NSS 3.98 Release

54 views
Skip to first unread message

John Schanck

unread,
Feb 15, 2024, 5:40:41 PMFeb 15
to dev-tec...@mozilla.org
Dear all,

Network Security Services (NSS) 3.98 was tagged and released on
15th February 2024.

The HG tag is NSS_3_98_RTM. This version of NSS requires NSPR
4.35 or newer.

NSS 3.98 source distributions are available on ftp.mozilla.org
for secure HTTPS download:
<https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_98_RTM/src/>

Changes:

- Bug 1780432 - (CVE-2023-5388) Timing attack against RSA
decryption in TLS.
- Bug 1879513 - Certificate Compression: enabling the check
that the compression was advertised.
- Bug 1831552 - Move Windows workers to
nss-1/b-win2022-alpha.
- Bug 1879945 - Remove Email trust bit from OISTE WISeKey
Global Root GC CA.
- Bug 1877344 - Replace `distutils.spawn.find_executable`
with `shutil.which` within `mach` in `nss`.
- Bug 1548723 - Certificate Compression: Updating
nss_bogo_shim to support Certificate compression.
- Bug 1548723 - TLS Certificate Compression (RFC 8879)
Implementation.
- Bug 1875356 - Add valgrind annotations to freebl kyber
operations for constant-time execution tests.
- Bug 1870673 - Set nssckbi version number to 2.66.
- Bug 1874017 - Add Telekom Security roots.
- Bug 1873095 - Add D-Trust 2022 S/MIME roots.
- Bug 1865450 - Remove expired Security Communication RootCA1
root.
- Bug 1876179 - move keys to a slot that supports
concatenation in PK11_ConcatSymKeys.
- Bug 1876800 - remove unmaintained tls-interop tests.
- Bug 1874937 - bogo: add support for the -ipv6 and -shim-id
shim flags.
- Bug 1874937 - bogo: add support for the -curves shim flag
and update Kyber expectations.
- Bug 1874937 - bogo: adjust expectation for a key usage bit
test.
- Bug 1757758 - mozpkix: add option to ignore invalid subject
alternative names.
- Bug 1841029 - Fix selfserv not stripping `publicname:` from
-X value.
- Bug 1876390 - take ownership of ecckilla shims.
- Bug 1874458 - add valgrind annotations to freebl/ec.c.
- Bug 864039 - PR_INADDR_ANY needs PR_htonl before
assignment to inet.ip.
- Bug 1875965 - Update zlib to 1.3.1.

NSS 3.90.2 shared libraries are backwards-compatible with all
older NSS 3.x shared libraries. A program linked with older NSS
3.x shared libraries will work with this new version of the
shared libraries without recompiling or relinking. Furthermore,
applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible
with future versions of the NSS shared libraries.

Bugs discovered should be reported by filing a bug report at
<https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>

Release notes are available at
<https://firefox-source-docs.mozilla.org/security/nss/releases/index.html>.

Best,
John
Reply all
Reply to author
Forward
0 new messages