* Updated DTLS 1.3 implementation to Draft-34. See Bug 1608892 for details.
Bugs fixed in NSS 3.51
* Bug 1608892 - Update DTLS 1.3 implementation to draft-34.
* Bug 1611209 - Correct swapped PKCS11 values of CKM_AES_CMAC and
* Bug 1612259 - Complete integration of Wycheproof ECDH test cases
* Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>)
* Bug 1614786 - Fix a compilation error for ‘getFIPSEnv’ "defined but not
* Bug 1615208 - Send DTLS version numbers in DTLS 1.3 supported_versions
extension to avoid an incompatibility.
* Bug 1538980 - SECU_ReadDERFromFile calls strstr on a string that isn't
guaranteed to be null-terminated
* Bug 1561337 - Correct a warning for comparison of integers of different
signs: 'int' and 'unsigned long' in
* Bug 1609751 - Add test for mp_int clamping
* Bug 1582169 - Don't attempt to read the fips_enabled flag on the machine
unless NSS was built with FIPS enabled
* Bug 1431940 - Fix a null pointer dereference in BLAKE2B_Update
* Bug 1617387 - Fix compiler warning in secsign.c
* Bug 1618400 - Fix a OpenBSD/arm64 compilation error: unused variable
* Bug 1610687 - Fix a crash on unaligned CMACContext.aes.keySchedule when
using AES-NI intrinsics
This Bugzilla query returns all the bugs fixed in NSS 3.51:
NSS 3.51 shared libraries are backward compatible with all older NSS 3.x
shared libraries. A program linked with older NSS 3.x shared libraries will
work with NSS 3.51 shared libraries without recompiling or relinking.
Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report with
bugzilla.mozilla.org (product NSS).
Red Hat Planning would like to know the estimate for when the NSS
targetted for ESR will be released. We are working on the theory it will
be end of May (balancing time for PKCS #11 3.0 changes versus when ESR
needs a new NSS). Planning wants me to confirm that with mozilla,
On Thursday, March 26, 2020 at 9:01:57 AM UTC-7, Robert Relyea wrote:
> Red Hat Planning would like to know the estimate for when the NSS
> targetted for ESR will be released. We are working on the theory it will
> be end of May (balancing time for PKCS #11 3.0 changes versus when ESR
> needs a new NSS). Planning wants me to confirm that with mozilla,
> particularly JC.
This comes at a very apropos time, as just yesterday we were discussing a similar topic re: reducing risk around the pandemic.
I am happy to give a longer bake time for the NSS for ESR 78. My proposal is as follows:
That Firefox 76 (currently in Nightly) move to a point release of NSS 3.51, specifically 3.51.1, including only non-risky changes that have happened since we released 3.51. This gives us more time to test for issues that might occur due to the HACL* and PKCS11 updates.
Firefox 77 then would see the release of NSS 3.52, which is the current NSS trunk.
After Firefox 77, we'd version bump NSS mainline to 3.53 as expected, but keep Firefox 78 (an ESR release) on NSS 3.52, and potentially make a point release 3.52.1 for Firefox 78 with only low-risk changes.
After that, we return to our new "normal" cadence, of NSS 3.53 shipping with Firefox 79.
In effect that would give us 3 cycles / 12 weeks of time working on NSS 3.52 before it ships as an ESR release.
If this seems rational to you, we'll update the NSS Release Versions wiki  to draw this out a bit more visually and take any other comments.