NSS 3.16.4 release notes¶
Network Security Services (NSS) 3.16.4 is a patch release for NSS 3.16. The bug fixes in NSS 3.16.4 are described in the “Bugs Fixed” section below.
The HG tag is NSS_3_16_4_RTM. NSS 3.16.4 requires NSPR 4.10.6 or newer.
NSS 3.16.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
This release consists primarily of CA certificate changes as listed below, and includes a small number of bug fixes.
The following 1024-bit root CA certificate was restored to allow more time to develop a better transition strategy for affected sites. It was removed in NSS 3.16.3 release notes, but discussion in the mozilla.dev.security.policy forum led to the decision to keep this root included longer in order to give website administrators more time to update their web servers.
CN = GTE CyberTrust Global Root
SHA1 Fingerprint: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74
In NSS 3.16.3 release notes, the 1024-bit “Entrust.net Secure Server Certification Authority” root CA certificate (SHA1 Fingerprint: 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39) was removed. In NSS 3.16.4, a 2048-bit intermediate CA certificate has been included, without explicit trust. The intention is to mitigate the effects of the previous removal of the 1024-bit Entrust.net root certificate, because many public Internet sites still use the “USERTrust Legacy Secure Server CA” intermediate certificate that is signed by the 1024-bit Entrust.net root certificate. The inclusion of the intermediate certificate is a temporary measure to allow those sites to function, by allowing them to find a trust path to another 2048-bit root CA certificate. The temporarily included intermediate certificate expires November 1, 2015.
This Bugzilla query returns all the bugs fixed in NSS 3.16.4: