CVE-2023-6135 nss: vulnerable to Minerva side-channel information leak
- Pick up validated constant time implementations of p256, p384, and p521
from upsream
- More Fips indicator changes
Otherwise, we would have to enumerate all the test plans
in `gating.yaml`. Without separate reporting, we could
simply use `osci.brew-build.tier0.functional`.
Related: rhbz#2209764
Related: rhbz#2211937
Packages lacked dist tag in their version tag after the
92cf70d
move `%patch<num>` from deprecate format to `%patch -P<num>`
Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
Fix regression issue in FIPS mode. We need to return a non-locking return
code if the user supplied DH parameters are invalid, rather than a blocking
code we return if the underlying NSS math engine blows up.
- Fix typo that prevented the validation program from building.
- add the validation program to nss-tools.
- Fix issue with NSS_FIPS_MODULE_ID where it wasn't detecting builds on RHEL9
Rebase to NSS 3.71: (changes since NSS 3.67)
Network Security Services (NSS) 3.71 was released on 30 September 2021.
The HG tag is NSS_3_71_RTM. This version of NSS requires NSPR 4.32 or newer.
NSS 3.71 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_71_RTM/src/>
Changes:
- Bug 1717716 - Set nssckbi version number to 2.52.
- Bug 1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
- Bug 1373716 - Import of PKCS#12 files with Camellia encryption is not supported
- Bug 1717707 - Add HARICA Client ECC Root CA 2021.
- Bug 1717707 - Add HARICA Client RSA Root CA 2021.
- Bug 1717707 - Add HARICA TLS ECC Root CA 2021.
- Bug 1717707 - Add HARICA TLS RSA Root CA 2021.
- Bug 1728394 - Add TunTrust Root CA certificate to NSS.
-------------------------------------
Network Security Services (NSS) 3.70 was released on 4 September 2021.
The HG tag is NSS_3_70_RTM. This version of NSS requires NSPR 4.32 or newer.
NSS 3.70 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_70_RTM/src/>
Changes:
- Documentation: release notes for NSS 3.70.
- Documentation: release notes for NSS 3.69.1.
- Bug 1726022 - Update test case to verify fix.
- Bug 1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
- Bug 1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
- Formatting for lib/util
- Bug 1681975 - Avoid using a lookup table in nssb64d.
- Bug 1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
- Bug 1714579 - Change default value of enableHelloDowngradeCheck to true.
- Formatting for gtests/pk11_gtest/pk11_hpke_unittest.cc
- Bug 1726022 - Cache additional PBE entries.
- Bug 1709750 - Read HPKE vectors from official JSON.
- Documentation: update for NSS 3.69 release.
Network Security Services (NSS) 3.69 was released on 5 August 2021.
The HG tag is NSS_3_69_RTM. NSS 3.69 requires NSPR 4.32 or newer.
NSS 3.69 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_69_RTM/src/>
Bugs fixed:
- Bug 1722613 - Disable DTLS 1.0 and 1.1 by default
- Bug 1720226 - integrity checks in key4.db not happening on private components with AES_CBC
- Bug 1720235 - SSL handling of signature algorithms ignores environmental invalid algorithms.
- Bug 1721476 - sqlite 3.34 changed it's open semantics, causing nss failures.
- Bug 1720230 - Gtest update changed the gtest reports, losing gtest details in all.sh reports.
- Bug 1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
- Bug 1720232 - SQLite calls could timeout in starvation situations.
- Bug 1720225 - Coverity/cpp scanner errors found in nss 3.67
- Bug 1709817 - Import the NSS documentation from MDN in nss/doc.
- Bug 1720227 - NSS using a tempdir to measure sql performance not active
Network Security Services (NSS) 3.68 ESR was released on 8 July 2021.
The HG tag is NSS_3_68_RTM. NSS 3.68 requires NSPR 4.32 or newer.
NSS 3.68 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_68_RTM/src/>
Bugs fixed:
- Bug 1713562 - Fix test leak.
- Bug 1717452 - NSS 3.68 should depend on NSPR 4.32.
- Bug 1693206 - Implement PKCS8 export of ECDSA keys.
- Bug 1712883 - DTLS 1.3 draft-43.
- Bug 1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
- Bug 1713562 - Validate ECH public names.
- Bug 1717610 - Add function to get seconds from epoch from pkix::Time.
Krenzelok Frantisek
Robert Relyea
Stanislav Zidek
Alexander Sosedkin
Peter Leitmann
Florian Weimer
Mohan Boddu