NSS 3.98 release notes

Introduction

Network Security Services (NSS) 3.98 was released on 15th February 2024*.

Distribution Information

The HG tag is NSS_3_98_RTM. NSS 3.98 requires NSPR 4.35 or newer.

NSS 3.98 source distributions are available on ftp.mozilla.org for secure HTTPS download:

Other releases are available Releases.

Changes in NSS 3.98

  • Bug 1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS.

  • Bug 1879513 - Certificate Compression: enabling the check that the compression was advertised.

  • Bug 1831552 - Move Windows workers to nss-1/b-win2022-alpha.

  • Bug 1879945 - Remove Email trust bit from OISTE WISeKey Global Root GC CA.

  • Bug 1877344 - Replace distutils.spawn.find_executable with shutil.which within mach in nss.

  • Bug 1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression.

  • Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation.

  • Bug 1875356 - Add valgrind annotations to freebl kyber operations for constant-time execution tests.

  • Bug 1870673 - Set nssckbi version number to 2.66.

  • Bug 1874017 - Add Telekom Security roots.

  • Bug 1873095 - Add D-Trust 2022 S/MIME roots.

  • Bug 1865450 - Remove expired Security Communication RootCA1 root.

  • Bug 1876179 - move keys to a slot that supports concatenation in PK11_ConcatSymKeys.

  • Bug 1876800 - remove unmaintained tls-interop tests.

  • Bug 1874937 - bogo: add support for the -ipv6 and -shim-id shim flags.

  • Bug 1874937 - bogo: add support for the -curves shim flag and update Kyber expectations.

  • Bug 1874937 - bogo: adjust expectation for a key usage bit test.

  • Bug 1757758 - mozpkix: add option to ignore invalid subject alternative names.

  • Bug 1841029 - Fix selfserv not stripping publicname: from -X value.

  • Bug 1876390 - take ownership of ecckilla shims.

  • Bug 1874458 - add valgrind annotations to freebl/ec.c.

  • Bug 864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip.

  • Bug 1875965 - Update zlib to 1.3.1.

Compatibility

NSS 3.98 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with this new version of the shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.

Feedback

Bugs discovered should be reported by filing a bug report on bugzilla.mozilla.org (product NSS).