NSS 3.46 release notes¶
The NSS team has released Network Security Services (NSS) 3.46 on 30 August 2019, which is a minor release.
The NSS team would like to recognize first-time contributors:
The HG tag is NSS_3_46_RTM. NSS 3.46 requires NSPR 4.22 or newer.
NSS 3.46 source distributions are available on ftp.mozilla.org for secure HTTPS download:
Other releases are available Release notes for recent versions of NSS.
New in NSS 3.46¶
This release contains no significant new functionality, but concentrates on providing improved performance, stability, and security. Of particular note are significant improvements to AES-GCM performance on ARM.
Upcoming changes to default TLS configuration¶
The next NSS team plans to make two changes to the default TLS configuration in NSS 3.47, which will be released in October:
TLS 1.3 will be the default maximum TLS version. See Bug 1573118 for details.
TLS extended master secret will be enabled by default, where possible. See Bug 1575411 for details.
Bugs fixed in NSS 3.46¶
Bug 1572164 - Don’t unnecessarily free session in NSC_WrapKey
Bug 1574220 - Improve controls after errors in tstcln, selfserv and vfyserv cmds
Bug 1550636 - Upgrade SQLite in NSS to a 2019 version
Bug 1572593 - Reset advertised extensions in ssl_ConstructExtensions
Bug 1415118 - NSS build with ./build.sh –enable-libpkix fails
Bug 1539788 - Add length checks for cryptographic primitives (CVE-2019-17006)
Bug 1542077 - mp_set_ulong and mp_set_int should return errors on bad values
Bug 1572791 - Read out-of-bounds in DER_DecodeTimeChoice_Util from SSLExp_DelegateCredential
Bug 1560593 - Cleanup.sh script does not set error exit code for tests that “Failed with core”
Bug 1566601 - Add Wycheproof test vectors for AES-KW
Bug 1571316 - curve25519_32.c:280: undefined reference to `PR_Assert’ when building NSS 3.45 on armhf-linux
Bug 1516593 - Client to generate new random during renegotiation
Bug 1563258 - fips.sh fails due to non-existent “resp” directories
Bug 1561598 - Remove -Wmaybe-uninitialized warning in pqg.c
Bug 1560806 - Increase softoken password max size to 500 characters
Bug 1568776 - Output paths relative to repository in NSS coverity
Bug 1453408 - modutil -changepw fails in FIPS mode if password is an empty string
Bug 1564727 - Use a PSS SPKI when possible for delegated credentials
Bug 1493916 - fix ppc64 inline assembler for clang
Bug 1561588 - Remove -Wmaybe-uninitialized warning in p7env.c
Bug 1561548 - Remove -Wmaybe-uninitialized warning in pkix_pl_ldapdefaultclient.c
Bug 1512605 - Incorrect alert description after unencrypted Finished msg
Bug 1564715 - Read /proc/cpuinfo when AT_HWCAP2 returns 0
Bug 1532194 - Remove or fix -DDEBUG_$USER from make builds
Bug 1565577 - Visual Studio’s cl.exe -? hangs on Windows x64 when building nss since changeset 9162c654d06915f0f15948fbf67d4103a229226f
Bug 1564875 - Improve rebuilding with build.sh
Bug 1565243 - Support TC_OWNER without email address in nss taskgraph
Bug 1563778 - Increase maxRunTime on Mac taskcluster Tools, SSL tests
Bug 1561591 - Remove -Wmaybe-uninitialized warning in tstclnt.c
Bug 1561587 - Remove -Wmaybe-uninitialized warning in lgattr.c
Bug 1561558 - Remove -Wmaybe-uninitialized warning in httpserv.c
Bug 1561556 - Remove -Wmaybe-uninitialized warning in tls13esni.c
Bug 1561332 - ec.c:28 warning: comparison of integers of different signs: ‘int’ and ‘unsigned long’
Bug 1564714 - Print certutil commands during setup
Bug 1565013 - HACL image builder times out while fetching gpg key
Bug 1563786 - Update hacl-star docker image to pull specific commit
Bug 1559012 - Improve GCM perfomance using PMULL2
Bug 1528666 - Correct resumption validation checks
Bug 1568803 - More tests for client certificate authentication
Bug 1564284 - Support profile mobility across Windows and Linux
Bug 1573942 - Gtest for pkcs11.txt with different breaking line formats
Bug 1575968 - Add strsclnt option to enforce the use of either IPv4 or IPv6
Bug 1549847 - Fix NSS builds on iOS
Bug 1485533 - Enable NSS_SSL_TESTS on taskcluster
This Bugzilla query returns all the bugs fixed in NSS 3.46:
NSS 3.46 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.46 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report with bugzilla.mozilla.org (product NSS).