1.. _mozilla_projects_nss_nss_3_19_release_notes: 2 3NSS 3.19 release notes 4====================== 5 6`Introduction <#introduction>`__ 7-------------------------------- 8 9.. container:: 10 11 The NSS team has released Network Security Services (NSS) 3.19, which is a minor 12 security release. 13 14.. _distribution_information: 15 16`Distribution Information <#distribution_information>`__ 17-------------------------------------------------------- 18 19.. container:: 20 21 The HG tag is NSS_3_19_RTM. NSS 3.19 requires NSPR 4.10.8 or newer. 22 23 NSS 3.19 source distributions are available on ftp.mozilla.org for secure HTTPS download: 24 25 - Source tarballs: 26 https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_RTM/src/ 27 28.. _security_fixes_in_nss_3.19: 29 30`Security Fixes in NSS 3.19 <#security_fixes_in_nss_3.19>`__ 31------------------------------------------------------------ 32 33.. container:: 34 35 - `Bug 1086145 <https://bugzilla.mozilla.org/show_bug.cgi?id=1086145>`__ / 36 `CVE-2015-2721 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2721>`__ - Fixed a 37 bug related to the ordering of TLS handshake messages. This was also known 38 as `SMACK <https://www.smacktls.com/>`__. 39 40.. _new_in_nss_3.19: 41 42`New in NSS 3.19 <#new_in_nss_3.19>`__ 43-------------------------------------- 44 45.. container:: 46 47.. _new_functionality: 48 49`New Functionality <#new_functionality>`__ 50~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 51 52.. container:: 53 54 - For some certificates, such as root CA certificates that don't embed any constraints, NSS 55 might impose additional constraints such as name constraints. A new API 56 (`CERT_GetImposedNameConstraints <http://mxr.mozilla.org/nss/ident?i=CERT_GetImposedNameConstraints>`__) has 57 been added that allows one to lookup imposed constraints. 58 - It is possible to override the directory 59 (`SQLITE_LIB_DIR <https://bugzilla.mozilla.org/show_bug.cgi?id=1138820>`__) in which the NSS 60 build system will look for the sqlite library. 61 62 .. rubric:: New Functions 63 :name: new_functions 64 65 - *in cert.h* 66 67 - **CERT_GetImposedNameConstraints** - Check if any imposed constraints exist for the given 68 certificate, and if found, return the constraints as encoded certificate extensions. 69 70.. _notable_changes_in_nss_3.19: 71 72`Notable Changes in NSS 3.19 <#notable_changes_in_nss_3.19>`__ 73-------------------------------------------------------------- 74 75.. container:: 76 77 - The SSL 3 protocol has been disabled by default. 78 - NSS now more strictly validates TLS extensions and will fail a handshake that contains 79 malformed extensions (`bug 753136 <https://bugzilla.mozilla.org/show_bug.cgi?id=753136>`__). 80 - In TLS 1.2 handshakes, NSS advertises support for the SHA512 hash algorithm in order to be 81 compatible with TLS servers that use certificates with a SHA512 signature (`bug 82 1155922 <https://bugzilla.mozilla.org/show_bug.cgi?id=1155922>`__). 83 84.. _bugs_fixed_in_nss_3.19: 85 86`Bugs fixed in NSS 3.19 <#bugs_fixed_in_nss_3.19>`__ 87---------------------------------------------------- 88 89.. container:: 90 91 This Bugzilla query returns all the bugs fixed in NSS 3.19: 92 93 https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.19 94 95`Acknowledgements <#acknowledgements>`__ 96---------------------------------------- 97 98.. container:: 99 100 The NSS development team would like to thank Karthikeyan Bhargavan from 101 `INRIA <http://inria.fr/>`__ for responsibly disclosing the issue in `bug 102 1086145 <https://bugzilla.mozilla.org/show_bug.cgi?id=1086145>`__. 103 104`Compatibility <#compatibility>`__ 105---------------------------------- 106 107.. container:: 108 109 NSS 3.19 shared libraries are backward compatible with all older NSS 3.x shared libraries. A 110 program linked with older NSS 3.x shared libraries will work with NSS 3.19 shared libraries 111 without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs 112 to the functions listed in NSS Public Functions will remain compatible with future versions of 113 the NSS shared libraries. 114 115`Feedback <#feedback>`__ 116------------------------ 117 118.. container:: 119 120 Bugs discovered should be reported by filing a bug report with 121 `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).