File _patchinfo of Package patchinfo.39516
<patchinfo incident="39516">
<issue tracker="bnc" id="1224113">[FIPS 140-3] [NSS] Consider adding the CKM_ECDH1_COFACTOR_DERIVE to the approved mechanisms list.</issue>
<issue tracker="bnc" id="1081723">mozilla-nss package does not build reproducibly from shlibsign</issue>
<packager>cgrobertson</packager>
<rating>moderate</rating>
<category>recommended</category>
<summary>Recommended update for mozilla-nspr, mozilla-nss</summary>
<description>This update for mozilla-nspr, mozilla-nss fixes the following issues:
mozilla-nss was updated to NSS 3.112:
* Fix alias for mac workers on try
* ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
* ABI/API break in ssl certificate processing
* remove unnecessary assertion in sec_asn1d_init_state_based_on_template
* update taskgraph to v14.2.1
* Workflow for automation of the release on GitHub when pushing a tag
* fix faulty assertions in SEC_ASN1DecoderUpdate
* Renegotiations should use a fresh ECH GREASE buffer
* update taskgraph to v14.1.1
* Partial fix for ACVP build CI job
* Initialize find in sftk_searchDatabase
* Add clang-18 to extra builds
* Fault tolerant git fetch for fuzzing
* Tolerate intermittent failures in ssl_policy_pkix_ocsp
* fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
* fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
* Remove Cryptofuzz CI version check
Update to NSS 3.111:
* FIPS changes need to be upstreamed: force ems policy
* Turn off Websites Trust Bit from CAs
* Update nssckbi version following April 2025 Batch of Changes
* Disable SMIME ‘trust bit’ for GoDaddy CAs
* Replaced deprecated sprintf function with snprintf in dbtool.c
* Need up update NSS for PKCS 3.1
* avoid leaking localCert if it is already set in ssl3_FillInCachedSID
* Decrease ASAN quarantine size for Cryptofuzz in CI
* selfserv: Add support for zlib certificate compression
Update to NSS 3.110:
* FIPS changes need to be upstreamed: force ems policy
* Prevent excess allocations in sslBuffer_Grow
* Remove Crl templates from ASN1 fuzz target
* Remove CERT_CrlTemplate from ASN1 fuzz target
* Fix memory leak in NSS_CMSMessage_IsSigned
* NSS policy updates
* Improve locking in nssPKIObject_GetInstances
* Fix race in sdb_GetMetaData
* Fix member access within null pointer
* Increase smime fuzzer memory limit
* Enable resumption when using custom extensions
* change CN of server12 test certificate
* Part 2: Add missing check in
NSS_CMSDigestContext_FinishSingle
* Part 1: Fix smime UBSan errors
* FIPS changes need to be upstreamed: updated key checks
* Don't build libpkix in static builds
* handle `-p all` in try syntax
* fix opt-make builds to actually be opt
* fix opt-static builds to actually be opt
* Remove extraneous assert
Update to NSS 3.109:
* Call BL_Init before RNG_RNGInit() so that special
SHA instructions can be used if available
* NSS policy updates - fix inaccurate key policy issues
* SMIME fuzz target
* ASN1 decoder fuzz target
* Part 2: Revert “Extract testcases from ssl gtests
for fuzzing”
* Add fuzz/README.md
* Part 4: Fix tstclnt arguments script
* Extend pkcs7 fuzz target
* Extend certDN fuzz target
* revert changes to HACL* files from bug 1866841
* Part 3: Package frida corpus script
Update to NSS 3.108:
* libclang-16 -> libclang-19
* Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1
* Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2
* Remove SwissSign Silver CA – G2
* Add D-Trust 2023 TLS Roots to NSS
* fix fips test failure on windows
* change default sensitivity of KEM keys
* Part 1: Introduce frida hooks and script
* add missing arm_neon.h include to gcm.c
* ci: update windows workers to win2022
* strip trailing carriage returns in tools tests
* work around unix/windows path translation issues
in cert test script
* ci: let the windows setup script work without $m
* detect msys
* add a specialized CTR_Update variant for AES-GCM
* NSS policy updates
* FIPS changes need to be upstreamed: FIPS 140-3 RNG
* FIPS changes need to be upstreamed: Add SafeZero
* FIPS changes need to be upstreamed - updated POST
* Segmentation fault in SECITEM_Hash during pkcs12 processing
* Extending NSS with LoadModuleFromFunction functionality
* Ensure zero-initialization of collectArgs.cert
* pkcs7 fuzz target use CERT_DestroyCertificate
* Fix actual underlying ODR violations issue
* mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens
* don't look for secmod.db in nssutil_ReadSecmodDB if
NSS_DISABLE_DBM is set
* Fix memory leak in pkcs7 fuzz target
* Set -O2 for ASan builds in CI
* Change branch of tlsfuzzer dependency
* Run tests in CI for ASan builds with detect_odr_violation=1
* Fix coverage failure in CI
* Add fuzzing for delegated credentials, DTLS short
header and Tls13BackendEch
* Add fuzzing for SSL_EnableTls13GreaseEch and
SSL_SetDtls13VersionWorkaround
* Part 3: Restructure fuzz/
* Extract testcases from ssl gtests for fuzzing
* Force Cryptofuzz to use NSS in CI
* Fix Cryptofuzz on 32 bit in CI
* Update Cryptofuzz repository link
* fix build error from 9505f79d
* simplify error handling in get_token_objects_for_cache
* nss doc: fix a warning
* pkcs12 fixes from RHEL need to be picked up
Update to NSS 3.107:
* Remove MPI fuzz targets.
* Remove globals `lockStatus` and `locksEverDisabled`.
* Enable PKCS8 fuzz target.
* Integrate Cryptofuzz in CI.
* Part 2: Set tls server target socket options in config class
* Part 1: Set tls client target socket options in config class
* Support building with thread sanitizer.
* set nssckbi version number to 2.72.
* remove Websites Trust Bit from Entrust Root
Certification Authority - G4.
* remove Security Communication RootCA3 root cert.
* remove SecureSign RootCA11 root cert.
* Add distrust-after for TLS to Entrust Roots.
* update expected error code in pk12util pbmac1 tests.
* Use random tstclnt args with handshake collection script
* Remove extraneous assert in ssl3gthr.c.
* Adding missing release notes for NSS_3_105.
* Enable the disabled mlkem tests for dtls.
* NSS gtests filter cleans up the constucted buffer
before the use.
* Make ssl_SetDefaultsFromEnvironment thread-safe.
* Remove short circuit test from ssl_Init.
Update to NSS 3.106:
* NSS 3.106 should be distributed with NSPR 4.36.
* pk12util: improve error handling in p12U_ReadPKCS12File.
* Correctly destroy bulkkey in error scenario.
* PKCS7 fuzz target, r=djackson,nss-reviewers.
* Extract certificates with handshake collection script.
* Specify len_control for fuzz targets.
* Fix memory leak in dumpCertificatePEM.
* Fix UBSan errors for SECU_PrintCertificate and
SECU_PrintCertificateBasicInfo.
* add new error codes to mozilla::pkix for Firefox to use.
* allow null phKey in NSC_DeriveKey.
* Only create seed corpus zip from existing corpus.
* Use explicit allowlist for for KDF PRFS.
* Increase optimization level for fuzz builds.
* Remove incorrect assert.
* Use libFuzzer options from fuzz/options/\*.options in CI.
* Polish corpus collection for automation.
* Detect new and unfuzzed SSL options.
* PKCS12 fuzzing target.
Update to NSS 3.105:
* Allow importing PKCS#8 private EC keys missing public key
* UBSAN fix: applying zero offset to null pointer in sslsnce.c
* set KRML_MUSTINLINE=inline in makefile builds
* Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
* override default definition of KRML_MUSTINLINE
* libssl support for mlkem768x25519
* support for ML-KEM-768 in softoken and pk11wrap
* Add Libcrux implementation of ML-KEM 768 to FreeBL
* Avoid misuse of ctype(3) functions
* part 2: run clang-format
* part 1: upgrade to clang-format 13
* clang-format fuzz
* DTLS client message buffer may not empty be on retransmit
* Optionally print config for TLS client and server
fuzz target
* Fix some simple documentation issues in NSS.
* improve performance of NSC_FindObjectsInit when
template has CKA_TOKEN attr
* define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
Update to NSS 3.104:
* Copy original corpus to heap-allocated buffer
* Fix min ssl version for DTLS client fuzzer
* Remove OS2 support just like we did on NSPR
* clang-format NSS improvements
* Adding basicutil.h to use HexString2SECItem function
* removing dirent.c from build
* Allow handing in keymaterial to shlibsign to make
the output reproducible
* remove nec4.3, sunos4, riscos and SNI references
* remove other old OS (BSDI, old HP UX, NCR,
openunix, sco, unixware or reliantUnix
* remove mentions of WIN95
* remove mentions of WIN16
* More explicit directory naming
* Add more options to TLS server fuzz target
* Add more options to TLS client fuzz target
* Use OSS-Fuzz corpus in NSS CI
* set nssckbi version number to 2.70.
* Remove Email Trust bit from ACCVRAIZ1 root cert.
* Remove Email Trust bit from certSIGN ROOT CA.
* Add Cybertrust Japan Roots to NSS.
* Add Taiwan CA Roots to NSS.
* remove search by decoded serial in
nssToken_FindCertificateByIssuerAndSerialNumber
* Fix tstclnt CI build failure
* vfyserv: ensure peer cert chain is in db for
CERT_VerifyCertificateNow
* Enable all supported protocol versions for UDP
* Actually use random PSK hash type
* Initialize NSS DB once
* Additional ECH cipher suites and PSK hash types
* Automate corpus file generation for TLS client Fuzzer
* Fix crash with UNSAFE_FUZZER_MODE
* clang-format shlibsign.c
Update to NSS 3.103:
* move list size check after lock acquisition in sftk_PutObjectToList.
* Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* Follow-up to fix test for presence of file nspr.patch.
* Adjust libFuzzer size limits
* Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* Add fuzzing support for SSL_ENABLE_GREASE and
SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Make the rpms reproducible,
by using a hardcoded, static key to generate the checksums (*.chk-files)
- FIPS: enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
Update to NSS 3.102.1:
* ChaChaXor to return after the function
Update to NSS 3.102:
* Add Valgrind annotations to freebl Chacha20-Poly1305.
* missing sqlite header.
* GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
* correct length of raw SPKI data before printing in pp utility.
- Make NSS-build reproducible
Use key from openssl (bsc#1081723)
- FIPS: exclude the SHA-1 hash from SLI approval.
mozilla-nspr was updated to version 4.36:
* renamed the prwin16.h header to prwin.h
* configure was updated from 2.69 to 2.71
* various build, test and automation script fixes
* major parts of the source code were reformatted
</description>
</patchinfo>
