NSS update to 3.13.3 coming soon

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

NSS 3.13.3 has been relessed and it's built for Rawhide/F-17-alpha/F-16/F15.
A push to update-testing for f17 will be coming shortly - to f16/f15 som time later.

You can find the new features and bug fixes in NSS 3.13.2 and 3.13.3 with these Bugzilla queries:

https://bugzilla.mozilla.org/buglist.cgi?list_id=1496878&resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.13.2&product=NSS

https://bugzilla.mozilla.org/buglist.cgi?list_id=1496878&resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.13.3&product=NSS

and fixes for NSPR 4.9 with this query:
https://bugzilla.mozilla.org/buglist.cgi?list_id=1496878&resolution=FIXED&classification=Components&query_format=advanced&target_milestone=4.9&product=NSPR

When we updated nss last, from to nss-3.13.1, a notable change was: https://bugzilla.mozilla.org/show_bug.cgi?id=665814

The NSS upstream announcement stated:
A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack
demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default.
to set the SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it.

This caused breakage connecting to various servers, due to servers temselvs and some client applications
We opted to reverse the sense of the fix's default and stated tht it was off and that if desired you
could set the SSL_CBC_RANDOM_IV SSL option to PR_TRUE to enable it.

This was done for the stable branches, F-16/15, while Rawhide had fix on by default.

Since then several fedora maintainers have either patched affected procts downstream or submitted
patches that were accepted by their respective upstreams. Some patches have yet to be accepted.
The last time I checked such was the case with OpenSSSL. Others we don't know yet.

Since F-17 is now Alpha and I have set the default to off like it is on F-16/15, Rawhide (f18) still has it on.
We would like to find what additional products will still break with this fix. If you can, could you set the
SSL_CBC_RANDOM_IV SSL option to PR_TRUE and try it and send us feedback on remaining sites or apps that syill break?
 
Thank you in advance,

Elio Maldonado


-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux