Opened 3 years ago

Closed 3 years ago

#13840 closed enhancement (fixed)


Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:


New minor version.

Change History (4)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 3 years ago

Priority: normalhigh
Notable Changes in NSS 3.55

    P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto and ECCKiila. Special thanks to the Network and Information Security Group (NISEC) at Tampere University.
    PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. See Bug 1649633 for more details.
    DTLS 1.3 implementation is updated to draft-38. See Bug 1647752 for details.
    NSPR dependency updated to 4.27.

Known Issues

    On some platforms, using the Makefile builds fails to locate seccomon.h; a workaround is to use the gyp-based script. If this affects you, please help us narrow down the cause in Bug 1653975.

Bugs fixed in NSS 3.55

    Bug 1631583 (CVE-2020-6829, CVE-2020-12400)  - Replace P384 and P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
    Bug 1649487 - Move overzealous assertion in VFY_EndWithSignature.
    Bug 1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
    Bug 1636771 (CVE-2020-12403) - Explicitly disable multi-part ChaCha20 (which was not functioning correctly) and more strictly enforce tag length.
    Bug 1649648 - Don't memcpy zero bytes (sanitizer fix).
    Bug 1649316 - Don't memcpy zero bytes (sanitizer fix).
    Bug 1649322 - Don't memcpy zero bytes (sanitizer fix).
    Bug 1653202 - Fix initialization bug in blapitest when compiled with NSS_DISABLE_DEPRECATED_SEED.
    Bug 1646594 - Fix AVX2 detection in makefile builds.
    Bug 1649633 - Add PK11_FindCertInSlot to search a given slot for a DER-encoded certificate.
    Bug 1651520 - Fix slotLock race in NSC_GetTokenInfo.
    Bug 1647752 - Update DTLS 1.3 implementation to draft-38.
    Bug 1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
    Bug 1649226 - Add Wycheproof ECDSA tests.
    Bug 1637222 - Consistently enforce IV requirements for DES and 3DES.
    Bug 1067214 - Enforce minimum PKCS#1 v1.5 padding length in RSA_CheckSignRecover.
    Bug 1643528 - Fix compilation error with -Werror=strict-prototypes.
    Bug 1646324 - Advertise PKCS#1 schemes for certificates in the signature_algorithms extension.
    Bug 1652331 - Update NSS 3.55 NSPR version to 4.27.

This Bugzilla query returns all the bugs fixed in NSS 3.55:

This contains security fixes for CVE-2020-6829, CVE-2020-12400, CVE-2020-12401, and CVE-2020-12403

comment:3 by Douglas R. Reno, 3 years ago

Fixed at r23419

comment:4 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.