Changes between Initial Version and Version 5 of Ticket #7105
- Timestamp: 02/03/2016 01:01:04 PM (8 years ago)
Ticket #7105
- Property Owner changed from to
- Property Status new → closed
- Property Resolution → fixed
- Property Priority normal → highest
Ticket #7105 – Description
initial v5 1 No explicit security info in the release notes (which are still a 2 draft). That is the reason I did not tag as high priority, but will 3 modify later, even after ticket is closed (if I remember), if the final 4 upstream page includes any vulnerability being fixed. 1 == This release includes security fix == 2 3 '''CVE-2015-7575''' - Prevent MD5 Downgrade in TLS 1.2 Signatures. 4 5 EDIT: 6 7 ''NSS 3.21 release notes'' has been updated, so I changed the priority 5 8 6 9 [https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_RTM/src/nss-3.21.tar.gz] … … 11 14 12 15 [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes] 16 17 Modified: 13 18 14 19 {{{ 15 20 NSS 3.21 release notes 16 17 by 3 contributors:18 19 m_t kwilson kaie20 21 21 In This Article 22 22 23 DRAFT (remove line when document is finished) 24 Introduction 25 Distribution Information 26 New in NSS 3.21 27 New Functionality 28 New Functions 29 New Types 30 New Macros 31 Notable Changes in NSS 3.21 32 Bugs fixed in NSS 3.21 33 Compatibility 34 Feedback 35 36 This article is in need of a technical review. 37 38 This article is in need of an editorial review. 39 DRAFT (remove line when document is finished) 23 ... 24 Security Fixes in NSS 3.21 25 ... 26 27 2016-01-07, this page has been updated to include additional information 28 about the release. The sections "Security Fixes" and "Acknowledgements" 29 have been added. 30 40 31 Introduction 41 32 … … 46 37 47 38 The HG tag is NSS_3_21_RTM. NSS 3.21 requires NSPR 4.10.10 or newer. 39 40 Security Fixes in NSS 3.21 41 42 • Bug 1158489 / CVE-2015-7575 - Prevent MD5 Downgrade in TLS 1.2 43 Signatures. 48 44 49 45 New in NSS 3.21 … … 63 59 ◦ NSS_OptionSet - sets NSS global options 64 60 ◦ NSS_OptionGet - gets the current value of NSS global options 65 66 61 • in secmod.h 67 62 ◦ SECMOD_CreateModuleEx - Create a new SECMODModule structure … … 71 66 loaded. 
The difference with SECMOD_CreateModule is the new 72 67 function handles NSS configuration parameter strings. 73 74 68 • in ssl.h 75 69 ◦ SSL_GetPreliminaryChannelInfo - obtains information about a … … 82 76 ◦ SSL_SignatureMaxCount - obtains the maximum number signature 83 77 algorithms that can be configured with SSL_SignaturePrefSet 84 85 78 • in utilpars.h 86 79 ◦ NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks … … 109 102 ◦ CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for 110 103 CKM_TLS_MAC 111 112 104 • in sslt.h 113 105 ◦ SSLHashType - identifies a hash function … … 126 118 ◦ NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and 127 119 NSS_OptionGet to set or get the minimum DSA key size 128 129 120 • in pkcs11t.h 130 121 ◦ CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret … … 133 124 ◦ CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret 134 125 for DH (and ECDH) cipher suites 135 ◦ CKM_TLS12_KEY_SAFE_DERIVE - ??? unused 126 ◦ CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for 127 additional PKCS#12 mechanisms for TLS 1.2 that are currently 128 unused in NSS. 136 129 ◦ CKM_TLS_MAC - computes TLS Finished MAC 137 ◦ CKM_TLS_KDF - ??? 
unused138 139 130 • in secoidt.h 140 131 ◦ NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are 141 132 used in TLS key exchange 142 143 133 • in sslerr.h 144 134 ◦ SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to … … 154 144 receiving an extended master secret when previously not 155 145 negotiated 156 157 146 • in sslt.h 158 147 ◦ SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable … … 173 162 ◦ CN = VeriSign Class 4 Public Primary Certification Authority - 174 163 G3 175 ◦SHA1 Fingerprint:176 C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D164 ▪ SHA1 Fingerprint: 165 C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D 177 166 ◦ CN = UTN-USERFirst-Network Applications 178 ◦SHA1 Fingerprint:179 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1167 ▪ SHA1 Fingerprint: 168 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1 180 169 ◦ CN = TC TrustCenter Universal CA III 181 ◦SHA1 Fingerprint:182 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87170 ▪ SHA1 Fingerprint: 171 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87 183 172 ◦ CN = A-Trust-nQual-03 184 ◦SHA-1 Fingerprint:185 D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2173 ▪ SHA-1 Fingerprint: 174 D3:C0:63:F2:19:ED:07:3E:34:AD:5D:75:0B:32:76:29:FF:D5:9A:F2 186 175 ◦ CN = USERTrust Legacy Secure Server CA 187 ◦SHA-1 Fingerprint:188 7C:2F:91:E2:BB:96:68:A9:C6:F6:BD:10:19:2C:6B:52:5A:1B:BA:48176 ▪ SHA-1 Fingerprint: 177 7C:2F:91:E2:BB:96:68:A9:C6:F6:BD:10:19:2C:6B:52:5A:1B:BA:48 189 178 ◦ Friendly Name: Digital Signature Trust Co. Global CA 1 190 ◦SHA-1 Fingerprint:191 81:96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3179 ▪ SHA-1 Fingerprint: 180 81:96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3 192 181 ◦ Friendly Name: Digital Signature Trust Co. 
Global CA 3 193 ◦SHA-1 Fingerprint:194 AB:48:F3:33:DB:04:AB:B9:C0:72:DA:5B:0C:C1:D0:57:F0:36:9B:46182 ▪ SHA-1 Fingerprint: 183 AB:48:F3:33:DB:04:AB:B9:C0:72:DA:5B:0C:C1:D0:57:F0:36:9B:46 195 184 ◦ CN = UTN - DATACorp SGC 196 ◦SHA-1 Fingerprint:197 58:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4185 ▪ SHA-1 Fingerprint: 186 58:11:9F:0E:12:82:87:EA:50:FD:D9:87:45:6F:4F:78:DC:FA:D6:D4 198 187 ◦ O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri 199 188 A.Ş. (c) Kasım 2005 200 ◦SHA-1 Fingerprint:201 B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7189 ▪ SHA-1 Fingerprint: 190 B4:35:D4:E1:11:9D:1C:66:90:A7:49:EB:B3:94:BD:63:7B:A7:82:B7 202 191 • The following CA certificate had the Websites trust bit turned off 203 192 ◦ OU = Equifax Secure Certificate Authority 204 ◦SHA1 Fingerprint:205 D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A193 ▪ SHA1 Fingerprint: 194 D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A 206 195 • The following CA certificates were Added 207 196 ◦ CN = Certification Authority of WoSign G2 208 ◦SHA1 Fingerprint:209 FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1197 ▪ SHA1 Fingerprint: 198 FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1 210 199 ◦ CN = CA WoSign ECC Root 211 ◦SHA1 Fingerprint:212 D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B200 ▪ SHA1 Fingerprint: 201 D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B 213 202 ◦ CN = OISTE WISeKey Global Root GB CA 214 ◦ SHA1 Fingerprint: 215 0F:F9:40:76:18:D3:D7:6A:4B:98:F0:A8:35:9E:0C:FD:27:AC:CC:ED 203 ▪ SHA1 Fingerprint: 204 0F:F9:40:76:18:D3:D7:6A:4B:98:F0:A8:35:9E:0C:FD:27:AC:CC:ED 205 • The version number of the updated root CA list has been set to 2.6 216 206 217 207 Bugs fixed in NSS 3.21 218 208 219 This Bugzilla query returns all the bugs fixed in NSS 3.21 209 This Bugzilla query returns all the bugs fixed in NSS 3.21: 220 210 221 211 
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.21 212 213 ... 222 214 223 215 Compatibility
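Review bot: In the pkcs11t.h list of the new description, the entry that replaces the two "??? unused" lines calls CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF "additional PKCS#12 mechanisms", which does not fit the header they are listed under; CKM_ identifiers in pkcs11t.h are PKCS#11 mechanism types. Because that text sits inside the {{{ }}} block quoting the upstream release notes, leave the quote as copied and add a one-line remark outside the block that this reads as a typo for PKCS#11. A smaller point on the heading added at the top: "== This release includes security fix ==" would read better as "includes a security fix", and the old paragraph about not tagging the ticket as high priority is correctly dropped now that the priority is "highest".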