The NSS team has released Network Security Services (NSS) 3.23, which is a minor
release.

The following security-relevant bug has been resolved in NSS 3.23. 
Users are encouraged to upgrade immediately.

* Bug 1245528 (CVE-2016-1950):
  Fixed a heap-based buffer overflow related to the parsing of certain ASN.1
  structures. An attacker could create a specially-crafted certificate which,
  when parsed by NSS, would cause a crash or execution of arbitrary code with
  the permissions of the user.

New functionality:
* ChaCha20/Poly1305 cipher and TLS cipher suites now supported
  (bug 917571, bug 1227905)
* Experimental-only support for TLS 1.3 1-RTT mode (draft-11).
  This code is not ready for production use.

New Functions:
* SSL_SetDowngradeCheckVersion - Set maximum version for new ServerRandom
  anti-downgrade mechanism

Notable Changes:
* The copy of SQLite shipped with NSS has been updated to version 3.10.2
  (bug 1234698)
* The list of TLS extensions sent in the TLS handshake has been reordered 
  to improve compatibility of the Extended Master Secret feature
  with servers (bug 1243641)
* The build time environment variable NSS_ENABLE_ZLIB has been renamed 
  to NSS_SSL_ENABLE_ZLIB (Bug 1243872).
* The build time environment variable NSS_DISABLE_CHACHAPOLY was added, 
  which can be used to prevent compilation of the ChaCha20/Poly1305 code.
* The following CA certificates were removed:
  - Staat der Nederlanden Root CA
  - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
  - NetLock Kozjegyzoi (Class A) Tanusitvanykiado
  - NetLock Uzleti (Class B) Tanusitvanykiado
  - NetLock Expressz (Class C) Tanusitvanykiado
  - VeriSign Class 1 Public PCA – G2
  - VeriSign Class 3 Public PCA
  - VeriSign Class 3 Public PCA – G2
  - CA Disig
* The following CA certificates were added:
  - SZAFIR ROOT CA2
  - Certum Trusted Network CA 2
* The following CA certificate had the Email trust bit turned on:
  - Actalis Authentication Root CA

The full release notes, including the SHA256 fingerprints of the changed
CA certificates, are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes

The HG tag is NSS_3_23_RTM. NSS 3.23 requires NSPR 4.12 or newer.

NSS 3.23 source distributions are available on ftp.mozilla.org for secure HTTPS
download:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/

The NSS development team would like to thank security researcher Francis Gabriel
for responsibly disclosing the issue in Bug 1245528.

A complete list of all bugs resolved in this release can be obtained at
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.23

-- 
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto
