Context Navigation

← Previous Change
Ticket History
Next Change →

Changes between Initial Version and Version 5 of Ticket #7105

Timestamp:

02/03/2016 01:01:04 PM (8 years ago)

Author:

Fernando de Oliveira

Comment:

Fixed.

Thanks.

Legend:

: Unmodified
: Added
: Removed
: Modified

Ticket #7105
- Property Owner changed from blfs-book@… to Fernando de Oliveira
- Property Status new → closed
- Property Resolution → fixed
- Property Priority normal → highest

Ticket #7105 – Description

-              initial
+              v5
+No explicit security info in the release notes (which are still a
+draft). That is the reason I did not tag as high priority, but will
+modify later, even after ticket is closed (if I remember), if the final
+upstream page includes any vulnerability being fixed.
+ == This release includes security fix ==
+'''CVE-2015-7575''' - Prevent MD5 Downgrade in TLS 1.2 Signatures.
+EDIT:
+''NSS 3.21 release notes'' has been updated, so I changed the priority
 [https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_RTM/src/nss-3.21.tar.gz]
 …
 [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes]
+Modified:
 {{{
 NSS 3.21 release notes
-by 3 contributors:
-    m_t kwilson kaie
 In This Article
+    DRAFT (remove line when document is finished)
+    Introduction
+    Distribution Information
+    New in NSS 3.21
+        New Functionality
+            New Functions
+            New Types
+            New Macros
+    Notable Changes in NSS 3.21
+    Bugs fixed in NSS 3.21
+    Compatibility
+    Feedback
+This article is in need of a technical review.
+This article is in need of an editorial review.
+DRAFT (remove line when document is finished)
+...
+    Security Fixes in NSS 3.21
+...
+-01-07, this page has been updated to include additional information
+about the release. The sections "Security Fixes" and "Acknowledgements"
+have been added.
 Introduction
 …
 The HG tag is NSS_3_21_RTM. NSS 3.21 requires NSPR 4.10.10 or newer.
+Security Fixes in NSS 3.21
+   • Bug 1158489 / CVE-2015-7575 - Prevent MD5 Downgrade in TLS 1.2
+     Signatures.
 New in NSS 3.21
 …
         ◦ NSS_OptionSet - sets NSS global options
         ◦ NSS_OptionGet - gets the current value of NSS global options
    • in secmod.h
         ◦ SECMOD_CreateModuleEx - Create a new SECMODModule structure
 …
           loaded. The difference with SECMOD_CreateModule is the new
           function handles NSS configuration parameter strings.
    • in ssl.h
         ◦ SSL_GetPreliminaryChannelInfo - obtains information about a
 …
         ◦ SSL_SignatureMaxCount - obtains the maximum number signature
           algorithms that can be configured with SSL_SignaturePrefSet
    • in utilpars.h
         ◦ NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks
 …
         ◦ CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for
           CKM_TLS_MAC
    • in sslt.h
         ◦ SSLHashType - identifies a hash function
 …
         ◦ NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and
           NSS_OptionGet to set or get the minimum DSA key size
    • in pkcs11t.h
         ◦ CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret
 …
         ◦ CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret
           for DH (and ECDH) cipher suites
+        ◦ CKM_TLS12_KEY_SAFE_DERIVE - ??? unused
+        ◦ CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for
+          additional PKCS#12 mechanisms for TLS 1.2 that are currently
+          unused in NSS.
         ◦ CKM_TLS_MAC - computes TLS Finished MAC
-        ◦ CKM_TLS_KDF - ??? unused
    • in secoidt.h
         ◦ NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are
           used in TLS key exchange
    • in sslerr.h
         ◦ SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to
 …
           receiving an extended master secret when previously not
           negotiated
    • in sslt.h
         ◦ SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable
 …
         ◦ CN = VeriSign Class 4 Public Primary Certification Authority -
           G3
         ◦     SHA1 Fingerprint:
               C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D
+             ▪ SHA1 Fingerprint:
+               C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D
         ◦ CN = UTN-USERFirst-Network Applications
         ◦     SHA1 Fingerprint:
 D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
+             ▪ SHA1 Fingerprint:
+D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
         ◦ CN = TC TrustCenter Universal CA III
         ◦     SHA1 Fingerprint:
 :56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
+             ▪ SHA1 Fingerprint:
+:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
         ◦ CN = A-Trust-nQual-03
         ◦     SHA-1 Fingerprint:
               D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
+             ▪ SHA-1 Fingerprint:
+               D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2
         ◦ CN = USERTrust Legacy Secure Server CA
         ◦     SHA-1 Fingerprint:
 C:2F:91:E2:BB:96:68:A9:C6:F6:BD:10:19:2C:6B:52:5A:1B:BA:48
+             ▪ SHA-1 Fingerprint:
+C:2F:91:E2:BB:96:68:A9:C6:F6:BD:10:19:2C:6B:52:5A:1B:BA:48
         ◦ Friendly Name: Digital Signature Trust Co. Global CA 1
         ◦     SHA-1 Fingerprint:
 :96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3
+             ▪ SHA-1 Fingerprint:
+:96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3
         ◦ Friendly Name: Digital Signature Trust Co. Global CA 3
         ◦     SHA-1 Fingerprint:
               AB:48:F3:33:DB:04:AB:B9:C0:72:DA:5B:0C:C1:D0:57:F0:36:9B:46
+             ▪ SHA-1 Fingerprint:
+               AB:48:F3:33:DB:04:AB:B9:C0:72:DA:5B:0C:C1:D0:57:F0:36:9B:46
         ◦ CN = UTN - DATACorp SGC
         ◦     SHA-1 Fingerprint:
 :11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4
+             ▪ SHA-1 Fingerprint:
+:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4
         ◦ O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri
           A.Ş. (c) Kasım 2005
         ◦     SHA-1 Fingerprint:
               B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7
+             ▪ SHA-1 Fingerprint:
+               B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7
    • The following CA certificate had the Websites trust bit turned off
         ◦ OU = Equifax Secure Certificate Authority
         ◦     SHA1 Fingerprint:
               D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
+             ▪ SHA1 Fingerprint:
+               D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
    • The following CA certificates were Added
         ◦ CN = Certification Authority of WoSign G2
         ◦     SHA1 Fingerprint:
               FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
+             ▪ SHA1 Fingerprint:
+               FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
         ◦ CN = CA WoSign ECC Root
         ◦     SHA1 Fingerprint:
               D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
+             ▪ SHA1 Fingerprint:
+               D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
         ◦ CN = OISTE WISeKey Global Root GB CA
+        ◦     SHA1 Fingerprint:
+F:F9:40:76:18:D3:D7:6A:4B:98:F0:A8:35:9E:0C:FD:27:AC:CC:ED
+             ▪ SHA1 Fingerprint:
+F:F9:40:76:18:D3:D7:6A:4B:98:F0:A8:35:9E:0C:FD:27:AC:CC:ED
+   • The version number of the updated root CA list has been set to 2.6
 Bugs fixed in NSS 3.21
 This Bugzilla query returns all the bugs fixed in NSS 3.21
+This Bugzilla query returns all the bugs fixed in NSS 3.21:
 https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.21
+...
 Compatibility