NSS 3.13.3 has been released and it's built for Rawhide/F-17-alpha/F-16/F15.
A push to update-testing for f17 will be coming shortly - to f16/f15 some time
later.

You can find the new features and bug fixes in NSS 3.13.2 and 3.13.3 with these 
Bugzilla queries:

https://bugzilla.mozilla.org/buglist.cgi?list_id=1496878&resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.13.2&product=NSS

https://bugzilla.mozilla.org/buglist.cgi?list_id=1496878&resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.13.3&product=NSS

and fixes for NSPR 4.9 with this query:
https://bugzilla.mozilla.org/buglist.cgi?list_id=1496878&resolution=FIXED&classification=Components&query_format=advanced&target_milestone=4.9&product=NSPR

When we updated nss last, from to nss-3.13.1, a notable change was: 
https://bugzilla.mozilla.org/show_bug.cgi?id=665814

The NSS upstream announcement stated:
A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack
demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default.
to set the SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it.

This caused breakage connecting to various servers, due to servers themselves
and some client applications.
We opted to reverse the sense of the fix's default and stated that it was off
and that if desired you could set the SSL_CBC_RANDOM_IV SSL option to PR_TRUE
to enable it.

This was done for the stable branches, F-16/15, while Rawhide had the fix on by
default.

Since then several Fedora maintainers have either patched affected products
downstream or submitted patches that were accepted by their respective
upstreams. Some patches have yet to be accepted.
The last time I checked such was the case with OpenSSL. Others we don't know
yet.

Since F-17 is now Alpha and I have set the default to off like it is on
F-16/15, Rawhide (f18) still has it on.
We would like to find what additional products will still break with this fix.
If you can, could you set the SSL_CBC_RANDOM_IV SSL option to PR_TRUE and try
it and send us feedback on remaining sites or apps that still break?
 
Thank you in advance,

Elio Maldonado