nss-3.12.10-17.0.1.AXS4, nss-util-3.12.10-2.AXS4, nspr-4.8.8-3.AXS4, nss-softokn-3.12.9-11.AXS4

NSPR provides platform independence for non-GUI operating system facilities. These facilities include threads, thread synchronization, normal file and network I/O, interval timing and calendar time, basic memory management (malloc and free) and shared library linking.
Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
Network Security Services Softoken Cryptographic Module
Utilities for Network Security Services and the Softoken module
Security issues fixed with this release:
- The Malaysia-based Digicert Sdn. Bhd. subordinate Certificate Authority (CA) issued HTTPS certificates with weak keys. This update renders any HTTPS certificates signed by that CA as untrusted for all uses (SSL, S/MIME, and code signing). This only applies to applications using the NSS Builtin Object Token. Application using the NSS library but not the NSS Builtin Object Token are not targeted.
Fixed bugs:
- A problem where applications could not use multiple SSL client certificates in the same process had been re-introduced with the recent changes to NSS. A new patch has been added, fixing this bug.
- Fixed an infinite loop leading to a stack overflow in the CMS message decoder: it would lose the pointer to enveloped data contained in a CMS encoded message when decoding it.
- The CMS routines failed to verify signed data when the SignerInfo object was using a subjectKeyID extension to indicate the signer: it returned the following:
signer 0 status = SigningCertNotFound
cmsutil: problem decoding: Unrecognized Object Identifier.
This has been fixed and the verification now succeeds.
- Due to insufficient permissions, when running debug builds, the pen module sometimes terminated with a segmentation fault when trying to write its log. This has been fixed.
- Fixed the generateCRMFRequest tool: it could not produce an RSA key larger than 2048.
- On 64-bit CPUs with native AES instruction support, the intel_aes_decrypt_cbc_256() function failed with the message data mismatch when input and output buffers were the same. This has been fixed.
- Updated the health tests for deterministic random bit generator (DRBG) to meet FIPS requirements.
- On NSS initialization even if the module loader was not adding any persistent certificate or module databases, it incorrectly initialized the PKCS#11 module: trying to synchronize usernames and passwords on an IPA server with data on an Active Directory server would then fail with the error {'desc': Can't contact LDAP server}. This has been fixed.
Enhancements:
- Added support for pluggable ECC (Error-Correcting Code) memory.
- The nss-softokn, nss-util, nss, and nspr libraries have been built with partial RELRO support (-Wl,-z,relro).