nss-3.67

[Bruce Dubbs]

New minor version.

[Douglas R. Reno]

Bug 1683710 - Add a means to disable ALPN, r=bbeurdouche

We've recently learned the value of ALPN and SNI when it comes to protecting
against cross-protocol attacks.  However, some protocols don't have ALPN yet.
For servers that terminate connections for those connections, validating that
the client has not offered ALPN provides a way to protect against cross-protocol
attacks.  If the cross-protocol attack uses a protocol that does include ALPN,
being able to reject those connections safely reduces exposure.

This modifies SSL_SetNextProtoNego() to accept a zero-length buffer as an
argument.  Previously, this would have crashed.  Now it causes the server to
reject a handshake if ALPN is offered by the client.

It was always possible to implement this by passing a function that always
returns SECFailure to SSL_SetNextProtoCallback(). This approach has the
advantage that the server generates a no_application_protocol alert, which is
not something that user-provided code can do.

Differential Revision: https://phabricator.services.mozilla.com/D110887

Looks like a security fix.

More changes here:

Bug 1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). r=beurdouche
Bug 1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. r=bbeurdouche
Bug 1566124 - Fix counter increase in ppc-gcm-wrap.c r=bbeurdouche
Bug 1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte r=beurdouche

No CVE yet, so I don't quite want to promote it to elevated.

[Bruce Dubbs]

Fixed at commit 6bc3d8cbf6b972f73cf71eb83871a64b733081e8

Package updates.
    Update to ristretto-0.11.0.
    Update to vlc-3.0.15.
    Update to gnumeric-1.12.50.
    Update to goffice-0.10.50.
    Update to libpcap-1.10.1.
    Update to libksba-1.6.0.
    Update to nss-3.67.

[Bruce Dubbs]

Milestone renamed