Bug 1875764 - land NSS NSS_3_98_RTM UPGRADE_NSS_RELEASE, r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D202013

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_98_BETA1
+NSS_3_98_RTM

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/doc/rst/releases/index.rst

@@ -8,6 +8,7 @@ Releases
    :glob:
    :hidden:
 
+   nss_3_98.rst
    nss_3_97.rst
    nss_3_96_1.rst
    nss_3_96.rst
@@ -62,29 +63,37 @@ Releases
 
 .. note::
 
-   **NSS 3.97** is the latest version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_97_release_notes`
+   **NSS 3.98** is the latest version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_98_release_notes`
 
-   **NSS 3.90.1 (ESR)** is the latest version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_90_1_release_notes`
+   **NSS 3.90.2 (ESR)** is the latest version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_90_2_release_notes`
 
 .. container::
 
-   Changes in 3.97 included in this release:
+   Changes in 3.98 included in this release:
 
-  - Bug 1875506 - make Xyber768d00 opt-in by policy.
-  - Bug 1871631 - add libssl support for xyber768d00.
-  - Bug 1871630 - add PK11_ConcatSymKeys.
-  - Bug 1775046 - add Kyber and a PKCS#11 KEM interface to softoken.
-  - Bug 1871152 - add a FreeBL API for Kyber.
-  - Bug 1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff.
-  - Bug 1826451 - part 1: add a script for vendoring kyber from pq-crystals repo.
-  - Bug 1835828 - Removing the calls to RSA Blind from loader.*
-  - Bug 1874111 - fix worker type for level3 mac tasks.
-  - Bug 1835828 - RSA Blind implementation.
-  - Bug 1869642 - Remove DSA selftests.
-  - Bug 1873296 - read KWP testvectors from JSON.
-  - Bug 1822450 - Backed out changeset dcb174139e4f
-  - Bug 1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation.
-  - Bug 1871219 - Wrap CC shell commands in gyp expansions.
+  - Bug 1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS.
+  - Bug 1879513 - Certificate Compression: enabling the check that the compression was advertised.
+  - Bug 1831552 - Move Windows workers to nss-1/b-win2022-alpha.
+  - Bug 1879945 - Remove Email trust bit from OISTE WISeKey Global Root GC CA.
+  - Bug 1877344 - Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`.
+  - Bug 1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression.
+  - Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation.
+  - Bug 1875356 - Add valgrind annotations to freebl kyber operations for constant-time execution tests.
+  - Bug 1870673 - Set nssckbi version number to 2.66.
+  - Bug 1874017 - Add Telekom Security roots.
+  - Bug 1873095 - Add D-Trust 2022 S/MIME roots.
+  - Bug 1865450 - Remove expired Security Communication RootCA1 root.
+  - Bug 1876179 - move keys to a slot that supports concatenation in PK11_ConcatSymKeys.
+  - Bug 1876800 - remove unmaintained tls-interop tests.
+  - Bug 1874937 - bogo: add support for the -ipv6 and -shim-id shim flags.
+  - Bug 1874937 - bogo: add support for the -curves shim flag and update Kyber expectations.
+  - Bug 1874937 - bogo: adjust expectation for a key usage bit test.
+  - Bug 1757758 - mozpkix: add option to ignore invalid subject alternative names.
+  - Bug 1841029 - Fix selfserv not stripping `publicname:` from -X value.
+  - Bug 1876390 - take ownership of ecckilla shims.
+  - Bug 1874458 - add valgrind annotations to freebl/ec.c.
+  - Bug  864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip.
+  - Bug 1875965 - Update zlib to 1.3.1.
 

security/nss/doc/rst/releases/nss_3_90_2.rst

@@ -0,0 +1,56 @@
+.. _mozilla_projects_nss_nss_3_90_2_release_notes:
+
+NSS 3.90.2 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.90.2 was released on *15th February 2024**.
+
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_90_2_RTM. NSS 3.90.2 requires NSPR 4.35 or newer.
+
+   NSS 3.90.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_90_2_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.90.2:
+
+`Changes in NSS 3.90.2 <#changes_in_nss_3.90.2>`__
+--------------------------------------------------
+
+.. container::
+
+   - Bug 1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS.
+   - Bug 1867408 - add a defensive check for large ssl_DefSend return values.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.90.2 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

security/nss/doc/rst/releases/nss_3_98.rst

@@ -0,0 +1,76 @@
+.. _mozilla_projects_nss_nss_3_98_release_notes:
+
+NSS 3.98 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.98 was released on *15th February 2024**.
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_98_RTM. NSS 3.98 requires NSPR 4.35 or newer.
+
+   NSS 3.98 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_98_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.98:
+
+`Changes in NSS 3.98 <#changes_in_nss_3.98>`__
+------------------------------------------------------------------
+
+.. container::
+
+  - Bug 1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS.
+  - Bug 1879513 - Certificate Compression: enabling the check that the compression was advertised.
+  - Bug 1831552 - Move Windows workers to nss-1/b-win2022-alpha.
+  - Bug 1879945 - Remove Email trust bit from OISTE WISeKey Global Root GC CA.
+  - Bug 1877344 - Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`.
+  - Bug 1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression.
+  - Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation.
+  - Bug 1875356 - Add valgrind annotations to freebl kyber operations for constant-time execution tests.
+  - Bug 1870673 - Set nssckbi version number to 2.66.
+  - Bug 1874017 - Add Telekom Security roots.
+  - Bug 1873095 - Add D-Trust 2022 S/MIME roots.
+  - Bug 1865450 - Remove expired Security Communication RootCA1 root.
+  - Bug 1876179 - move keys to a slot that supports concatenation in PK11_ConcatSymKeys.
+  - Bug 1876800 - remove unmaintained tls-interop tests.
+  - Bug 1874937 - bogo: add support for the -ipv6 and -shim-id shim flags.
+  - Bug 1874937 - bogo: add support for the -curves shim flag and update Kyber expectations.
+  - Bug 1874937 - bogo: adjust expectation for a key usage bit test.
+  - Bug 1757758 - mozpkix: add option to ignore invalid subject alternative names.
+  - Bug 1841029 - Fix selfserv not stripping `publicname:` from -X value.
+  - Bug 1876390 - take ownership of ecckilla shims.
+  - Bug 1874458 - add valgrind annotations to freebl/ec.c.
+  - Bug  864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip.
+  - Bug 1875965 - Update zlib to 1.3.1.
+
+`Compatibility <#compatibility>`__
+----------------------------------
+
+.. container::
+
+   NSS 3.98 shared libraries are backwards-compatible with all older NSS 3.x shared
+   libraries. A program linked with older NSS 3.x shared libraries will work with
+   this new version of the shared libraries without recompiling or
+   relinking. Furthermore, applications that restrict their use of NSS APIs to the
+   functions listed in NSS Public Functions will remain compatible with future
+   versions of the NSS shared libraries.
+
+`Feedback <#feedback>`__
+------------------------
+
+.. container::
+
+   Bugs discovered should be reported by filing a bug report on
+   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

security/nss/lib/nss/nss.h

@@ -22,12 +22,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION "3.98" _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION "3.98" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 98
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_TRUE
+#define NSS_BETA PR_FALSE
 
 #ifndef RC_INVOKED
 

security/nss/lib/softoken/softkver.h

@@ -17,11 +17,11 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION "3.98" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION "3.98" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 98
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_TRUE
+#define SOFTOKEN_BETA PR_FALSE
 
 #endif /* _SOFTKVER_H_ */

security/nss/lib/util/nssutil.h

@@ -19,12 +19,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.98 Beta"
+#define NSSUTIL_VERSION "3.98"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 98
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_TRUE
+#define NSSUTIL_BETA PR_FALSE
 
 SEC_BEGIN_PROTOS