NSS 3.48 release notes¶
The NSS team has released Network Security Services (NSS) 3.48 on 5 December 2019, which is a minor release.
The NSS team would like to recognize first-time contributors:
The HG tag is NSS_3_48_RTM. NSS 3.48 requires NSPR 4.24 or newer.
NSS 3.48 source distributions are available on ftp.mozilla.org for secure HTTPS download:
Other releases are available Release notes for recent versions of NSS.
The master password PBE now uses 10,000 iterations by default when using the default sql (key4.db) storage. Because using an iteration count higher than 1 with the legacy dbm (key3.db) storage creates files that are incompatible with previous versions of NSS, applications that wish to enable it for key3.db are required to set environment variable NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1. Applications may set environment variable NSS_MIN_MP_PBE_ITERATION_COUNT to request a higher iteration count than the library’s default, or NSS_MAX_MP_PBE_ITERATION_COUNT to request a lower iteration count for test environments. See Bug 1562671 for details.
The legacy DBM database, libnssdbm, will no longer be built by default. See Bug 1594933 for details.
Bug 1600775 - Require NSPR 4.24 for NSS 3.48
Bug 1593401 - Fix race condition in self-encrypt functions
Bug 1599545 - Fix assertion and add test for early Key Update
Bug 1597799 - Fix a crash in nssCKFWObject_GetAttributeSize
Bug 1591178 - Add Entrust Root Certification Authority - G4 certificate to NSS
Bug 1590001 - Prevent negotiation of versions lower than 1.3 after HelloRetryRequest
Bug 1596450 - Added a simplified and unified MAC implementation for HMAC and CMAC behind PKCS#11
Bug 1522203 - Remove an old Pentium Pro performance workaround
Bug 1592557 - Fix PRNG known-answer-test scripts
Bug 1586176 - EncryptUpdate should use maxout not block size (CVE-2019-11745)
Bug 1593141 - add `notBefore` or similar “beginning-of-validity-period” parameter to mozilla::pkix::TrustDomain::CheckRevocation
Bug 1591363 - Fix a PBKDF2 memory leak in NSC_GenerateKey if key length > MAX_KEY_LEN (256)
Bug 1592869 - Use ARM NEON for ctr_xor
Bug 1566131 - Ensure SHA-1 fallback disabled in TLS 1.2
Bug 1577803 - Mark PKCS#11 token as friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN
Bug 1566126 - POWER GHASH Vector Acceleration
Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c
Bug 1590495 - Fix a crash in PK11_MakeCertFromHandle
Bug 1591742 - Ensure DES IV length is valid before usage from PKCS#11
Bug 1588567 - Enable mozilla::pkix gtests in NSS CI
Bug 1591315 - Update NSC_Decrypt length in constant time
Bug 1562671 - Increase NSS MP KDF default iteration count, by default for modern key4 storage, optionally for legacy key3.db storage
Bug 1590972 - Use -std=c99 rather than -std=gnu99
Bug 1590676 - Fix build if ARM doesn’t support NEON
Bug 1575411 - Enable TLS extended master secret by default
Bug 1590970 - SSL_SetTimeFunc has incomplete coverage
Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
Bug 1588244 - NSS changes for Delegated Credential key strength checks
Bug 1459141 - Add more CBC padding tests that missed NSS 3.47
Bug 1590339 - Fix a memory leak in btoa.c
Bug 1589810 - fix uninitialized variable warnings from certdata.perl
Bug 1573118 - Enable TLS 1.3 by default in NSS
This Bugzilla query returns all the bugs fixed in NSS 3.48:
NSS 3.48 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.48 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.