.. _mozilla_projects_nss_nss_3_12_4_release_notes:

NSS 3.12.4 release notes
========================

.. container::

   .. code:: notranslate

      2009-08-20

   *Newsgroup:*\ `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__

   .. rubric:: Introduction
      :name: Introduction

   Network Security Services (NSS) 3.12.4 is a patch release for NSS 3.12. The bug fixes in NSS
   3.12.4 are described in the "`Bugs Fixed <#bugsfixed>`__" section below.

   NSS 3.12.4 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.

   .. rubric:: Distribution Information
      :name: Distribution_Information

   This release is built from the source, at the CVS repository rooted at cvs.mozilla.org:/cvsroot,
   with the CVS tag ``NSS_3_12_4_RTM``.

   NSS 3.12.4 requires `NSPR 4.8 <https://www.mozilla.org/projects/nspr/release-notes/>`__. This is
   not a hard requirement. Our QA tested NSS 3.12.4 with NSPR 4.8, but it should work with NSPR
   4.7.1 or later.

   You can check out the source from CVS with:

   .. code:: notranslate

      cvs co -r NSPR_4_8_RTM NSPR
      cvs co -r NSS_3_12_4_RTM NSS

   See the `Documentation <#docs>`__ section for the build instructions.

   NSS 3.12.4 source is also available on ``ftp.mozilla.org`` for secure HTTPS download:

   - Source tarball:
     https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/src/.

   .. rubric:: Major changes in NSS 3.12.4
      :name: Major_changes_in_NSS_3.12.4

   - NSS 3.12.4 is the version that we submitted to NIST for FIPS 140-2 validation.
     Currently NSS 3.12.4 is in the "Review Pending" state in the FIPS 140-2 pre-validation
     list at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
   - Added CRL Distribution Point support (see cert.h).
     **CERT_DecodeCRLIssuingDistributionPoint**
     **CERT_FindCRLIssuingDistPointExten**
   - The old documentation of the expression matching syntax rules was
     incorrect, and the new corrected documentation is as follows for
     public nssutil functions (see portreg.h):

     - **PORT_RegExpValid**
     - **PORT_RegExpSearch**
     - **PORT_RegExpCaseSearch**

   - These functions will match a string with a shell expression. The expressions
     accepted are based loosely on the expressions accepted by zsh.

     Expected return values:

     - NON_SXP if exp is a standard string
     - INVALID_SXP if exp is a shell expression, but invalid
     - VALID_SXP if exp is a valid shell expression

     Expression matching rules:

     - \* matches anything
     - ? matches one character
     - \\ will escape a special character
     - $ matches the end of the string
     - Bracketed expressions:
       [abc] matches one occurrence of a, b, or c.
       [^abc] matches any character except a, b, or c.
       To be matched between [ and ], these characters must be escaped: \\ ]
       No other characters need be escaped between brackets.
       Unnecessary escaping is permitted.
     - [a-z] matches any character between a and z, inclusive.
       The two range-definition characters must be alphanumeric ASCII.
       If one is upper case and the other is lower case, then the ASCII
       non-alphanumeric characters between Z and a will also be in range.
     - [^a-z] matches any character except those between a and z, inclusive.
       These forms cannot be combined, e.g. [a-gp-z] does not work.
     - Exclusions:
       As a top-level, outermost expression only, the expression
       foo~bar will match the expression foo, provided it does not also
       match the expression bar. Either expression or both may be a union.
       Except between brackets, any unescaped ~ is an exclusion.
       At most one exclusion is permitted.
       Exclusions cannot be nested (contain other exclusions).
       example: \*~abc will match any string except abc
     - Unions:
       (foo|bar) will match either the expression foo, or the expression bar.
       At least one '|' separator is required. More are permitted.
       Expressions inside unions may not include unions or exclusions.
       Inside a union, to be matched and not treated as a special character,
       these characters must be escaped: \\ ( \| ) [ ~ except when they occur
       inside a bracketed expression, where only \\ and ] require escaping.

   - New functions in the nss shared library:

     - PK11_IsInternalKeySlot (see pk11pub.h)
     - SECMOD_OpenNewSlot (see pk11pub.h)

   - New error codes (see secerr.h):

     - SEC_ERROR_BAD_INFO_ACCESS_METHOD
     - SEC_ERROR_CRL_IMPORT_FAILED

   - New OIDs (see secoidt.h)

     - SEC_OID_X509_ANY_POLICY

   - The nssckbi PKCS #11 module's version changed to 1.75.
   - Obsolete code for Win16 has been removed.
   - Support for OpenVMS has been removed.

   .. rubric:: Bugs Fixed
      :name: Bugs_Fixed

   The following bugs have been fixed in NSS 3.12.4.

   - `Bug 321755 <https://bugzilla.mozilla.org/show_bug.cgi?id=321755>`__: implement
     crlDistributionPoint extension in libPKIX
   - `Bug 391434 <https://bugzilla.mozilla.org/show_bug.cgi?id=391434>`__: avoid multiple
     encoding/decoding of PKIX_PL_OID to and from ascii string
   - `Bug 405297 <https://bugzilla.mozilla.org/show_bug.cgi?id=405297>`__: Problems building
     nss/lib/ckfw/capi/ with MingW GCC
   - `Bug 420991 <https://bugzilla.mozilla.org/show_bug.cgi?id=420991>`__: libPKIX returns wrong
     NSS error code
   - `Bug 427135 <https://bugzilla.mozilla.org/show_bug.cgi?id=427135>`__: Add super-H (sh3,4)
     architecture support
   - `Bug 431958 <https://bugzilla.mozilla.org/show_bug.cgi?id=431958>`__: Improve DES and SHA512
     for x86_64 platform
   - `Bug 433791 <https://bugzilla.mozilla.org/show_bug.cgi?id=433791>`__: Win16 support should be
     deleted from NSS
   - `Bug 449332 <https://bugzilla.mozilla.org/show_bug.cgi?id=449332>`__: SECU_ParseCommandLine
     does not validate its inputs
   - `Bug 453735 <https://bugzilla.mozilla.org/show_bug.cgi?id=453735>`__: When using cert9
     (SQLite3) DB, set or change master password fails
   - `Bug 463544 <https://bugzilla.mozilla.org/show_bug.cgi?id=463544>`__: warning: passing enum\*
     for an int\* argument in pkix_validate.c
   - `Bug 469588 <https://bugzilla.mozilla.org/show_bug.cgi?id=469588>`__: Coverity errors reported
     for softoken
   - `Bug 470055 <https://bugzilla.mozilla.org/show_bug.cgi?id=470055>`__:
     pkix_HttpCertStore_FindSocketConnection reuses closed socket
   - `Bug 470070 <https://bugzilla.mozilla.org/show_bug.cgi?id=470070>`__: Multiple object leaks
     reported by tinderbox
   - `Bug 470479 <https://bugzilla.mozilla.org/show_bug.cgi?id=470479>`__: IO timeout during cert
     fetching makes libpkix abort validation.
   - `Bug 470500 <https://bugzilla.mozilla.org/show_bug.cgi?id=470500>`__: Firefox 3.1b2 Crash
     Report [[@ nssutil3.dll@0x34c0 ]
   - `Bug 482742 <https://bugzilla.mozilla.org/show_bug.cgi?id=482742>`__: Enable building util
     independently of the rest of nss
   - `Bug 483653 <https://bugzilla.mozilla.org/show_bug.cgi?id=483653>`__: unable to build
     certutil.exe for fennec/wince
   - `Bug 485145 <https://bugzilla.mozilla.org/show_bug.cgi?id=485145>`__: Miscellaneous crashes in
     signtool on Windows
   - `Bug 485155 <https://bugzilla.mozilla.org/show_bug.cgi?id=485155>`__: NSS_ENABLE_PKIX_VERIFY=1
     causes sec_error_unknown_issuer errors
   - `Bug 485527 <https://bugzilla.mozilla.org/show_bug.cgi?id=485527>`__: Rename the \_X86\_ macro
     in lib/freebl
   - `Bug 485658 <https://bugzilla.mozilla.org/show_bug.cgi?id=485658>`__: vfychain -p reports
     revoked cert
   - `Bug 485745 <https://bugzilla.mozilla.org/show_bug.cgi?id=485745>`__: modify fipstest.c to
     support CAVS 7.1 DRBG testing
   - `Bug 486304 <https://bugzilla.mozilla.org/show_bug.cgi?id=486304>`__: cert7.db/cert8.db
     corruption when importing a large certificate (>64K)
   - `Bug 486405 <https://bugzilla.mozilla.org/show_bug.cgi?id=486405>`__: Allocator mismatches in
     pk12util.c
   - `Bug 486537 <https://bugzilla.mozilla.org/show_bug.cgi?id=486537>`__: Disable execstack in
     freebl x86_64 builds on Linux
   - `Bug 486698 <https://bugzilla.mozilla.org/show_bug.cgi?id=486698>`__: Facilitate the building
     of major components independently and in a chain manner by downstream distributions
   - `Bug 486999 <https://bugzilla.mozilla.org/show_bug.cgi?id=486999>`__: Calling
     SSL_SetSockPeerID a second time leaks the previous value
   - `Bug 487007 <https://bugzilla.mozilla.org/show_bug.cgi?id=487007>`__: Make lib/jar conform to
     NSS coding style
   - `Bug 487162 <https://bugzilla.mozilla.org/show_bug.cgi?id=487162>`__: ckfw/capi build failure
     on windows
   - `Bug 487239 <https://bugzilla.mozilla.org/show_bug.cgi?id=487239>`__: nssutil.rc doesn't
     compile on WinCE
   - `Bug 487254 <https://bugzilla.mozilla.org/show_bug.cgi?id=487254>`__: sftkmod.c uses POSIX
     file IO Functions on WinCE
   - `Bug 487255 <https://bugzilla.mozilla.org/show_bug.cgi?id=487255>`__: sdb.c uses POSIX file IO
     Functions on WinCE
   - `Bug 487487 <https://bugzilla.mozilla.org/show_bug.cgi?id=487487>`__: CERT_NameToAscii reports
     !Invalid AVA! whenever value exceeds 384 bytes
   - `Bug 487736 <https://bugzilla.mozilla.org/show_bug.cgi?id=487736>`__: libpkix passes wrong
     argument to DER_DecodeTimeChoice and crashes
   - `Bug 487858 <https://bugzilla.mozilla.org/show_bug.cgi?id=487858>`__: Remove obsolete build
     options MOZILLA_SECURITY_BUILD and MOZILLA_BSAFE_BUILD
   - `Bug 487884 <https://bugzilla.mozilla.org/show_bug.cgi?id=487884>`__: object leak in libpkix
     library upon error
   - `Bug 488067 <https://bugzilla.mozilla.org/show_bug.cgi?id=488067>`__: PK11_ImportCRL reports
     SEC_ERROR_CRL_NOT_FOUND when it fails to import a CRL
   - `Bug 488350 <https://bugzilla.mozilla.org/show_bug.cgi?id=488350>`__: NSPR-free freebl
     interface need to do post tests only in fips mode.
   - `Bug 488396 <https://bugzilla.mozilla.org/show_bug.cgi?id=488396>`__: DBM needs to be FIPS
     certifiable.
   - `Bug 488550 <https://bugzilla.mozilla.org/show_bug.cgi?id=488550>`__: crash in certutil or pp
     when printing cert with empty subject name
   - `Bug 488992 <https://bugzilla.mozilla.org/show_bug.cgi?id=488992>`__: Fix
     lib/freebl/win_rand.c warnings
   - `Bug 489010 <https://bugzilla.mozilla.org/show_bug.cgi?id=489010>`__: stop exporting mktemp
     and dbopen (again)
   - `Bug 489287 <https://bugzilla.mozilla.org/show_bug.cgi?id=489287>`__: Resolve a few remaining
     issues with NSS's new revocation flags
   - `Bug 489710 <https://bugzilla.mozilla.org/show_bug.cgi?id=489710>`__: byteswap optimize for
     MSVC++
   - `Bug 490154 <https://bugzilla.mozilla.org/show_bug.cgi?id=490154>`__: Cryptokey framework
     requires module to implement GenerateKey when they support KeyPairGeneration
   - `Bug 491044 <https://bugzilla.mozilla.org/show_bug.cgi?id=491044>`__: Remove support for VMS
     (a.k.a., OpenVMS) from NSS
   - `Bug 491174 <https://bugzilla.mozilla.org/show_bug.cgi?id=491174>`__: CERT_PKIXVerifyCert
     reports wrong error code when EE cert is expired
   - `Bug 491919 <https://bugzilla.mozilla.org/show_bug.cgi?id=491919>`__: cert.h doesn't have
     valid functions prototypes
   - `Bug 492131 <https://bugzilla.mozilla.org/show_bug.cgi?id=492131>`__: A failure to import a
     cert from a P12 file leaves error code set to zero
   - `Bug 492385 <https://bugzilla.mozilla.org/show_bug.cgi?id=492385>`__: crash freeing named CRL
     entry on shutdown
   - `Bug 493135 <https://bugzilla.mozilla.org/show_bug.cgi?id=493135>`__: bltest crashes if it
     can't open the input file
   - `Bug 493364 <https://bugzilla.mozilla.org/show_bug.cgi?id=493364>`__: can't build with
     --disable-dbm option when not cross-compiling
   - `Bug 493693 <https://bugzilla.mozilla.org/show_bug.cgi?id=493693>`__: SSE2 instructions for
     bignum are not implemented on OS/2
   - `Bug 493912 <https://bugzilla.mozilla.org/show_bug.cgi?id=493912>`__: sqlite3_reset should be
     invoked in sdb_FindObjectsInit when error occurs
   - `Bug 494073 <https://bugzilla.mozilla.org/show_bug.cgi?id=494073>`__: update RSA/DSA
     powerupself tests to be compliant for 2011
   - `Bug 494087 <https://bugzilla.mozilla.org/show_bug.cgi?id=494087>`__: Passing NULL as the
     value of cert_pi_trustAnchors causes a crash in cert_pkixSetParam
   - `Bug 494107 <https://bugzilla.mozilla.org/show_bug.cgi?id=494107>`__: During NSS_NoDB_Init(),
     softoken tries but fails to load libsqlite3.so crash [@ @0x0 ]
   - `Bug 495097 <https://bugzilla.mozilla.org/show_bug.cgi?id=495097>`__: sdb_mapSQLError returns
     signed int
   - `Bug 495103 <https://bugzilla.mozilla.org/show_bug.cgi?id=495103>`__:
     NSS_InitReadWrite(sql:<dbdir>) causes NSS to look for sql:<dbdir>/libnssckbi.so
   - `Bug 495365 <https://bugzilla.mozilla.org/show_bug.cgi?id=495365>`__: Add const to the
     'nickname' parameter of SEC_CertNicknameConflict
   - `Bug 495656 <https://bugzilla.mozilla.org/show_bug.cgi?id=495656>`__:
     NSS_InitReadWrite(sql:<configdir>) leaves behind a pkcs11.txu file if libnssckbi.so is in
     <configdir>.
   - `Bug 495717 <https://bugzilla.mozilla.org/show_bug.cgi?id=495717>`__: Unable to compile
     nss/cmd/certutil/keystuff.c on WinCE
   - `Bug 496961 <https://bugzilla.mozilla.org/show_bug.cgi?id=496961>`__: provide truncated HMAC
     support for testing tool fipstest
   - `Bug 497002 <https://bugzilla.mozilla.org/show_bug.cgi?id=497002>`__: Lab required nspr-free
     freebl changes.
   - `Bug 497217 <https://bugzilla.mozilla.org/show_bug.cgi?id=497217>`__: The first random value
     ever generated by the RNG should be discarded
   - `Bug 498163 <https://bugzilla.mozilla.org/show_bug.cgi?id=498163>`__: assert if profile path
     contains cyrillic chars.
     [[@isspace - secmod_argIsBlank - secmod_argHasBlanks -
     secmod_formatPair - secmod_mkNewModuleSpec]
   - `Bug 498509 <https://bugzilla.mozilla.org/show_bug.cgi?id=498509>`__: Produce debuggable
     optimized builds for Mozilla on MacOSX
   - `Bug 498511 <https://bugzilla.mozilla.org/show_bug.cgi?id=498511>`__: Produce debuggable
     optimized NSS builds for Mozilla on Linux
   - `Bug 499385 <https://bugzilla.mozilla.org/show_bug.cgi?id=499385>`__: DRBG Reseed function
     needs to be tested on POST
   - `Bug 499825 <https://bugzilla.mozilla.org/show_bug.cgi?id=499825>`__: utilrename.h is missing
     from Solaris packages
   - `Bug 502961 <https://bugzilla.mozilla.org/show_bug.cgi?id=502961>`__: Allocator mismatch in
     pk11mode
   - `Bug 502965 <https://bugzilla.mozilla.org/show_bug.cgi?id=502965>`__: Allocator mismatch in
     sdrtest
   - `Bug 502972 <https://bugzilla.mozilla.org/show_bug.cgi?id=502972>`__: Another allocator
     mismatch in sdrtest
   - `Bug 504398 <https://bugzilla.mozilla.org/show_bug.cgi?id=504398>`__:
     pkix_pl_AIAMgr_GetHTTPCerts could crash if SEC_GetRegisteredHttpClient fails
   - `Bug 504405 <https://bugzilla.mozilla.org/show_bug.cgi?id=504405>`__: pkix_pl_CrlDp_Create
     will fail on alloc success because of a missing !
   - `Bug 504408 <https://bugzilla.mozilla.org/show_bug.cgi?id=504408>`__: pkix_pl_CrlDp_Create
     will always fail if dp->distPointType != generalName
   - `Bug 504456 <https://bugzilla.mozilla.org/show_bug.cgi?id=504456>`__: Exploitable heap
     overflow in NSS shell expression (filename globbing) parsing
   - `Bug 505559 <https://bugzilla.mozilla.org/show_bug.cgi?id=505559>`__: Need function to
     identify the one and only default internal private key slot.
   - `Bug 505561 <https://bugzilla.mozilla.org/show_bug.cgi?id=505561>`__: Need a generic function
     a la SECMOD_OpenUserDB() that can be used on non-softoken modules.
   - `Bug 505858 <https://bugzilla.mozilla.org/show_bug.cgi?id=505858>`__: NSS_RegisterShutdown can
     return without unlocking nssShutdownList.lock
   - `Bug 507041 <https://bugzilla.mozilla.org/show_bug.cgi?id=507041>`__: Invalid build options
     for VC6
   - `Bug 507228 <https://bugzilla.mozilla.org/show_bug.cgi?id=507228>`__: coreconf.dep doesn't
     need to contain the NSS version number
   - `Bug 507422 <https://bugzilla.mozilla.org/show_bug.cgi?id=507422>`__: crash
     [[@ PORT_FreeArena - lg_mkSecretKeyRep] when PORT_NewArena fails
   - `Bug 507482 <https://bugzilla.mozilla.org/show_bug.cgi?id=507482>`__: NSS 3.12.3 (and later)
     doesn't build on AIX 5.1
   - `Bug 507937 <https://bugzilla.mozilla.org/show_bug.cgi?id=507937>`__: pwdecrypt program
     problems
   - `Bug 508259 <https://bugzilla.mozilla.org/show_bug.cgi?id=508259>`__: Pk11mode crashed on
     Linux2.4
   - `Bug 508467 <https://bugzilla.mozilla.org/show_bug.cgi?id=508467>`__: libpkix ocsp checker
     should use date argument to obtain the time for cert validity verification
   - `Bug 510367 <https://bugzilla.mozilla.org/show_bug.cgi?id=510367>`__: Fix the UTF8 characters
     in the nickname string for AC Raíz Certicamara S.A.

   .. rubric:: Documentation
      :name: Documentation

   For a list of the primary NSS documentation pages on developer.mozilla.org, see NSS. New and
   revised documents available since the release of NSS 3.12 include the following:

   - :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`

   .. rubric:: Compatibility
      :name: Compatibility

   NSS 3.12.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
   program linked with older NSS 3.x shared libraries will work with NSS 3.12.4 shared libraries
   without recompiling or relinking.
   Furthermore, applications that restrict their use of NSS APIs
   to the functions listed in `NSS Public Functions </ref/nssfunctions.html>`__ will remain
   compatible with future versions of the NSS shared libraries.

   .. rubric:: Feedback
      :name: Feedback

   Bugs discovered should be reported by filing a bug report with `mozilla.org
   Bugzilla <https://bugzilla.mozilla.org/>`__ (product NSS).
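
The expression matching rules listed under "Major changes in NSS 3.12.4" above (wildcards, escapes, ``$``, bracketed expressions and the single top-level exclusion), written out as an added C example that is not NSS code and not part of the original release notes. The name ``sxp_match`` and its 1/0/-1 result codes are assumptions of this example; unions are not handled and are reported as -1.

```c
#include <ctype.h>
#include <stddef.h>
/* Added example, not NSS code: 1 match, 0 no match, -1 malformed/unsupported.
 * match_bracket tests c against the bracket at *pe and advances *pe past ']'. */
static int match_bracket(const char **pe, unsigned char c)
{
    const unsigned char *e = (const unsigned char *)*pe + 1;
    int neg = (*e == '^'), hit = 0;
    e += neg;
    if (isalnum(e[0]) && e[1] == '-' && isalnum(e[2]) && e[3] == ']') {
        hit = (c >= e[0] && c <= e[2]);   /* the single-range form [a-z] */
        e += 3;
    } else for (; *e != ']'; e++) {       /* literal set; [a-gp-z] lands here */
        if (*e == '\\') e++;              /* escaped \ or ] */
        if (*e == '\0') return -1;        /* unterminated bracket */
        hit |= (*e == c);
    }
    *pe = (const char *)e + 1;
    return hit != neg;
}

/* top is the whole subject string, or NULL once inside an exclusion. */
static int match_here(const char *s, const char *e, const char *top)
{
    for (int r;;) {
        switch (*e) {
        case '\0': return *s == '\0';
        case '(':  return -1;                 /* unions not implemented */
        case '~':                             /* foo~bar: foo but not bar */
            if (!top) return -1;              /* at most one exclusion */
            if (*s) return 0;
            r = match_here(top, e + 1, NULL);
            return r < 0 ? -1 : !r;
        case '$': if (*s) return 0; e++; continue;
        case '?': if (!*s) return 0; s++; e++; continue;
        case '*': while (*e == '*') e++;
            for (;; s++)                      /* try every suffix of s */
                if ((r = match_here(s, e, top)) != 0 || !*s) return r;
        case '[':
            if ((r = match_bracket(&e, (unsigned char)*s)) < 0) return -1;
            if (!*s || !r) return 0;
            s++; continue;
        case '\\':
            if (*++e == '\0') return -1;      /* dangling escape */
            /* fall through: the escaped character is a literal */
        default: if (*s++ != *e++) return 0;
        }
    }
}

int sxp_match(const char *str, const char *exp)
{
    return match_here(str, exp, str);
}
```

Syntax errors are reported only when matching reaches them, so this does not replace a separate validity check such as ``PORT_RegExpValid``. Runs of ``*`` make the recursion backtrack, so bound the expression length before matching untrusted patterns.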