NSS version 3.12.5 has been released in source code form from the master upstream CVS repository with the CVS tag NSS_3_12_5_RTM.

Sun made NSS 3.12.5 publicly available as a binary patch for some platforms. See
http://sunsolve.sun.com/search/document.do?assetkey=1-66-273350-1

The main reason this release was made at this time was to make available immediate relief for bug 526689, the recently discovered SSL/TLS renegotiation vulnerability. See
https://bugzilla.mozilla.org/show_bug.cgi?id=526689
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555

The relief consists of disabling the vulnerable renegotiation feature of the SSL3/TLS protocol by default in both clients and servers, whether initiated by the process at the local or remote end of the connection.

A new API has been introduced by which an application can re-enable that vulnerable renegotiation feature, if desired. Be aware that doing so makes the application vulnerable again.

There is also a new environment variable that the user/admin may set that will re-enable renegotiation by default for any process that begins execution with that environment variable set. This allows the renegotiation feature to be re-enabled without any program changes, but again, doing so reintroduces the vulnerability to the attack.

The new environment variable is NSS_SSL_ENABLE_RENEGOTIATION. Setting it to the value "1" will re-enable renegotiation. Setting it to the value "0" will leave renegotiation disabled (as it is by default).

Release notes have not yet been published to the web site, but should become available this week. The full list of bug fixes and RFEs may be seen at this URL:
https://bugzilla.mozilla.org/buglist.cgi?order=Assignee;resolution=FIXED;query_format=advanced;target_milestone=3.12.5;product=NSS
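Because the environment variable re-enables renegotiation without any program change, an administrator may want to find running processes that were started with it set. The following is an added example, not part of the announcement or of NSS: it assumes a Linux-style /proc layout with NUL-separated environ files, the function names are hypothetical, and any value other than the "0" and "1" defined above is reported for manual review.

```shell
#!/bin/sh
# Added audit example: report how NSS_SSL_ENABLE_RENEGOTIATION is set in a
# process environment block (NUL-separated, as in Linux /proc/<pid>/environ).

VAR=NSS_SSL_ENABLE_RENEGOTIATION

# classify_reneg FILE
# Prints one of: unreadable, unset, disabled, enabled, other:<value>
classify_reneg() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    # Turn the NUL separators into newlines and keep the first assignment.
    line=$(tr '\0' '\n' < "$1" | sed -n "/^$VAR=/{p;q;}")
    [ -n "$line" ] || { echo unset; return 0; }
    value=${line#"$VAR"=}
    case $value in
        1) echo enabled ;;          # renegotiation re-enabled: vulnerable again
        0) echo disabled ;;         # same as the 3.12.5 default
        *) echo "other:$value" ;;   # not defined in the announcement: review
    esac
}

# audit_procs [PROC_ROOT]
# Prints "<pid> <state>" for every process whose environment re-enables
# renegotiation or carries a value that needs review.
audit_procs() {
    root=${1:-/proc}
    for f in "$root"/[0-9]*/environ; do
        [ -e "$f" ] || continue
        state=$(classify_reneg "$f")
        case $state in
            enabled|other:*)
                pid=${f%/environ}
                pid=${pid##*/}
                echo "$pid $state"
                ;;
        esac
    done
}
```

Source the file and run `audit_procs` as root so that every process's environ file is readable. The result reflects the environment each process started with, and an application that re-enables renegotiation through the new API will not appear in it.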

