fixed_in_nss_3.20>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.20:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.20
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.20 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.20 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report
+ at ` bugzilla.mozilla.org `__ (product
+ NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst
new file mode 100644
index 0000000000..10f0016420
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst
@@ -0,0 +1,80 @@
+.. _mozilla_projects_nss_nss_3_21_1_release_notes:
+
+NSS 3.21.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.21.1 is a security patch release for NSS 3.21. The bug fixes in
+ NSS 3.21.1 are described in the "Security Fixes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_21_1_RTM. NSS 3.21.1 requires NSPR 4.10.10 or newer.
+
+ NSS 3.21.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_1_RTM/src/
+
+.. _new_in_nss_3.21.1:
+
+`New in NSS 3.21.1 <#new_in_nss_3.21.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _security_fixes_in_nss_3.21.1:
+
+`Security Fixes in NSS 3.21.1 <#security_fixes_in_nss_3.21.1>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1245528 `__ /
+ `CVE-2016-1950 `__ - Fixed a
+ heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker
+ could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or
+ execution of arbitrary code with the permissions of the user.
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank security researcher Francis Gabriel for responsibly
+ disclosing the issue in `Bug 1245528 `__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. 
container::
+
+ NSS 3.21.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.21.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst
new file mode 100644
index 0000000000..f1db6bbd4e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_nss_3_21_2_release_notes:
+
+NSS 3.21.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.21.2 is a security patch release for NSS 3.21.1. The bug fixes
+ in NSS 3.21.2 are described in the "Security Fixes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_21_2_RTM. NSS 3.21.2 requires NSPR 4.10.10 or newer.
+
+ NSS 3.21.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_2_RTM/src/
+
+.. _new_in_nss_3.21.2:
+
+`New in NSS 3.21.2 <#new_in_nss_3.21.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _security_fixes_in_nss_3.21.2:
+
+`Security Fixes in NSS 3.21.2 <#security_fixes_in_nss_3.21.2>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1293334 `__ /
+ `CVE-2016-9074 `__ - Fixed
+ a timing side channel in the TLS CBC code.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.21.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.21.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. 
container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst
new file mode 100644
index 0000000000..cccdd61aa0
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst
@@ -0,0 +1,78 @@
+.. _mozilla_projects_nss_nss_3_21_3_release_notes:
+
+NSS 3.21.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.21.3 is a security patch release for NSS 3.21.2. The bug fixes
+ in NSS 3.21.3 are described in the "Security Fixes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_21_3_RTM. NSS 3.21.3 requires NSPR 4.10.10 or newer.
+
+ NSS 3.21.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_3_RTM/src/
+
+.. _new_in_nss_3.21.3:
+
+`New in NSS 3.21.3 <#new_in_nss_3.21.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _security_fixes_in_nss_3.21.3:
+
+`Security Fixes in NSS 3.21.3 <#security_fixes_in_nss_3.21.3>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1306103 `__ /
+ `CVE-2016-5285 `__ - Fixed a
+ possible DOS on NSS servers due to a missing NULL check.
+ - `Bug 1221620 `__ - Fixed a possible left-shift of a negative
+ integer value when parsing DER.
+ - `Bug 1206283 `__ - Fixed an out-of-bound
+ read when parsing invalid UTF-16.
+ - `Bug 1241034 `__ - Fixed an
+ out-of-bounds write when parsing invalid UTF-16.
+ - `Bug 1241037 `__ - Fixed bogus surrogate
+ detection when parsing invalid UTF-16.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.21.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. 
A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.21.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst
new file mode 100644
index 0000000000..194e39c6d8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_nss_3_21_4_release_notes:
+
+NSS 3.21.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.21.4 is a security patch release for NSS 3.21. The bug fixes in
+ NSS 3.21.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_21_4_RTM. NSS 3.21.4 requires NSPR 4.12 or newer.
+
+ NSS 3.21.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_4_RTM/src/
+
+.. _new_in_nss_3.21.4:
+
+`New in NSS 3.21.4 <#new_in_nss_3.21.4>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.21.4:
+
+`Bugs fixed in NSS 3.21.4 <#bugs_fixed_in_nss_3.21.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1344380 `__ / Out-of-bounds write
+ in Base64 encoding in NSS
+ (`CVE-2017-5461 `__)
+ - `Bug 1345089 `__ / DRBG flaw in NSS
+ (`CVE-2017-5462 `__)
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Ronald Crane and Vladimir Klebanov for responsibly
+ disclosing the issues by providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.21.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.21.4 shared libraries
+ without recompiling or relinking. 
Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst
new file mode 100644
index 0000000000..9bd12981ab
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst
@@ -0,0 +1,277 @@
+.. _mozilla_projects_nss_nss_3_21_release_notes:
+
+NSS 3.21 release notes
+======================
+
+.. container::
+
+ 2016-01-07, this page has been updated to include additional information about the release. The
+ sections "Security Fixes" and "Acknowledgements" have been added.
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.21, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_21_RTM. NSS 3.21 requires NSPR 4.10.10 or newer.
+
+ NSS 3.21 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_RTM/src/
+
+.. _security_fixes_in_nss_3.21:
+
+`Security Fixes in NSS 3.21 <#security_fixes_in_nss_3.21>`__
+------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1158489 `__
+ ` `__ /
+ `CVE-2015-7575 `__ - Prevent
+ MD5 Downgrade in TLS 1.2 Signatures.
+
+.. _new_in_nss_3.21:
+
+`New in NSS 3.21 <#new_in_nss_3.21>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - ``certutil`` now supports a ``--rename`` option to change a nickname (`bug
+ 1142209 `__)
+ - TLS extended master secret extension (`RFC
+ 7627 `__) is supported (`bug
+ 1117022 `__)
+ - New info functions added for use during mid-handshake callbacks (`bug
+ 1084669 `__)
+
+ .. 
rubric:: New Functions
+ :name: new_functions
+
+ - *in nss.h*
+
+ - **NSS_OptionSet** - sets NSS global options
+ - **NSS_OptionGet** - gets the current value of NSS global options
+
+ - *in secmod.h*
+
+ - **SECMOD_CreateModuleEx** - Create a new SECMODModule structure from module name string,
+ module parameters string, NSS specific parameters string, and NSS configuration parameter
+ string. The module represented by the module structure is not loaded. The difference with
+ **SECMOD_CreateModule** is the new function handles NSS configuration parameter strings.
+
+ - *in ssl.h*
+
+ - **SSL_GetPreliminaryChannelInfo** - obtains information about a TLS channel prior to the
+ handshake being completed, for use with the callbacks that are invoked during the handshake
+ - **SSL_SignaturePrefSet** - configures the enabled signature and hash algorithms for TLS
+ - **SSL_SignaturePrefGet** - retrieves the currently configured signature and hash algorithms
+ - **SSL_SignatureMaxCount** - obtains the maximum number signature algorithms that can be
+ configured with **SSL_SignaturePrefSet**
+
+ - *in utilpars.h*
+
+ - **NSSUTIL_ArgParseModuleSpecEx** - takes a module spec and breaks it into shared library
+ string, module name string, module parameters string, NSS specific parameters string, and
+ NSS configuration parameter strings. The returned strings must be freed by the caller. The
+ difference with **NSS_ArgParseModuleSpec** is the new function handles NSS configuration
+ parameter strings.
+ - **NSSUTIL_MkModuleSpecEx** - take a shared library string, module name string, module
+ parameters string, NSS specific parameters string, and NSS configuration parameter string
+ and returns a module string which the caller must free when it is done. The difference with
+ **NSS_MkModuleSpec** is the new function handles NSS configuration parameter strings.
+
+ .. 
rubric:: New Types
+ :name: new_types
+
+ - *in pkcs11t.h*
+
+ - **CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR}** - parameters {or pointer} for
+ **CKM_TLS12_MASTER_KEY_DERIVE**
+ - **CK_TLS12_KEY_MAT_PARAMS{_PTR}** - parameters {or pointer} for
+ **CKM_TLS12_KEY_AND_MAC_DERIVE**
+ - **CK_TLS_KDF_PARAMS{_PTR}** - parameters {or pointer} for **CKM_TLS_KDF**
+ - **CK_TLS_MAC_PARAMS{_PTR}** - parameters {or pointer} for **CKM_TLS_MAC**
+
+ - *in sslt.h*
+
+ - **SSLHashType** - identifies a hash function
+ - **SSLSignatureAndHashAlg** - identifies a signature and hash function
+ - **SSLPreliminaryChannelInfo** - provides information about the session state prior to
+ handshake completion
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in nss.h*
+
+ - **NSS_RSA_MIN_KEY_SIZE** - used with NSS_OptionSet and NSS_OptionGet to set or get the
+ minimum RSA key size
+ - **NSS_DH_MIN_KEY_SIZE** - used with NSS_OptionSet and NSS_OptionGet to set or get the
+ minimum DH key size
+ - **NSS_DSA_MIN_KEY_SIZE** - used with NSS_OptionSet and NSS_OptionGet to set or get the
+ minimum DSA key size
+
+ - *in pkcs11t.h*
+
+ - **CKM_TLS12_MASTER_KEY_DERIVE** - derives TLS 1.2 master secret
+ - **CKM_TLS12_KEY_AND_MAC_DERIVE** - derives TLS 1.2 traffic key and IV
+ - **CKM_TLS12_MASTER_KEY_DERIVE_DH** - derives TLS 1.2 master secret for DH (and ECDH) cipher
+ suites
+ - **CKM_TLS12_KEY_SAFE_DERIVE** and **CKM_TLS_KDF** are identifiers for additional PKCS#12
+ mechanisms for TLS 1.2 that are currently unused in NSS. 
+ - **CKM_TLS_MAC** - computes TLS Finished MAC
+
+ - *in secoidt.h*
+
+ - **NSS_USE_ALG_IN_SSL_KX** - policy flag indicating that keys are used in TLS key exchange
+
+ - *in sslerr.h*
+
+ - **SSL_ERROR_RX_SHORT_DTLS_READ** - error code for failure to include a complete DTLS record
+ in a UDP packet
+ - **SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM** - error code for when no valid signature and
+ hash algorithm is available
+ - **SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM** - error code for when an unsupported
+ signature and hash algorithm is configured
+ - **SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET** - error code for when the extended master
+ secret is missing after having been negotiated
+ - **SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET** - error code for receiving an extended
+ master secret when previously not negotiated
+
+ - *in sslt.h*
+
+ - **SSL_ENABLE_EXTENDED_MASTER_SECRET** - configuration to enable the TLS extended master
+ secret extension (`RFC 7627 `__)
+ - **ssl_preinfo_version** - used with **SSLPreliminaryChannelInfo** to indicate that a TLS
+ version has been selected
+ - **ssl_preinfo_cipher_suite** - used with **SSLPreliminaryChannelInfo** to indicate that a
+ TLS cipher suite has been selected
+ - **ssl_preinfo_all** - used with **SSLPreliminaryChannelInfo** to indicate that all
+ preliminary information has been set
+
+.. _notable_changes_in_nss_3.21:
+
+`Notable Changes in NSS 3.21 <#notable_changes_in_nss_3.21>`__
+--------------------------------------------------------------
+
+.. 
container::
+
+ - NSS now builds with elliptic curve ciphers enabled by default (`bug
+ 1205688 `__)
+ - NSS now builds with warnings as errors (`bug
+ 1182667 `__)
+ - The following CA certificates were **Removed**
+
+ - CN = VeriSign Class 4 Public Primary Certification Authority - G3
+
+ - SHA1 Fingerprint: C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D
+
+ - CN = UTN-USERFirst-Network Applications
+
+ - SHA1 Fingerprint: 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
+
+ - CN = TC TrustCenter Universal CA III
+
+ - SHA1 Fingerprint: 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
+
+ - CN = A-Trust-nQual-03
+
+ - SHA-1 Fingerprint: D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
+
+ - CN = USERTrust Legacy Secure Server CA
+
+ - SHA-1 Fingerprint: 7C:2F:91:E2:BB:96:68:A9:C6:F6:BD:10:19:2C:6B:52:5A:1B:BA:48
+
+ - Friendly Name: Digital Signature Trust Co. Global CA 1
+
+ - SHA-1 Fingerprint: 81:96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3
+
+ - Friendly Name: Digital Signature Trust Co. Global CA 3
+
+ - SHA-1 Fingerprint: AB:48:F3:33:DB:04:AB:B9:C0:72:DA:5B:0C:C1:D0:57:F0:36:9B:46
+
+ - CN = UTN - DATACorp SGC
+
+ - SHA-1 Fingerprint: 58:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4
+
+ - O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. 
(c) Kasım 2005
+
+ - SHA-1 Fingerprint: B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7
+
+ - The following CA certificate had the Websites **trust bit turned off**
+
+ - OU = Equifax Secure Certificate Authority
+
+ - SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
+
+ - The following CA certificates were **Added**
+
+ - CN = Certification Authority of WoSign G2
+
+ - SHA1 Fingerprint: FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
+
+ - CN = CA WoSign ECC Root
+
+ - SHA1 Fingerprint: D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
+
+ - CN = OISTE WISeKey Global Root GB CA
+
+ - SHA1 Fingerprint: 0F:F9:40:76:18:D3:D7:6A:4B:98:F0:A8:35:9E:0C:FD:27:AC:CC:ED
+
+ - The version number of the updated root CA list has been set to 2.6
+
+.. _bugs_fixed_in_nss_3.21:
+
+`Bugs fixed in NSS 3.21 <#bugs_fixed_in_nss_3.21>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.21:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.21
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Karthikeyan Bhargavan from
+ `INRIA `__ for responsibly disclosing the issue in `Bug
+ 1158489 `__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.21 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.21 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. 
container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst
new file mode 100644
index 0000000000..45efc4f22d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_22_1_release_notes:
+
+NSS 3.22.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.22.1 is a patch release for NSS 3.22. The bug fixes in NSS
+ 3.22.1 are described in the "Notable Changes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_22_1_RTM. NSS 3.22.1 requires NSPR 4.12 or newer.
+
+ NSS 3.22.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_1_RTM/src/
+
+.. _new_in_nss_3.22.1:
+
+`New in NSS 3.22.1 <#new_in_nss_3.22.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _notable_changes_in_nss_3.22.1:
+
+`Notable Changes in NSS 3.22.1 <#notable_changes_in_nss_3.22.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `bug 1194680 `__: NSS has been changed
+ to use the PR_GetEnvSecure function that was made available in NSPR 4.12
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.22.1 shared libraries are backward compatible with all older NSS 3.22 shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.22.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries. 
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst
new file mode 100644
index 0000000000..598dfdde3b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst
@@ -0,0 +1,90 @@
+.. _mozilla_projects_nss_nss_3_22_2_release_notes:
+
+NSS 3.22.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.22.2 is a security patch release for NSS 3.22. The bug fixes in
+ NSS 3.22.2 are described in the "Security Fixes" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_22_2_RTM. NSS 3.22.2 requires NSPR 4.12 or newer.
+
+ NSS 3.22.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_2_RTM/src/
+
+.. _new_in_nss_3.22.2:
+
+`New in NSS 3.22.2 <#new_in_nss_3.22.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _security_fixes_in_nss_3.22.2:
+
+`Security Fixes in NSS 3.22.2 <#security_fixes_in_nss_3.22.2>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1245528 `__ /
+ `CVE-2016-1950 `__ - Fixed a
+ heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker
+ could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or
+ execution of arbitrary code with the permissions of the user.
+
+.. _notable_changes_in_nss_3.22.2:
+
+`Notable Changes in NSS 3.22.2 <#notable_changes_in_nss_3.22.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1247990 `__ - The root CA changes
+ from :ref:`mozilla_projects_nss_nss_3_23_release_notes` have been backported. 
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank security researcher Francis Gabriel for responsibly
+ disclosing the issue in `Bug 1245528 `__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.22.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.22.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst
new file mode 100644
index 0000000000..c31cb417e2
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst
@@ -0,0 +1,70 @@
+.. _mozilla_projects_nss_nss_3_22_3_release_notes:
+
+NSS 3.22.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.22.3 is a patch release for NSS 3.22. The bug fixes in NSS
+ 3.22.3 are described in the "Bugs fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_22_3_RTM. NSS 3.22.3 requires NSPR 4.12 or newer.
+
+ NSS 3.22.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_3_RTM/src/
+
+.. _new_in_nss_3.22.3:
+
+`New in NSS 3.22.3 <#new_in_nss_3.22.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.22.3:
+
+`Bugs fixed in NSS 3.22.3 <#bugs_fixed_in_nss_3.22.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1243641 `__ - Increase
+ compatibility of TLS extended master secret, don't send an empty TLS extension last in the
+ handshake
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.22.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.22.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. 
container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst
new file mode 100644
index 0000000000..2f57e2715c
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst
@@ -0,0 +1,194 @@
+.. _mozilla_projects_nss_nss_3_22_release_notes:
+
+NSS 3.22 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.22, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.
+
+ NSS 3.22 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_RTM/src/
+
+.. _new_in_nss_3.22:
+
+`New in NSS 3.22 <#new_in_nss_3.22>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - RSA-PSS signatures are now supported (`bug
+ 1215295 `__)
+
+ - New functions ``PK11_SignWithMechanism()`` and ``PK11_SignWithMechanism()`` are provided to
+ allow RSA keys to be used with PSS.
+
+ - Pseudorandom functions based on hashes other than SHA-1 are now supported with PBKDF (`bug
+ 554827 `__).
+
+ - ``PK11_CreatePBEV2AlgorithmID()`` now supports ``SEC_OID_PKCS5_PBKDF2`` with
+ ``cipherAlgTag`` and ``prfAlgTag`` set to ``SEC_OID_HMAC_SHA256``, ``SEC_OID_HMAC_SHA224``,
+ ``SEC_OID_HMAC_SHA384``, or ``SEC_OID_HMAC_SHA512``.
+
+ - Enforce an External Policy on NSS from a config file (`bug
+ 1009429 `__)
+
+ - you can now add a config= line to pkcs11.txt (assuming you are using sql databases), which
+ will force NSS to restrict the application to certain cryptographic algorithms and
+ protocols. A complete list can be found in :ref:`mozilla_projects_nss_nss_config_options`.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in pk11pub.h*
+
+ - **PK11_SignWithMechanism** - This function is an extended version ``PK11_Sign()``.
+ - **PK11_VerifyWithMechanism** - This function is an extended version of ``PK11_Verify()``.
+
+ - These functions take an explicit mechanism and parameters as arguments rather than
+ inferring it from the key type using ``PK11_MapSignKeyType()``. The mechanism type
+ CKM_RSA_PKCS_PSS is now supported for RSA in addition to CKM_RSA_PKCS. The
+ CK_RSA_PKCS_PSS mechanism takes a parameter of type CK_RSA_PKCS_PSS_PARAMS.
+
+ - *in ssl.h*
+
+ - **SSL_PeerSignedCertTimestamps** - Get signed_certificate_timestamp TLS extension data
+ - **SSL_SetSignedCertTimestamps** - Set signed_certificate_timestamp TLS extension data
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in secoidt.h*
+
+ - The following are added to SECOidTag:
+
+ - SEC_OID_AES_128_GCM
+ - SEC_OID_AES_192_GCM
+ - SEC_OID_AES_256_GCM
+ - SEC_OID_IDEA_CBC
+ - SEC_OID_RC2_40_CBC
+ - SEC_OID_DES_40_CBC
+ - SEC_OID_RC4_40
+ - SEC_OID_RC4_56
+ - SEC_OID_NULL_CIPHER
+ - SEC_OID_HMAC_MD5
+ - SEC_OID_TLS_RSA
+ - SEC_OID_TLS_DHE_RSA
+ - SEC_OID_TLS_DHE_DSS
+ - SEC_OID_TLS_DH_RSA
+ - SEC_OID_TLS_DH_DSS
+ - SEC_OID_TLS_DH_ANON
+ - SEC_OID_TLS_ECDHE_ECDSA
+ - SEC_OID_TLS_ECDHE_RSA
+ - SEC_OID_TLS_ECDH_ECDSA
+ - SEC_OID_TLS_ECDH_RSA
+ - SEC_OID_TLS_ECDH_ANON
+ - SEC_OID_TLS_RSA_EXPORT
+ - SEC_OID_TLS_DHE_RSA_EXPORT
+ - SEC_OID_TLS_DHE_DSS_EXPORT
+ - SEC_OID_TLS_DH_RSA_EXPORT
+ - SEC_OID_TLS_DH_DSS_EXPORT
+ - SEC_OID_TLS_DH_ANON_EXPORT
+ - SEC_OID_APPLY_SSL_POLICY
+
+ - in sslt.h
+
+ - **ssl_signed_cert_timestamp_xtn** is added to ``SSLExtensionType``.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - in nss.h
+
+ - NSS_RSA_MIN_KEY_SIZE
+ - NSS_DH_MIN_KEY_SIZE
+ - NSS_DSA_MIN_KEY_SIZE
+ - NSS_TLS_VERSION_MIN_POLICY
+ - NSS_TLS_VERSION_MAX_POLICY
+ - NSS_DTLS_VERSION_MIN_POLICY
+ - NSS_DTLS_VERSION_MAX_POLICY
+
+ - *in pkcs11t.h*
+
+ - **CKP_PKCS5_PBKD2_HMAC_GOSTR3411** - PRF based on HMAC with GOSTR3411 for PBKDF (not
+ supported)
+ - **CKP_PKCS5_PBKD2_HMAC_SHA224** - PRF based on HMAC with SHA-224 for PBKDF
+ - **CKP_PKCS5_PBKD2_HMAC_SHA256** - PRF based on HMAC with SHA-256 for PBKDF
+ - **CKP_PKCS5_PBKD2_HMAC_SHA384** - PRF based on HMAC with SHA-256 for PBKDF
+ - **CKP_PKCS5_PBKD2_HMAC_SHA512** - PRF based on HMAC with SHA-256 for PBKDF
+ - **CKP_PKCS5_PBKD2_HMAC_SHA512_224** - PRF based on HMAC with SHA-512 truncated to 224 bits
+ for PBKDF (not supported)
+ - **CKP_PKCS5_PBKD2_HMAC_SHA512_256** - PRF based on HMAC with SHA-512 truncated to 256 bits
+ for PBKDF (not supported)
+
+ - *in secoidt.h*
+
+ - NSS_USE_ALG_IN_SSL
+ - NSS_USE_POLICY_IN_SSL
+
+ - *in ssl.h*
+
+ - **SSL_ENABLE_SIGNED_CERT_TIMESTAMPS**
+
+ - *in sslt.h*
+
+ - **SSL_MAX_EXTENSIONS** is updated to 13
+
+.. _notable_changes_in_nss_3.22:
+
+`Notable Changes in NSS 3.22 <#notable_changes_in_nss_3.22>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - NSS C++ tests are built by default, requiring a C++11 compiler. Set the NSS_DISABLE_GTESTS
+ variable to 1 to disable building these tests.
+
+.. _bugs_fixed_in_nss_3.22:
+
+`Bugs fixed in NSS 3.22 <#bugs_fixed_in_nss_3.22>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.22:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.22
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.22 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.22 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst
new file mode 100644
index 0000000000..78cd188db3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst
@@ -0,0 +1,192 @@
+.. _mozilla_projects_nss_nss_3_23_release_notes:
+
+NSS 3.23 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.23, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_23_RTM. NSS 3.23 requires NSPR 4.12 or newer.
+
+ NSS 3.23 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/
+
+.. _new_in_nss_3.23:
+
+`New in NSS 3.23 <#new_in_nss_3.23>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - ChaCha20/Poly1305 cipher and TLS cipher suites now supported (`bug
+ 917571 `__, `bug
+ 1227905 `__)
+
+ -
+
+ .. container::
+
+ Experimental-only support TLS 1.3 1-RTT mode (draft-11). This code is not ready for
+ production use.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in ssl.h*
+
+ - **SSL_SetDowngradeCheckVersion** - Set maximum version for new ServerRandom anti-downgrade
+ mechanism. Clients that perform a version downgrade (which is a dangerous practice) call
+ this with the highest version number that they possibly support. This gives them access to
+ the `version downgrade protection from TLS
+ 1.3 `__.
+
+.. _notable_changes_in_nss_3.23:
+
+`Notable Changes in NSS 3.23 <#notable_changes_in_nss_3.23>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The copy of SQLite shipped with NSS has been updated to version 3.10.2 (`bug
+ 1234698 `__)
+ - The list of TLS extensions sent in the TLS handshake has been reordered to increase
+ compatibility of the Extended Master Secret with servers (`bug
+ 1243641 `__)
+ - The build time environment variable NSS_ENABLE_ZLIB has been renamed to NSS_SSL_ENABLE_ZLIB
+ (`Bug 1243872 `__).
+ - The build time environment variable NSS_DISABLE_CHACHAPOLY was added, which can be used to
+ prevent compilation of the ChaCha20/Poly1305 code.
+ - The following CA certificates were **Removed**
+
+ - CN = Staat der Nederlanden Root CA
+
+ - SHA-256 Fingerprint:
+ D4:1D:82:9E:8C:16:59:82:2A:F9:3F:CE:62:BF:FC:DE:26:4F:C8:4E:8B:95:0C:5F:F2:75:D0:52:35:46:95:A3
+
+ - CN = NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
+
+ - SHA-256 Fingerprint:
+ E6:06:DD:EE:E2:EE:7F:5C:DE:F5:D9:05:8F:F8:B7:D0:A9:F0:42:87:7F:6A:17:1E:D8:FF:69:60:E4:CC:5E:A5
+
+ - CN = NetLock Kozjegyzoi (Class A) Tanusitvanykiado
+
+ - SHA-256 Fingerprint:
+ 7F:12:CD:5F:7E:5E:29:0E:C7:D8:51:79:D5:B7:2C:20:A5:BE:75:08:FF:DB:5B:F8:1A:B9:68:4A:7F:C9:F6:67
+
+ - CN = NetLock Uzleti (Class B) Tanusitvanykiado
+
+ - SHA-256 Fingerprint:
+ 39:DF:7B:68:2B:7B:93:8F:84:71:54:81:CC:DE:8D:60:D8:F2:2E:C5:98:87:7D:0A:AA:C1:2B:59:18:2B:03:12
+
+ - CN = NetLock Expressz (Class C) Tanusitvanykiado
+
+ - SHA-256 Fingerprint:
+ 0B:5E:ED:4E:84:64:03:CF:55:E0:65:84:84:40:ED:2A:82:75:8B:F5:B9:AA:1F:25:3D:46:13:CF:A0:80:FF:3F
+
+ - Friendly Name: VeriSign Class 1 Public PCA – G2
+
+ - SHA-256 Fingerprint:
+ 34:1D:E9:8B:13:92:AB:F7:F4:AB:90:A9:60:CF:25:D4:BD:6E:C6:5B:9A:51:CE:6E:D0:67:D0:0E:C7:CE:9B:7F
+
+ - Friendly Name: VeriSign Class 3 Public PCA
+
+ - SHA-256 Fingerprint:
+ A4:B6:B3:99:6F:C2:F3:06:B3:FD:86:81:BD:63:41:3D:8C:50:09:CC:4F:A3:29:C2:CC:F0:E2:FA:1B:14:03:05
+
+ - Friendly Name: VeriSign Class 3 Public PCA – G2
+
+ - SHA-256 Fingerprint:
+ 83:CE:3C:12:29:68:8A:59:3D:48:5F:81:97:3C:0F:91:95:43:1E:DA:37:CC:5E:36:43:0E:79:C7:A8:88:63:8B
+
+ - CN = CA Disig
+
+ - SHA-256 Fingerprint:
+ 92:BF:51:19:AB:EC:CA:D0:B1:33:2D:C4:E1:D0:5F:BA:75:B5:67:90:44:EE:0C:A2:6E:93:1F:74:4F:2F:33:CF
+
+ - The following CA certificates were **Added**
+
+ - CN = SZAFIR ROOT CA2
+
+ - SHA-256 Fingerprint:
+ A1:33:9D:33:28:1A:0B:56:E5:57:D3:D3:2B:1C:E7:F9:36:7E:B0:94:BD:5F:A7:2A:7E:50:04:C8:DE:D7:CA:FE
+
+ - CN = Certum Trusted Network CA 2
+
+ - SHA-256 Fingerprint:
+ B6:76:F2:ED:DA:E8:77:5C:D3:6C:B0:F6:3C:D1:D4:60:39:61:F4:9E:62:65:BA:01:3A:2F:03:07:B6:D0:B8:04
+
+ - The following CA certificate had the Email **trust bit turned on**
+
+ - CN = Actalis Authentication Root CA
+
+ - SHA-256 Fingerprint:
+ 55:92:60:84:EC:96:3A:64:B9:6E:2A:BE:01:CE:0B:A8:6A:64:FB:FE:BC:C7:AA:B5:AF:C1:55:B3:7F:D7:60:66
+
+.. _security_fixes_in_nss_3.23:
+
+`Security Fixes in NSS 3.23 <#security_fixes_in_nss_3.23>`__
+------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1245528 `__ /
+ `CVE-2016-1950 `__ - Fixed a
+ heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker
+ could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or
+ execution of arbitrary code with the permissions of the user.
+
+.. _bugs_fixed_in_nss_3.23:
+
+`Bugs fixed in NSS 3.23 <#bugs_fixed_in_nss_3.23>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.23:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.23
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank security researcher Francis Gabriel for responsibly
+ disclosing the issue in `Bug 1245528 `__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.23 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.23 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst
new file mode 100644
index 0000000000..ac7bd6ef7a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst
@@ -0,0 +1,201 @@
+.. _mozilla_projects_nss_nss_3_24_release_notes:
+
+NSS 3.24 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.24, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_24_RTM. NSS 3.24 requires Netscape Portable Runtime(NSPR) 4.12 or newer.
+
+ NSS 3.24 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/
+
+.. _new_in_nss_3.24:
+
+`New in NSS 3.24 <#new_in_nss_3.24>`__
+--------------------------------------
+
+.. container::
+
+ NSS 3.24 includes two NSS softoken updates, a new function to configure SSL/TLS server sockets,
+ and two functions to improve the use of temporary arenas.
+
+.. _new_functionality:
+
+`New functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - NSS softoken has been updated with the latest National Institute of Standards and Technology
+ (NIST) guidance (as of 2015):
+
+ - Software integrity checks and POST functions are executed on shared library load. These
+ checks have been disabled by default, as they can cause a performance regression. To enable
+ these checks, you must define symbol NSS_FORCE_FIPS when building NSS.
+ - Counter mode and Galois/Counter Mode (GCM) have checks to prevent counter overflow.
+ - Additional CSPs are zeroed in the code.
+ - NSS softoken uses new guidance for how many Rabin-Miller tests are needed to verify a prime
+ based on prime size.
+
+ - NSS softoken has also been updated to allow NSS to run in FIPS Level 1 (no password). This
+ mode is triggered by setting the database password to the empty string. In FIPS mode, you may
+ move from Level 1 to Level 2 (by setting an appropriate password), but not the reverse.
+ - A SSL_ConfigServerCert function has been added for configuring SSL/TLS server sockets with a
+ certificate and private key. Use this new function in place of SSL_ConfigSecureServer,
+ SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, and
+ SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically determines the certificate
+ type from the certificate and private key. The caller is no longer required to use SSLKEAType
+ explicitly to select a "slot" into which the certificate is configured (which incorrectly
+ identifies a key agreement type rather than a certificate). Separate functions for configuring
+ Online Certificate Status Protocol (OCSP) responses or Signed Certificate Timestamps are not
+ needed, since these can be added to the optional SSLExtraServerCertData struct provided to
+ SSL_ConfigServerCert. Also, partial support for RSA Probabilistic Signature Scheme (RSA-PSS)
+ certificates has been added. Although these certificates can be configured, they will not be
+ used by NSS in this version.
+ - For functions that use temporary arenas, allocating a PORTCheapArena on the stack is more
+ performant than allocating a PLArenaPool on the heap. Rather than declaring a PLArenaPool
+ pointer and calling PORT_NewArena/PORT_FreeArena to allocate or free an instance on the heap,
+ declare a PORTCheapArenaPool on the stack and use PORT_InitCheapArena/PORT_DestroyCheapArena
+ to initialize and destroy it. Items allocated from the arena are still created on the heap,
+ only the arena itself is stack-allocated. Note: This approach is only useful when the arena
+ use is tightly bounded, for example, if it is only used in a single function.
+
+.. _new_elements:
+
+`New elements <#new_elements>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ This section lists and briefly describes the new functions, types, and macros in NSS 3.24.
+
+ .. rubric:: New functions
+ :name: new_functions
+
+ - *In ssl.h*
+
+ - SSL_ConfigServerCert - Configures an SSL/TLS socket with a certificate, private key, and
+ other information.
+
+ - *In secport.h*
+
+ - PORT_InitCheapArena - Initializes an arena that was created on the stack. (See
+ PORTCheapArenaPool.)
+ - PORT_DestroyCheapArena - Destroys an arena that was created on the stack. (See
+ PORTCheapArenaPool.)
+
+ .. rubric:: New types
+ :name: new_types
+
+ - *In sslt.h*
+
+ - SSLExtraServerCertData - Optionally passed as an argument to SSL_ConfigServerCert. This
+ struct contains supplementary information about a certificate, such as the intended type of
+ the certificate, stapled OCSP responses, or Signed Certificate Timestamps (used for
+ `certificate transparency `__).
+
+ - *In secport.h*
+
+ - PORTCheapArenaPool - A stack-allocated arena pool, to be used for temporary arena
+ allocations.
+
+ .. rubric:: New macros
+ :name: new_macros
+
+ - *In pkcs11t.h*
+
+ - CKM_TLS12_MAC
+
+ - *In secoidt.h*
+
+ - SEC_OID_TLS_ECDHE_PSK - This OID governs the use of the
+ TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is used only for session
+ resumption in TLS 1.3.
+
+.. _notable_changes_in_nss_3.24:
+
+`Notable changes in NSS 3.24 <#notable_changes_in_nss_3.24>`__
+--------------------------------------------------------------
+
+.. container::
+
+ Additions, deprecations, and other changes in NSS 3.24 are listed below.
+
+ - Deprecate the following functions. (Applications should instead use the new
+ SSL_ConfigServerCert function.)
+
+ - SSL_SetStapledOCSPResponses
+ - SSL_SetSignedCertTimestamps
+ - SSL_ConfigSecureServer
+ - SSL_ConfigSecureServerWithCertChain
+
+ - Deprecate the NSS_FindCertKEAType function, as it reports a misleading value for certificates
+ that might be used for signing rather than key exchange.
+ - Update SSLAuthType to define a larger number of authentication key types.
+ - Deprecate the member attribute **authAlgorithm** of type SSLCipherSuiteInfo. Instead,
+ applications should use the newly added attribute **authType**.
+ - Rename ssl_auth_rsa to ssl_auth_rsa_decrypt.
+ - Add a shared library (libfreeblpriv3) on Linux platforms that define FREEBL_LOWHASH.
+ - Remove most code related to SSL v2, including the ability to actively send a SSLv2-compatible
+ client hello. However, the server-side implementation of the SSL/TLS protocol still supports
+ processing of received v2-compatible client hello messages.
+ - Disable (by default) NSS support in optimized builds for logging SSL/TLS key material to a
+ logfile if the SSLKEYLOGFILE environment variable is set. To enable the functionality in
+ optimized builds, you must define the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
+ - Update NSS to protect it against the Cachebleed attack.
+ - Disable support for DTLS compression.
+ - Improve support for TLS 1.3. This includes support for DTLS 1.3. Note that TLS 1.3 support is
+ experimental and not suitable for production use.
+
+.. _bugs_fixed_in_nss_3.24:
+
+`Bugs fixed in NSS 3.24 <#bugs_fixed_in_nss_3.24>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.24:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.24
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Yuval Yarom for responsibly disclosing the
+ Cachebleed attack by providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.24 shared libraries are backward-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.24 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst
new file mode 100644
index 0000000000..213e02169b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst
@@ -0,0 +1,80 @@
+.. _mozilla_projects_nss_nss_3_25_1_release_notes:
+
+NSS 3.25.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.25.1 is a patch release for NSS 3.25.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_25_1_RTM. NSS 3.25.1 requires NSPR 4.12 or newer.
+
+ NSS 3.25.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_25_1_RTM/src/
+
+.. _new_in_nss_3.25.1:
+
+`New in NSS 3.25.1 <#new_in_nss_3.25.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to address a TLS
+ compatibility issue that some client applications experienced with NSS 3.25.
+
+.. _notable_changes_in_nss_3.25.1:
+
+`Notable Changes in NSS 3.25.1 <#notable_changes_in_nss_3.25.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ MD5 signature algorithms sent by the server in CertificateRequest messages are now properly
+ ignored. Previously, with rare server configurations, an MD5 signature algorithm might have been
+ selected for client authentication and caused the client to abort the connection soon after.
+
+.. _bugs_fixed_in_nss_3.25.1:
+
+`Bugs fixed in NSS 3.25.1 <#bugs_fixed_in_nss_3.25.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - The following bug has been fixed in NSS 3.25.1: `Ignore MD5 signature algorithms in
+ certificate requests `__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.25.1 shared libraries are backwards compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.25.1 shared libraries
+ without recompiling or relinking. Applications that restrict their use of NSS APIs to the
+ functions listed in NSS Public Functions will remain compatible with future versions of the NSS
+ shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst
new file mode 100644
index 0000000000..a65360f257
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst
@@ -0,0 +1,140 @@
+.. _mozilla_projects_nss_nss_3_25_release_notes:
+
+NSS 3.25 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.25, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_25_RTM. NSS 3.25 requires Netscape Portable Runtime(NSPR) 4.12 or newer.
+
+ NSS 3.25 source distributions are available on ftp.mozilla.org for secure HTTPS download at the
+ following location.
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_25_RTM/src/
+
+.. _new_in_nss_3.25:
+
+`New in NSS 3.25 <#new_in_nss_3.25>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Implemented DHE key agreement for TLS 1.3.
+ - Added support for ChaCha with TLS 1.3.
+ - Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF.
+ - Removed the limitation that allowed NSS to only support certificate_verify messages that used
+ the same signature hash algorithm as the PRF when using TLS 1.2 client authentication.
+ - Several functions have been added to the public API of the NSS Cryptoki Framework.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in nssckfw.h*
+
+ - **NSSCKFWSlot_GetSlotID**
+ - **NSSCKFWSession_GetFWSlot**
+ - **NSSCKFWInstance_DestroySessionHandle**
+ - **NSSCKFWInstance_FindSessionHandle**
+
+.. _notable_changes_in_nss_3.25:
+
+`Notable Changes in NSS 3.25 <#notable_changes_in_nss_3.25>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - An SSL socket can no longer be configured to allow both TLS 1.3 and SSL v3.
+ - Regression fix: NSS no longer reports a failure if an application attempts to disable the SSL
+ v2 protocol.
+ - The trusted CA certificate list has been updated to version 2.8.
+ - The following CA certificate was **Removed**
+
+ - CN = Sonera Class1 CA
+
+ - SHA-256 Fingerprint:
+ CD:80:82:84:CF:74:6F:F2:FD:6E:B5:8A:A1:D5:9C:4A:D4:B3:CA:56:FD:C6:27:4A:89:26:A7:83:5F:32:31:3D
+
+ - The following CA certificates were **Added**
+
+ - CN = Hellenic Academic and Research Institutions RootCA 2015
+
+ - SHA-256 Fingerprint:
+ A0:40:92:9A:02:CE:53:B4:AC:F4:F2:FF:C6:98:1C:E4:49:6F:75:5E:6D:45:FE:0B:2A:69:2B:CD:52:52:3F:36
+
+ - CN = Hellenic Academic and Research Institutions ECC RootCA 2015
+
+ - SHA-256 Fingerprint:
+ 44:B5:45:AA:8A:25:E6:5A:73:CA:15:DC:27:FC:36:D2:4C:1C:B9:95:3A:06:65:39:B1:15:82:DC:48:7B:48:33
+
+ - CN = Certplus Root CA G1
+
+ - SHA-256 Fingerprint:
+ 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
+
+ - CN = Certplus Root CA G2
+
+ - SHA-256 Fingerprint:
+ 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
+
+ - CN = OpenTrust Root CA G1
+
+ - SHA-256 Fingerprint:
+ 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
+
+ - CN = OpenTrust Root CA G2
+
+ - SHA-256 Fingerprint:
+ 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
+
+ - CN = OpenTrust Root CA G3
+
+ - SHA-256 Fingerprint:
+ B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
+
+.. _bugs_fixed_in_nss_3.25:
+
+`Bugs fixed in NSS 3.25 <#bugs_fixed_in_nss_3.25>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.25:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.25
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.25 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.25 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst
new file mode 100644
index 0000000000..485527b6c8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst
@@ -0,0 +1,80 @@
+.. _mozilla_projects_nss_nss_3_26_2_release_notes:
+
+NSS 3.26.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.26.2 is a patch release for NSS 3.26.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_26_2_RTM. NSS 3.26.2 requires NSPR 4.12 or newer.
+
+ NSS 3.26.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_26_2_RTM/src/
+
+.. _new_in_nss_3.26.2:
+
+`New in NSS 3.26.2 <#new_in_nss_3.26.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to address a TLS
+ compatibility issue that some client applications experienced with NSS 3.26.1.
+
+.. _notable_changes_in_nss_3.26.2:
+
+`Notable Changes in NSS 3.26.2 <#notable_changes_in_nss_3.26.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ MD5 signature algorithms sent by the server in CertificateRequest messages are now properly
+ ignored. Previously, with rare server configurations, an MD5 signature algorithm might have been
+ selected for client authentication and caused the client to abort the connection soon after.
+
+.. _bugs_fixed_in_nss_3.26.2:
+
+`Bugs fixed in NSS 3.26.2 <#bugs_fixed_in_nss_3.26.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - The following bug has been fixed in NSS 3.26.2: `Ignore MD5 signature algorithms in
+ certificate requests `__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.26.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.26.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst
new file mode 100644
index 0000000000..9c47dcf087
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst
@@ -0,0 +1,91 @@
+.. _mozilla_projects_nss_nss_3_26_release_notes:
+
+NSS 3.26 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.26, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_26_RTM. NSS 3.26 requires Netscape Portable Runtime(NSPR) 4.12 or newer.
+
+ NSS 3.26 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_26_RTM/src/
+
+.. _new_in_nss_3.26:
+
+`New in NSS 3.26 <#new_in_nss_3.26>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - the selfserv test utility has been enhanced to support ALPN (HTTP/1.1) and 0-RTT
+ - added support for the System-wide crypto policy available on Fedora Linux, see
+ http://fedoraproject.org/wiki/Changes/CryptoPolicy
+ - introduced build flag NSS_DISABLE_LIBPKIX which allows compilation of NSS without the libpkix
+ library
+
+.. _notable_changes_in_nss_3.26:
+
+`Notable Changes in NSS 3.26 <#notable_changes_in_nss_3.26>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificate was **Added**
+
+ - CN = ISRG Root X1
+
+ - SHA-256 Fingerprint:
+ 96:BC:EC:06:26:49:76:F3:74:60:77:9A:CF:28:C5:A7:CF:E8:A3:C0:AA:E1:1A:8F:FC:EE:05:C0:BD:DF:08:C6
+
+ - NPN is disabled, and ALPN is enabled by default
+ - the NSS test suite now completes with the experimental TLS 1.3 code enabled
+ - several test improvements and additions, including a NIST known answer test
+
+.. _bugs_fixed_in_nss_3.26:
+
+`Bugs fixed in NSS 3.26 <#bugs_fixed_in_nss_3.26>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.26:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.26
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.26 shared libraries are backwards compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.26 shared libraries
+ without recompiling or relinking. Applications that restrict their use of NSS APIs, to the
+ functions listed in NSS Public Functions, will remain compatible with future versions of the NSS
+ shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst
new file mode 100644
index 0000000000..bebbb52ef2
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst
@@ -0,0 +1,92 @@
+.. _mozilla_projects_nss_nss_3_27_1_release_notes:
+
+NSS 3.27.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.27.1 is a patch release for NSS 3.27.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_27_1_RTM. NSS 3.27.1 requires NSPR 4.13 or newer.
+
+ NSS 3.27.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_27_1_RTM/src/
+
+.. _new_in_nss_3.27.1:
+
+`New in NSS 3.27.1 <#new_in_nss_3.27.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to address a TLS
+ compatibility issue which some applications experienced with NSS 3.27.
+
+.. _notable_changes_in_nss_3.27.1:
+
+`Notable Changes in NSS 3.27.1 <#notable_changes_in_nss_3.27.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ Availability of the TLS 1.3 (draft) implementation has been re-disabled in the default build.
+
+ Previous versions of NSS made TLS 1.3 (draft) available only when compiled with
+ NSS_ENABLE_TLS_1_3. NSS 3.27 set this value on by default, allowing TLS 1.3 (draft) to be
+ disabled using NSS_DISABLE_TLS_1_3, although the maximum version used by default remained TLS
+ 1.2.
+
+ However, some applications query the list of protocol versions that are supported by the NSS
+ library, enabling all supported TLS protocol versions. Because NSS 3.27 enabled compilation of
+ TLS 1.3 (draft) by default, it caused those applications to enable TLS 1.3 (draft). This resulted
+ in connectivity failures, as some TLS servers are version 1.3 intolerant, and failed to negotiate
+ an earlier TLS version with NSS 3.27 clients.
+
+ NSS 3.27.1 once again requires NSS_ENABLE_TLS_1_3 to be deliberately set to enable TLS 1.3
+ (draft).
+
+.. _bugs_fixed_in_nss_3.27.1:
+
+`Bugs fixed in NSS 3.27.1 <#bugs_fixed_in_nss_3.27.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - The following bug has been fixed in NSS 3.27.1: `Re-disable TLS 1.3 by
+ default `__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.27.1 shared libraries are backwards compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.27.1 shared libraries
+ without recompiling or relinking. Applications that restrict their use of NSS APIs to the
+ functions listed in NSS Public Functions will remain compatible with future versions of the NSS
+ shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst
new file mode 100644
index 0000000000..06c03b0644
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst
@@ -0,0 +1,84 @@
+.. _mozilla_projects_nss_nss_3_27_2_release_notes:
+
+NSS 3.27.2 Release Notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.27.2 is a patch release for NSS 3.27.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_27_2_RTM. NSS 3.27.2 requires NSPR 4.13 or newer.
+
+ NSS 3.27.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ `https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_27_2_RTM/src/ `__
+
+.. _new_in_nss_3.27.2:
+
+`New in NSS 3.27.2 <#new_in_nss_3.27.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to address a memory
+ leak in the ``SSL_SetTrustAnchors()`` function.
+
+.. _notable_changes_in_nss_3.27.2:
+
+`Notable Changes in NSS 3.27.2 <#notable_changes_in_nss_3.27.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ The ``SSL_SetTrustAnchors()`` function is used to set the distinguished names that an NSS server
+ includes in its TLS CertificateRequest message. If this function is not used, NSS will include
+ the distinguished names for all trust anchors installed in the database. This can be a lengthy
+ list.
+
+ Previous versions of NSS leaked the memory used to store distinguished names when
+ ``SSL_SetTrustAnchors()`` was used. This release fixes that error.
+
+.. _bugs_fixed_in_nss_3.27.2:
+
+`Bugs fixed in NSS 3.27.2 <#bugs_fixed_in_nss_3.27.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - The following bug has been fixed in NSS 3.27.2: `Bug 1318561 - SSL_SetTrustAnchors
+ leaks `__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.27.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.27.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst
new file mode 100644
index 0000000000..5fd0b1bfff
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst
@@ -0,0 +1,149 @@
+.. _mozilla_projects_nss_nss_3_27_release_notes:
+
+NSS 3.27 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.27, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_27_RTM. NSS 3.27 requires Netscape Portable Runtime(NSPR) 4.13 or newer.
+
+ NSS 3.27 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_27_RTM/src/
+
+.. _new_in_nss_3.27:
+
+`New in NSS 3.27 <#new_in_nss_3.27>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Allow custom named group priorities for TLS key exchange handshake (SSL_NamedGroupConfig).
+ - Added support for RSA-PSS signatures in TLS 1.2 and TLS 1.3
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - in ssl.h
+
+ - SSL_NamedGroupConfig
+
+.. _notable_changes_in_nss_3.27:
+
+`Notable Changes in NSS 3.27 <#notable_changes_in_nss_3.27>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - *UPDATE 2016-10-02:*
+
+ - The maximum TLS version supported has been increased to TLS 1.3 (draft).
+ - Although the maximum TLS version enabled by default is still TLS 1.2, there are
+ applications that query the list of TLS protocol versions supported by NSS, and enable all
+ supported versions. For those applications, updating to NSS 3.27 may result in TLS 1.3
+ (draft) to be enabled.
+ - The TLS 1.3 (draft) protocol can be disabled, by defining symbol NSS_DISABLE_TLS_1_3 when
+ building NSS.
+
+ - NPN can not be enabled anymore.
+ - Hard limits on the maximum number of TLS records encrypted with the same key are enforced.
+ - Disabled renegotiation in DTLS.
+ - The following CA certificates were **Removed**
+
+ - CN = IGC/A, O = PM/SGDN, OU = DCSSI
+
+ - SHA256 Fingerprint:
+ B9:BE:A7:86:0A:96:2E:A3:61:1D:AB:97:AB:6D:A3:E2:1C:10:68:B9:7D:55:57:5E:D0:E1:12:79:C1:1C:89:32
+
+ - CN = Juur-SK, O = AS Sertifitseerimiskeskus
+
+ - SHA256 Fingerprint:
+ EC:C3:E9:C3:40:75:03:BE:E0:91:AA:95:2F:41:34:8F:F8:8B:AA:86:3B:22:64:BE:FA:C8:07:90:15:74:E9:39
+
+ - CN = EBG Elektronik Sertifika Hizmet Sağlayıcısı
+
+ - SHA-256 Fingerprint:
+ 35:AE:5B:DD:D8:F7:AE:63:5C:FF:BA:56:82:A8:F0:0B:95:F4:84:62:C7:10:8E:E9:A0:E5:29:2B:07:4A:AF:B2
+
+ - CN = S-TRUST Authentication and Encryption Root CA 2005:PN
+
+ - SHA-256 Fingerprint:
+ 37:D8:DC:8A:F7:86:78:45:DA:33:44:A6:B1:BA:DE:44:8D:8A:80:E4:7B:55:79:F9:6B:F6:31:76:8F:9F:30:F6
+
+ - O = VeriSign, Inc., OU = Class 1 Public Primary Certification Authority
+
+ - SHA-256 Fingerprint:
+ 51:84:7C:8C:BD:2E:9A:72:C9:1E:29:2D:2A:E2:47:D7:DE:1E:3F:D2:70:54:7A:20:EF:7D:61:0F:38:B8:84:2C
+
+ - O = VeriSign, Inc., OU = Class 2 Public Primary Certification Authority - G2
+
+ - SHA-256 Fingerprint:
+ 3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1
+
+ - O = VeriSign, Inc., OU = Class 3 Public Primary Certification Authority
+
+ - SHA-256 Fingerprint:
+ E7:68:56:34:EF:AC:F6:9A:CE:93:9A:6B:25:5B:7B:4F:AB:EF:42:93:5B:50:A2:65:AC:B5:CB:60:27:E4:4E:70
+
+ - O = Equifax, OU = Equifax Secure Certificate Authority
+
+ - SHA-256 Fingerprint:
+ 08:29:7A:40:47:DB:A2:36:80:C7:31:DB:6E:31:76:53:CA:78:48:E1:BE:BD:3A:0B:01:79:A7:07:F9:2C:F1:78
+
+ - CN = Equifax Secure eBusiness CA-1
+
+ - SHA-256 Fingerprint:
+ CF:56:FF:46:A4:A1:86:10:9D:D9:65:84:B5:EE:B5:8A:51:0C:42:75:B0:E5:F9:4F:40:BB:AE:86:5E:19:F6:73
+
+ - CN = Equifax Secure Global eBusiness CA-1
+
+ - SHA-256 Fingerprint:
+ 5F:0B:62:EA:B5:E3:53:EA:65:21:65:16:58:FB:B6:53:59:F4:43:28:0A:4A:FB:D1:04:D7:7D:10:F9:F0:4C:07
+
+.. _bugs_fixed_in_nss_3.27:
+
+`Bugs fixed in NSS 3.27 <#bugs_fixed_in_nss_3.27>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.27:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.27
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.27 shared libraries are backwards compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.27 shared libraries
+ without recompiling or relinking. Applications that restrict their use of NSS APIs to the
+ functions listed in NSS Public Functions will remain compatible with future versions of the NSS
+ shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst
new file mode 100644
index 0000000000..3a8f749afc
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst
@@ -0,0 +1,148 @@
+.. _mozilla_projects_nss_nss_3_28_1_release_notes:
+
+NSS 3.28.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.28.1 is a patch release for NSS 3.28. The bug fixes in NSS
+ 3.28.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_28_1_RTM. NSS 3.28.1 requires NSPR 4.13.1 or newer.
+
+ NSS 3.28.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_1_RTM/src/
+
+.. _new_in_nss_3.28.1:
+
+`New in NSS 3.28.1 <#new_in_nss_3.28.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to update the list of
+ root CA certificates, and address a minor TLS compatibility issue, that some applications
+ experienced with NSS 3.28.
+
+.. _notable_changes_in_nss_3.28.1:
+
+`Notable Changes in NSS 3.28.1 <#notable_changes_in_nss_3.28.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Removed**
+
+ - CN = Buypass Class 2 CA 1
+
+ - SHA-256 Fingerprint:
+ 0F:4E:9C:DD:26:4B:02:55:50:D1:70:80:63:40:21:4F:E9:44:34:C9:B0:2F:69:7E:C7:10:FC:5F:EA:FB:5E:38
+
+ - CN = Root CA Generalitat Valenciana
+
+ - SHA-256 Fingerprint:
+ 8C:4E:DF:D0:43:48:F3:22:96:9E:7E:29:A4:CD:4D:CA:00:46:55:06:1C:16:E1:B0:76:42:2E:F3:42:AD:63:0E
+
+ - OU = RSA Security 2048 V3
+
+ - SHA-256 Fingerprint:
+ AF:8B:67:62:A1:E5:28:22:81:61:A9:5D:5C:55:9E:E2:66:27:8F:75:D7:9E:83:01:89:A5:03:50:6A:BD:6B:4C
+
+ - The following CA certificates were **Added**
+
+ - OU = AC RAIZ FNMT-RCM
+
+ - SHA-256 Fingerprint:
+ EB:C5:57:0C:29:01:8C:4D:67:B1:AA:12:7B:AF:12:F7:03:B4:61:1E:BC:17:B7:DA:B5:57:38:94:17:9B:93:FA
+
+ - CN = Amazon Root CA 1
+
+ - SHA-256 Fingerprint:
+ 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
+
+ - CN = Amazon Root CA 2
+
+ - SHA-256 Fingerprint:
+ 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4
+
+ - CN = Amazon Root CA 3
+
+ - SHA-256 Fingerprint:
+ 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4
+
+ - CN = Amazon Root CA 4
+
+ - SHA-256 Fingerprint:
+ E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92
+
+ - CN = LuxTrust Global Root 2
+
+ - SHA-256 Fingerprint:
+ 54:45:5F:71:29:C2:0B:14:47:C4:18:F9:97:16:8F:24:C5:8F:C5:02:3B:F5:DA:5B:E2:EB:6E:1D:D8:90:2E:D5
+
+ - CN = Symantec Class 1 Public Primary Certification Authority - G4
+
+ - SHA-256 Fingerprint:
+ 36:3F:3C:84:9E:AB:03:B0:A2:A0:F6:36:D7:B8:6D:04:D3:AC:7F:CF:E2:6A:0A:91:21:AB:97:95:F6:E1:76:DF
+
+ - CN = Symantec Class 1 Public Primary Certification Authority - G6
+
+ - SHA-256 Fingerprint:
+ 9D:19:0B:2E:31:45:66:68:5B:E8:A8:89:E2:7A:A8:C7:D7:AE:1D:8A:AD:DB:A3:C1:EC:F9:D2:48:63:CD:34:B9
+
+ - CN = Symantec Class 2 Public Primary Certification Authority - G4
+
+ - SHA-256 Fingerprint:
+ FE:86:3D:08:22:FE:7A:23:53:FA:48:4D:59:24:E8:75:65:6D:3D:C9:FB:58:77:1F:6F:61:6F:9D:57:1B:C5:92
+
+ - CN = Symantec Class 2 Public Primary Certification Authority - G6
+
+ - SHA-256 Fingerprint:
+ CB:62:7D:18:B5:8A:D5:6D:DE:33:1A:30:45:6B:C6:5C:60:1A:4E:9B:18:DE:DC:EA:08:E7:DA:AA:07:81:5F:F0
+
+ - The version number of the updated root CA list has been set to 2.11
+ - A misleading assertion/alert has been removed, when NSS tries to flush data to the peer but
+ the connection was already reset.
+
+.. _bugs_fixed_in_nss_3.28.1:
+
+`Bugs fixed in NSS 3.28.1 <#bugs_fixed_in_nss_3.28.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ | `Bug 1296697 - December 2016 batch of root CA
+ changes `__
+ | `Bug 1322496 - Internal error assert when the other side closes connection before reading
+ EOED `__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.28.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst
new file mode 100644
index 0000000000..6bfa1fe610
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst
@@ -0,0 +1,79 @@
+.. _mozilla_projects_nss_nss_3_28_2_release_notes:
+
+NSS 3.28.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.28.2 is a patch release for NSS 3.28.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_28_2_RTM. NSS 3.28.2 requires NSPR 4.13.1 or newer.
+
+ NSS 3.28.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_2_RTM/src/
+
+.. _incorrect_version_number:
+
+`Incorrect version number <#incorrect_version_number>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Note the version numbers embedded in the NSS 3.28.2 are wrong (it reports itself as version
+ 3.28.1).
+
+.. _new_in_nss_3.28.2:
+
+`New in NSS 3.28.2 <#new_in_nss_3.28.2>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release includes bug fixes
+ and addresses some compatibility issues with TLS.
+
+.. _bugs_fixed_in_nss_3.28.2:
+
+`Bugs fixed in NSS 3.28.2 <#bugs_fixed_in_nss_3.28.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1334114 - NSS 3.28 regression in signature scheme flexibility, causes connectivity issue
+ between iOS 8 clients and NSS servers with ECDSA
+ certificates `__
+ - `Bug 1330612 - X25519 is the default curve for ECDHE in
+ NSS `__
+ - `Bug 1323150 - Crash [@ ReadDBEntry
+ ] `__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.28.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst
new file mode 100644
index 0000000000..272516d5a6
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst
@@ -0,0 +1,95 @@
+.. _mozilla_projects_nss_nss_3_28_3_release_notes:
+
+NSS 3.28.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.28.3 is a patch release for NSS 3.28. The bug fixes in NSS
+ 3.28.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_28_3_RTM. NSS 3.28.3 requires Netscape Portable Runtime(NSPR) 4.13.1 or
+ newer.
+
+ NSS 3.28.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_28_3_RTM/src/
+
+.. _new_in_nss_3.28.3:
+
+`New in NSS 3.28.3 <#new_in_nss_3.28.3>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix binary
+ compatibility issues.
+
+.. _bugs_fixed_in_nss_3.28.3:
+
+`Bugs fixed in NSS 3.28.3 <#bugs_fixed_in_nss_3.28.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ NSS version 3.28, 3.28.1 and 3.28.2 contained changes that were in violation with the NSS
+ compatibility promise.
+
+ ECParams, which is part of the public API of the freebl/softokn parts of NSS, had been changed to
+ include an additional attribute. That size increase caused crashes or malfunctioning with
+ applications that use that data structure directly, or indirectly through ECPublicKey,
+ ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially other data structures that
+ reference ECParams. The change has been reverted to the original state in `bug
+ 1334108 `__.
+
+ SECKEYECPublicKey had been extended with a new attribute, named "encoding". If an application
+ passed type SECKEYECPublicKey to NSS (as part of SECKEYPublicKey), the NSS library read the
+ uninitialized attribute. With this NSS release SECKEYECPublicKey.encoding is deprecated. NSS no
+ longer reads the attribute, and will always set it to ECPoint_Undefined. See `bug
+ 1340103 `__.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28.3 shared libraries are backward compatible with most older NSS 3.x shared libraries, but
+ depending on your application, may be incompatible, if you application has been compiled against
+ header files of versions 3.28, 3.28.1, or 3.28.2.
+
+ A program linked with most older NSS 3.x shared libraries (excluding the exceptions mentioned
+ above), will work with NSS 3.28.3 shared libraries without recompiling or relinking. Furthermore,
+ applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions
+ will remain compatible with future versions of the NSS shared libraries.
+
+ If you had compiled your application against header files of NSS 3.28, NSS 3.28.1 or NSS 3.28.2,
+ it is recommended that you recompile your application against NSS 3.28.3, at the time you upgrade
+ to NSS 3.28.3.
+
+ Please note that NSS 3.29 also contained the incorrect change. You should avoid using NSS 3.29,
+ and rather use NSS 3.29.1 or a newer version. See also the
+ :ref:`mozilla_projects_nss_nss_3_29_1_release_notes`
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst
new file mode 100644
index 0000000000..9b213e5456
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst
@@ -0,0 +1,77 @@
+.. _mozilla_projects_nss_nss_3_28_4_release_notes:
+
+NSS 3.28.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.28.4 is a security patch release for NSS 3.28. The bug fixes in
+ NSS 3.28.4 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_28_4_RTM. NSS 3.28.4 requires NSPR 4.13.1 or newer.
+
+ NSS 3.28.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_4_RTM/src/
+
+.. _new_in_nss_3.28.4:
+
+`New in NSS 3.28.4 <#new_in_nss_3.28.4>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.28.4:
+
+`Bugs fixed in NSS 3.28.4 <#bugs_fixed_in_nss_3.28.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1344380 `__ / Out-of-bounds write
+ in Base64 encoding in NSS
+ (`CVE-2017-5461 `__)
+ - `Bug 1345089 `__ / DRBG flaw in NSS
+ (`CVE-2017-5462 `__)
+ - `Bug 1342358 - Crash in
+ tls13_DestroyKeyShares `__
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Ronald Crane and Vladimir Klebanov for responsibly
+ disclosing the issues by providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.28.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst
new file mode 100644
index 0000000000..224649d596
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst
@@ -0,0 +1,116 @@
+.. _mozilla_projects_nss_nss_3_28_5_release_notes:
+
+NSS 3.28.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.28.5 is a patch release for NSS 3.28. The bug fixes in NSS
+ 3.28.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_28_5_RTM. NSS 3.28.5 requires NSPR 4.13.1 or newer.
+
+ NSS 3.28.5 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_5_RTM/src/
+
+.. _new_in_nss_3.28.5:
+
+`New in NSS 3.28.5 <#new_in_nss_3.28.5>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to update the list of
+ root CA certificates. It backports the changes that were initially released in
+ :ref:`mozilla_projects_nss_nss_3_30_2_release_notes`.
+
+.. _notable_changes_in_nss_3.28.5:
+
+`Notable Changes in NSS 3.28.5 <#notable_changes_in_nss_3.28.5>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Removed:**
+
+ - O = Japanese Government, OU = ApplicationCA
+
+ - SHA-256 Fingerprint:
+ 2D:47:43:7D:E1:79:51:21:5A:12:F3:C5:8E:51:C7:29:A5:80:26:EF:1F:CC:0A:5F:B3:D9:DC:01:2F:60:0D:19
+
+ - CN = WellsSecure Public Root Certificate Authority
+
+ - SHA-256 Fingerprint:
+ A7:12:72:AE:AA:A3:CF:E8:72:7F:7F:B3:9F:0F:B3:D1:E5:42:6E:90:60:B0:6E:E6:F1:3E:9A:3C:58:33:CD:43
+
+ - CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
+
+ - SHA-256 Fingerprint:
+ 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
+
+ - CN=Microsec e-Szigno Root
+
+ - SHA-256 Fingerprint:
+ 32:7A:3D:76:1A:BA:DE:A0:34:EB:99:84:06:27:5C:B1:A4:77:6E:FD:AE:2F:DF:6D:01:68:EA:1C:4F:55:67:D0
+
+ - The following CA certificates were **Added:**
+
+ - CN = D-TRUST Root CA 3 2013
+
+ - SHA-256 Fingerprint:
+ A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
+ - Trust Flags: Email
+
+ - CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+
+ - SHA-256 Fingerprint:
+ 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
+ - Trust Flags: Websites
+ - Technically constrained to: gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr, kep.tr, bel.tr,
+ edu.tr, org.tr
+
+ - The version number of the updated root CA list has been set to 2.14.
+ (The version numbers 2.12 and 2.13 for the root CA list have been skipped.)
+
+.. _bugs_fixed_in_nss_3.28.5:
+
+`Bugs fixed in NSS 3.28.5 <#bugs_fixed_in_nss_3.28.5>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1350859 `__ - March 2017 batch of
+ root CA changes.
+ - `Bug 1349705 `__ - Implemented domain
+ name constraints for CA: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.28.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst
new file mode 100644
index 0000000000..6e5f14573a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst
@@ -0,0 +1,170 @@
+.. _mozilla_projects_nss_nss_3_28_release_notes:
+
+NSS 3.28 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.28, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_28_RTM. NSS 3.28 requires Netscape Portable Runtime(NSPR) 4.13.1 or newer.
+
+ NSS 3.28 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_28_RTM/src/
+
+.. _new_in_nss_3.28:
+
+`New in NSS 3.28 <#new_in_nss_3.28>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - NSS includes support for `TLS 1.3 draft
+ -18 `__. This includes a
+ number of improvements to TLS 1.3:
+
+ - The signed certificate timestamp, used in certificate transparency, is supported in TLS 1.3
+ (`bug 1252745 `__).
+ - Key exporters for TLS 1.3 are supported (`bug
+ 1310610 `__). This includes the
+ early key exporter, which can be used if 0-RTT is enabled. Note that there is a difference
+ between TLS 1.3 and key exporters in older versions of TLS. TLS 1.3 does not distinguish
+ between an empty context and no context.
+ - The TLS 1.3 (draft) protocol can be enabled, by defining NSS_ENABLE_TLS_1_3=1 when building
+ NSS.
+
+ - NSS includes support for `the X25519 key exchange
+ algorithm `__ (`bug
+ 957105 `__), which is supported and
+ enabled by default in all versions of TLS.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - in ssl.h
+
+ - **SSL_ExportEarlyKeyingMaterial** implements a key exporter based on the TLS 1.3 early
+ exporter secret. This API is equivalent in function to SSL_ExportKeyingMaterial, but it
+ can only succeed if 0-RTT was attempted (on the client) or accepted (on the server).
+
+ - **SSL_SendAdditionalKeyShares** configures a TLS 1.3 client so that it generates additional
+ key shares when sending a ClientHello.
+
+ - **SSL_SignatureSchemePrefSet** allows an application to set which signature schemes should
+ be supported in TLS and to specify the preference order of those schemes.
+
+ - **SSL_SignatureSchemePrefGet** allows an application to learn the currently supported and
+ enabled signature schemes for a socket.
+
+.. _request_to_test_and_prepare_for_tls_1.3:
+
+`Request to test and prepare for TLS 1.3 <#request_to_test_and_prepare_for_tls_1.3>`__
+--------------------------------------------------------------------------------------
+
+.. container::
+
+ This release contains improved support for TLS 1.3, however, the code that supports TLS 1.3 is
+ still disabled by default (not built).
+
+ For the future NSS 3.29 release, it is planned that standard builds of NSS will support the TLS
+ 1.3 protocol (although the maximum TLS protocol version enabled by default will remain at TLS
+ 1.2).
+
+ We know that some applications which use NSS, query NSS for the supported range of SSL/TLS
+ protocols, and will enable the maximum enabled protocol version. In NSS 3.29, those applications
+ will therefore enable support for the TLS 1.3 protocol.
+
+ In order to prepare for this future change, we'd like to encourage all users of NSS to override
+ the standard NSS 3.28 build configuration, by defining NSS_ENABLE_TLS_1_3=1 at build time. This
+ will enable support for TLS 1.3. Please give feedback to the NSS developers for any compatibility
+ issues that you encounter in your tests.
+
+.. _notable_changes_in_nss_3.28:
+
+`Notable Changes in NSS 3.28 <#notable_changes_in_nss_3.28>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - NSS can no longer be compiled with support for additional elliptic curves (the
+ NSS_ECC_MORE_THAN_SUITE_B option, `bug
+ 1253912 `__). This was previously
+ possible by replacing certain NSS source files.
+ - NSS will now detect the presence of tokens that support additional elliptic curves and enable
+ those curves for use in TLS (`bug
+ 1303648 `__). Note that this detection
+ has a one-off performance cost, which can be avoided by using the SSL_NamedGroupConfig
+ function, to limit supported groups to those that NSS provides.
+ - PKCS#11 bypass for TLS is no longer supported and has been removed (`bug
+ 1303224 `__).
+ - Support for "export" grade SSL/TLS cipher suites has been removed (`bug
+ 1252849 `__).
+ - NSS now uses the signature schemes definition in TLS 1.3 (`bug
+ 1309446 `__). This also affects TLS
+ 1.2. NSS will now only generate signatures with the combinations of hash and signature scheme
+ that are defined in TLS 1.3, even when negotiating TLS 1.2.
+
+ - This means that SHA-256 will only be used with P-256 ECDSA certificates, SHA-384 with P-384
+ certificates, and SHA-512 with P-521 certificates. SHA-1 is permitted (in TLS 1.2 only)
+ with any certificate for backward compatibility reasons.
+ - New functions to configure signature schemes are provided: **SSL_SignatureSchemePrefSet,
+ SSL_SignatureSchemePrefGet**. The old SSL_SignaturePrefSet and SSL_SignaturePrefSet
+ functions are now deprecated.
+ - NSS will now no longer assume that default signature schemes are supported by a peer if
+ there was no commonly supported signature scheme.
+
+ - NSS will now check if RSA-PSS signing is supported by the token that holds the private key
+ prior to using it for TLS (`bug
+ 1311950 `__).
+ - The certificate validation code contains checks to no longer trust certificates that are
+ issued by old WoSign and StartCom CAs, after October 21, 2016. This is equivalent to the
+ behavior that Mozilla will release with Firefox 51. Background information can be found in
+ `Mozilla's blog
+ post `__.
+
+.. _bugs_fixed_in_nss_3.28:
+
+`Bugs fixed in NSS 3.28 <#bugs_fixed_in_nss_3.28>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.28:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.28
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.28 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.28 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst
new file mode 100644
index 0000000000..7bd3ccee49
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst
@@ -0,0 +1,94 @@
+.. _mozilla_projects_nss_nss_3_29_1_release_notes:
+
+NSS 3.29.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.29.1 is a patch release for NSS 3.29. The bug fixes in NSS
+ 3.29.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_29_1_RTM. NSS 3.29.1 requires Netscape Portable Runtime(NSPR) 4.13.1 or
+ newer.
+
+ NSS 3.29.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_29_1_RTM/src/
+
+.. _new_in_nss_3.29.1:
+
+`New in NSS 3.29.1 <#new_in_nss_3.29.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix binary
+ compatibility issues.
+
+.. _bugs_fixed_in_nss_3.29.1:
+
+`Bugs fixed in NSS 3.29.1 <#bugs_fixed_in_nss_3.29.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ NSS version 3.28, 3.28.1, 3.28.2 and 3.29 contained changes that were in violation with the NSS
+ compatibility promise.
+
+ ECParams, which is part of the public API of the freebl/softokn parts of NSS, had been changed to
+ include an additional attribute. That size increase caused crashes or malfunctioning with
+ applications that use that data structure directly, or indirectly through ECPublicKey,
+ ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially other data structures that
+ reference ECParams. The change has been reverted to the original state in `bug
+ 1334108 `__.
+
+ SECKEYECPublicKey had been extended with a new attribute, named "encoding". If an application
+ passed type SECKEYECPublicKey to NSS (as part of SECKEYPublicKey), the NSS library read the
+ uninitialized attribute. With this NSS release SECKEYECPublicKey.encoding is deprecated. NSS no
+ longer reads the attribute, and will always set it to ECPoint_Undefined. See `bug
+ 1340103 `__.
+
+ Note that NSS 3.28.3 from the older NSS 3.28.x branch
+ :ref:`mozilla_projects_nss_nss_3_28_3_release_notes` with the identical fixes.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.29.1 shared libraries are backward compatible with most older NSS 3.x shared libraries, but
+ depending on your application, may be incompatible, if you application has been compiled against
+ header files of versions 3.28, 3.28.1, 3.28.2 NSS 3.29.1.
+
+ A program linked with most older NSS 3.x shared libraries (excluding the exceptions mentioned
+ above), will work with NSS 3.29.1 shared libraries without recompiling or relinking. Furthermore,
+ applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions
+ will remain compatible with future versions of the NSS shared libraries.
+
+ If you had compiled your application against header files of NSS 3.28, NSS 3.28.1, NSS 3.28.2 or
+ NSS 3.29, it is recommended that you recompile your application against NSS 3.29.1 (or NSS
+ 3.28.3), at the time you upgrade to NSS 3.29.1 (or NSS 3.28.3).
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst
new file mode 100644
index 0000000000..330728d9e7
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst
@@ -0,0 +1,71 @@
+.. _mozilla_projects_nss_nss_3_29_2_release_notes:
+
+NSS 3.29.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.29.2 is a patch release for NSS 3.29. The bug fixes in NSS
+ 3.29.2 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_29_2_RTM. NSS 3.29.2 requires Netscape Portable Runtime(NSPR) 4.13.1 or
+ newer.
+
+ NSS 3.29.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_29_2_RTM/src/
+
+.. _new_in_nss_3.29.2:
+
+`New in NSS 3.29.2 <#new_in_nss_3.29.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.29.2:
+
+`Bugs fixed in NSS 3.29.2 <#bugs_fixed_in_nss_3.29.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ NSS 3.29 and 3.29.1 included a change that reduced the time that NSS considered a TLS session
+ ticket to be valid. This release restores the session ticket lifetime to the intended value. See
+ `Bug 1340841 `__ for details.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.29.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.29.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst
new file mode 100644
index 0000000000..bae366b96e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst
@@ -0,0 +1,73 @@
+.. _mozilla_projects_nss_nss_3_29_3_release_notes:
+
+NSS 3.29.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.29.3 is a patch release for NSS 3.29. The bug fixes in NSS
+ 3.29.3 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_29_3_RTM. NSS 3.29.3 requires NSPR 4.13.1 or newer.
+
+ NSS 3.29.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_3_RTM/src/
+
+.. _new_in_nss_3.29.3:
+
+`New in NSS 3.29.3 <#new_in_nss_3.29.3>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _notable_changes_in_nss_3.29.3:
+
+`Notable Changes in NSS 3.29.3 <#notable_changes_in_nss_3.29.3>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - A rare crash when initializing an SSL socket fails has been fixed.
+
+.. _bugs_fixed_in_nss_3.29.3:
+
+`Bugs fixed in NSS 3.29.3 <#bugs_fixed_in_nss_3.29.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ `Bug 1342358 - Crash in
+ tls13_DestroyKeyShares `__
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.29.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.29.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst
new file mode 100644
index 0000000000..d4dd1eafd7
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_nss_3_29_5_release_notes:
+
+NSS 3.29.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.29.5 is a security patch release for NSS 3.29. The bug fixes in
+ NSS 3.29.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_29_5_RTM. NSS 3.29.5 requires NSPR 4.13.1 or newer.
+
+ NSS 3.29.5 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_5_RTM/src/
+
+.. _new_in_nss_3.29.5:
+
+`New in NSS 3.29.5 <#new_in_nss_3.29.5>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.29.5:
+
+`Bugs fixed in NSS 3.29.5 <#bugs_fixed_in_nss_3.29.5>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1344380 `__ / Out-of-bounds write
+ in Base64 encoding in NSS
+ (`CVE-2017-5461 `__)
+ - `Bug 1345089 `__ / DRBG flaw in NSS
+ (`CVE-2017-5462 `__)
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Ronald Crane and Vladimir Klebanov for responsibly
+ disclosing the issues by providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.29.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.29.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst
new file mode 100644
index 0000000000..d43a743c70
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_nss_3_29_release_notes:
+
+NSS 3.29 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.29, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_29_RTM. NSS 3.29 requires Netscape Portable Runtime(NSPR) 4.13.1 or newer.
+
+ NSS 3.29 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_RTM/src/
+
+.. _notable_changes_in_nss_3.29:
+
+`Notable Changes in NSS 3.29 <#notable_changes_in_nss_3.29>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Fixed a NSS 3.28 regression in the signature scheme flexibility that causes connectivity
+ issues between iOS 8 clients and NSS servers with ECDSA certificates
+ (`bug1334114 `__).
+ - TLS 1.3 is now enabled by default in
+ (`bug1311296 `__).
+
+.. _bugs_fixed_in_nss_3.29:
+
+`Bugs fixed in NSS 3.29 <#bugs_fixed_in_nss_3.29>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.29:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.29
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.29 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.29 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst
new file mode 100644
index 0000000000..cafb0f58b8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst
@@ -0,0 +1,73 @@
+.. _mozilla_projects_nss_nss_3_30_1_release_notes:
+
+NSS 3.30.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.30.1 is a security patch release for NSS 3.30. The bug fixes in
+ NSS 3.30.1 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_30_1_RTM. NSS 3.30.1 requires NSPR 4.14 or newer.
+
+ NSS 3.30.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_1_RTM/src/
+
+.. _new_in_nss_3.30.1:
+
+`New in NSS 3.30.1 <#new_in_nss_3.30.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.30.1:
+
+`Bugs fixed in NSS 3.30.1 <#bugs_fixed_in_nss_3.30.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1344380 `__ / Out-of-bounds write
+ in Base64 encoding in NSS
+ (`CVE-2017-5461 `__)
+
+`Acknowledgements <#acknowledgements>`__
+----------------------------------------
+
+.. container::
+
+ The NSS development team would like to thank Ronald Crane for responsibly disclosing the issue by
+ providing advance copies of their research.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.30.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.30.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst
new file mode 100644
index 0000000000..cd3c9edf05
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst
@@ -0,0 +1,115 @@
+.. _mozilla_projects_nss_nss_3_30_2_release_notes:
+
+NSS 3.30.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.30.2 is a patch release for NSS 3.30. The bug fixes in NSS
+ 3.30.2 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_30_2_RTM. NSS 3.30.2 requires NSPR 4.14 or newer.
+
+ NSS 3.30.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_2_RTM/src/
+
+.. _new_in_nss_3.30.2:
+
+`New in NSS 3.30.2 <#new_in_nss_3.30.2>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to update the list of
+ root CA certificates.
+
+.. _notable_changes_in_nss_3.30.2:
+
+`Notable Changes in NSS 3.30.2 <#notable_changes_in_nss_3.30.2>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Removed**:
+
+ - O = Japanese Government, OU = ApplicationCA
+
+ - SHA-256 Fingerprint:
+ 2D:47:43:7D:E1:79:51:21:5A:12:F3:C5:8E:51:C7:29:A5:80:26:EF:1F:CC:0A:5F:B3:D9:DC:01:2F:60:0D:19
+
+ - CN = WellsSecure Public Root Certificate Authority
+
+ - SHA-256 Fingerprint:
+ A7:12:72:AE:AA:A3:CF:E8:72:7F:7F:B3:9F:0F:B3:D1:E5:42:6E:90:60:B0:6E:E6:F1:3E:9A:3C:58:33:CD:43
+
+ - CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
+
+ - SHA-256 Fingerprint:
+ 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00
+
+ - CN=Microsec e-Szigno Root
+
+ - SHA-256 Fingerprint:
+ 32:7A:3D:76:1A:BA:DE:A0:34:EB:99:84:06:27:5C:B1:A4:77:6E:FD:AE:2F:DF:6D:01:68:EA:1C:4F:55:67:D0
+
+ - The following CA certificates were **Added**:
+
+ - CN = D-TRUST Root CA 3 2013
+
+ - SHA-256 Fingerprint:
+ A1:A8:6D:04:12:1E:B8:7F:02:7C:66:F5:33:03:C2:8E:57:39:F9:43:FC:84:B3:8A:D6:AF:00:90:35:DD:94:57
+ - Trust Flags: Email
+
+ - CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+
+ - SHA-256 Fingerprint:
+ 46:ED:C3:68:90:46:D5:3A:45:3F:B3:10:4A:B8:0D:CA:EC:65:8B:26:60:EA:16:29:DD:7E:86:79:90:64:87:16
+ - Trust Flags: Websites
+ - Technically constrained to: gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr, kep.tr, bel.tr,
+ edu.tr, org.tr
+
+ - The version number of the updated root CA list has been set to 2.14
+ (The version numbers 2.12 and 2.13 for the root CA list have been skipped.)
+
+.. _bugs_fixed_in_nss_3.30.2:
+
+`Bugs fixed in NSS 3.30.2 <#bugs_fixed_in_nss_3.30.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1350859 `__ - March 2017 batch of
+ root CA changes
+ - `Bug 1349705 `__ - Implemented domain
+ name constraints for CA: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.30.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.30.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst
new file mode 100644
index 0000000000..3a2a0e0e12
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst
@@ -0,0 +1,125 @@
+.. _mozilla_projects_nss_nss_3_30_release_notes:
+
+NSS 3.30 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.30, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_30_RTM. NSS 3.30 requires Netscape Portable Runtime (NSPR); 4.13.1 or newer.
+
+ NSS 3.30 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_RTM/src/
+
+.. _new_in_nss_3.30:
+
+`New in NSS 3.30 <#new_in_nss_3.30>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - In the PKCS#11 root CA module (nssckbi), CAs with positive trust are marked with a new boolean
+ attribute, CKA_NSS_MOZILLA_CA_POLICY, set to true. Applications that need to distinguish them
+ from other root CAs, may use the exported function PK11_HasAttributeSet.
+ - Support for callback functions that can be used to monitor SSL/TLS alerts that are sent or
+ received.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cert.h*
+
+ - **CERT_CompareAVA** - performs a comparison of two CERTAVA structures, and returns a
+ SECComparison result.
+
+ - *in pk11pub.h*
+
+ - **PK11_HasAttributeSet** - allows to check if a PKCS#11 object in a given slot has a
+ specific boolean attribute set.
+
+ - *in ssl.h*
+
+ - **SSL_AlertReceivedCallback** - register a callback function, that will be called whenever
+ an SSL/TLS alert is received
+ - **SSL_AlertSentCallback** - register a callback function, that will be called whenever an
+ SSL/TLS alert is sent
+ - **SSL_SetSessionTicketKeyPair** - configures an asymmetric key pair, for use in wrapping
+ session ticket keys, used by the server. This function currently only accepts an RSA
+ public/private key pair.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in ciferfam.h*
+
+ - **PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256** - cipher family identifiers
+ corresponding to the PKCS#5 v2.1 AES based encryption schemes used in the PKCS#12 support
+ in NSS
+
+ - *in pkcs11n.h*
+
+ - **CKA_NSS_MOZILLA_CA_POLICY** - identifier for a boolean PKCS#11 attribute, that should be
+ set to true, if a CA is present because of it's acceptance according to the Mozilla CA
+ Policy
+
+.. _notable_changes_in_nss_3.30:
+
+`Notable Changes in NSS 3.30 <#notable_changes_in_nss_3.30>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The TLS server code has been enhanced to support session tickets when no RSA certificate (e.g.
+ only an ECDSA certificate) is configured.
+ - RSA-PSS signatures produced by key pairs with a modulus bit length that is not a multiple of 8
+ are now supported.
+ - The pk12util tool now supports importing and exporting data encrypted in the AES based schemes
+ defined in PKCS#5 v2.1.
+
+.. _bugs_fixed_in_nss_3.30:
+
+`Bugs fixed in NSS 3.30 <#bugs_fixed_in_nss_3.30>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.30:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.30
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.30 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.30 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst
new file mode 100644
index 0000000000..19f938d942
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst
@@ -0,0 +1,71 @@
+.. _mozilla_projects_nss_nss_3_31_1_release_notes:
+
+NSS 3.31.1 release notes
+========================
+
+.. container::
+
+ .. note::
+
+ **This is a DRAFT document.** This notice will be removed when completed.
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.31.1, which is a patch release for
+ NSS 3.31.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_31_1_RTM. NSS 3.31.1 requires Netscape Portable Runtime (NSPR) 4.15, or
+ newer.
+
+ NSS 3.31.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_31_1_RTM/src/
+
+.. _new_in_nss_3.31.1:
+
+`New in NSS 3.31.1 <#new_in_nss_3.31.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.31.1:
+
+`Bugs fixed in NSS 3.31.1 <#bugs_fixed_in_nss_3.31.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1381784 `__ - Potential deadlock
+ when using an external PKCS#11 token.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.31.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.31.1 shared libraries,
+ without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst
new file mode 100644
index 0000000000..105ac86f1d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst
@@ -0,0 +1,129 @@
+.. _mozilla_projects_nss_nss_3_31_release_notes:
+
+NSS 3.31 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.31, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_31_RTM. NSS 3.31 requires Netscape Portable Runtime (NSPR) 4.15 or newer.
+
+ NSS 3.31 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_31_RTM/src/
+
+.. _new_in_nss_3.31:
+
+`New in NSS 3.31 <#new_in_nss_3.31>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Allow certificates to be specified by RFC7512 PKCS#11 URIs.
+ - Allow querying a certificate object for its temporary or permanent storage status in a thread
+ safe way.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cert.h*
+
+ - **CERT_GetCertIsPerm** - retrieve the permanent storage status attribute of a certificate
+ in a thread safe way.
+ - **CERT_GetCertIsTemp** - retrieve the temporary storage status attribute of a certificate
+ in a thread safe way.
+
+ - *in pk11pub.h*
+
+ - **PK11_FindCertFromURI** - find a certificate identified by the given URI.
+ - **PK11_FindCertsFromURI** - find a list of certificates identified by the given URI.
+ - **PK11_GetModuleURI** - retrieve the URI of the given module.
+ - **PK11_GetTokenURI** - retrieve the URI of a token based on the given slot information.
+
+ - *in pkcs11uri.h*
+
+ - **PK11URI_CreateURI** - create a new PK11URI object from a set of attributes.
+ - **PK11URI_DestroyURI** - destroy a PK11URI object.
+ - **PK11URI_FormatURI** - format a PK11URI object to a string.
+ - **PK11URI_GetPathAttribute** - retrieve a path attribute with the given name.
+ - **PK11URI_GetQueryAttribute** - retrieve a query attribute with the given name.
+ - **PK11URI_ParseURI** - parse PKCS#11 URI and return a new PK11URI object.
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in pkcs11uri.h*
+
+ - Several new macros that start with **PK11URI_PATTR\_** for path attributes defined in
+ RFC7512.
+ - Several new macros that start with **PK11URI_QATTR\_** for query attributes defined in
+ RFC7512.
+
+.. _notable_changes_in_nss_3.31:
+
+`Notable Changes in NSS 3.31 <#notable_changes_in_nss_3.31>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The APIs that set a TLS version range have been changed to trim the requested range to the
+ overlap with a systemwide crypto policy, if configured. **SSL_VersionRangeGetSupported** can
+ be used to query the overlap between the library's supported range of TLS versions and the
+ systemwide policy.
+ - Previously, **SSL_VersionRangeSet** and **SSL_VersionRangeSetDefault** returned a failure if
+ the requested version range wasn't fully allowed by the systemwide crypto policy. They have
+ been changed to return success, if at least one TLS version overlaps between the requested
+ range and the systemwide policy. An application may call **SSL_VersionRangeGet**
+ and **SSL_VersionRangeGetDefault** to query the TLS version range that was effectively
+ activated.
+ - Corrected the encoding of Domain Name Constraints extensions created by certutil
+ - NSS supports a clean seeding mechanism for \*NIX systems now using only /dev/urandom. This is
+ used only when SEED_ONLY_DEV_URANDOM is set at compile time.
+ - CERT_AsciiToName can handle OIDs in dotted decimal form now.
+
+.. _bugs_fixed_in_nss_3.31:
+
+`Bugs fixed in NSS 3.31 <#bugs_fixed_in_nss_3.31>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.31:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.31
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.31 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.31 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst
new file mode 100644
index 0000000000..3fe3beaf2b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst
@@ -0,0 +1,143 @@ +.. _mozilla_projects_nss_nss_3_32_release_notes: + +NSS 3.32 release notes +====================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + The Network Security Services (NSS) team has released NSS 3.32, which is a minor release. + +.. _distribution_information: + +`Distribution information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The hg tag is NSS_3_32_RTM. NSS 3.32 requires Netscape Portable Runtime (NSPR) 4.16, or newer. + + NSS 3.32 source distributions are available on ftp.mozilla.org, for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_32_RTM/src/ + +.. _notable_changes_in_nss_3.32: + +`Notable Changes in NSS 3.32 <#notable_changes_in_nss_3.32>`__ +-------------------------------------------------------------- + +.. container:: + + - Various minor improvements and correctness fixes. + - The Code Signing trust bit was **turned off** for all, included root certificates. + - The Websites (TLS/SSL) trust bit was **turned off** for the following root certificates. 
+ + - CN = AddTrust Class 1 CA Root + + - SHA-256 Fingerprint: + 8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7 + + - CN = Swisscom Root CA 2 + + - SHA-256 Fingerprint: + F0:9B:12:2C:71:14:F4:A0:9B:D4:EA:4F:4A:99:D5:58:B4:6E:4C:25:CD:81:14:0D:29:C0:56:13:91:4C:38:41 + + - The following CA certificates were **Removed**: + + - CN = AddTrust Public CA Root + + - SHA-256 Fingerprint: + 07:91:CA:07:49:B2:07:82:AA:D3:C7:D7:BD:0C:DF:C9:48:58:35:84:3E:B2:D7:99:60:09:CE:43:AB:6C:69:27 + + - CN = AddTrust Qualified CA Root + + - SHA-256 Fingerprint: + 80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16 + + - CN = China Internet Network Information Center EV Certificates Root + + - SHA-256 Fingerprint: + 1C:01:C6:F4:DB:B2:FE:FC:22:55:8B:2B:CA:32:56:3F:49:84:4A:CF:C3:2B:7B:E4:B0:FF:59:9F:9E:8C:7A:F7 + + - CN = CNNIC ROOT + + - SHA-256 Fingerprint: + E2:83:93:77:3D:A8:45:A6:79:F2:08:0C:C7:FB:44:A3:B7:A1:C3:79:2C:B7:EB:77:29:FD:CB:6A:8D:99:AE:A7 + + - CN = ComSign Secured CA + + - SHA-256 Fingerprint: + 50:79:41:C7:44:60:A0:B4:70:86:22:0D:4E:99:32:57:2A:B5:D1:B5:BB:CB:89:80:AB:1C:B1:76:51:A8:44:D2 + + - CN = GeoTrust Global CA 2 + + - SHA-256 Fingerprint: + CA:2D:82:A0:86:77:07:2F:8A:B6:76:4F:F0:35:67:6C:FE:3E:5E:32:5E:01:21:72:DF:3F:92:09:6D:B7:9B:85 + + - CN = Secure Certificate Services + + - SHA-256 Fingerprint: + BD:81:CE:3B:4F:65:91:D1:1A:67:B5:FC:7A:47:FD:EF:25:52:1B:F9:AA:4E:18:B9:E3:DF:2E:34:A7:80:3B:E8 + + - CN = Swisscom Root CA 1 + + - SHA-256 Fingerprint: + 21:DB:20:12:36:60:BB:2E:D4:18:20:5D:A1:1E:E7:A8:5A:65:E2:BC:6E:55:B5:AF:7E:78:99:C8:A2:66:D9:2E + + - CN = Swisscom Root EV CA 2 + + - SHA-256 Fingerprint: + D9:5F:EA:3C:A4:EE:DC:E7:4C:D7:6E:75:FC:6D:1F:F6:2C:44:1F:0F:A8:BC:77:F0:34:B1:9E:5D:B2:58:01:5D + + - CN = Trusted Certificate Services + + - SHA-256 Fingerprint: + 3F:06:E5:56:81:D4:96:F5:BE:16:9E:B5:38:9F:9F:2B:8F:F6:1E:17:08:DF:68:81:72:48:49:CD:5D:27:CB:69 + + - 
CN = UTN-USERFirst-Hardware + + - SHA-256 Fingerprint: + 6E:A5:47:41:D0:04:66:7E:ED:1B:48:16:63:4A:A3:A7:9E:6E:4B:96:95:0F:82:79:DA:FC:8D:9B:D8:81:21:37 + + - CN = UTN-USERFirst-Object + + - SHA-256 Fingerprint: + 6F:FF:78:E4:00:A7:0C:11:01:1C:D8:59:77:C4:59:FB:5A:F9:6A:3D:F0:54:08:20:D0:F4:B8:60:78:75:E5:8F + +.. _bugs_fixed_in_nss_3.32: + +`Bugs fixed in NSS 3.32 <#bugs_fixed_in_nss_3.32>`__ +---------------------------------------------------- + +.. container:: + + NSS versions 3.28.x, 3.29.x. 3.30.x and 3.31.x contained a bug in function CERT_CompareName, + which caused the first RDN to be ignored. NSS version 3.32 fixed this bug. (CVE-2018-5149, `Bug + 1361197 `__) + + This Bugzilla query returns all the bugs fixed in NSS 3.32: + + https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.32 + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.32 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.32 shared libraries, + without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in NSS Public Functions will remain compatible with future versions of + the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report with + `bugzilla.mozilla.org `__ (select the + product 'NSS'). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst new file mode 100644 index 0000000000..aad5033f95 --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst 
@@ -0,0 +1,115 @@
+.. _mozilla_projects_nss_nss_3_33_release_notes:
+
+NSS 3.33 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.33, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_33_RTM. NSS 3.33 requires Netscape Portable Runtime (NSPR) 4.17, or newer.
+
+ NSS 3.33 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_33_RTM/src/
+
+.. _notable_changes_in_nss_3.33:
+
+`Notable Changes in NSS 3.33 <#notable_changes_in_nss_3.33>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - TLS compression is no longer supported. API calls that attempt to enable compression are
+ accepted without failure. However, TLS compression will remain disabled.
+ - This version of NSS uses a `formally verified
+ implementation `__
+ of Curve25519 on 64-bit systems.
+ - The compile time flag DISABLE_ECC has been removed.
+ - When NSS is compiled without NSS_FORCE_FIPS=1 startup checks are no longer performed.
+ - Fixes CVE-2017-7805, a potential use-after-free in TLS 1.2 server, when verifying client
+ authentication.
+ - Various minor improvements and correctness fixes.
+
+.. _new_in_nss_3.33:
+
+`New in NSS 3.33 <#new_in_nss_3.33>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - When listing an NSS database, using certutil -L, and the database hasn't yet been initialized
+ with any non-empty or empty password, the text "Database needs user init" will be included in
+ the listing.
+ - When using certutil to set an inacceptable password in FIPS mode, a correct explanation of
+ acceptable passwords will be printed.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in cert.h*
+
+ - **CERT_FindCertByIssuerAndSNCX** - a variation of existing function
+ CERT_FindCertByIssuerAndSN that accepts an additional password context parameter.
+ - **CERT_FindCertByNicknameOrEmailAddrCX** - a variation of existing function
+ CERT_FindCertByNicknameOrEmailAddr that accepts an additional password context parameter.
+ - **CERT_FindCertByNicknameOrEmailAddrForUsageCX** - a variation of existing function
+ CERT_FindCertByNicknameOrEmailAddrForUsage that accepts an additional password context
+ parameter.
+
+ - *in secport.h*
+
+ - **NSS_SecureMemcmpZero** - check if a memory region is all zero in constant time.
+ - **PORT_ZAllocAligned** - allocate aligned memory.
+ - **PORT_ZAllocAlignedOffset** - allocate aligned memory for structs.
+
+ - *in ssl.h*
+
+ - **SSL_GetExperimentalAPI** - access experimental APIs in libssl.
+
+.. _bugs_fixed_in_nss_3.33:
+
+`Bugs fixed in NSS 3.33 <#bugs_fixed_in_nss_3.33>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.33:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.33
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.33 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.33 shared libraries,
+ without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (select product
+ 'NSS').
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst
new file mode 100644
index 0000000000..41eefa1489
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst
@@ -0,0 +1,94 @@
+.. _mozilla_projects_nss_nss_3_34_1_release_notes:
+
+NSS 3.34.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The Network Security Services (NSS) team has released NSS 3.34.1, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The hg tag is NSS_3_34.1_RTM. NSS 3.34.1 requires Netscape Portable Runtime (NSPR) 4.17, or
+ newer.
+
+ NSS 3.34.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_34_1_RTM/src/
+
+.. _notable_changes_in_nss_3.34.1:
+
+`Notable Changes in NSS 3.34.1 <#notable_changes_in_nss_3.34.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificate was **Re-Added**. It was previously removed in NSS 3.34, but now
+ re-added with only the Email trust bit set. (`bug
+ 1418678 `__)
+
+ - CN = Certum CA, O=Unizeto Sp. z o.o.
+
+ - SHA-256 Fingerprint:
+ D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24
+
+ - Removed entries from certdata.txt for actively distrusted certificates that have expired (`bug
+ 1409872 `__).
+ - The version of the CA list was set to 2.20.
+
+.. _new_in_nss_3.34:
+
+`New in NSS 3.34 <#new_in_nss_3.34>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - None
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+.. _bugs_fixed_in_nss_3.34.1:
+
+`Bugs fixed in NSS 3.34.1 <#bugs_fixed_in_nss_3.34.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.34.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.34.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.34.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.34 shared libraries,
+ without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (select product
+ 'NSS').
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst
new file mode 100644
index 0000000000..faa36b9f3e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst
@@ -0,0 +1,215 @@ +.. _mozilla_projects_nss_nss_3_34_release_notes: + +NSS 3.34 release notes +====================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + The Network Security Services (NSS) team has released NSS 3.34, which is a minor release. + +.. _distribution_information: + +`Distribution information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The hg tag is NSS_3_34_RTM. NSS 3.34 requires Netscape Portable Runtime (NSPR) 4.17, or newer. + + NSS 3.34 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_34_RTM/src/ + +.. _notable_changes_in_nss_3.34: + +`Notable Changes in NSS 3.34 <#notable_changes_in_nss_3.34>`__ +-------------------------------------------------------------- + +.. container:: + + - The following CA certificates were **Added**: + + - CN = GDCA TrustAUTH R5 ROOT + + - SHA-256 Fingerprint: + BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93 + - Trust Flags: Websites + + - CN = SSL.com Root Certification Authority RSA + + - SHA-256 Fingerprint: + 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69 + - Trust Flags: Websites, Email + + - CN = SSL.com Root Certification Authority ECC + + - SHA-256 Fingerprint: + 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65 + - Trust Flags: Websites, Email + + - CN = SSL.com EV Root Certification Authority RSA R2 + + - SHA-256 Fingerprint: + 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C + - Trust Flags: Websites + + - CN = SSL.com EV Root Certification Authority ECC + + - SHA-256 Fingerprint: + 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8 + 
- Trust Flags: Websites + + - CN = TrustCor RootCert CA-1 + + - SHA-256 Fingerprint: + D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C + - Trust Flags: Websites, Email + + - CN = TrustCor RootCert CA-2 + + - SHA-256 Fingerprint: + 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65 + - Trust Flags: Websites, Email + + - CN = TrustCor ECA-1 + + - SHA-256 Fingerprint: + 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C + - Trust Flags: Websites, Email + + - The following CA certificates were **Removed**: + + - CN = Certum CA, O=Unizeto Sp. z o.o. + + - SHA-256 Fingerprint: + D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24 + + - CN = StartCom Certification Authority + + - SHA-256 Fingerprint: + C7:66:A9:BE:F2:D4:07:1C:86:3A:31:AA:49:20:E8:13:B2:D1:98:60:8C:B7:B7:CF:E2:11:43:B8:36:DF:09:EA + + - CN = StartCom Certification Authority + + - SHA-256 Fingerprint: + E1:78:90:EE:09:A3:FB:F4:F4:8B:9C:41:4A:17:D6:37:B7:A5:06:47:E9:BC:75:23:22:72:7F:CC:17:42:A9:11 + + - CN = StartCom Certification Authority G2 + + - SHA-256 Fingerprint: + C7:BA:65:67:DE:93:A7:98:AE:1F:AA:79:1E:71:2D:37:8F:AE:1F:93:C4:39:7F:EA:44:1B:B7:CB:E6:FD:59:95 + + - CN = TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 + + - SHA-256 Fingerprint: + E4:C7:34:30:D7:A5:B5:09:25:DF:43:37:0A:0D:21:6E:9A:79:B9:D6:DB:83:73:A0:C6:9E:B1:CC:31:C7:C5:2A + + - CN = ACEDICOM Root + + - SHA-256 Fingerprint: + 03:95:0F:B4:9A:53:1F:3E:19:91:94:23:98:DF:A9:E0:EA:32:D7:BA:1C:DD:9B:C8:5D:B5:7E:D9:40:0B:43:4A + + - CN = Certinomis - Autorité Racine + + - SHA-256 Fingerprint: + FC:BF:E2:88:62:06:F7:2B:27:59:3C:8B:07:02:97:E1:2D:76:9E:D1:0E:D7:93:07:05:A8:09:8E:FF:C1:4D:17 + + - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı + + - SHA-256 Fingerprint: + 
97:8C:D9:66:F2:FA:A0:7B:A7:AA:95:00:D9:C0:2E:9D:77:F2:CD:AD:A6:AD:6B:A7:4A:F4:B9:1C:66:59:3C:50 + + - CN = PSCProcert + + - SHA-256 Fingerprint: + 3C:FC:3C:14:D1:F6:84:FF:17:E3:8C:43:CA:44:0C:00:B9:67:EC:93:3E:8B:FE:06:4C:A1:D7:2C:90:F2:AD:B0 + + - CN = CA 沃通根证书, O=WoSign CA Limited + + - SHA-256 Fingerprint: + D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54 + + - CN = Certification Authority of WoSign + + - SHA-256 Fingerprint: + 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08 + + - CN = Certification Authority of WoSign G2 + + - SHA-256 Fingerprint: + D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16 + + - CN = CA WoSign ECC Root + + - SHA-256 Fingerprint: + 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02 + + - libfreebl no longer requires SSE2 instructions. + +.. _new_in_nss_3.34: + +`New in NSS 3.34 <#new_in_nss_3.34>`__ +-------------------------------------- + +.. _new_functionality: + +`New Functionality <#new_functionality>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - When listing an NSS database. using ``certutil -L``, and the database hasn't yet been + initialized with any non-empty or empty password, the text "Database needs user init" will be + included in the listing. + - When using certutil, to set an inacceptable password in FIPS mode, a correct explanation of + acceptable passwords will be printed. + - SSLKEYLOGFILE is now supported with TLS 1.3, see `Bug + 1287711 `__ for details. + - ``SSLChannelInfo`` has two new fields (Bug + `1396525 `__) + + - ``SSLNamedGroup originalKeaGroup`` holds the key exchange group of the original handshake, + when the session was resumed. + - ``PRBool resumed`` is ``PR_TRUE`` when the session is resumed, and ``PR_FALSE`` otherwise. + + - RSA-PSS signatures are now supported on certificates. 
Certificates with RSA-PSS or + RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS signature on a certificate, using the + ``--pss-sign`` argument to ``certutil``. + + .. rubric:: New Functions + :name: new_functions + +.. _bugs_fixed_in_nss_3.34: + +`Bugs fixed in NSS 3.34 <#bugs_fixed_in_nss_3.34>`__ +---------------------------------------------------- + +.. container:: + + This Bugzilla query returns all the bugs fixed in NSS 3.34: + + https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.34 + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.34 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.34 shared libraries, + without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in NSS Public Functions will remain compatible with future versions of + the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report with + `bugzilla.mozilla.org `__ (select product + 'NSS'). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst new file mode 100644 index 0000000000..08ee8643da --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst 
@@ -0,0 +1,273 @@
+.. _mozilla_projects_nss_nss_3_35_release_notes:
+
+NSS 3.35 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.35, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_35_RTM. NSS 3.35 requires NSPR 4.18, or newer.
+
+ NSS 3.35 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_35_RTM/src/
+
+.. _new_in_nss_3.35:
+
+`New in NSS 3.35 <#new_in_nss_3.35>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - TLS 1.3 support has been updated to draft -23. This includes a large number of changes since
+ 3.34, which supported only draft -18. See below for details.
+
+ .. rubric:: New Types
+ :name: new_types
+
+ - *in sslt.h*
+
+ - **SSLHandshakeType** - The type of a TLS handshake message.
+ - For the **SSLSignatureScheme** enum, the enumerated values ssl_sig_rsa_pss_sha\* are
+ deprecated in response to a change in TLS 1.3. Please use the equivalent
+ ssl_sig_rsa_pss_rsae_sha\* for rsaEncryption keys, or ssl_sig_rsa_pss_pss_sha\* for PSS
+ keys. Note that this release does not include support for the latter.
+
+.. _notable_changes_in_nss_3.35:
+
+`Notable Changes in NSS 3.35 <#notable_changes_in_nss_3.35>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Previously, NSS used the DBM file format by default. Starting with version 3.35, NSS uses the
+ SQL file format by default.
Below, are explanations that could be helpful for environments
+ that need to adopt to the new default.
+
+ - If NSS is initialized, in read-write mode with a database directory provided, it uses
+ database files to store certificates, key, trust, and other information. NSS supports two
+ different database file formats:
+
+ - DBM: The legacy file format, based on Berkeley DB, using filenames cert8.db, key3.db and
+ secmod.db. Parallel database access, by multiple applications, is forbidden as it will
+ likely result in data corruption.
+ - SQL: The newer file format, based on SQLite, using filenames cert9.db, key4.db and
+ pkcs11.txt. Parallel database access, by multiple applications, is supported.
+
+ - Applications using NSS may explicitly request to use a specific database format, by adding
+ a type prefix to the database directory, provided at NSS initialization time. Without a
+ prefix, the default database type will be used (DBM in versions prior to 3.35, and SQL in
+ version 3.35 and later.)
+ - When using the SQL type (either explicitly, or because of the new default), with a database
+ directory which already contains a DBM type database, NSS will automatically perform a one
+ time migration of the information contained in the DBM files to the newer SQL files. If a
+ master password was set on the DBM database, then the initial migration may be partial, and
+ migration of keys from DBM to SQL will be delayed, until this master password is provided
+ to NSS. (Conversely, NSS will never synchronize data from SQL to DBM format.)
+ - Additional information can be found on this Fedora Linux project page:
+ https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
+
+ - Added formally verified implementations of non-vectorized Chacha20 and non-vectorized Poly1305
+ 64-bit.
+ - For stronger security, when creating encrypted PKCS#7 or PKCS#12 data, the iteration count for
+ the password based encryption algorithm has been increased to one million iterations. Note
+ that debug builds will use a lower count, for better performance in test environments. As a
+ reminder, debug builds should not be used for production purposes.
+ - NSS 3.30 had introduced a regression, preventing NSS from reading some AES encrypted data,
+ produced by older versions of NSS. NSS 3.35 fixes this regression and restores the ability to
+ read affected data.
+ - The following CA certificates were **Removed**:
+
+ - OU = Security Communication EV RootCA1
+
+ - SHA-256 Fingerprint:
+ A2:2D:BA:68:1E:97:37:6E:2D:39:7D:72:8A:AE:3A:9B:62:96:B9:FD:BA:60:BC:2E:11:F6:47:F2:C6:75:FB:37
+
+ - CN = CA Disig Root R1
+
+ - SHA-256 Fingerprint:
+ F9:6F:23:F4:C3:E7:9C:07:7A:46:98:8D:5A:F5:90:06:76:A0:F0:39:CB:64:5D:D1:75:49:B2:16:C8:24:40:CE
+
+ - CN = DST ACES CA X6
+
+ - SHA-256 Fingerprint:
+ 76:7C:95:5A:76:41:2C:89:AF:68:8E:90:A1:C7:0F:55:6C:FD:6B:60:25:DB:EA:10:41:6D:7E:B6:83:1F:8C:40
+
+ - Subject CN = VeriSign Class 3 Secure Server CA - G2
+
+ - SHA-256 Fingerprint:
+ 0A:41:51:D5:E5:8B:84:B8:AC:E5:3A:5C:12:12:2A:C9:59:CD:69:91:FB:B3:8E:99:B5:76:C0:AB:DA:C3:58:14
+ - This intermediate cert had been directly included to help with transition from 1024-bit
+ roots per `Bug #1045189 `__.
+
+ - The Websites (TLS/SSL) trust bit was turned **off** for the following CA certificates:
+
+ - CN = Chambers of Commerce Root
+
+ - SHA-256 Fingerprint:
+ 0C:25:8A:12:A5:67:4A:EF:25:F2:8B:A7:DC:FA:EC:EE:A3:48:E5:41:E6:F5:CC:4E:E6:3B:71:B3:61:60:6A:C3
+
+ - CN = Global Chambersign Root
+
+ - SHA-256 Fingerprint:
+ EF:3C:B4:17:FC:8E:BF:6F:97:87:6C:9E:4E:CE:39:DE:1E:A5:FE:64:91:41:D1:02:8B:7D:11:C0:B2:29:8C:ED
+
+ - Significant changes to TLS 1.3 were made, along with the update from draft -18 to draft -23:
+
+ - Support for KeyUpdate was added.
KeyUpdate will be used automatically, if a cipher is used
+ for a sufficient number of records.
+ - SSL_KEYLOGFILE support was updated for TLS 1.3.
+ - An option to enable TLS 1.3 compatibility mode, SSL_ENABLE_TLS13_COMPAT_MODE, was added.
+ - Note: In this release, support for new rsa_pss_pss_shaX signature schemes have been
+ disabled; end-entity certificates with RSA-PSS keys will still be used to produce
+ signatures, but they will use the rsa_pss_rsae_shaX codepoints.
+ - Note: The value of ssl_tls13_key_share_xtn value, from the SSLExtensionType, has been
+ renumbered to match changes in TLS 1.3. This is not expected to cause problems; code
+ compiled against previous versions of TLS will now refer to an unsupported codepoint, if
+ this value was used. Recompilation should correct any mismatches.
+ - Note: DTLS support is promoted in draft -23, but this is currently not compliant with the
+ DTLS 1.3 draft -23 specification.
+
+ - TLS servers are able to handle a ClientHello statelessly, if the client supports TLS 1.3. If
+ the server sends a HelloRetryRequest, it is possible to discard the server socket, and make a
+ new socket to handle any subsequent ClientHello. This better enables stateless server
+ operation. (This feature is added in support of QUIC, but it also has utility for DTLS 1.3
+ servers.)
+ - The tstclnt utility now supports DTLS, using the -P option. Note that a DTLS server is also
+ provided in tstclnt.
+ - TLS compression is no longer possible with NSS. The option can be enabled, but NSS will no
+ longer negotiate compression.
+ - The signatures of functions SSL_OptionSet, SSL_OptionGet, SSL_OptionSetDefault and
+ SSL_OptionGetDefault have been modified, to take a PRIntn argument rather than PRBool. This
+ makes it clearer, that options can have values other than 0 or 1. Note this does not affect
+ ABI compatibility, because PRBool is a typedef for PRIntn.
+
+..
_experimental_apis_and_functionality:
+
+`Experimental APIs and Functionality <#experimental_apis_and_functionality>`__
+------------------------------------------------------------------------------
+
+.. container::
+
+ The functionality and the APIs listed in this section are experimental. Any of these APIs may be
+ removed from future NSS versions. Applications *must not* rely on these APIs to be present. If an
+ application is linked at runtime to a later version of NSS, which no longer provides any of these
+ APIs, the application *must* handle the scenario gracefully.
+
+ In order to ease transitions, experimental functions return SECFailure and set the
+ SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API code if the selected API is not available. Experimental
+ functions will always return this result if they are disabled or removed from a later NSS
+ release. If these experimental functions are made permanent in a later NSS release, no change to
+ code is necessary.
+
+ (Only APIs exported in \*.def files are stable APIs.)
+
+.. _new_experimental_functionality_provided:
+
+`New experimental functionality provided <#new_experimental_functionality_provided>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Below are descriptions of experimental functionality, which might not be available in future
+ releases of NSS.
+
+ - Users of TLS are now able to provide implementations of TLS extensions, through an
+ experimental custom extension API. See the documentation in sslexp.h for
+ SSL_InstallExtensionHooks for more information on this feature.
+ - Several experimental APIs were added in support of TLS 1.3 features:
+
+ - TLS servers are able to send session tickets to clients on demand, using the experimental
+ SSL_SendSessionTicket function. This ticket can include arbitrary application-chosen
+ content.
+ - An anti-replay mechanism was added for 0-RTT, through the experimental SSL_SetupAntiReplay
+ function.
*This mechanism must be enabled for 0-RTT to be accepted when NSS is being used
+ as a server.*
+ - KeyUpdate can be triggered by the experimental SSL_KeyUpdate() function.
+ - TLS servers can screen new TLS 1.3 connections, as they are made using the experimental
+ SSL_HelloRetryRequestCallback function. This function allows for callbacks to be
+ installed, which are called when a server receives a new TLS ClientHello. The application
+ is then able to examine application-chosen content from the session tickets, or
+ HelloRetryRequest cookie, and decide whether to proceed with the connection. For an
+ initial ClientHello, an application can control whether NSS sends a HelloRetryRequest, and
+ include application-chosen content in the cookie.
+
+.. _new_experimental_apis:
+
+`New experimental APIs <#new_experimental_apis>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Below is a list of experimental functions, which might not be available in future releases of
+ NSS.
+
+ - *in sslexp.h*
+
+ - *experimental:* **SSL_KeyUpdate** - prompt NSS to update traffic keys (TLS 1.3 only).
+ - *experimental:* **SSL_GetExtensionSupport** - query NSS support for a TLS extension.
+ - *experimental:* **SSL_InstallExtensionHooks** - install custom handlers for a TLS
+ extension.
+ - *experimental:* **SSL_SetupAntiReplay** - configure a TLS server for 0-RTT anti-replay (TLS
+ 1.3 server only).
+ - *experimental:* **SSL_SendSessionTicket** - send a session ticket (TLS 1.3 server only).
+
+.. _removed_experimental_apis:
+
+`Removed experimental APIs <#removed_experimental_apis>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Note that experimental APIs might get removed from NSS without announcing removals in the release
+ notes. This section might be incomplete.
+
+ - The experimental API SSL_UseAltServerHelloType has been disabled.
+
+..
_bugs_fixed_in_nss_3.35:
+
+`Bugs fixed in NSS 3.35 <#bugs_fixed_in_nss_3.35>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.35:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.35
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.35 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.35 shared libraries,
+ without recompiling, or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (select product
+ 'NSS').
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst
new file mode 100644
index 0000000000..24110acdd6
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst
@@ -0,0 +1,84 @@
+.. _mozilla_projects_nss_nss_3_36_1_release_notes:
+
+NSS 3.36.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.1 is a patch release for NSS 3.36.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_1_RTM. NSS 3.36.1 requires NSPR 4.19 or newer.
+
+ NSS 3.36.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_36_1_RTM/src/
+
+.. _new_in_nss_3.xx:
+
+`New in NSS 3.XX <#new_in_nss_3.xx>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix regression
+ bugs.
+
+.. _notable_changes_in_nss_3.36.1:
+
+`Notable Changes in NSS 3.36.1 <#notable_changes_in_nss_3.36.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - In NSS version 3.35 the iteration count in optimized builds, which is used for password based
+ encryption algorithm related to encrypted PKCS#7 or PKCS#12 data, was increased to one million
+ iterations. That change had caused an interoperability regression with operating systems that
+ are limited to 600 K iterations. NSS 3.36.1 has been changed to use the same 600 K limit.
+
+.. _bugs_fixed_in_nss_3.36.1:
+
+`Bugs fixed in NSS 3.36.1 <#bugs_fixed_in_nss_3.36.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Certain smartcard operations could result in a deadlock.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.36.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst
new file mode 100644
index 0000000000..3f7b458576
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_nss_3_36_2_release_notes:
+
+NSS 3.36.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.2 is a patch release for NSS 3.36.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_2_RTM. NSS 3.36.2 requires NSPR 4.19 or newer.
+
+ NSS 3.36.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_36_2_RTM/src/
+
+.. _new_in_nss_3.36.2:
+
+`New in NSS 3.36.2 <#new_in_nss_3.36.2>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix regression
+ bugs.
+
+.. _bugs_fixed_in_nss_3.36.2:
+
+`Bugs fixed in NSS 3.36.2 <#bugs_fixed_in_nss_3.36.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Bug 1462303 - Connecting to a server that was recently upgraded to TLS 1.3 would result in a
+ SSL_RX_MALFORMED_SERVER_HELLO error.
+
+ - Bug 1460673 - Fix a rare bug with PKCS#12 files.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.36.2:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36.2
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.2 shared libraries
+ without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst
new file mode 100644
index 0000000000..6067a87db8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst
@@ -0,0 +1,68 @@
+.. _mozilla_projects_nss_nss_3_36_4_release_notes:
+
+NSS 3.36.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.4 is a patch release for NSS 3.36.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_4_RTM. NSS 3.36.4 requires NSPR 4.19 or newer.
+
+ NSS 3.36.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_36_4_RTM/src/
+
+.. _new_in_nss_3.36.4:
+
+`New in NSS 3.36.4 <#new_in_nss_3.36.4>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix regression
+ bugs.
+
+.. _bugs_fixed_in_nss_3.36.4:
+
+`Bugs fixed in NSS 3.36.4 <#bugs_fixed_in_nss_3.36.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Bug 1461731 - Fix crash on macOS related to authentication tokens, e.g. PK11or WebAuthn.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+..
container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst
new file mode 100644
index 0000000000..95b6928aa5
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_36_5_release_notes:
+
+NSS 3.36.5 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.5 is a patch release for NSS 3.36. The bug fixes in NSS
+ 3.36.5 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_5_RTM. NSS 3.36.5 requires NSPR 4.19 or newer.
+
+ NSS 3.36.5 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_5_RTM/src/
+
+.. _new_in_nss_3.36.5:
+
+`New in NSS 3.36.5 <#new_in_nss_3.36.5>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix CVE-2018-12384
+
+.. _bugs_fixed_in_nss_3.36.5:
+
+`Bugs fixed in NSS 3.36.5 <#bugs_fixed_in_nss_3.36.5>`__
+--------------------------------------------------------
+
+.. container::
+
+ `Bug 1483128 `__ - NSS responded to an
+ SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384)
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.5 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.5 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst
new file mode 100644
index 0000000000..eb66bbf0f1
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst
@@ -0,0 +1,73 @@
+.. _mozilla_projects_nss_nss_3_36_6_release_notes:
+
+NSS 3.36.6 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.6 is a patch release for NSS 3.36. The bug fixes in NSS
+ 3.36.6 are described in the "Bugs Fixed" section below.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_6_RTM. NSS 3.36.6 requires NSPR 4.19 or newer.
+
+ NSS 3.36.6 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_6_RTM/src/
+
+.. _new_in_nss_3.36.6:
+
+`New in NSS 3.36.6 <#new_in_nss_3.36.6>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix CVE-2018-12404
+
+.. _bugs_fixed_in_nss_3.36.6:
+
+`Bugs fixed in NSS 3.36.6 <#bugs_fixed_in_nss_3.36.6>`__
+--------------------------------------------------------
+
+.. container::
+
+ `Bug 1485864 `__ - Cache side-channel
+ variant of the Bleichenbacher attack (CVE-2018-12404)
+
+ `Bug 1389967 `__ and `Bug
+ 1448748 `__ - Fixes for MinGW on x64
+ platforms.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.6 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.6 shared libraries
+ without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst
new file mode 100644
index 0000000000..415f608d49
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst
@@ -0,0 +1,74 @@
+.. _mozilla_projects_nss_nss_3_36_7_release_notes:
+
+NSS 3.36.7 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.7 is a patch release for NSS 3.36. The bug fixes in NSS
+ 3.36.7 are described in the "Bugs Fixed" section below. It was released on 19 January 2019.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_7_RTM. NSS 3.36.7 requires NSPR 4.19 or newer.
+
+ NSS 3.36.7 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_7_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.36.7:
+
+`New in NSS 3.36.7 <#new_in_nss_3.36.7>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix bugs.
+
+.. _bugs_fixed_in_nss_3.36.7:
+
+`Bugs fixed in NSS 3.36.7 <#bugs_fixed_in_nss_3.36.7>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1507135 `__ and `Bug
+ 1507174 `__ - Add additional null checks
+ to several CMS functions to fix a rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak
+ for the discovery and fixes.
+ (`CVE-2018-18508 `__)
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.7 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.7 shared libraries
+ without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst
new file mode 100644
index 0000000000..d5996b8ff0
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst
@@ -0,0 +1,90 @@
+.. _mozilla_projects_nss_nss_3_36_8_release_notes:
+
+NSS 3.36.8 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.36.8 is a patch release for NSS 3.36. The bug fixes in NSS
+ 3.36.8 are described in the "Bugs Fixed" section below. It was released on 21 June 2019.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_8_RTM. NSS 3.36.8 requires NSPR 4.19 or newer.
+
+ NSS 3.36.8 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_8_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.36.8:
+
+`New in NSS 3.36.8 <#new_in_nss_3.36.8>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix bugs.
+
+.. _bugs_fixed_in_nss_3.36.8:
+
+`Bugs fixed in NSS 3.36.8 <#bugs_fixed_in_nss_3.36.8>`__
+--------------------------------------------------------
+
+.. container::
+
+ -
+
+ .. container::
+
+ `1554336 `__ - Optimize away unneeded
+ loop in mpi.c
+
+ -
+
+ .. container::
+
+ `1515342 `__ - More thorough input
+ checking (`CVE-2019-11729) `__
+
+ -
+
+ .. container::
+
+ `1540541 `__ - Don't unnecessarily
+ strip leading 0's from key material during PKCS11 import
+ (`CVE-2019-11719 `__)
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36.8 shared libraries are backward compatible with all older NSS 3.x shared libraries.
A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36.8 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst
new file mode 100644
index 0000000000..6efeeb38f4
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst
@@ -0,0 +1,78 @@
+.. _mozilla_projects_nss_nss_3_36_release_notes:
+
+NSS 3.36 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.36, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_36_RTM. NSS 3.36 requires NSPR 4.19 or newer.
+
+ NSS 3.36 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_36_RTM/src/ (make a link)
+
+.. _new_in_nss_3.36:
+
+`New in NSS 3.36 <#new_in_nss_3.36>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Experimental APIs for TLS session cache handling.
+
+.. _notable_changes_in_nss_3.36:
+
+`Notable Changes in NSS 3.36 <#notable_changes_in_nss_3.36>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Replaced existing vectorized ChaCha20 code with verified HACL\* implementation.
+
+.. _bugs_fixed_in_nss_3.36:
+
+`Bugs fixed in NSS 3.36 <#bugs_fixed_in_nss_3.36>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.36:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.36 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.36 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst
new file mode 100644
index 0000000000..46d06be579
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst
@@ -0,0 +1,75 @@
+.. _mozilla_projects_nss_nss_3_37_1_release_notes:
+
+NSS 3.37.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.37.1 is a patch release for NSS 3.37.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_37_1_RTM. NSS 3.37.1 requires NSPR 4.19 or newer.
+
+ NSS 3.37.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_37_1_RTM/src/
+
+.. _new_in_nss_3.37.1:
+
+`New in NSS 3.37.1 <#new_in_nss_3.37.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix regression
+ bugs.
+
+.. _bugs_fixed_in_nss_3.37.1:
+
+`Bugs fixed in NSS 3.37.1 <#bugs_fixed_in_nss_3.37.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Bug 1462303 - Connecting to a server that was recently upgraded to TLS 1.3 would result in a
+ SSL_RX_MALFORMED_SERVER_HELLO error.
+
+ - Bug 1460673 - Fix a rare bug with PKCS#12 files.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.37.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.37.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.37.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.37.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst
new file mode 100644
index 0000000000..9d3e3fd1fa
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst
@@ -0,0 +1,112 @@
+.. _mozilla_projects_nss_nss_3_37_release_notes:
+
+NSS 3.37 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.37, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_37_RTM. NSS 3.37 requires NSPR 4.19 or newer.
+
+ NSS 3.37 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_37_RTM/src/
+
+.. _notable_changes_in_nss_3.37:
+
+`Notable Changes in NSS 3.37 <#notable_changes_in_nss_3.37>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The TLS 1.3 implementation was updated to Draft 28.
+
+ - An issue where NSS erroneously accepted HRR requests was resolved. This issue was found by
+ `OSS fuzz `__.
+
+ - Added HACL\* Poly1305 32-bit
+
+ - The code to support the NPN protocol, which had already been disabled in a previous release,
+ has been fully removed.
+
+ - NSS allows servers now to register ALPN handling callbacks to select a protocol.
+
+ - NSS supports opening SQL databases in read-only mode. NSS now requires the SQLite APIs of
+ version 3.5.0 or newer.
+
+ - Starting with NSS version 3.31, an alternative implementation for RNG seeding on the
+ Linux/UNIX platform was available (bug 1346735), which performed seeding exclusively based on
+ /dev/urandom. This alternative implementation is selected at build time by defining the
+ SEED_ONLY_DEV_URANDOM symbol.
+
+ (The classic implementation for RNG seeding on the Linux/Unix platform, which may use
+ additional sources for the default seeding, is still available and will be used if
+ SEED_ONLY_DEV_URANDOM is undefined.)
+
+ With NSS 3.37, this alternative implementation for Linux/Unix can be selected in "make" builds
+ by defining the environment variable NSS_SEED_ONLY_DEV_URANDOM.
+
+ With NSS 3.37, this alternative implementation for Linux has been enhanced to use the glibc
+ function getentropy(), instead of reading from /dev/urandom directly, if the build and runtime
+ Linux platform supports it.
+
+ - The CA certificates list was updated to version 2.24.
+
+ - The following CA certificates were **Removed**:
+
+ - CN = S-TRUST Universal Root CA
+
+ - SHA-256 Fingerprint:
+ D8:0F:EF:91:0A:E3:F1:04:72:3B:04:5C:EC:2D:01:9F:44:1C:E6:21:3A:DF:15:67:91:E7:0C:17:90:11:0A:31
+
+ - CN = TC TrustCenter Class 3 CA II
+
+ - SHA-256 Fingerprint:
+ 8D:A0:84:FC:F9:9C:E0:77:22:F8:9B:32:05:93:98:06:FA:5C:B8:11:E1:C8:13:F6:A1:08:C7:D3:36:B3:40:8E
+
+ - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
+
+ - SHA-256 Fingerprint:
+ 49:35:1B:90:34:44:C1:85:CC:DC:5C:69:3D:24:D8:55:5C:B2:08:D6:A8:14:13:07:69:9F:4A:F0:63:19:9D:78
+
+.. _bugs_fixed_in_nss_3.37:
+
+`Bugs fixed in NSS 3.37 <#bugs_fixed_in_nss_3.37>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.37:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.37
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.37 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.37 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst
new file mode 100644
index 0000000000..6b962ab560
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst
@@ -0,0 +1,106 @@
+.. _mozilla_projects_nss_nss_3_38_release_notes:
+
+NSS 3.38 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.38, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_38_RTM. NSS 3.38 requires NSPR 4.19 or newer.
+
+ NSS 3.38 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_38_RTM/src/
+
+.. _new_in_nss_3.38:
+
+`New in NSS 3.38 <#new_in_nss_3.38>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - Added support for the TLS Record Size Limit Extension.
+ - When creating a certificate request (CSR) using certutil -R, an existing orphan private key
+ can be reused. Parameter -k may be used to specify the ID of an existing orphan key. The
+ available orphan key IDs can be displayed using command certutil -K.
+ - When using certutil -O to print the chain for a given certificate nickname, the new parameter
+ --simple-self-signed may be provided, which can avoid ambiguous output in some scenarios.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in secitem.h*
+
+ - **SECITEM_MakeItem** - Allocate and make an item with the requested contents
+
+ .. rubric:: New Macros
+ :name: new_macros
+
+ - *in ssl.h*
+
+ - **SSL_RECORD_SIZE_LIMIT** - used to control the TLS Record Size Limit Extension
+
+.. _notable_changes_in_nss_3.38:
+
+`Notable Changes in NSS 3.38 <#notable_changes_in_nss_3.38>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Fixed `CVE-2018-0495 `__ in `bug
+ 1464971 `__.
+
+ - Various security fixes in the ASN.1 code.
+
+ - NSS automatically enables caching for SQL database storage on Linux, if it is located on a
+ network filesystem that's known to benefit from caching.
+
+ - When repeatedly importing the same certificate into an SQL database, the existing nickname
+ will be kept.
+
+.. _bugs_fixed_in_nss_3.38:
+
+`Bugs fixed in NSS 3.38 <#bugs_fixed_in_nss_3.38>`__
+----------------------------------------------------
+
+.. container::
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.38:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.38
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.38 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.38 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst
new file mode 100644
index 0000000000..5c6347e2fe
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst
@@ -0,0 +1,149 @@
+.. _mozilla_projects_nss_nss_3_39_release_notes:
+
+NSS 3.39 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.39, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_39_RTM. NSS 3.39 requires NSPR 4.20 or newer.
+
+ NSS 3.39 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_39_RTM/src/
+
+.. _new_in_nss_3.39:
+
+`New in NSS 3.39 <#new_in_nss_3.39>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The ``tstclnt`` and ``selfserv`` utilities added support for configuring the enabled TLS
+ signature schemes using the ``-J`` parameter.
+
+ - NSS will use RSA-PSS keys to authenticate in TLS. Support for these keys is disabled by
+ default but can be enabled using ``SSL_SignatureSchemePrefSet()``.
+
+ - ``certutil`` added the ability to delete an orphan private key from an NSS key database.
+
+ - Added the ``nss-policy-check`` utility, which can be used to check an NSS policy configuration
+ for problems.
+
+ - A PKCS#11 URI can be used as an identifier for a PKCS#11 token.
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - in cert.h
+
+ - **CERT_GetCertKeyType** - Query the Key Type associated with the given certificate.
+
+ - utilpars.h
+
+ - **NSSUTIL_AddNSSFlagToModuleSpec** - A helper function for modifying the PKCS#11 module
+ configuration. It can be used to add a single flag to the Flags= section inside the spec's
+ NSS= section.
+
+.. _notable_changes_in_nss_3.39:
+
+`Notable Changes in NSS 3.39 <#notable_changes_in_nss_3.39>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The TLS 1.3 implementation uses the final version number from `RFC
+ 8446 `__.
+ - Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature where the DigestInfo structure
+ was missing the NULL parameter.
+ Starting with version 3.39, NSS requires the encoding to contain the NULL parameter.
+ - The ``tstclnt`` and ``selfserv`` test utilities no longer accept the -z parameter, as support
+ for TLS compression was removed in a previous NSS version.
+ - The CA certificates list was updated to version 2.26.
+ - The following CA certificates were **Added**:
+
+ - OU = GlobalSign Root CA - R6
+
+ - SHA-256 Fingerprint: 2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69
+
+ - CN = OISTE WISeKey Global Root GC CA
+
+ - SHA-256 Fingerprint: 8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D
+
+ - The following CA certificate was **Removed**:
+
+ - CN = ComSign
+
+ - SHA-256 Fingerprint: AE4457B40D9EDA96677B0D3C92D57B5177ABD7AC1037958356D1E094518BE5F2
+
+ - The following CA certificates had the **Websites trust bit disabled**:
+
+ - CN = Certplus Root CA G1
+
+ - SHA-256 Fingerprint: 152A402BFCDF2CD548054D2275B39C7FCA3EC0978078B0F0EA76E561A6C7433E
+
+ - CN = Certplus Root CA G2
+
+ - SHA-256 Fingerprint: 6CC05041E6445E74696C4CFBC9F80F543B7EABBB44B4CE6F787C6A9971C42F17
+
+ - CN = OpenTrust Root CA G1
+
+ - SHA-256 Fingerprint: 56C77128D98C18D91B4CFDFFBC25EE9103D4758EA2ABAD826A90F3457D460EB4
+
+ - CN = OpenTrust Root CA G2
+
+ - SHA-256 Fingerprint: 27995829FE6A7515C1BFE848F9C4761DB16C225929257BF40D0894F29EA8BAF2
+
+ - CN = OpenTrust Root CA G3
+
+ - SHA-256 Fingerprint: B7C36231706E81078C367CB896198F1E3208DD926949DD8F5709A410F75B6292
+
+.. _bugs_fixed_in_nss_3.39:
+
+`Bugs fixed in NSS 3.39 <#bugs_fixed_in_nss_3.39>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1483128 `__ - NSS responded to an
+ SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384)
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.39:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.39
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.39 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.39 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst
new file mode 100644
index 0000000000..6b8c40bd56
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst
@@ -0,0 +1,81 @@
+.. _mozilla_projects_nss_nss_3_40_1_release_notes:
+
+NSS 3.40.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.40.1, which is a patch release for
+ NSS 3.40
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_40_1_RTM. NSS 3.40.1 requires NSPR 4.20 or newer.
+
+ NSS 3.40 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_40_1_RTM/src/
+
+.. _new_in_nss_3.40.1:
+
+`New in NSS 3.40.1 <#new_in_nss_3.40.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - No new functionality is introduced in this release. This is a patch release to fix
+ CVE-2018-12404
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - none
+
+.. _bugs_fixed_in_nss_3.40.1:
+
+`Bugs fixed in NSS 3.40.1 <#bugs_fixed_in_nss_3.40.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ `Bug 1485864 `__ - Cache
+ side-channel variant of the Bleichenbacher attack (CVE-2018-12404)
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.40.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.40.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst
new file mode 100644
index 0000000000..c63a6ab56a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst
@@ -0,0 +1,102 @@
+.. _mozilla_projects_nss_nss_3_40_release_notes:
+
+NSS 3.40 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.40, which is a minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_40_RTM. NSS 3.40 requires NSPR 4.20 or newer.
+
+ NSS 3.40 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_40_RTM/src/
+
+.. _new_in_nss_3.40:
+
+`New in NSS 3.40 <#new_in_nss_3.40>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The draft-00 version of encrypted SNI support is implemented
+
+ - ``tstclnt`` now takes ``-N`` option to specify encrypted SNI key
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - none
+
+.. _notable_changes_in_nss_3.40:
+
+`Notable Changes in NSS 3.40 <#notable_changes_in_nss_3.40>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The mozilla::pkix library has been ported from Mozilla PSM to NSS. This is a C++ library for
+ building certification paths. mozilla::pkix APIs are not exposed in the libraries NSS builds.
+ - It is easier to build NSS on Windows in
+ `mozilla-build `__ environments.
+ - The following CA certificates were **Removed**:
+
+ - CN = Visa eCommerce Root
+
+ - SHA-256 Fingerprint: 69FAC9BD55FB0AC78D53BBEE5CF1D597989FD0AAAB20A25151BDF1733EE7D122
+
+.. _bugs_fixed_in_nss_3.40:
+
+`Bugs fixed in NSS 3.40 <#bugs_fixed_in_nss_3.40>`__
+----------------------------------------------------
+
+.. container::
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ `Bug 1478698 `__ - FFDHE key
+ exchange sometimes fails with decryption failure
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.40:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.40
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.40 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.40 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst
new file mode 100644
index 0000000000..83a2f66301
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_nss_3_41_1_release_notes:
+
+NSS 3.41.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.41.1 is a patch release for NSS 3.41. The bug fixes in NSS
+ 3.41.1 are described in the "Bugs Fixed" section below. It was released on 22 January 2019.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_41_1_RTM. NSS 3.41.1 requires NSPR 4.20 or newer.
+
+ NSS 3.41.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_41_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.41.1:
+
+`New in NSS 3.41.1 <#new_in_nss_3.41.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ No new functionality is introduced in this release. This is a patch release to fix bugs.
+
+.. _bugs_fixed_in_nss_3.41.1:
+
+`Bugs fixed in NSS 3.41.1 <#bugs_fixed_in_nss_3.41.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - Bug 1507135 and Bug 1507174 - Add additional null checks to several CMS functions to fix a
+ rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak for the discovery and fixes.
+ (CVE-2018-18508)
+
+ This bugzilla query returns all bugs fixed in 3.41.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.41.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.41.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.41.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst
new file mode 100644
index 0000000000..617a6c40cf
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst
@@ -0,0 +1,163 @@
+.. _mozilla_projects_nss_nss_3_41_release_notes:
+
+NSS 3.41 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.41 on 7 December 2018, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_41_RTM. NSS 3.41 requires NSPR 4.20 or newer.
+
+ NSS 3.41 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_41_RTM/src/
+
+.. _new_in_nss_3.41:
+
+`New in NSS 3.41 <#new_in_nss_3.41>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 1252891 `__ - Implemented EKU
+ handling for IPsec IKE.
+ - `Bug 1423043 `__ - Enable half-closed
+ states for TLS.
+ - `Bug 1493215 `__ - Enabled the following
+ ciphersuites by default:
+
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_RSA_WITH_AES_256_GCM_SHA384
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - none
+
+.. _notable_changes_in_nss_3.41:
+
+`Notable Changes in NSS 3.41 <#notable_changes_in_nss_3.41>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Added**:
+
+ - CN = Certigna Root CA
+
+ - SHA-256 Fingerprint: D48D3D23EEDB50A459E55197601C27774B9D7B18C94D5A059511A10250B93168
+
+ - CN = GTS Root R1
+
+ - SHA-256 Fingerprint: 2A575471E31340BC21581CBD2CF13E158463203ECE94BCF9D3CC196BF09A5472
+
+ - CN = GTS Root R2
+
+ - SHA-256 Fingerprint: C45D7BB08E6D67E62E4235110B564E5F78FD92EF058C840AEA4E6455D7585C60
+
+ - CN = GTS Root R3
+
+ - SHA-256 Fingerprint: 15D5B8774619EA7D54CE1CA6D0B0C403E037A917F131E8A04E1E6B7A71BABCE5
+
+ - CN = GTS Root R4
+
+ - SHA-256 Fingerprint: 71CCA5391F9E794B04802530B363E121DA8A3043BB26662FEA4DCA7FC951A4BD
+
+ - CN = UCA Global G2 Root
+
+ - SHA-256 Fingerprint: 9BEA11C976FE014764C1BE56A6F914B5A560317ABD9988393382E5161AA0493C
+
+ - CN = UCA Extended Validation Root
+
+ - SHA-256 Fingerprint: D43AF9B35473755C9684FC06D7D8CB70EE5C28E773FB294EB41EE71722924D24
+
+ - The following CA certificates were **Removed**:
+
+ - CN = AC Raíz Certicámara S.A.
+
+ - SHA-256 Fingerprint: A6C51E0DA5CA0A9309D2E4C0E40C2AF9107AAE8203857FE198E3E769E343085C
+
+ - CN = Certplus Root CA G1
+
+ - SHA-256 Fingerprint: 152A402BFCDF2CD548054D2275B39C7FCA3EC0978078B0F0EA76E561A6C7433E
+
+ - CN = Certplus Root CA G2
+
+ - SHA-256 Fingerprint: 6CC05041E6445E74696C4CFBC9F80F543B7EABBB44B4CE6F787C6A9971C42F17
+
+ - CN = OpenTrust Root CA G1
+
+ - SHA-256 Fingerprint: 56C77128D98C18D91B4CFDFFBC25EE9103D4758EA2ABAD826A90F3457D460EB4
+
+ - CN = OpenTrust Root CA G2
+
+ - SHA-256 Fingerprint: 27995829FE6A7515C1BFE848F9C4761DB16C225929257BF40D0894F29EA8BAF2
+
+ - CN = OpenTrust Root CA G3
+
+ - SHA-256 Fingerprint: B7C36231706E81078C367CB896198F1E3208DD926949DD8F5709A410F75B6292
+
+.. _bugs_fixed_in_nss_3.41:
+
+`Bugs fixed in NSS 3.41 <#bugs_fixed_in_nss_3.41>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1412829 `__, Reject empty
+ supported_signature_algorithms in Certificate Request in TLS 1.2
+
+ - `Bug 1485864 `__ - Cache side-channel
+ variant of the Bleichenbacher attack (CVE-2018-12404)
+
+ - `Bug 1481271 `__ - Resend the same
+ ticket in ClientHello after HelloRetryRequest
+
+ - `Bug 1493769 `__ - Set session_id for
+ external resumption tokens
+
+ - `Bug 1507179 `__ - Reject CCS after
+ handshake is complete in TLS 1.3
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.41:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.41
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.41 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.41 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst
new file mode 100644
index 0000000000..4840c8cb9f
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst
@@ -0,0 +1,65 @@
+.. _mozilla_projects_nss_nss_3_42_1_release_notes:
+
+NSS 3.42.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.42.1 on 31 January 2019, which is a
+ patch release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_42_1_RTM. NSS 3.42.1 requires NSPR 4.20 or newer.
+
+ NSS 3.42.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_42_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.42.1:
+
+`Bugs fixed in NSS 3.42.1 <#bugs_fixed_in_nss_3.42.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1507135 `__ and `Bug
+ 1507174 `__ - Add additional null checks
+ to several CMS functions to fix a rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak
+ for the discovery and fixes. This was originally announced in
+ :ref:`mozilla_projects_nss_nss_3_42_release_notes`, but was mistakenly not included in the
+ release. (`CVE-2018-18508 `__)
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.42.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.42.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.42.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.42.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst
new file mode 100644
index 0000000000..bc8596affd
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst
@@ -0,0 +1,143 @@
+.. _mozilla_projects_nss_nss_3_42_release_notes:
+
+NSS 3.42 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.42 on 25 January 2019, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_42_RTM. NSS 3.42 requires NSPR 4.20 or newer.
+
+ NSS 3.42 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_42_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.42:
+
+`New in NSS 3.42 <#new_in_nss_3.42>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - `Bug 818686 `__ - Support XDG basedir
+ specification
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - none
+
+.. _notable_changes_in_nss_3.42:
+
+`Notable Changes in NSS 3.42 <#notable_changes_in_nss_3.42>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The following CA certificates were **Added**:
+
+ - None
+
+ - The following CA certificates were **Removed**:
+
+ - None
+
+ - Added support for some of the test cases from the `Wycheproof
+ project `__:
+
+ - `Bug 1508666 `__ - Added AES-GCM test
+ cases
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ .. container::
+
+ `Bug 1508673 `__ - Added
+ ChaCha20-Poly1305 test cases
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ .. container::
+
+ `Bug 1514999 `__ - Added the
+ Curve25519 test cases
+
+ - Thanks to Jonas Allmann for adapting these tests.
+
+.. _bugs_fixed_in_nss_3.42:
+
+`Bugs fixed in NSS 3.42 <#bugs_fixed_in_nss_3.42>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1490006 `__ - Reject invalid
+ CH.legacy_version in TLS 1.3
+
+ - `Bug 1507135 `__\ [STRIKEOUT:and]\ `Bug
+ 1507174 `__\ [STRIKEOUT:- Add additional
+ null checks to several CMS functions to fix a rare CMS crash. Thanks to Hanno Böck and Damian
+ Poddebniak for the discovery and fixes.] Note: This was mistakenly not in release 3.42, and is
+ instead in :ref:`mozilla_projects_nss_nss_3_42_1_release_notes`.
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ .. container::
+
+ `Bug 1513913 `__ - A fix for
+ Solaris where Firefox 60 core dumps during start when using profile from version 52
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.42:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.42
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.42 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.42 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst
new file mode 100644
index 0000000000..f4e82bc29d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst
@@ -0,0 +1,151 @@
+.. _mozilla_projects_nss_nss_3_43_release_notes:
+
+NSS 3.43 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.43 on 16 March 2019, which is a minor
+ release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_43_RTM. NSS 3.43 requires NSPR 4.21 or newer.
+
+ NSS 3.43 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_43_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.43:
+
+`New in NSS 3.43 <#new_in_nss_3.43>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in sechash.h*
+
+ - **HASH_GetHashOidTagByHashType** - convert type HASH_HashType to type SECOidTag
+
+ - *in sslexp.h*
+
+ - **SSL_SendCertificateRequest** - allow server to request post-handshake client
+ authentication. To use this both peers need to enable the
+ **SSL_ENABLE_POST_HANDSHAKE_AUTH** option. Note that while the mechanism is present,
+ post-handshake authentication is currently not TLS 1.3 compliant due to `Bug
+ 1532312 `__
+
+.. _notable_changes_in_nss_3.43:
+
+`Notable Changes in NSS 3.43 <#notable_changes_in_nss_3.43>`__
+--------------------------------------------------------------
+
+.. container::
+
+ -
+
+ .. container:: field indent
+
+ .. container::
+
+ .. container::
+
+ The following CA certificates were **Added**:
+
+ - CN = emSign Root CA - G1
+
+ - SHA-256 Fingerprint: 40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367
+
+ - CN = emSign ECC Root CA - G3
+
+ - SHA-256 Fingerprint: 86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B
+
+ - CN = emSign Root CA - C1
+
+ - SHA-256 Fingerprint: 125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F
+
+ - CN = emSign ECC Root CA - C3
+
+ - SHA-256 Fingerprint: BC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3
+
+ - CN = Hongkong Post Root CA 3
+
+ - SHA-256 Fingerprint: 5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6
+
+ - The following CA certificates were **Removed**:
+
+ - None
+
+.. _bugs_fixed_in_nss_3.43:
+
+`Bugs fixed in NSS 3.43 <#bugs_fixed_in_nss_3.43>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1528669 `__ and `Bug
+ 1529308 `__ - Improve Gyp build system
+ handling
+ - `Bug 1529950 `__ and `Bug
+ 1521174 `__ - Improve NSS S/MIME tests
+ for Thunderbird
+ - `Bug 1530134 `__ - If Docker isn't
+ installed, try running a local clang-format as a fallback
+ - `Bug 1531267 `__ - Enable FIPS mode
+ automatically if the system FIPS mode flag is set
+ - `Bug 1528262 `__ - Add a -J option to
+ the strsclnt command to specify sigschemes
+ - `Bug 1513909 `__ - Add manual for
+ nss-policy-check
+ - `Bug 1531074 `__ - Fix a deref after a
+ null check in SECKEY_SetPublicValue
+ - `Bug 1517714 `__ - Properly handle ESNI
+ with HRR
+ - `Bug 1529813 `__ - Expose
+ HKDF-Expand-Label with mechanism
+ - `Bug 1535122 `__ - Align TLS 1.3 HKDF
+ trace levels
+ - `Bug 1530102 `__ - Use getentropy on
+ compatible versions of FreeBSD.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.43:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.43
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.43 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.43 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst
new file mode 100644
index 0000000000..2500f55c57
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst
@@ -0,0 +1,140 @@
+.. _mozilla_projects_nss_nss_3_44_1_release_notes:
+
+NSS 3.44.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.44.1 is a patch release for NSS 3.44. The bug fixes in NSS
+ 3.44.1 are described in the "Bugs Fixed" section below. It was released on 21 June 2019.
+
+ The NSS team would like to recognize first-time contributors: Greg Rubin
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_44_1_RTM. NSS 3.44.1 requires NSPR 4.21 or newer.
+
+ NSS 3.44.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_44_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.44.1:
+
+`New in NSS 3.44.1 <#new_in_nss_3.44.1>`__
+------------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ -
+
+ .. container::
+
+ `1546229 `__ - Add IPSEC IKE support
+ to softoken
+
+ -
+
+ .. container::
+
+ Many new FIPS test cases (Note: This has increased the source archive by approximately 50
+ megabytes for this release.)
+
+.. _bugs_fixed_in_nss_3.44.1:
+
+`Bugs fixed in NSS 3.44.1 <#bugs_fixed_in_nss_3.44.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ -
+
+ .. container::
+
+ `1554336 `__ - Optimize away unneeded
+ loop in mpi.c
+
+ -
+
+ .. container::
+
+ `1515342 `__ - More thorough input
+ checking (`CVE-2019-11729) `__
+
+ -
+
+ .. container::
+
+ `1540541 `__ - Don't unnecessarily
+ strip leading 0's from key material during PKCS11 import
+ (`CVE-2019-11719 `__)
+
+ -
+
+ .. container::
+
+ `1515236 `__ - Add a SSLKEYLOGFILE
+ enable/disable flag at `build.sh `__
+
+ -
+
+ .. container::
+
+ `1473806 `__ - Fix
+ SECKEY_ConvertToPublicKey handling of non-RSA keys
+
+ -
+
+ .. container::
+
+ `1546477 `__ - Updates to testing for
+ FIPS validation
+
+ -
+
+ .. container::
+
+ `1552208 `__ - Prohibit use of
+ RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
+ (`CVE-2019-11727 `__)
+
+ -
+
+ .. container::
+
+ `1551041 `__ - Unbreak build on GCC <
+ 4.3 big-endian
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.44.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.44.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst
new file mode 100644
index 0000000000..98a1c18ca8
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst
@@ -0,0 +1,72 @@
+.. _mozilla_projects_nss_nss_3_44_2_release_notes:
+
+NSS 3.44.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.44.2 is a patch release for NSS 3.44. The bug fixes in NSS
+ 3.44.2 are described in the "Bugs Fixed" section below. It was released on 2 October 2019.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_44_2_RTM. NSS 3.44.2 requires NSPR 4.21 or newer.
+
+ NSS 3.44.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_44_2_RTM/src/
+
+ Other releases are available in NSS Releases.
+
+.. _new_in_nss_3.44.2:
+
+`New in NSS 3.44.2 <#new_in_nss_3.44.2>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.44.2:
+
+`Bugs fixed in NSS 3.44.2 <#bugs_fixed_in_nss_3.44.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1582343 `__\ - Soft token MAC
+ verification not constant time
+ - `Bug 1577953 `__\ - Remove arbitrary
+ HKDF output limit by allocating space as needed
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.44.2:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.44.2
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.44.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.44.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__\ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst
new file mode 100644
index 0000000000..7417c17d08
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_nss_3_44_3_release_notes:
+
+NSS 3.44.3 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.44.3 is a patch release for NSS 3.44. The bug fixes in NSS
+ 3.44.3 are described in the "Bugs Fixed" section below. It was released on 19 November 2019.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Craig Disselkoen
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_44_3_RTM. NSS 3.44.3 requires NSPR 4.21 or newer.
+
+ NSS 3.44.3 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_44_3_RTM/src/
+
+ Other releases are available in NSS Releases.
+
+.. _new_in_nss_3.44.3:
+
+`New in NSS 3.44.3 <#new_in_nss_3.44.3>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.44.3:
+
+`Bugs fixed in NSS 3.44.3 <#bugs_fixed_in_nss_3.44.3>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1579060 `__ - Don't set the
+ CONSTRUCTED bit for issuerUniqueID and subjectUniqueID in mozilla::pkix
+ - `CVE-2019-11745 `__ -
+ EncryptUpdate should use maxout, not block size
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.44:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.44
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.44.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.44.3 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst
new file mode 100644
index 0000000000..6828d3941a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_44_4_release_notes:
+
+NSS 3.44.4 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.44.4 on **19 May 2020**. This is a
+ security patch release.
+
+ Thank you to Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at
+ Tampere University for reporting this issue.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_44_4_RTM. NSS 3.44.4 requires NSPR 4.21 or newer.
+
+ NSS 3.44.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_44_4_RTM/src/
+
+ Other releases are available in :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.44.4:
+
+`New in NSS 3.44.4 <#new_in_nss_3.44.4>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.44.4:
+
+`Bugs fixed in NSS 3.44.4 <#bugs_fixed_in_nss_3.44.4>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `CVE-2020-12399 `__ - Force a
+ fixed length for DSA exponentiation
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.44.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.44.4 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst
new file mode 100644
index 0000000000..d23d48e5fe
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst
@@ -0,0 +1,146 @@
+.. _mozilla_projects_nss_nss_3_44_release_notes:
+
+NSS 3.44 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.44 on 10 May 2019, which is a minor
+ release.
+
+ The NSS team would like to recognize first-time contributors: Kevin Jacobs, David Carlier,
+ Alexander Scheel, and Edouard Oger.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_44_RTM. NSS 3.44 requires NSPR 4.21 or newer.
+
+ NSS 3.44 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_44_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.44:
+
+`New in NSS 3.44 <#new_in_nss_3.44>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - *in lib/certdb/cert.h*
+
+ - **CERT_GetCertificateDer** - Access the DER-encoded form of a CERTCertificate.
+
+.. _notable_changes_in_nss_3.44:
+
+`Notable Changes in NSS 3.44 <#notable_changes_in_nss_3.44>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - It is now possible to build NSS as a static library (Bug
+ `1543545 `__)
+ - Initial support for building for iOS.
+
+.. _bugs_fixed_in_nss_3.44:
+
+`Bugs fixed in NSS 3.44 <#bugs_fixed_in_nss_3.44>`__
+----------------------------------------------------
+
+.. container::
+
+ - `1501542 `__ - Implement CheckARMSupport
+ for Android
+ - `1531244 `__ - Use \__builtin_bswap64 in
+ crypto_primitives.h
+ - `1533216 `__ - CERT_DecodeCertPackage()
+ crash with Netscape Certificate Sequences
+ - `1533616 `__ -
+ sdb_GetAttributeValueNoLock should make at most one sql query, rather than one for each
+ attribute
+ - `1531236 `__ - Provide accessor for
+ CERTCertificate.derCert
+ - `1536734 `__ -
+ lib/freebl/crypto_primitives.c assumes a big endian machine
+ - `1532384 `__ - In NSS test certificates,
+ use @example.com (not @bogus.com)
+ - `1538479 `__ - Post-Handshake messages
+ after async server authentication break when using record layer separation
+ - `1521578 `__ - x25519 support in
+ pk11pars.c
+ - `1540205 `__ - freebl build fails with
+ -DNSS_DISABLE_CHACHAPOLY
+ - `1532312 `__ - post-handshake auth
+ doesn't interoperate with OpenSSL
+ - `1542741 `__ - certutil -F crashes with
+ segmentation fault
+ - `1546925 `__ - Allow preceding text in
+ try comment
+ - `1534468 `__ - Expose ChaCha20 primitive
+ - `1418944 `__ - Quote CC/CXX variables
+ passed to nspr
+ - `1543545 `__ - Allow to build NSS as a
+ static library
+ - `1487597 `__ - Early data that arrives
+ before the handshake completes can be read afterwards
+ - `1548398 `__ - freebl_gtest not building
+ on Linux/Mac
+ - `1548722 `__ - Fix some Coverity
+ warnings
+ - `1540652 `__ - softoken/sdb.c: Logically
+ dead code
+ - `1549413 `__ - Android log lib is not
+ included in build
+ - `1537927 `__ - IPsec usage is too
+ restrictive for existing deployments
+ - `1549608 `__ - Signature fails with dbm
+ disabled
+ - `1549848 `__ - Allow building NSS for
+ iOS using gyp
+ - `1549847 `__ - NSS's SQLite compilation
+ warnings make the build fail on iOS
+ - `1550041 `__ - freebl not building on
+ iOS simulator
+ - `1542950 `__ - MacOS cipher test
+ timeouts
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.44:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.44
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.44 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.44 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst
new file mode 100644
index 0000000000..8b3e37b3a3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst
@@ -0,0 +1,224 @@
+.. _mozilla_projects_nss_nss_3_45_release_notes:
+
+NSS 3.45 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.45 on **5 July 2019**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Bastien Abadie
+ - Christopher Patton
+ - Jeremie Courreges-Anglas
+ - Marcus Burghardt
+ - Michael Shigorin
+ - Tomas Mraz
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_45_RTM. NSS 3.45 requires NSPR 4.21 or newer.
+
+ NSS 3.45 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_45_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.45:
+
+`New in NSS 3.45 <#new_in_nss_3.45>`__
+--------------------------------------
+
+.. _new_functionality:
+
+`New Functionality <#new_functionality>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ .. rubric:: New Functions
+ :name: new_functions
+
+ - in *pk11pub.h*:
+
+ - **PK11_FindRawCertsWithSubject** - Finds all certificates on the given slot with the given
+ subject distinguished name and returns them as DER bytes. If no such certificates can be
+ found, returns SECSuccess and sets ``*results`` to NULL. If a failure is encountered while
+ fetching any of the matching certificates, SECFailure is returned and ``*results`` will be
+ NULL.
+
+.. _notable_changes_in_nss_3.45:
+
+`Notable Changes in NSS 3.45 <#notable_changes_in_nss_3.45>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1540403 `__ - Implement Delegated
+ Credentials
+ (`draft-ietf-tls-subcerts `__)
+
+ - This adds a new experimental function: **SSL_DelegateCredential**
+ - **Note**: In 3.45, ``selfserv`` does not yet support delegated credentials. See `Bug
+ 1548360 `__.
+ - **Note**: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46
+ will set ``SSLChannelInfo.authKeyBits`` to that of the delegated credential for better
+ policy enforcement. See `Bug
+ 1563078 `__.
+
+ - `Bug 1550579 `__ - Replace ARM32
+ Curve25519 implementation with one from
+ `fiat-crypto `__
+ - `Bug 1551129 `__ - Support static
+ linking on Windows
+ - `Bug 1552262 `__ - Expose a function
+ **PK11_FindRawCertsWithSubject** for finding certificates with a given subject on a given slot
+ - `Bug 1546229 `__ - Add IPSEC IKE support
+ to softoken
+ - `Bug 1554616 `__ - Add support for the
+ Elbrus lcc compiler (<=1.23)
+ - `Bug 1543874 `__ - Expose an external
+ clock for SSL
+
+ - This adds new experimental functions: **SSL_SetTimeFunc**, **SSL_CreateAntiReplayContext**,
+ **SSL_SetAntiReplayContext**, and **SSL_ReleaseAntiReplayContext**.
+ - The experimental function **SSL_InitAntiReplay** is removed.
+
+ - `Bug 1546477 `__ - Various changes in
+ response to the ongoing FIPS review
+
+ - Note: The source package size has increased substantially due to the new FIPS test vectors.
+ This will likely prompt follow-on work, but please accept our apologies in the meantime.
+
+.. _certificate_authority_changes:
+
+`Certificate Authority Changes <#certificate_authority_changes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The following CA certificates were **Removed**:
+
+ - `Bug 1552374 `__ - CN = Certinomis -
+ Root CA
+
+ - SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158
+
+.. _bugs_fixed_in_nss_3.45:
+
+`Bugs fixed in NSS 3.45 <#bugs_fixed_in_nss_3.45>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1540541 `__ - Don't unnecessarily
+ strip leading 0's from key material during PKCS11 import
+ (`CVE-2019-11719 `__)
+
+ - `Bug 1515342 `__ - More thorough input
+ checking (`CVE-2019-11729) `__
+
+ -
+
+ .. container::
+
+ `Bug 1552208 `__ - Prohibit use of
+ RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
+ (`CVE-2019-11727 `__)
+
+ - `Bug 1227090 `__ - Fix a potential
+ divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis)
+
+ - `Bug 1227096 `__ - Fix a potential
+ divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis)
+
+ - `Bug 1509432 `__ - De-duplicate code
+ between mp_set_long and mp_set_ulong
+
+ - `Bug 1515011 `__ - Fix a mistake with
+ ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might
+ have copied the unit test code verbatim
+
+ - `Bug 1550022 `__ - Ensure nssutil3 gets
+ built on Android
+
+ - `Bug 1528174 `__ - ChaCha20Poly1305
+ should no longer modify output length on failure
+
+ - `Bug 1549382 `__ - Don't leak in PKCS#11
+ modules if C_GetSlotInfo() returns error
+
+ - `Bug 1551041 `__ - Fix builds using GCC
+ < 4.3 on big-endian architectures
+
+ -
+
+ .. container::
+
+ `Bug 1554659 `__ - Add versioning to
+ OpenBSD builds to fix link time errors using NSS
+
+ - `Bug 1553443 `__ - Send session ticket
+ only after handshake is marked as finished
+
+ - `Bug 1550708 `__ - Fix gyp scripts on
+ Solaris SPARC so that libfreebl_64fpu_3.so builds
+
+ - `Bug 1554336 `__ - Optimize away
+ unneeded loop in mpi.c
+
+ - `Bug 1559906 `__ - fipstest: use
+ CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
+
+ - `Bug 1558126 `__ -
+ TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
+
+ - `Bug 1555207 `__ -
+ HelloRetryRequestCallback return code for rejecting 0-RTT
+
+ - `Bug 1556591 `__ - Eliminate races in
+ uses of PK11_SetWrapKey
+
+ - `Bug 1558681 `__ - Stop using a global
+ for anti-replay of TLS 1.3 early data
+
+ - `Bug 1561510 `__ - Fix a bug where
+ removing -arch XXX args from CC didn't work
+
+ - `Bug 1561523 `__ - Add a string for the
+ new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.45:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.45
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.45 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.45 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst
new file mode 100644
index 0000000000..a7a3c1e09e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst
@@ -0,0 +1,72 @@
+.. _mozilla_projects_nss_nss_3_46_1_release_notes:
+
+NSS 3.46.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.46.1 is a patch release for NSS 3.46. The bug fixes in NSS
+ 3.46.1 are described in the "Bugs Fixed" section below. It was released on 2 October 2019.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_46_1_RTM. NSS 3.46.1 requires NSPR 4.22 or newer.
+
+ NSS 3.46.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_46_1_RTM/src/
+
+ Other releases are available in NSS Releases.
+
+.. _new_in_nss_3.46.1:
+
+`New in NSS 3.46.1 <#new_in_nss_3.46.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.46.1:
+
+`Bugs fixed in NSS 3.46.1 <#bugs_fixed_in_nss_3.46.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1582343 `__\ - Soft token MAC
+ verification not constant time
+ - `Bug 1577953 `__\ - Remove arbitrary
+ HKDF output limit by allocating space as needed
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.46.1:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.46.1
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.46.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.46.1 shared libraries
+ without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__\ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst
new file mode 100644
index 0000000000..f1a13d7c54
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst
@@ -0,0 +1,219 @@
+.. _mozilla_projects_nss_nss_3_46_release_notes:
+
+NSS 3.46 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.46 on **30 August 2019**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Giulio Benetti
+ - Louis Dassy
+ - Mike Kaganski
+ - xhimanshuz
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_46_RTM. NSS 3.46 requires NSPR 4.22 or newer.
+
+ NSS 3.46 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_46_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.46:
+
+`New in NSS 3.46 <#new_in_nss_3.46>`__
+--------------------------------------
+
+.. container::
+
+ This release contains no significant new functionality, but concentrates on providing improved
+ performance, stability, and security. Of particular note are significant improvements to AES-GCM
+ performance on ARM.
+
+.. _notable_changes_in_nss_3.46:
+
+`Notable Changes in NSS 3.46 <#notable_changes_in_nss_3.46>`__
+--------------------------------------------------------------
+
+.. container::
+
+.. _certificate_authority_changes:
+
+`Certificate Authority Changes <#certificate_authority_changes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+..
container::
+
+ - The following CA certificates were **Removed**:
+
+ - `Bug 1574670 `__ - Remove expired
+ Class 2 Primary root certificate
+
+ - SHA-256 Fingerprint: 0F993C8AEF97BAAF5687140ED59AD1821BB4AFACF0AA9A58B5D57A338A3AFBCB
+
+ - `Bug 1574670 `__ - Remove expired
+ UTN-USERFirst-Client root certificate
+
+ - SHA-256 Fingerprint: 43F257412D440D627476974F877DA8F1FC2444565A367AE60EDDC27A412531AE
+
+ - `Bug 1574670 `__ - Remove expired
+ Deutsche Telekom Root CA 2 root certificate
+
+ - SHA-256 Fingerprint: B6191A50D0C3977F7DA99BCDAAC86A227DAEB9679EC70BA3B0C9D92271C170D3
+
+ - `Bug 1566569 `__ - Remove Swisscom
+ Root CA 2 root certificate
+
+ - SHA-256 Fingerprint: F09B122C7114F4A09BD4EA4F4A99D558B46E4C25CD81140D29C05613914C3841
+
+.. _upcoming_changes_to_default_tls_configuration:
+
+`Upcoming changes to default TLS configuration <#upcoming_changes_to_default_tls_configuration>`__
+--------------------------------------------------------------------------------------------------
+
+.. container::
+
+ The next NSS team plans to make two changes to the default TLS configuration in NSS 3.47, which
+ will be released in October:
+
+ - `TLS 1.3 `__ will be the default maximum TLS
+ version. See `Bug 1573118 `__ for
+ details.
+ - `TLS extended master secret `__ will be enabled
+ by default, where possible. See `Bug
+ 1575411 `__ for details.
+
+.. _bugs_fixed_in_nss_3.46:
+
+`Bugs fixed in NSS 3.46 <#bugs_fixed_in_nss_3.46>`__
+----------------------------------------------------
+
+..
container::
+
+ - `Bug 1572164 `__ - Don't unnecessarily
+ free session in NSC_WrapKey
+ - `Bug 1574220 `__ - Improve controls
+ after errors in tstcln, selfserv and vfyserv cmds
+ - `Bug 1550636 `__ - Upgrade SQLite in NSS
+ to a 2019 version
+ - `Bug 1572593 `__ - Reset advertised
+ extensions in ssl_ConstructExtensions
+ - `Bug 1415118 `__ - NSS build with
+ ./build.sh --enable-libpkix fails
+ - `Bug 1539788 `__ - Add length checks for
+ cryptographic primitives
+ (`CVE-2019-17006 `__)
+ - `Bug 1542077 `__ - mp_set_ulong and
+ mp_set_int should return errors on bad values
+ - `Bug 1572791 `__ - Read out-of-bounds in
+ DER_DecodeTimeChoice_Util from SSLExp_DelegateCredential
+ - `Bug 1560593 `__ - Cleanup.sh script
+ does not set error exit code for tests that "Failed with core"
+ - `Bug 1566601 `__ - Add Wycheproof test
+ vectors for AES-KW
+ - `Bug 1571316 `__ - curve25519_32.c:280:
+ undefined reference to \`PR_Assert' when building NSS 3.45 on armhf-linux
+ - `Bug 1516593 `__ - Client to generate
+ new random during renegotiation
+ - `Bug 1563258 `__ - fips.sh fails due to
+ non-existent "resp" directories
+ - `Bug 1561598 `__ - Remove
+ -Wmaybe-uninitialized warning in pqg.c
+ - `Bug 1560806 `__ - Increase softoken
+ password max size to 500 characters
+ - `Bug 1568776 `__ - Output paths relative
+ to repository in NSS coverity
+ - `Bug 1453408 `__ - modutil -changepw
+ fails in FIPS mode if password is an empty string
+ - `Bug 1564727 `__ - Use a PSS SPKI when
+ possible for delegated credentials
+ - `Bug 1493916 `__ - fix ppc64 inline
+ assembler for clang
+ - `Bug 1561588 `__ - Remove
+ -Wmaybe-uninitialized warning in p7env.c
+ - `Bug 1561548 `__ - Remove
+ -Wmaybe-uninitialized warning in pkix_pl_ldapdefaultclient.c
+ - `Bug 1512605 `__ - Incorrect alert
+ description after unencrypted Finished msg
+ - `Bug 1564715 `__ - Read /proc/cpuinfo
+ when AT_HWCAP2 returns 0
+ - `Bug 1532194 `__ - Remove or fix
+ -DDEBUG_$USER from make builds
+ - `Bug 1565577
`__ - Visual Studio's
+ cl.exe -? hangs on Windows x64 when building nss since changeset
+ 9162c654d06915f0f15948fbf67d4103a229226f
+ - `Bug 1564875 `__ - Improve rebuilding
+ with build.sh
+ - `Bug 1565243 `__ - Support TC_OWNER
+ without email address in nss taskgraph
+ - `Bug 1563778 `__ - Increase maxRunTime
+ on Mac taskcluster Tools, SSL tests
+ - `Bug 1561591 `__ - Remove
+ -Wmaybe-uninitialized warning in tstclnt.c
+ - `Bug 1561587 `__ - Remove
+ -Wmaybe-uninitialized warning in lgattr.c
+ - `Bug 1561558 `__ - Remove
+ -Wmaybe-uninitialized warning in httpserv.c
+ - `Bug 1561556 `__ - Remove
+ -Wmaybe-uninitialized warning in tls13esni.c
+ - `Bug 1561332 `__ - ec.c:28 warning:
+ comparison of integers of different signs: 'int' and 'unsigned long'
+ - `Bug 1564714 `__ - Print certutil
+ commands during setup
+ - `Bug 1565013 `__ - HACL image builder
+ times out while fetching gpg key
+ - `Bug 1563786 `__ - Update hacl-star
+ docker image to pull specific commit
+ - `Bug 1559012 `__ - Improve GCM
+ perfomance using PMULL2
+ - `Bug 1528666 `__ - Correct resumption
+ validation checks
+ - `Bug 1568803 `__ - More tests for client
+ certificate authentication
+ - `Bug 1564284 `__ - Support profile
+ mobility across Windows and Linux
+ - `Bug 1573942 `__ - Gtest for pkcs11.txt
+ with different breaking line formats
+ - `Bug 1575968 `__ - Add strsclnt option
+ to enforce the use of either IPv4 or IPv6
+ - `Bug 1549847 `__ - Fix NSS builds on iOS
+ - `Bug 1485533 `__ - Enable NSS_SSL_TESTS
+ on taskcluster
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.46:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.46
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.46 shared libraries are backward compatible with all older NSS 3.x shared libraries.
A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.46 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst
new file mode 100644
index 0000000000..93c78b5261
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst
@@ -0,0 +1,78 @@
+.. _mozilla_projects_nss_nss_3_47_1_release_notes:
+
+NSS 3.47.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.47.1 is a patch release for NSS 3.47. The bug fixes in NSS
+ 3.47.1 are described in the "Bugs Fixed" section below. It was released on 19 November 2019.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Craig Disselkoen
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_47_1_RTM. NSS 3.47.1 requires NSPR 4.23 or newer.
+
+ NSS 3.47.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_47_1_RTM/src/
+
+ Other releases are available in NSS Releases.
+
+.. _new_in_nss_3.47.1:
+
+`New in NSS 3.47.1 <#new_in_nss_3.47.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.47.1:
+
+`Bugs fixed in NSS 3.47.1 <#bugs_fixed_in_nss_3.47.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `CVE-2019-11745 `__ -
+ EncryptUpdate should use maxout, not block size
+ - `Bug 1590495 `__ - Fix a crash that
+ could be caused by client certificates during startup
+ - `Bug 1589810 `__ - Fix compile-time
+ warnings from uninitialized variables in a perl script
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.47:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.47
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+..
container::
+
+ NSS 3.47.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.47.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst
new file mode 100644
index 0000000000..57ffce14a3
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst
@@ -0,0 +1,179 @@
+.. _mozilla_projects_nss_nss_3_47_release_notes:
+
+NSS 3.47 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.47 on **18 October 2019**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Christian Weisgerber
+ - Deian Stefan
+ - Jenine
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_47_RTM. NSS 3.47 requires NSPR 4.23 or newer.
+
+ NSS 3.47 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_47_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _upcoming_changes_to_default_tls_configuration:
+
+`Upcoming changes to default TLS configuration <#upcoming_changes_to_default_tls_configuration>`__
+--------------------------------------------------------------------------------------------------
+
+.. container::
+
+ The next NSS team plans to make two changes to the default TLS configuration in NSS 3.48, which
+ will be released in early December:
+
+ - `TLS 1.3 `__ will be the default maximum TLS
+ version. See `Bug 1573118 `__ for
+ details.
+ - `TLS extended master secret `__ will be enabled
+ by default, where possible. See `Bug
+ 1575411 `__ for details.
+
+.. _notable_changes_in_nss_3.47:
+
+`Notable Changes in NSS 3.47 <#notable_changes_in_nss_3.47>`__
+--------------------------------------------------------------
+
+..
container::
+
+ - `Bug 1152625 `__ - Support AES HW
+ acceleration on ARMv8
+ - `Bug 1267894 `__ - Allow per-socket
+ run-time ordering of the cipher suites presented in ClientHello
+ - `Bug 1570501 `__ - Add CMAC to FreeBL
+ and PKCS #11 libraries
+
+.. _bugs_fixed_in_nss_3.47:
+
+`Bugs fixed in NSS 3.47 <#bugs_fixed_in_nss_3.47>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1459141 `__ - Make softoken CBC
+ padding removal constant time
+ - `Bug 1589120 `__ - More CBC padding
+ tests
+ - `Bug 1465613 `__ - Add ability to
+ distrust certificates issued after a certain date for a specified root cert
+ - `Bug 1588557 `__ - Bad debug statement
+ in tls13con.c
+ - `Bug 1579060 `__ - mozilla::pkix tag
+ definitions for issuerUniqueID and subjectUniqueID shouldn't have the CONSTRUCTED bit set
+ - `Bug 1583068 `__ - NSS 3.47 should pick
+ up fix from bug 1575821 (NSPR 4.23)
+ - `Bug 1152625 `__ - Support AES HW
+ acceleration on ARMv8
+ - `Bug 1549225 `__ - Disable DSA signature
+ schemes for TLS 1.3
+ - `Bug 1586947 `__ -
+ PK11_ImportAndReturnPrivateKey does not store nickname for EC keys
+ - `Bug 1586456 `__ - Unnecessary
+ conditional in pki3hack, pk11load and stanpcertdb
+ - `Bug 1576307 `__ - Check mechanism param
+ and param length before casting to mechanism-specific structs
+ - `Bug 1577953 `__ - Support longer (up to
+ RFC maximum) HKDF outputs
+ - `Bug 1508776 `__ - Remove refcounting
+ from sftk_FreeSession (CVE-2019-11756)
+ - `Bug 1494063 `__ - Support TLS Exporter
+ in tstclnt and selfserv
+ - `Bug 1581024 `__ - Heap overflow in NSS
+ utility "derdump"
+ - `Bug 1582343 `__ - Soft token MAC
+ verification not constant time
+ - `Bug 1578238 `__ - Handle invald tag
+ sizes for CKM_AES_GCM
+ - `Bug 1576295 `__ - Check all bounds when
+ encrypting with SEED_CBC
+ - `Bug 1580286 `__ - NSS rejects TLS 1.2
+ records with large padding with SHA384 HMAC
+ - `Bug 1577448 `__ - Create additional
+ nested S/MIME test messages for
Thunderbird
+ - `Bug 1399095 `__ - Allow nss-try to be
+ used to test NSPR changes
+ - `Bug 1267894 `__ - libSSL should allow
+ selecting the order of cipher suites in ClientHello
+ - `Bug 1581507 `__ - Fix unportable grep
+ expression in test scripts
+ - `Bug 1234830 `__ - [CID 1242894][CID
+ 1242852] unused values
+ - `Bug 1580126 `__ - Fix build failure on
+ aarch64_be while building freebl/gcm
+ - `Bug 1385039 `__ - Build NSPR tests as
+ part of NSS continuous integration
+ - `Bug 1581391 `__ - Fix build on
+ OpenBSD/arm64 after bug #1559012
+ - `Bug 1581041 `__ - mach-commands ->
+ mach-completion
+ - `Bug 1558313 `__ - Code bugs found by
+ clang scanners.
+ - `Bug 1542207 `__ - Limit policy check on
+ signature algorithms to known algorithms
+ - `Bug 1560329 `__ - drbg: add continuous
+ self-test on entropy source
+ - `Bug 1579290 `__ - ASAN builds should
+ disable LSAN while building
+ - `Bug 1385061 `__ - Build NSPR tests with
+ NSS make; Add gyp parameters to build/run NSPR tests
+ - `Bug 1577359 `__ - Build atob and btoa
+ for Thunderbird
+ - `Bug 1579036 `__ - Confusing error when
+ trying to export non-existent cert with pk12util
+ - `Bug 1578626 `__ - [CID 1453375] UB:
+ decrement nullptr.
+ - `Bug 1578751 `__ - Ensure a consistent
+ style for pk11_find_certs_unittest.cc
+ - `Bug 1570501 `__ - Add CMAC to FreeBL
+ and PKCS #11 libraries
+ - `Bug 657379 `__ - NSS uses the wrong OID
+ for signatureAlgorithm field of signerInfo in CMS for DSA and ECDSA
+ - `Bug 1576664 `__ - Remove -mms-bitfields
+ from mingw NSS build.
+ - `Bug 1577038 `__ - add
+ PK11_GetCertsFromPrivateKey to return all certificates with public keys matching a particular
+ private key
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.47:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.47
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+..
container::
+
+ NSS 3.47 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.47 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst
new file mode 100644
index 0000000000..220abe8586
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst
@@ -0,0 +1,71 @@
+.. _mozilla_projects_nss_nss_3_48_1_release_notes:
+
+NSS 3.48.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.48.1 is a patch release for NSS 3.48. The bug fixes in NSS
+ 3.48.1 are described in the "Bugs Fixed" section below. It was released on **13 January 2020**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_48_1_RTM. NSS 3.48.1 requires NSPR 4.23 or newer.
+
+ NSS 3.48.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_48_1_RTM/src/
+
+ Other releases are available in :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.48.1:
+
+`New in NSS 3.48.1 <#new_in_nss_3.48.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.48.1:
+
+`Bugs fixed in NSS 3.48.1 <#bugs_fixed_in_nss_3.48.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1606992 `__ - Cache the most recent
+ PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF
+ iteration counts.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.48:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.48
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.48.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.48.1 shared libraries
+ without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst
new file mode 100644
index 0000000000..fb1b02370e
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst
@@ -0,0 +1,178 @@
+.. _mozilla_projects_nss_nss_3_48_release_notes:
+
+NSS 3.48 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.48 on **5 December 2019**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Craig Disselkoen
+ - Giulio Benetti
+ - Lauri Kasanen
+ - Tom Prince
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_48_RTM. NSS 3.48 requires NSPR 4.24 or newer.
+
+ NSS 3.48 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_48_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.48:
+
+`Notable Changes in NSS 3.48 <#notable_changes_in_nss_3.48>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - `TLS 1.3 `__ is the default maximum TLS
+ version. See `Bug 1573118 `__ for
+ details.
+ - `TLS extended master secret `__ is enabled by
+ default, where possible. See `Bug
+ 1575411 `__ for details.
+ - The master password PBE now uses 10,000 iterations by default when using the default sql
+ (key4.db) storage. Because using an iteration count higher than 1 with the legacy dbm
+ (key3.db) storage creates files that are incompatible with previous versions of NSS,
+ applications that wish to enable it for key3.db are required to set environment variable
+ NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1.
Applications may set environment variable
+ NSS_MIN_MP_PBE_ITERATION_COUNT to request a higher iteration count than the library's default,
+ or NSS_MAX_MP_PBE_ITERATION_COUNT to request a lower iteration count for test environments.
+ See `Bug 1562671 `__ for details.
+
+.. _certificate_authority_changes:
+
+`Certificate Authority Changes <#certificate_authority_changes>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ - The following CA certificates were Added:
+
+ - `Bug 1591178 `__ - Entrust Root
+ Certification Authority - G4 Cert
+
+ - SHA-256 Fingerprint: DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88
+
+.. _upcoming_changes_in_nss_3.49:
+
+`Upcoming Changes in NSS 3.49 <#upcoming_changes_in_nss_3.49>`__
+----------------------------------------------------------------
+
+.. container::
+
+ - The legacy DBM database, **libnssdbm**, will no longer be built by default. See `Bug
+ 1594933 `__ for details.
+
+.. _bugs_fixed_in_nss_3.48:
+
+`Bugs fixed in NSS 3.48 <#bugs_fixed_in_nss_3.48>`__
+----------------------------------------------------
+
+..
container::
+
+ - `Bug 1600775 `__ - Require NSPR 4.24 for
+ NSS 3.48
+ - `Bug 1593401 `__ - Fix race condition in
+ self-encrypt functions
+ - `Bug 1599545 `__ - Fix assertion and add
+ test for early Key Update
+ - `Bug 1597799 `__ - Fix a crash in
+ nssCKFWObject_GetAttributeSize
+ - `Bug 1591178 `__ - Add Entrust Root
+ Certification Authority - G4 certificate to NSS
+ - `Bug 1590001 `__ - Prevent negotiation
+ of versions lower than 1.3 after HelloRetryRequest
+ - `Bug 1596450 `__ - Added a simplified
+ and unified MAC implementation for HMAC and CMAC behind PKCS#11
+ - `Bug 1522203 `__ - Remove an old Pentium
+ Pro performance workaround
+ - `Bug 1592557 `__ - Fix PRNG
+ known-answer-test scripts
+ - `Bug 1586176 `__ - EncryptUpdate should
+ use maxout not block size (CVE-2019-11745)
+ - `Bug 1593141 `__ - add \`notBefore\` or
+ similar "beginning-of-validity-period" parameter to
+ mozilla::pkix::TrustDomain::CheckRevocation
+ - `Bug 1591363 `__ - Fix a PBKDF2 memory
+ leak in NSC_GenerateKey if key length > MAX_KEY_LEN (256)
+ - `Bug 1592869 `__ - Use ARM NEON for
+ ctr_xor
+ - `Bug 1566131 `__ - Ensure SHA-1 fallback
+ disabled in TLS 1.2
+ - `Bug 1577803 `__ - Mark PKCS#11 token as
+ friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN
+ - `Bug 1566126 `__ - POWER GHASH Vector
+ Acceleration
+ - `Bug 1589073 `__ - Use of new
+ PR_ASSERT_ARG in certdb.c
+ - `Bug 1590495 `__ - Fix a crash in
+ PK11_MakeCertFromHandle
+ - `Bug 1591742 `__ - Ensure DES IV length
+ is valid before usage from PKCS#11
+ - `Bug 1588567 `__ - Enable mozilla::pkix
+ gtests in NSS CI
+ - `Bug 1591315 `__ - Update NSC_Decrypt
+ length in constant time
+ - `Bug 1562671 `__ - Increase NSS MP KDF
+ default iteration count, by default for modern key4 storage, optionally for legacy key3.db
+ storage
+ - `Bug 1590972 `__ - Use -std=c99 rather
+ than -std=gnu99
+ - `Bug 1590676 `__ - Fix build if ARM
+ doesn't support NEON
+ - `Bug 1575411 `__ - Enable TLS extended
+ master secret by
default
+ - `Bug 1590970 `__ - SSL_SetTimeFunc has
+ incomplete coverage
+ - `Bug 1590678 `__ - Remove
+ -Wmaybe-uninitialized warning in tls13esni.c
+ - `Bug 1588244 `__ - NSS changes for
+ Delegated Credential key strength checks
+ - `Bug 1459141 `__ - Add more CBC padding
+ tests that missed NSS 3.47
+ - `Bug 1590339 `__ - Fix a memory leak in
+ btoa.c
+ - `Bug 1589810 `__ - fix uninitialized
+ variable warnings from certdata.perl
+ - `Bug 1573118 `__ - Enable TLS 1.3 by
+ default in NSS
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.48:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.48
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.48 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.48 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst
new file mode 100644
index 0000000000..a76dbf274a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst
@@ -0,0 +1,71 @@
+.. _mozilla_projects_nss_nss_3_49_1_release_notes:
+
+NSS 3.49.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.49.1 is a patch release for NSS 3.49. The bug fixes in NSS
+ 3.49.1 are described in the "Bugs Fixed" section below. It was released on **13 January 2020**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_49_1_RTM. NSS 3.49.1 requires NSPR 4.24 or newer.
+
+ NSS 3.49.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_49_1_RTM/src/
+
+ Other releases are available in :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.49.1:
+
+`New in NSS 3.49.1 <#new_in_nss_3.49.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.49.1:
+
+`Bugs fixed in NSS 3.49.1 <#bugs_fixed_in_nss_3.49.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1606992 `__ - Cache the most recent
+ PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF
+ iteration counts.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.49:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.49
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.49.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.49.1 shared libraries
+ without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst
new file mode 100644
index 0000000000..70e3627438
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst
@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_nss_3_49_2_release_notes:
+
+NSS 3.49.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.49.2 is a patch release for NSS 3.49. The bug fixes in NSS
+ 3.49.2 are described in the "Bugs Fixed" section below. It was released on **23 January 2020**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_49_2_RTM. NSS 3.49.2 requires NSPR 4.24 or newer.
+
+ NSS 3.49.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_49_2_RTM/src/
+
+ Other releases are available in :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.49.2:
+
+`New in NSS 3.49.2 <#new_in_nss_3.49.2>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.49.2:
+
+`Bugs fixed in NSS 3.49.2 <#bugs_fixed_in_nss_3.49.2>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1606992 `__ - Cache the most
+ recent PBKDF1 password hash, to speed up repeated SDR operations, important with the increased
+ KDF iteration counts. NSS 3.49.1 sped up PBKDF2 operations, though PBKDF1 operations are also
+ relevant for older NSS databases.
+ - `Bug 1608327 `__ - Fix compilation
+ problems with NEON-specific code in freebl
+ - `Bug 1608895 `__ - Fix a taskcluster
+ issue with Python 2 / Python 3
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.49:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.49
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.49.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.49.2 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst
new file mode 100644
index 0000000000..b1679fdcd1
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst
@@ -0,0 +1,103 @@
+.. _mozilla_projects_nss_nss_3_49_release_notes:
+
+NSS 3.49 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.49 on **3 January 2020**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Alex Henrie
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_49_RTM. NSS 3.49 requires NSPR 4.24 or newer.
+
+ NSS 3.49 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_49_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.49:
+
+`Notable Changes in NSS 3.49 <#notable_changes_in_nss_3.49>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - The legacy DBM database, **libnssdbm**, is no longer built by default when using gyp builds.
+ See `Bug 1594933 `__ for details.
+
+.. _bugs_fixed_in_nss_3.49:
+
+`Bugs fixed in NSS 3.49 <#bugs_fixed_in_nss_3.49>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1513586 `__ - Set downgrade
+ sentinel for client TLS versions lower than 1.2.
+ - `Bug 1606025 `__ - Remove
+ -Wmaybe-uninitialized warning in sslsnce.c
+ - `Bug 1606119 `__ - Fix PPC HW Crypto
+ build failure
+ - `Bug 1605545 `__ - Memory leak in
+ Pk11Install_Platform_Generate
+ - `Bug 1602288 `__ - Fix build failure due
+ to missing posix signal.h
+ - `Bug 1588714 `__ - Implement
+ CheckARMSupport for Win64/aarch64
+ - `Bug 1585189 `__ - NSS database uses
+ 3DES instead of AES to encrypt DB entries
+ - `Bug 1603257 `__ - Fix UBSAN issue in
+ softoken CKM_NSS_CHACHA20_CTR initialization
+ - `Bug 1590001 `__ - Additional HRR Tests
+ (CVE-2019-17023)
+ - `Bug 1600144 `__ - Treat ClientHello
+ with message_seq of 1 as a second ClientHello
+ - `Bug 1603027 `__ - Test that ESNI is
+ regenerated after HelloRetryRequest
+ - `Bug 1593167 `__ - Intermittent
+ mis-reporting potential security risk SEC_ERROR_UNKNOWN_ISSUER
+ - `Bug 1535787 `__ - Fix
+ automation/release/nss-release-helper.py on MacOS
+ - `Bug 1594933 `__ - Disable building DBM
+ by default
+ - `Bug 1562548 `__ - Improve GCM
+ perfomance on aarch32
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.49:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.49
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.49 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.49 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst
new file mode 100644
index 0000000000..bc910ee41b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst
@@ -0,0 +1,120 @@
+.. _mozilla_projects_nss_nss_3_50_release_notes:
+
+NSS 3.50 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.50 on **7 February 2020**, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_50_RTM. NSS 3.50 requires NSPR 4.25 or newer.
+
+ NSS 3.50 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_50_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.50:
+
+`Notable Changes in NSS 3.50 <#notable_changes_in_nss_3.50>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Verified primitives from HACL\* were updated, bringing performance improvements for several
+ platforms.
+
+ - Note that Intel processors with SSE4 but without AVX are currently unable to use the
+ improved ChaCha20/Poly1305 due to a build issue; such platforms will fall-back to less
+ optimized algorithms. See `Bug 1609569 for
+ details. `__
+
+ - Updated DTLS 1.3 implementation to Draft-30. See `Bug 1599514 for
+ details. `__
+ - Added NIST SP800-108 KBKDF - PKCS#11 implementation. See `Bug 1599603 for
+ details. `__
+
+.. _bugs_fixed_in_nss_3.50:
+
+`Bugs fixed in NSS 3.50 <#bugs_fixed_in_nss_3.50>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1599514 `__ - Update DTLS 1.3
+ implementation to Draft-30
+ - `Bug 1603438 `__ - Fix native tools
+ build failure due to lack of zlib include dir if external
+ - `Bug 1599603 `__ - NIST SP800-108 KBKDF
+ - PKCS#11 implementation
+ - `Bug 1606992 `__ - Cache the most
+ recent PBKDF1 password hash, to speed up repeated SDR operations, important with the increased
+ KDF iteration counts. NSS 3.49.1 sped up PBKDF2 operations, though PBKDF1 operations are also
+ relevant for older NSS databases (also included in NSS 3.49.2)
+ - `Bug 1608895 `__ - Gyp builds on
+ taskcluster broken by Setuptools v45.0.0 (for lacking Python3)
+ - `Bug 1574643 `__ - Upgrade HACL\*
+ verified implementations of ChaCha20, Poly1305, and 64-bit Curve25519
+ - `Bug 1608327 `__ - Two problems with
+ NEON-specific code in freebl
+ - `Bug 1575843 `__ - Detect AArch64 CPU
+ features on FreeBSD
+ - `Bug 1607099 `__ - Remove the buildbot
+ configuration
+ - `Bug 1585429 `__ - Add more HKDF test
+ vectors
+ - `Bug 1573911 `__ - Add more RSA test
+ vectors
+ - `Bug 1605314 `__ - Compare all 8 bytes
+ of an mp_digit when clamping in Windows assembly/mp_comba
+ - `Bug 1604596 `__ - Update Wycheproof
+ vectors and add support for CBC, P256-ECDH, and CMAC tests
+ - `Bug 1608493 `__ - Use AES-NI for
+ non-GCM AES ciphers on platforms with no assembly-optimized implementation, such as macOS.
+ - `Bug 1547639 `__ - Update zlib in NSS to
+ 1.2.11
+ - `Bug 1609181 `__ - Detect ARM (32-bit)
+ CPU features on FreeBSD
+ - `Bug 1602386 `__ - Fix build on
+ FreeBSD/powerpc\*
+ - `Bug 1608151 `__ - Introduce
+ NSS_DISABLE_ALTIVEC
+ - `Bug 1612623 `__ - Depend on NSPR 4.25
+ - `Bug 1609673 `__ - Fix a crash when NSS
+ is compiled without libnssdbm support, but the nssdbm shared object is available anyway.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.50:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.50
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.50 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.50 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst
new file mode 100644
index 0000000000..5ac0fedc33
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst
@@ -0,0 +1,79 @@
+.. _mozilla_projects_nss_nss_3_51_1_release_notes:
+
+NSS 3.51.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.51.1 on **3 April 2020**. This is a
+ minor release focusing on functional bug fixes and low-risk patches only.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_51_1_RTM. NSS 3.51.1 requires NSPR 4.25 or newer.
+
+ NSS 3.51.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_51_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.51.1:
+
+`Notable Changes in NSS 3.51.1 <#notable_changes_in_nss_3.51.1>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1617968 `__ - Update Delegated
+ Credentials implementation to draft-07.
+
+.. _bugs_fixed_in_nss_3.51.1:
+
+`Bugs fixed in NSS 3.51.1 <#bugs_fixed_in_nss_3.51.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1619102 `__ - Add workaround option
+ to include both DTLS and TLS versions in DTLS supported_versions.
+ - `Bug 1619056 `__ - Update README: TLS
+ 1.3 is not experimental anymore.
+ - `Bug 1618739 `__ - Don't assert fuzzer
+ behavior in SSL_ParseSessionTicket.
+ - `Bug 1618915 `__ - Fix UBSAN issue in
+ ssl_ParseSessionTicket.
+ - `Bug 1608245 `__ - Consistently handle
+ NULL slot/session.
+ - `Bug 1608250 `__ - broken fipstest
+ handling of KI_len.
+ - `Bug 1617968 `__ - Update Delegated
+ Credentials implementation to draft-07.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.51.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.51.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst
new file mode 100644
index 0000000000..4eb0a40166
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst
@@ -0,0 +1,103 @@
+.. _mozilla_projects_nss_nss_3_51_release_notes:
+
+NSS 3.51 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.51 on **6 March 2020**, which is a
+ minor release.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Dmitry Baryshkov
+ - Victor Tapia
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_51_RTM. NSS 3.51 requires NSPR 4.25 or newer.
+
+ NSS 3.51 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_51_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.51:
+
+`Notable Changes in NSS 3.51 <#notable_changes_in_nss_3.51>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - Updated DTLS 1.3 implementation to Draft-34. See `Bug
+ 1608892 `__ for details.
+
+.. _bugs_fixed_in_nss_3.51:
+
+`Bugs fixed in NSS 3.51 <#bugs_fixed_in_nss_3.51>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1608892 `__ - Update DTLS 1.3
+ implementation to draft-34.
+ - `Bug 1611209 `__ - Correct swapped
+ PKCS11 values of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL
+ - `Bug 1612259 `__ - Complete integration
+ of Wycheproof ECDH test cases
+ - `Bug 1614183 `__ - Check if PPC
+ \__has_include()
+ - `Bug 1614786 `__ - Fix a compilation
+ error for ‘getFIPSEnv’ "defined but not used"
+ - `Bug 1615208 `__ - Send DTLS version
+ numbers in DTLS 1.3 supported_versions extension to avoid an incompatibility.
+ - `Bug 1538980 `__ - SECU_ReadDERFromFile
+ calls strstr on a string that isn't guaranteed to be null-terminated
+ - `Bug 1561337 `__ - Correct a warning for
+ comparison of integers of different signs: 'int' and 'unsigned long' in
+ security/nss/lib/freebl/ecl/ecp_25519.c:88
+ - `Bug 1609751 `__ - Add test for mp_int
+ clamping
+ - `Bug 1582169 `__ - Don't attempt to read
+ the fips_enabled flag on the machine unless NSS was built with FIPS enabled
+ - `Bug 1431940 `__ - Fix a null pointer
+ dereference in BLAKE2B_Update
+ - `Bug 1617387 `__ - Fix compiler warning
+ in secsign.c
+ - `Bug 1618400 `__ - Fix a OpenBSD/arm64
+ compilation error: unused variable 'getauxval'
+ - `Bug 1610687 `__ - Fix a crash on
+ unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.51:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.51
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.51 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.51 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst
new file mode 100644
index 0000000000..8c2670a328
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_52_1_release_notes:
+
+NSS 3.52.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.52.1 on **19 May 2020**. This is a
+ security patch release.
+
+ Thank you to Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at
+ Tampere University for reporting this issue.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_52_1_RTM. NSS 3.52.1 requires NSPR 4.25 or newer.
+
+ NSS 3.52.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_52_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.52.1:
+
+`New in NSS 3.52.1 <#new_in_nss_3.52.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.52.1:
+
+`Bugs fixed in NSS 3.52.1 <#bugs_fixed_in_nss_3.52.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `CVE-2020-12399 `__ - Force a
+ fixed length for DSA exponentiation
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.52.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.52.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst
new file mode 100644
index 0000000000..0936a87b4d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst
@@ -0,0 +1,158 @@
+.. _mozilla_projects_nss_nss_3_52_release_notes:
+
+NSS 3.52 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.52 on **1 May 2020**.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - zhujianwei7
+ - Hans Petter Jansson
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_52_RTM. NSS 3.52 requires NSPR 4.25 or newer.
+
+ NSS 3.52 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_52_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.52:
+
+`Notable Changes in NSS 3.52 <#notable_changes_in_nss_3.52>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - `Bug 1603628 `__ - Update NSS to support
+ PKCS #11 v3.0.
+
+ - Note: This change modifies the CK_GCM_PARAMS struct to include the ulIvBits field which,
+ prior to PKCS #11 v3.0, was ambiguously defined and not included in the NSS definition. If
+ an application is recompiled with NSS 3.52+, this field must be initialized to a value
+ corresponding to ulIvLen. Alternatively, defining NSS_PKCS11_2_0_COMPAT will yield the old
+ definition. See the bug for more information.
+
+ - `Bug 1623374 `__ - Support new PKCS #11
+ v3.0 Message Interface for AES-GCM and ChaChaPoly.
+ - `Bug 1612493 `__ - Integrate AVX2
+ ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*.
+
+.. _bugs_fixed_in_nss_3.52:
+
+`Bugs fixed in NSS 3.52 <#bugs_fixed_in_nss_3.52>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1633498 `__ - Fix unused variable
+ 'getauxval' error on iOS compilation.
+ - `Bug 1630721 `__ - Add Softoken
+ functions for FIPS.
+ - `Bug 1630458 `__ - Fix problem of GYP
+ MSVC builds not producing debug symbol files.
+ - `Bug 1629663 `__ - Add IKEv1 Quick Mode
+ KDF.
+ - `Bug 1629661 `__ - MPConfig calls in SSL
+ initialize policy before NSS is initialized.
+ - `Bug 1629655 `__ - Support temporary
+ session objects in ckfw.
+ - `Bug 1629105 `__ - Add PKCS11 v3.0
+ functions to module debug logger.
+ - `Bug 1626751 `__ - Fix error in
+ generation of fuzz32 docker image after updates.
+ - `Bug 1625133 `__ - Fix implicit
+ declaration of function 'getopt' error.
+ - `Bug 1624864 `__ - Allow building of
+ gcm-arm32-neon on non-armv7 architectures.
+ - `Bug 1624402 `__ - Fix compilation error
+ in Firefox Android.
+ - `Bug 1624130 `__ - Require
+ CK_FUNCTION_LIST structs to be packed.
+ - `Bug 1624377 `__ - Fix clang warning for
+ unknown argument '-msse4'.
+ - `Bug 1623374 `__ - Support new PKCS #11
+ v3.0 Message Interface for AES-GCM and ChaChaPoly.
+ - `Bug 1623184 `__ - Fix freebl_cpuid for
+ querying Extended Features.
+ - `Bug 1622555 `__ - Fix argument parsing
+ in lowhashtest.
+ - `Bug 1620799 `__ - Introduce
+ NSS_DISABLE_GCM_ARM32_NEON to build on arm32 without NEON support.
+ - `Bug 1619102 `__ - Add workaround option
+ to include both DTLS and TLS versions in DTLS supported_versions.
+ - `Bug 1619056 `__ - Update README: TLS
+ 1.3 is not experimental anymore.
+ - `Bug 1618915 `__ - Fix UBSAN issue in
+ ssl_ParseSessionTicket.
+ - `Bug 1618739 `__ - Don't assert fuzzer
+ behavior in SSL_ParseSessionTicket.
+ - `Bug 1617968 `__ - Update Delegated
+ Credentials implementation to draft-07.
+ - `Bug 1617533 `__ - Update HACL\*
+ dependencies for libintvector.h
+ - `Bug 1613238 `__ - Add vector
+ accelerated SHA2 for POWER 8+.
+ - `Bug 1612493 `__ - Integrate AVX2
+ ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*.
+ - `Bug 1612281 `__ - Maintain PKCS11
+ C_GetAttributeValue semantics on attributes that lack NSS database columns.
+ - `Bug 1612260 `__ - Add Wycheproof RSA
+ test vectors.
+ - `Bug 1608250 `__ - broken fipstest
+ handling of KI_len.
+ - `Bug 1608245 `__ - Consistently handle
+ NULL slot/session.
+ - `Bug 1603801 `__ - Avoid dcache
+ pollution from sdb_measureAccess().
+ - `Bug 1603628 `__ - Update NSS to support
+ PKCS #11 v3.0.
+ - `Bug 1561637 `__ - TLS 1.3 does not work
+ in FIPS mode.
+ - `Bug 1531906 `__ - Fix overzealous
+ assertion when evicting a cached sessionID or using external cache.
+ - `Bug 1465613 `__ - Fix issue where
+ testlib makefile build produced extraneous object files.
+ - `Bug 1619959 `__ - Properly handle
+ multi-block SEED ECB inputs.
+ - `Bug 1630925 `__ - Guard all instances
+ of NSSCMSSignedData.signerInfo to avoid a CMS crash
+ - `Bug 1571677 `__ - Name Constraints
+ validation: CN treated as DNS name even when syntactically invalid as DNS name
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.52:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.52
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.52 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.52 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst
new file mode 100644
index 0000000000..1c9c93ca7b
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_53_1_release_notes:
+
+NSS 3.53.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.53.1 on **16 June 2020**. This is a
+ security patch release.
+
+ Thank you to Sohaib ul Hassan, Billy Bob Brumley, and the Network and Information Security Group
+ (NISEC) at Tampere University for reporting this issue and providing a patch.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_53_1_RTM. NSS 3.53.1 requires NSPR 4.25 or newer.
+
+ NSS 3.53.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_53_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _new_in_nss_3.53.1:
+
+`New in NSS 3.53.1 <#new_in_nss_3.53.1>`__
+------------------------------------------
+
+.. container::
+
+ No new functionality is introduced in this release.
+
+.. _bugs_fixed_in_nss_3.53.1:
+
+`Bugs fixed in NSS 3.53.1 <#bugs_fixed_in_nss_3.53.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `CVE-2020-12402 `__ - Use
+ constant-time GCD and modular inversion in MPI.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.53.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.53.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst
new file mode 100644
index 0000000000..d9605ca312
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst
@@ -0,0 +1,128 @@
+.. _mozilla_projects_nss_nss_3_53_release_notes:
+
+NSS 3.53 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team released Network Security Services (NSS) 3.53 on **29 May 2020**. NSS 3.53 will be a
+ long-term support release, supporting Firefox 78 ESR.
+
+ The NSS team would like to recognize first-time contributors:
+
+ - Jan-Marek Glogowski
+ - Jeff Walden
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_53_RTM. NSS 3.53 requires NSPR 4.25 or newer.
+
+ NSS 3.53 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_53_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _notable_changes_in_nss_3.53:
+
+`Notable Changes in NSS 3.53 <#notable_changes_in_nss_3.53>`__
+--------------------------------------------------------------
+
+.. container::
+
+ - When using the Makefiles, NSS can be built in parallel, speeding up those builds to more
+ similar performance as the build.sh/ninja/gyp system. (`Bug
+ 290526 `__)
+ - SEED is now moved into a new freebl directory freebl/deprecated (`Bug
+ 1636389 `__).
+
+ - SEED will be disabled by default in a future release of NSS. At that time, users will need
+ to set the compile-time flag (`Bug
+ 1622033 `__) to disable that
+ deprecation in order to use the algorithm.
+ - Algorithms marked as deprecated will ultimately be removed.
+
+ - Several root certificates in the Mozilla program now set the CKA_NSS_SERVER_DISTRUST_AFTER
+ attribute, which NSS consumers can query to further refine trust decisions. (`Bug
+ 1618404, `__ `Bug
+ 1621159 `__) If a builtin certificate
+ has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or NotBefore date of a
+ certificate that builtin issued, then clients can elect not to trust it.
+
+ - This attribute provides a more graceful phase-out for certificate authorities than complete
+ removal from the root certificate builtin store.
+
+.. _bugs_fixed_in_nss_3.53:
+
+`Bugs fixed in NSS 3.53 <#bugs_fixed_in_nss_3.53>`__
+----------------------------------------------------
+
+.. container::
+
+ - `Bug 1640260 `__ - Initialize PBE params
+ (ASAN fix)
+ - `Bug 1618404 `__ - Set
+ CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root certs
+ - `Bug 1621159 `__ - Set
+ CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC, GRCA, and SK ID root certs
+ - `Bug 1629414 `__ - PPC64: Correct
+ compilation error between VMX vs. VSX vector instructions
+ - `Bug 1639033 `__ - Fix various compile
+ warnings in NSS
+ - `Bug 1640041 `__ - Fix a null pointer in
+ security/nss/lib/ssl/sslencode.c:67
+ - `Bug 1640042 `__ - Fix a null pointer in
+ security/nss/lib/ssl/sslsock.c:4460
+ - `Bug 1638289 `__ - Avoid multiple
+ definitions of SHA{256,384,512}_\* symbols when linking libfreeblpriv3.so in Firefox on
+ ppc64le
+ - `Bug 1636389 `__ - Relocate deprecated
+ SEED algorithm
+ - `Bug 1637083 `__ - lib/ckfw: No such
+ file or directory. Stop.
+ - `Bug 1561331 `__ - Additional modular
+ inverse test
+ - `Bug 1629553 `__ - Rework and cleanup
+ gmake builds
+ - `Bug 1438431 `__ - Remove mkdepend and
+ "depend" make target
+ - `Bug 290526 `__ - Support parallel
+ building of NSS when using the Makefiles
+ - `Bug 1636206 `__ - HACL\* update after
+ changes in libintvector.h
+ - `Bug 1636058 `__ - Fix building NSS on
+ Debian s390x, mips64el, and riscv64
+ - `Bug 1622033 `__ - Add option to build
+ without SEED
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.53:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.53
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.53 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.53 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst
new file mode 100644
index 0000000000..3013238b22
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst
@@ -0,0 +1,184 @@ +.. _mozilla_projects_nss_nss_3_54_release_notes: + +NSS 3.54 release notes +====================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + The NSS team has released Network Security Services (NSS) 3.54 on **26 June 2020**, which is a + minor release. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_54_RTM. NSS 3.54 requires NSPR 4.26 or newer. + + NSS 3.54 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_54_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_nss_releases`. + +.. _notable_changes_in_nss_3.54: + +`Notable Changes in NSS 3.54 <#notable_changes_in_nss_3.54>`__ +-------------------------------------------------------------- + +.. container:: + + - Support for TLS 1.3 external pre-shared keys (`Bug + 1603042 `__). + - Use ARM Cryptography Extension for SHA256, when available. (`Bug + 1528113 `__). + +.. _certificate_authority_changes: + +`Certificate Authority Changes <#certificate_authority_changes>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. 
container:: + + - The following CA certificates were Added: + + - `Bug 1645186 `__ - certSIGN Root CA + G2 + + - SHA-256 Fingerprint: 657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305 + + - `Bug 1645174 `__ - e-Szigno Root CA + 2017 + + - SHA-256 Fingerprint: BEB00B30839B9BC32C32E4447905950641F26421B15ED089198B518AE2EA1B99 + + - `Bug 1641716 `__ - Microsoft ECC Root + Certificate Authority 2017 + + - SHA-256 Fingerprint: 358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02 + + - `Bug 1641716 `__ - Microsoft RSA Root + Certificate Authority 2017 + + - SHA-256 Fingerprint: C741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0 + + - The following CA certificates were Removed: + + - `Bug 1645199 `__ - AddTrust Class 1 + CA Root + + - SHA-256 Fingerprint: + 8C7209279AC04E275E16D07FD3B775E80154B5968046E31F52DD25766324E9A7 + + - `Bug 1645199 `__ - AddTrust External + CA Root + + - SHA-256 Fingerprint: + 687FA451382278FFF0C8B11F8D43D576671C6EB2BCEAB413FB83D965D06D2FF2 + + - `Bug 1641718 `__ - LuxTrust Global + Root 2 + + - SHA-256 Fingerprint: 54455F7129C20B1447C418F997168F24C58FC5023BF5DA5BE2EB6E1DD8902ED5 + + - `Bug 1639987 `__ - Staat der + Nederlanden Root CA - G2 + + - SHA-256 Fingerprint: 668C83947DA63B724BECE1743C31A0E6AED0DB8EC5B31BE377BB784F91B6716F + + - `Bug 1618402 `__ - Symantec Class 2 + Public Primary Certification Authority - G4 + + - SHA-256 Fingerprint: FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592 + + - `Bug 1618402 `__ - Symantec Class 1 + Public Primary Certification Authority - G4 + + - SHA-256 Fingerprint: 363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF + + - `Bug 1618402 `__ - VeriSign Class 3 + Public Primary Certification Authority - G3 + + - SHA-256 Fingerprint: EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244 + + - A number of certificates had their Email trust bit disabled. See `Bug + 1618402 `__ for a complete list. + +.. 
_bugs_fixed_in_nss_3.54: + +`Bugs fixed in NSS 3.54 <#bugs_fixed_in_nss_3.54>`__ +---------------------------------------------------- + +.. container:: + + - `Bug 1528113 `__ - Use ARM Cryptography + Extension for SHA256. + - `Bug 1603042 `__ - Add TLS 1.3 external + PSK support. + - `Bug 1642802 `__ - Add uint128 support + for HACL\* curve25519 on Windows. + - `Bug 1645186 `__ - Add "certSIGN Root CA + G2" root certificate. + - `Bug 1645174 `__ - Add Microsec's + "e-Szigno Root CA 2017" root certificate. + - `Bug 1641716 `__ - Add Microsoft's + non-EV root certificates. + - `Bug 1621151 `__ - Disable email trust + bit for "O=Government Root Certification Authority; C=TW" root. + - `Bug 1645199 `__ - Remove AddTrust root + certificates. + - `Bug 1641718 `__ - Remove "LuxTrust + Global Root 2" root certificate. + - `Bug 1639987 `__ - Remove "Staat der + Nederlanden Root CA - G2" root certificate. + - `Bug 1618402 `__ - Remove Symantec root + certificates and disable email trust bit. + - `Bug 1640516 `__ - NSS 3.54 should + depend on NSPR 4.26. + - `Bug 1642146 `__ - Fix undefined + reference to \`PORT_ZAlloc_stub' in seed.c. + - `Bug 1642153 `__ - Fix infinite + recursion building NSS. + - `Bug 1642638 `__ - Fix fuzzing assertion + crash. + - `Bug 1642871 `__ - Enable + SSL_SendSessionTicket after resumption. + - `Bug 1643123 `__ - Support + SSL_ExportEarlyKeyingMaterial with External PSKs. + - `Bug 1643557 `__ - Fix numerous compile + warnings in NSS. + - `Bug 1644774 `__ - SSL gtests to use + ClearServerCache when resetting self-encrypt keys. + - `Bug 1645479 `__ - Don't use + SECITEM_MakeItem in secutil.c. + - `Bug 1646520 `__ - Stricter enforcement + of ASN.1 INTEGER encoding. + + This Bugzilla query returns all the bugs fixed in NSS 3.54: + + https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.54 + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. 
container:: + + NSS 3.54 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.54 shared libraries + without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in NSS Public Functions will remain compatible with future versions of + the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report with + `bugzilla.mozilla.org `__ (product NSS). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst new file mode 100644 index 0000000000..4da2a6b20a --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst 
@@ -0,0 +1,135 @@ +.. _mozilla_projects_nss_nss_3_55_release_notes: + +NSS 3.55 release notes +====================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + The NSS team has released Network Security Services (NSS) 3.55 on **24 July 2020**, which is a + minor release. + + The NSS team would like to recognize first-time contributors: + + - Danh + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_55_RTM. NSS 3.55 requires NSPR 4.27 or newer. + + NSS 3.55 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_55_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_nss_releases`. + +.. _notable_changes_in_nss_3.55: + +`Notable Changes in NSS 3.55 <#notable_changes_in_nss_3.55>`__ +-------------------------------------------------------------- + +.. container:: + + - P384 and P521 elliptic curve implementations are replaced with verifiable implementations from + `Fiat-Crypto `__ and + `ECCKiila `__. Special thanks to the Network and + Information Security Group (NISEC) at Tampere University. + - PK11_FindCertInSlot is added. With this function, a given slot can be queried with a + DER-Encoded certificate, providing performance and usability improvements over other + mechanisms. See `Bug 1649633 `__ for + more details. + - DTLS 1.3 implementation is updated to draft-38. See `Bug + 1647752 `__ for details. + - NSPR dependency updated to 4.27. + +.. _known_issues: + +`Known Issues <#known_issues>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - On some platforms, using the Makefile builds fails to locate seccomon.h; ensure you are using + make all rather than just make. 
Another potential workaround is to use the gyp-based build.sh + script. If this affects you, please help us narrow down the cause in `Bug + 1653975. `__ + +.. _bugs_fixed_in_nss_3.55: + +`Bugs fixed in NSS 3.55 <#bugs_fixed_in_nss_3.55>`__ +---------------------------------------------------- + +.. container:: + + - `Bug 1631583 `__ (CVE-2020-6829, + CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from + `Fiat-Crypto `__ and + `ECCKiila `__. + - `Bug 1649487 `__ - Move overzealous + assertion in VFY_EndWithSignature. + - `Bug 1631573 `__ (CVE-2020-12401) - + Remove unnecessary scalar padding. + - `Bug 1636771 `__ (CVE-2020-12403) - + Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly + enforce tag length. + - `Bug 1649648 `__ - Don't memcpy zero + bytes (sanitizer fix). + - `Bug 1649316 `__ - Don't memcpy zero + bytes (sanitizer fix). + - `Bug 1649322 `__ - Don't memcpy zero + bytes (sanitizer fix). + - `Bug 1653202 `__ - Fix initialization + bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED. + - `Bug 1646594 `__ - Fix AVX2 detection in + makefile builds. + - `Bug 1649633 `__ - Add + PK11_FindCertInSlot to search a given slot for a DER-encoded certificate. + - `Bug 1651520 `__ - Fix slotLock race in + NSC_GetTokenInfo. + - `Bug 1647752 `__ - Update DTLS 1.3 + implementation to draft-38. + - `Bug 1649190 `__ - Run cipher, sdr, and + ocsp tests under standard test cycle in CI. + - `Bug 1649226 `__ - Add Wycheproof ECDSA + tests. + - `Bug 1637222 `__ - Consistently enforce + IV requirements for DES and 3DES. + - `Bug 1067214 `__ - Enforce minimum + PKCS#1 v1.5 padding length in RSA_CheckSignRecover. + - `Bug 1643528 `__ - Fix compilation error + with -Werror=strict-prototypes. + - `Bug 1646324 `__ - Advertise PKCS#1 + schemes for certificates in the signature_algorithms extension. + - `Bug 1652331 `__ - Update NSS 3.55 NSPR + version to 4.27. 
+ + This Bugzilla query returns all the bugs fixed in NSS 3.55: + + https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.55 + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.55 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.55 shared libraries + without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in NSS Public Functions will remain compatible with future versions of + the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report with + `bugzilla.mozilla.org `__ (product NSS). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst new file mode 100644 index 0000000000..3f00a41cc8 --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst 
@@ -0,0 +1,98 @@ +.. _mozilla_projects_nss_nss_3_56_release_notes: + +NSS 3.56 release notes +====================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + The NSS team has released Network Security Services (NSS) 3.56 on **21 August 2020**, which is a + minor release. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_56_RTM. NSS 3.56 requires NSPR 4.28 or newer. + + NSS 3.56 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_56_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_nss_releases`. + +.. _notable_changes_in_nss_3.56: + +`Notable Changes in NSS 3.56 <#notable_changes_in_nss_3.56>`__ +-------------------------------------------------------------- + +.. container:: + + - NSPR dependency updated to 4.28. + - The known issue where Makefile builds failed to locate seccomon.h was fixed in `Bug + 1653975 `__. + +.. _bugs_fixed_in_nss_3.56: + +`Bugs fixed in NSS 3.56 <#bugs_fixed_in_nss_3.56>`__ +---------------------------------------------------- + +.. container:: + + - `Bug 1650702 `__ - Support SHA-1 HW + acceleration on ARMv8 + - `Bug 1656981 `__ - Use MPI comba and + mulq optimizations on x86-64 MacOS. + - `Bug 1654142 `__ - Add CPU feature + detection for Intel SHA extension. + - `Bug 1648822 `__ - Add stricter + validation of DH keys in FIPS mode. + - `Bug 1656986 `__ - Properly detect arm64 + during GYP build architecture detection. + - `Bug 1652729 `__ - Add build flag to + disable RC2 and relocate to lib/freebl/deprecated. + - `Bug 1656429 `__ - Correct RTT estimate + used in 0-RTT anti-replay. + - `Bug 1588941 `__ - Send empty + certificate message when scheme selection fails. 
+ - `Bug 1652032 `__ - Fix failure to build + in Windows arm64 makefile cross-compilation. + - `Bug 1625791 `__ - Fix deadlock issue in + nssSlot_IsTokenPresent. + - `Bug 1653975 `__ - Fix 3.53 regression + by setting "all" as the default makefile target. + - `Bug 1659792 `__ - Fix broken libpkix + tests with unexpired PayPal cert. + - `Bug 1659814 `__ - Fix interop.sh + failures with newer tls-interop commit and dependencies. + - `Bug 1656519 `__ - Update NSPR + dependency to 4.28. + + This Bugzilla query returns all the bugs fixed in NSS 3.56: + + https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.56 + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.56 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.56 shared libraries + without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in NSS Public Functions will remain compatible with future versions of + the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report with + `bugzilla.mozilla.org `__ (product NSS). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst new file mode 100644 index 0000000000..685f83cb4a --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst 
@@ -0,0 +1,151 @@ +.. _mozilla_projects_nss_nss_3_57_release_notes: + +NSS 3.57 release notes +====================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + The NSS team has released Network Security Services (NSS) 3.57 on **18 September 2020**, which is + a minor release. + + The NSS team would like to recognize first-time contributors: + + - Khem Raj + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_57_RTM. NSS 3.57 requires NSPR 4.29 or newer. + + NSS 3.57 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_57_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_nss_releases`. + +.. _notable_changes_in_nss_3.57: + +`Notable Changes in NSS 3.57 <#notable_changes_in_nss_3.57>`__ +-------------------------------------------------------------- + +.. container:: + + - NSPR dependency updated to 4.29. + +.. _certificate_authority_changes: + +`Certificate Authority Changes <#certificate_authority_changes>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. 
container:: + + - The following CA certificates were Added: + + - `Bug 1663049 `__ - CN=Trustwave + Global Certification Authority + + - SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 + + - `Bug 1663049 `__ - CN=Trustwave + Global ECC P256 Certification Authority + + - SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 + + - `Bug 1663049 `__ - CN=Trustwave + Global ECC P384 Certification Authority + + - SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 + + - The following CA certificates were Removed: + + - `Bug 1651211 `__ - CN=EE + Certification Centre Root CA + + - SHA-256 Fingerprint: + 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 + + - `Bug 1656077 `__ - O=Government Root + Certification Authority; C=TW + + - SHA-256 Fingerprint: + 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 + + - Trust settings for the following CA certificates were Modified: + + - `Bug 1653092 `__ - CN=OISTE WISeKey + Global Root GA CA + + - Websites (server authentication) trust bit removed. + +.. _bugs_fixed_in_nss_3.57: + +`Bugs fixed in NSS 3.57 <#bugs_fixed_in_nss_3.57>`__ +---------------------------------------------------- + +.. container:: + + - `Bug 1651211 `__ - Remove EE + Certification Centre Root CA certificate. + - `Bug 1653092 `__ - Turn off Websites + Trust Bit for OISTE WISeKey Global Root GA CA. + - `Bug 1656077 `__ - Remove Taiwan + Government Root Certification Authority certificate. + - `Bug 1663049 `__ - Add SecureTrust's + Trustwave Global root certificates to NSS. + - `Bug 1659256 `__ - AArch64 AES + optimization shouldn't be enabled with gcc 4.8. + - `Bug 1651834 `__ - Fix Clang static + analyzer warnings. + - `Bug 1661378 `__ - Fix Build failure + with Clang 11. + - `Bug 1659727 `__ - Fix mpcpucache.c + invalid output constraint on Linux/ARM. 
+ - `Bug 1662738 `__ - Only run + freebl_fips_RNG_PowerUpSelfTest when linked with NSPR. + - `Bug 1661810 `__ - Fix Crash @ + arm_aes_encrypt_ecb_128 when building with Clang 11. + - `Bug 1659252 `__ - Fix Make build with + NSS_DISABLE_DBM=1. + - `Bug 1660304 `__ - Add POST tests for + KDFs as required by FIPS. + - `Bug 1663346 `__ - Use 64-bit + compilation on e2k architecture. + - `Bug 1605922 `__ - Account for negative + sign in mp_radix_size. + - `Bug 1653641 `__ - Cleanup inaccurate + DTLS comments, code review fixes. + - `Bug 1660372 `__ - NSS 3.57 should + depend on NSPR 4.29 + - `Bug 1660734 `__ - Fix Makefile typos. + - `Bug 1660735 `__ - Fix Makefile typos. + + This Bugzilla query returns all the bugs fixed in NSS 3.57: + + https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.57 + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.57 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.57 shared libraries + without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in NSS Public Functions will remain compatible with future versions of + the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report with + `bugzilla.mozilla.org `__ (product NSS). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst new file mode 100644 index 0000000000..0dda20b4af --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst 
@@ -0,0 +1,76 @@ +.. _mozilla_projects_nss_nss_3_58_release_notes: + +NSS 3.58 release notes +====================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + The NSS team has released Network Security Services (NSS) 3.58 on **16 October 2020**, which is a + minor release. + + The NSS team would like to recognize first-time contributors: + + - Ricky Stewart + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_58_RTM. NSS 3.58 requires NSPR 4.29 or newer. + + NSS 3.58 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_58_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_nss_releases`. + +.. _bugs_fixed_in_nss_3.58: + +`Bugs fixed in NSS 3.58 <#bugs_fixed_in_nss_3.58>`__ +---------------------------------------------------- + +.. container:: + + - `Bug 1641480 `__ (CVE-2020-25648) - + Tighten CCS handling for middlebox compatibility mode. + - `Bug 1631890 `__ - Add support for + Hybrid Public Key Encryption + (`draft-irtf-cfrg-hpke `__) support. + - `Bug 1657255 `__ - Add CI tests that + disable SHA1/SHA2 ARM crypto extensions. + - `Bug 1668328 `__ - Handle spaces in the + Python path name when using gyp on Windows. + - `Bug 1667153 `__ - Add + PK11_ImportDataKey for data object import. + - `Bug 1665715 `__ - Pass the embedded SCT + list extension (if present) to TrustDomain::CheckRevocation instead of the notBefore value. + + This Bugzilla query returns all the bugs fixed in NSS 3.58: + + https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.58 + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. 
container:: + + NSS 3.58 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.58 shared libraries + without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in NSS Public Functions will remain compatible with future versions of + the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report with + `bugzilla.mozilla.org `__ (product NSS). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst new file mode 100644 index 0000000000..7434379560 --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst 
@@ -0,0 +1,57 @@
+.. _mozilla_projects_nss_nss_3_59_1_release_notes:
+
+NSS 3.59.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team has released Network Security Services (NSS) 3.59.1 on **18 December 2020**, which
+ is a patch release for NSS 3.59.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_59_1_RTM. NSS 3.59.1 requires NSPR 4.29 or newer.
+
+ NSS 3.59.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_59_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.59.1:
+
+`Bugs fixed in NSS 3.59.1 <#bugs_fixed_in_nss_3.59.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1679290 `__ - Fix potential
+ deadlock with certain third-party PKCS11 modules.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.59.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.59.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report with
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst
new file mode 100644
index 0000000000..96490dda30
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst
@@ -0,0 +1,108 @@ +.. _mozilla_projects_nss_nss_3_59_release_notes: + +NSS 3.59 release notes +====================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + The NSS team has released Network Security Services (NSS) 3.59 on **13 November 2020**, which is + a minor release. + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_59_RTM. NSS 3.59 requires NSPR 4.29 or newer. + + NSS 3.59 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_59_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_nss_releases`. + +.. _notable_changes_in_nss_3.59: + +`Notable Changes in NSS 3.59 <#notable_changes_in_nss_3.59>`__ +-------------------------------------------------------------- + +.. container:: + + - Exported two existing functions from libnss, CERT_AddCertToListHeadWithData and + CERT_AddCertToListTailWithData + +.. _build_requirements: + +`Build Requirements <#build_requirements>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - NSS will soon require GCC 4.8 or newer. Gyp-based builds will stop supporting older GCC + versions in the next release, NSS 3.60 planned for December, followed later by the make-based + builds. Users of older GCC versions can continue to use the make-based build system while they + upgrade to newer versions of GCC. + +.. _bugs_fixed_in_nss_3.59: + +`Bugs fixed in NSS 3.59 <#bugs_fixed_in_nss_3.59>`__ +---------------------------------------------------- + +.. 
container:: + + - `Bug 1607449 `__ - Lock + cert->nssCertificate to prevent a potential data race + - `Bug 1672823 `__ - Add Wycheproof test + cases for HMAC, HKDF, and DSA + - `Bug 1663661 `__ - Guard against NULL + token in nssSlot_IsTokenPresent + - `Bug 1670835 `__ - Support enabling and + disabling signatures via Crypto Policy + - `Bug 1672291 `__ - Resolve libpkix OCSP + failures on SHA1 self-signed root certs when SHA1 signatures are disabled. + - `Bug 1644209 `__ - Fix broken + SelectedCipherSuiteReplacer filter to solve some test intermittents + - `Bug 1672703 `__ - Tolerate the first + CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord + - `Bug 1666891 `__ - Support key + wrap/unwrap with RSA-OAEP + - `Bug 1667989 `__ - Fix gyp linking on + Solaris + - `Bug 1668123 `__ - Export + CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss + - `Bug 1634584 `__ - Set + CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA + - `Bug 1663091 `__ - Remove unnecessary + assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys + when using NSS debug builds + - `Bug 1670839 `__ - Use ARM crypto + extension for AES, SHA1 and SHA2 on MacOS. + + This Bugzilla query returns all the bugs fixed in NSS 3.59: + + https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.59 + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.59 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.59 shared libraries + without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in NSS Public Functions will remain compatible with future versions of + the NSS shared libraries. 
+ +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report with + `bugzilla.mozilla.org `__ (product NSS). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst new file mode 100644 index 0000000000..a524dba2df --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst 
@@ -0,0 +1,58 @@
+.. _mozilla_projects_nss_nss_3_60_1_release_notes:
+
+NSS 3.60.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team released Network Security Services (NSS) 3.60.1 on **4 January 2021**, which is a
+ patch release for NSS 3.60.
+
+.. _distribution_information:
+
+`Distribution information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_60_1_RTM. NSS 3.60.1 requires NSPR 4.29 or newer.
+
+ NSS 3.60.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_60_1_RTM/src/
+
+ Other releases are available at :ref:`mozilla_projects_nss_nss_releases#past_releases`.
+
+.. _bugs_fixed_in_nss_3.60.1:
+
+`Bugs fixed in NSS 3.60.1 <#bugs_fixed_in_nss_3.60.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - `Bug 1682863 `__ - Fix remaining hang
+ issues with slow third-party PKCS #11 tokens.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.60.1 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.60.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report at
+ `bugzilla.mozilla.org `__ under the NSS
+ product.
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst
new file mode 100644
index 0000000000..579124030a
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst
@@ -0,0 +1,144 @@ +.. _mozilla_projects_nss_nss_3_60_release_notes: + +NSS 3.60 release notes +====================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + The NSS team has released Network Security Services (NSS) 3.60 on **11 December 2020**, which is + a minor release. + + The NSS team would like to recognize first-time contributors: + + - yogesh + +.. _distribution_information: + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_60_RTM. NSS 3.60 requires NSPR 4.29 or newer. + + NSS 3.60 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_60_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_nss_releases`. + +.. _notable_changes_in_nss_3.60: + +`Notable Changes in NSS 3.60 <#notable_changes_in_nss_3.60>`__ +-------------------------------------------------------------- + +.. container:: + + - TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the + ESNI (draft-ietf-tls-esni-01). See `bug + 1654332 `__ for more information. + +.. _certificate_authority_changes: + +`Certificate Authority Changes <#certificate_authority_changes>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. 
container:: + + - The following CA certificates were added: + + - `Bug 1678166 `__ - NAVER Global Root + Certification Authority + + - SHA-256 Fingerprint: 88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265 + + - The following CA certificates were removed in `bug + 1670769 `__: + + - GeoTrust Global CA + + - SHA-256 Fingerprint: + FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A + + - GeoTrust Primary Certification Authority + + - SHA-256 Fingerprint: 37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C + + - GeoTrust Primary Certification Authority - G3 + + - SHA-256 Fingerprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4 + + - thawte Primary Root CA + + - SHA-256 Fingerprint: 8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F + + - thawte Primary Root CA - G3 + + - SHA-256 Fingerprint: 4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C + + - VeriSign Class 3 Public Primary Certification Authority - G4 + + - SHA-256 Fingerprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79 + + - VeriSign Class 3 Public Primary Certification Authority - G5 + + - SHA-256 Fingerprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF + + - thawte Primary Root CA - G2 + + - SHA-256 Fingerprint: A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557 + + - GeoTrust Universal CA + + - SHA-256 Fingerprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912 + + - GeoTrust Universal CA 2 + + - SHA-256 Fingerprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B + +.. _bugs_fixed_in_nss_3.60: + +`Bugs fixed in NSS 3.60 <#bugs_fixed_in_nss_3.60>`__ +---------------------------------------------------- + +.. container:: + + - Bug 1654332 - Implement Encrypted Client Hello (draft-ietf-tls-esni-08) in NSS. + - Bug 1678189 - Update CA list version to 2.46. 
+ - Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS. + - Bug 1678166 - Add NAVER Global Root Certification Authority root cert to NSS. + - Bug 1678384 - Add a build flag to allow building nssckbi-testlib in m-c. + - Bug 1570539 - Remove -X alt-server-hello option from tstclnt. + - Bug 1675523 - Fix incorrect pkcs11t.h value CKR_PUBLIC_KEY_INVALID. + - Bug 1642174 - Fix PowerPC ABI version 1 build failure. + - Bug 1674819 - Fix undefined shift in fuzzer mode. + - Bug 1678990 - Fix ARM crypto extensions detection on macOS. + - Bug 1679290 - Fix lock order inversion and potential deadlock with libnsspem. + - Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey. + + This Bugzilla query returns all the bugs fixed in NSS 3.60: + + https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.60 + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.60 shared libraries are backward compatible with all older NSS 3.x shared libraries. A + program linked with older NSS 3.x shared libraries will work with NSS 3.60 shared libraries + without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs + to the functions listed in NSS Public Functions will remain compatible with future versions of + the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report with + `bugzilla.mozilla.org `__ (product NSS). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst new file mode 100644 index 0000000000..1fa1e7c44a --- /dev/null +++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst 
@@ -0,0 +1,65 @@
+.. _mozilla_projects_nss_nss_3_61_release_notes:
+
+NSS 3.61 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team released Network Security Services (NSS) 3.61 on **22 January 2021**, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_61_RTM. NSS 3.61 requires NSPR 4.29 or newer.
+
+ NSS 3.61 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_61_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.61:
+
+`Bugs fixed in NSS 3.61 <#bugs_fixed_in_nss_3.61>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain
+ conditions.
+ - Bug 1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM.
+ - Bug 1651411 - Improve constant-timeness in RSA operations.
+ - Bug 1677207 - Upgrade Google Test version to latest release.
+ - Bug 1654332 - Add aarch64-make target to nss-try.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.61:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.61
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.61 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.61 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org `__ (product NSS).
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst
new file mode 100644
index 0000000000..c5296c1de0
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst
@@ -0,0 +1,84 @@
+.. _mozilla_projects_nss_nss_3_62_release_notes:
+
+NSS 3.62 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ The NSS team released Network Security Services (NSS) 3.62 on **19 February 2021**, which is a
+ minor release.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_62_RTM. NSS 3.62 requires NSPR 4.29 or newer.
+
+ NSS 3.62 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_62_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.62:
+
+`Bugs fixed in NSS 3.62 <#bugs_fixed_in_nss_3.62>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1688374 - Fix parallel build NSS-3.61 with make.
+ - Bug 1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable".
+ - Bug 1690583 - Fix CH padding extension size calculation.
+ - Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail.
+ - Bug 1690421 - Install packaged libabigail in docker-builds image.
+ - Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing.
+ - Bug 1674819 - Fixup a51fae403328, enum type may be signed.
+ - Bug 1681585 - Add ECH support to selfserv.
+ - Bug 1681585 - Update ECH to Draft-09.
+ - Bug 1678398 - Add Export/Import functions for HPKE context.
+ - Bug 1678398 - Update HPKE to draft-07.
+
+ This Bugzilla query returns all the bugs fixed in NSS 3.62:
+
+ https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.62
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.62 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.62 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org `__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+ Due to changes to MDN, we have been notified that the NSS documentation will have to move off of
+ MDN. It is not fully clear yet, but the proposed solution is to move the documentation in-tree
+ (nss/docs), to the md/sphinx format, and have it either rendered as a sub-section of the Firefox
+ source docs or as a standalone website. More information will follow in the NSS 3.63 notes.
+
+ Regarding the Release day, in order to organize release process better and avoid issues, we will
+ likely move the release day to Thursdays. Please take a look at the release calendar for the
+ exact dates.
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst
new file mode 100644
index 0000000000..a7a32b7e03
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst
@@ -0,0 +1,66 @@
+.. _mozilla_projects_nss_nss_3_63_1_release_notes:
+
+NSS 3.63.1 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.63.1 was released on **6 April 2021**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_63_1_RTM. NSS 3.63.1 requires NSPR 4.30 or newer.
+
+ NSS 3.63.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_63_1_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.63.1:
+
+`Bugs fixed in NSS 3.63.1 <#bugs_fixed_in_nss_3.63.1>`__
+--------------------------------------------------------
+
+.. container::
+
+ - REVERTING Bug 1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and
+ 'Global Chambersign Root - 2008’.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.63.1 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.63.1 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org `__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+ This version of NSS contains a minor update to the root CAs due to a delay in deprecation.
+
+ This revert is temporary in order to prevent breaking websites with Firefox 88 and the change has
+ been reinstated in NSS 3.64 for Firefox 89.
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst
new file mode 100644
index 0000000000..e1f157409d
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst
@@ -0,0 +1,90 @@
+.. _mozilla_projects_nss_nss_3_63_release_notes:
+
+NSS 3.63 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.63 was released on **18 March 2021**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_63_RTM. NSS 3.63 requires NSPR 4.30 or newer.
+
+ NSS 3.63 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_63_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.63:
+
+`Bugs fixed in NSS 3.63 <#bugs_fixed_in_nss_3.63>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1688374 - Fix parallel build NSS-3.61 with make.
+ - Bug 1697380 - Make a clang-format run on top of helpful contributions.
+ - Bug 1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build
+ isses with GCC 4.8.
+ - Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication.
+ - Bug 1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build
+ isses with GCC 4.8.
+ - Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication.
+ - Bug 1696800 - HACL\* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
+ - Bug 1694214 - tstclnt can't enable middlebox compat mode.
+ - Bug 1694392 - NSS does not work with PKCS #11 modules not supporting profiles.
+ - Bug 1685880 - Minor fix to prevent unused variable on early return.
+ - Bug 1685880 - Fix for the gcc compiler version 7 to support setenv with nss build.
+ - Bug 1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA
+ list version 2.48.
+ - Bug 1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and
+ 'Global Chambersign' roots.
+ - Bug 1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
+ - Bug 1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
+ - Bug 1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
+ - Bug 1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS.
+ - Bug 1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root
+ cert in NSS.
+ - Bug 1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global
+ Chambersign Root - 2008’.
+ - Bug 1694291 - Tracing fixes for ECH.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.63 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.63 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org `__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+ This version of NSS contains a significant update to the root CAs.
+
+ Discussions about moving the documentation are still ongoing. (See discussion in the 3.62 release
+ notes.)
\ No newline at end of file
diff --git a/security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst b/security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst
new file mode 100644
index 0000000000..a3c605e4cc
--- /dev/null
+++ b/security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst
@@ -0,0 +1,69 @@
+.. _mozilla_projects_nss_nss_3_64_release_notes:
+
+NSS 3.64 release notes
+======================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.64 was released on **15 April 2021**.
+
+.. _distribution_information:
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_64_RTM. NSS 3.64 requires NSPR 4.30 or newer.
+
+ NSS 3.64 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_64_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
+
+.. _bugs_fixed_in_nss_3.64:
+
+`Bugs fixed in NSS 3.64 <#bugs_fixed_in_nss_3.64>`__
+----------------------------------------------------
+
+.. container::
+
+ - Bug 1705286 - Properly detect mips64.
+ - Bug 1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx.
+ - Bug 1698320 - replace \__builtin_cpu_supports("vsx") with ppc_crypto_support() for clang.
+ - Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+ NSS 3.64 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A
+ program linked with older NSS 3.x shared libraries will work with NSS 3.64 shared libraries
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
+ to the functions listed in NSS Public Functions will remain compatible with future versions of
+ the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+ Bugs discovered should be reported by filing a bug report on
+ `bugzilla.mozilla.org `__ (product NSS).
+
+`Notes <#notes>`__
+------------------
+
+.. container::
+
+ This version of NSS contains a number of contributions for "unsupported platforms". We would like
+ to thank the authors and the reviewers for their contributions to NSS.
+
+ Discussions about moving the documentation are still ongoing. (See discussion in the 3.62 release
+ notes.)
\ No newline at end of file
-- cgit v1.2.3