File _patchinfo of Package patchinfo.12010
<patchinfo incident="12010">
<issue tracker="bnc" id="1141322">VUL-1: CVE-2019-11727: mozilla-nss: A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequ</issue>
<category>recommended</category>
<rating>moderate</rating>
<packager>MSirringhaus</packager>
<description>
This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.45 (bsc#1141322) :
* New function in pk11pub.h: PK11_FindRawCertsWithSubject
* The following CA certificates were Removed:
CN = Certinomis - Root CA (bmo#1552374)
* Implement Delegated Credentials (draft-ietf-tls-subcerts) (bmo#1540403)
This adds a new experimental function SSL_DelegateCredential
Note: In 3.45, selfserv does not yet support delegated credentials (See bmo#1548360).
Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement (See bmo#1563078).
* Replace ARM32 Curve25519 implementation with one from fiat-crypto (bmo#1550579)
* Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot (bmo#1552262)
* Add IPSEC IKE support to softoken (bmo#1546229)
* Add support for the Elbrus lcc compiler (<=1.23) (bmo#1554616)
* Expose an external clock for SSL (bmo#1543874)
This adds new experimental functions: SSL_SetTimeFunc,
SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and
SSL_ReleaseAntiReplayContext.
The experimental function SSL_InitAntiReplay is removed.
* Various changes in response to the ongoing FIPS review (bmo#1546477)
Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.
mozilla-nspr was updated to version 4.21
* Changed prbit.h to use builtin function on aarch64.
* Removed Gonk/B2G references.
</description>
<summary>Recommended update for mozilla-nspr, mozilla-nss</summary>
</patchinfo>