Opened 7 days ago
Closed 6 days ago
New minor version.
Bug 1683710 - Add a means to disable ALPN, r=bbeurdouche
We've recently learned the value of ALPN and SNI when it comes to protecting
against cross-protocol attacks. However, some protocols don't have ALPN yet.
For servers that terminate connections for those connections, validating that
the client has not offered ALPN provides a way to protect against cross-protocol
attacks. If the cross-protocol attack uses a protocol that does include ALPN,
being able to reject those connections safely reduces exposure.
This modifies SSL_SetNextProtoNego() to accept a zero-length buffer as an
argument. Previously, this would have crashed. Now it causes the server to
reject a handshake if ALPN is offered by the client.
It was always possible to implement this by passing a function that always
returns SECFailure to SSL_SetNextProtoCallback(). This approach has the
advantage that the server generates a no_application_protocol alert, which is
not something that user-provided code can do.
Differential Revision: https://phabricator.services.mozilla.com/D110887
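The server-side decision the commit message describes, sketched as an added example; it is not NSS code and does not call the NSS API. It takes only the extensions vector of a ClientHello, and the function names, the sample byte strings, and the choice of decode_error for malformed input are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_ALPN 16                       /* RFC 7301 extension type */
#define ALERT_NONE 0                      /* hypothetical: continue handshake */
#define ALERT_DECODE_ERROR 50
#define ALERT_NO_APPLICATION_PROTOCOL 120 /* alert named in the commit message */

/* Walk an extensions vector: 2-byte total length, then entries of
 * type(2) | length(2) | data. Returns 1 if ALPN is offered, 0 if not,
 * -1 if any length field is inconsistent with the buffer. */
int client_offers_alpn(const uint8_t *buf, size_t len)
{
    if (len < 2) return -1;
    size_t total = ((size_t)buf[0] << 8) | buf[1];
    if (total != len - 2) return -1;
    size_t off = 2;
    int found = 0;
    while (off < len) {
        if (len - off < 4) return -1;          /* truncated entry header */
        unsigned type = (buf[off] << 8) | buf[off + 1];
        size_t elen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        if (elen > len - off) return -1;       /* entry overruns the vector */
        if (type == EXT_ALPN) found = 1;
        off += elen;
    }
    return found;
}

/* Policy for a server whose protocol has no ALPN identifier:
 * any ALPN offer is rejected rather than ignored. */
int alert_for_non_alpn_server(const uint8_t *exts, size_t len)
{
    int r = client_offers_alpn(exts, len);
    if (r < 0) return ALERT_DECODE_ERROR;
    return r ? ALERT_NO_APPLICATION_PROTOCOL : ALERT_NONE;
}

/* Constructed samples: extended_master_secret + ALPN "h2"; no ALPN; bad length. */
const uint8_t EXTS_WITH_ALPN[] = {0x00, 0x0d, 0x00, 0x17, 0x00, 0x00,
                                  0x00, 0x10, 0x00, 0x05, 0x00, 0x03, 0x02, 'h', '2'};
const uint8_t EXTS_NO_ALPN[] = {0x00, 0x04, 0x00, 0x17, 0x00, 0x00};
const uint8_t EXTS_BAD_LENGTH[] = {0x00, 0x09, 0x00, 0x10, 0x00, 0x20,
                                   0x00, 0x03, 0x02, 'h', '2'};
int main(void)
{
    printf("%d\n", alert_for_non_alpn_server(EXTS_WITH_ALPN, sizeof EXTS_WITH_ALPN));
    return 0;
}
```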
Looks like a security fix.
More changes here:
Bug 1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). r=beurdouche
Bug 1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. r=bbeurdouche
Bug 1566124 - Fix counter increase in ppc-gcm-wrap.c r=bbeurdouche
Bug 1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte r=beurdouche
No CVE yet, so I don't quite want to promote it to elevated.
Fixed at commit 6bc3d8cbf6b972f73cf71eb83871a64b733081e8
Update to ristretto-0.11.0.
Update to vlc-3.0.15.
Update to gnumeric-1.12.50.
Update to goffice-0.10.50.
Update to libpcap-1.10.1.
Update to libksba-1.6.0.
Update to nss-3.67.
© 1998-2021 Gerard Beekmans.