Hi all, We are using NSS 3.12.5 in our security project. I'm interested in applying the fix of CVE-2011-3389 in this version. Due to the project requirement we are obligated to use a FIPS certified NSS module so we cannot move to NSS 3.13 there this issue is originally fixed.
Looking to the bug notes https://bugzilla.mozilla.org/show_bug.cgi?id=665814 I found two code patches: 1. patch to add empty application data records by Adam Langley https://bug665814.bugzilla.mozilla.org/attachment.cgi?id=541137 2. patch v11: Prevent chosen plaintext attacks on CBC mode, on by default by Brian Smith (:bsmith) https://bug665814.bugzilla.mozilla.org/attachment.cgi?id=563777 Are both patches enough to back port the fix to 3.12.5 or if not even possible to any other 3.12.x version? Thanks & regards, Sergey Emantayev -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
