On 01/13/2013 02:51 AM, Sergey Emantayev wrote:
Hi all,
We are using NSS 3.12.5 in our security project. I'm interested in applying the
fix of CVE-2011-3389 in this version. Due to the project requirement we are
obligated to use a FIPS certified NSS module so we cannot move to NSS 3.13
there this issue is originally fixed.
Looking to the bug notes https://bugzilla.mozilla.org/show_bug.cgi?id=665814 I
found two code patches:
1. patch to add empty application data records by Adam Langley
https://bug665814.bugzilla.mozilla.org/attachment.cgi?id=541137
2. patch v11: Prevent chosen plaintext attacks on CBC mode, on by default by
Brian Smith (:bsmith)
https://bug665814.bugzilla.mozilla.org/attachment.cgi?id=563777
You can pick up NSS 3.13 while still using NSS 3.12.5 softoken. This is
what Red Hat ships in RHEL (well actually we ship NSS-SOFTOKEN 3.12.9,
which just got its FIPS cert last year, and in 6.4 we are shipping it
with NSS 3.14).
That would be most reliable.
Are both patches enough to back port the fix to 3.12.5 or if not even possible
to any other 3.12.x version?
Thanks& regards,
Sergey Emantayev
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
