The NSS team has released Network Security Services (NSS) 3.46 on 30 August 2019, which is a minor release.
The NSS team would like to recognize first-time contributors: Giulio Benetti, Louis Dassy, Mike Kaganski, and xhimanshuz. The HG tag is NSS_3_46_RTM. NSS 3.46 requires NSPR 4.22 or newer. NSS 3.46 source distributions are available on ftp.mozilla.org for secure HTTPS download: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_46_RTM/src/ Notable Changes: * The following CA certificates were Removed: - 1574670 - Remove expired Class 2 Primary root certificate - 1574670 - Remove expired UTN-USERFirst-Client root certificat - 1574670 - Remove expired Deutsche Telekom Root CA 2 root certificate - 1566569 - Remove Swisscom Root CA 2 root certificate * Significant improvements to AES-GCM performance on ARM Bugs fixed in NSS 3.46: * 1572164 - Don't unnecessarily free session in NSC_WrapKey * 1574220 - Improve controls after errors in tstcln, selfserv and vfyserv cmds * 1550636 - Upgrade SQLite in NSS to a 2019 version * 1572593 - Reset advertised extensions in ssl_ConstructExtensions * 1415118 - NSS build with ./build.sh --enable-libpkix fails * 1539788 - Add length checks for cryptographic primitives * 1542077 - mp_set_ulong and mp_set_int should return errors on bad values * 1572791 - Read out-of-bounds in DER_DecodeTimeChoice_Util from SSLExp_DelegateCredential * 1560593 - Cleanup.sh script does not set error exit code for tests that "Failed with core" * 1566601 - Add Wycheproof test vectors for AES-KW * 1571316 - curve25519_32.c:280: undefined reference to `PR_Assert' when building NSS 3.45 on armhf-linux * 1516593 - Client to generate new random during renegotiation * 1563258 - fips.sh fails due to non-existent "resp" directories * 1561598 - Remove -Wmaybe-uninitialized warning in pqg.c * 1560806 - Increase softoken password max size to 500 characters * 1568776 - Output paths relative to repository in NSS coverity * 1453408 - modutil -changepw fails in FIPS mode if password is an empty string * 1564727 - Use a PSS SPKI when possible for delegated credentials * 1493916 - fix ppc64 inline assembler for clang * 1561588 - Remove -Wmaybe-uninitialized warning in p7env.c * 1561548 - Remove -Wmaybe-uninitialized warning in pkix_pl_ldapdefaultclient.c * 1512605 - Incorrect alert description after unencrypted Finished msg * 1564715 - Read /proc/cpuinfo when AT_HWCAP2 returns 0 * 1532194 - Remove or fix -DDEBUG_$USER from make builds * 1565577 - Visual Studio's cl.exe -? hangs on Windows x64 when building nss since changeset 9162c654d06915f0f15948fbf67d4103a229226f * 1564875 - Improve rebuilding with build.sh * 1565243 - Support TC_OWNER without email address in nss taskgraph * 1563778 - Increase maxRunTime on Mac taskcluster Tools, SSL tests * 1561591 - Remove -Wmaybe-uninitialized warning in tstclnt.c * 1561587 - Remove -Wmaybe-uninitialized warning in lgattr.c * 1561558 - Remove -Wmaybe-uninitialized warning in httpserv.c * 1561556 - Remove -Wmaybe-uninitialized warning in tls13esni.c * 1561332 - ec.c:28 warning: comparison of integers of different signs: 'int' and 'unsigned long' * 1564714 - Print certutil commands during setup * 1565013 - HACL image builder times out while fetching gpg key * 1563786 - Update hacl-star docker image to pull specific commit * 1559012 - Improve GCM perfomance using PMULL2 * 1528666 - Correct resumption validation checks * 1568803 - More tests for client certificate authentication * 1564284 - Support profile mobility across Windows and Linux * 1573942 - Gtest for pkcs11.txt with different breaking line formats * 1575968 - Add strsclnt option to enforce the use of either IPv4 or IPv6 * 1549847 - Fix NSS builds on iOS * 1485533 - Enable NSS_SSL_TESTS on taskcluster This Bugzilla query returns all the bugs fixed in NSS 3.46: https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.46 Please refer to the release notes for the complete list of changes: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.46_release_notes -- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
