[dev-tech-crypto] NSS 3.122 Release
11 views
Skip to first unread message
Anna Weine
Mar 24, 2026, 12:29:46 PM (10 days ago) Mar 24
to dev-tec...@mozilla.org
Network Security Services (NSS) 3.122 was released on 19 March 2026.
The HG tag is NSS_3_122_RTM. This version of NSS requires NSPR 4.38.2 or newer. The latest version of NSPR is 4.38.2.
NSS 3.122 source distributions are available on ftp.mozilla.org
for secure HTTPS download:
<https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_122_RTM/src/>
Changes:
- Bug 2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
- Bug 2023664 - run mach doc-lint from generate_release_doc.py.
- Bug 2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
- Bug 2020614 - tls13_CopyEchConfigs uses PR_LIST_TAIL instead of loop variable.
- Bug 2021911 - fix cipher spec count intermittent CI failures.
- Bug 2021913 - fix Mlkem768x25519ShareDamager intermittent CI failures.
- Bug 2023437 - lint the legacy documentation.
- Bug 2023437 - lint the NSS 3.112.3 release notes.
- Bug 2023437 - add a doc-lint CI job.
- Bug 2020224 - Add more useful coverage reports to CI and fail if new commit isn't tested.
- Bug 1472747 - wrong alert for malformed TLS 1.3 Finished.
- Bug 1916429 - Swap order of asserts and state check.
- Bug 2022149 - set correct value of unused curve parameters in tls13_HandleKeyShare.
- Bug 2017929 - GCM needs to check for various limits in FIPS mode.
- Bug 2017938 - Get Key Length not working from ED and Montgomery keys.
- Bug 2017927 - Not all ike modes are FIPS approved. Adjust the indicators when they aren't.
- Bug 2020721 - fix intermittent ssl.sh test failures on windows runners.
- Bug 2017918 - FIPS indicators on HKDF needs to be restricted to TLS usage.
- Bug 2017920 - Generate keys not getting indicators.
- Bug 2020612 - improve error handling in smime_init_once.
- Bug 1987288 - Detect CPU features on OpenBSD using elf_aux_info.
- Bug 2019357 - RSA_EMSAEncodePSS should validate the length of mHash.
- Bug 2020442 - more robustly distinguish SFTKSessionObject and SFTKTokenObjects.
- Bug 2019194 - fix missing .S file error in Solaris Makefile builds.
- Bug 2020486 - fix memory leak in NSC_GenerateKey error path.
- Bug 2020615 - Missing SECFailure return after FATAL_ERROR in tls13_HandleEncryptedExtensions.
- Bug 2020613 - release xmit buf lock on dtls13_MaybeSendKeyUpdate error paths.
- Bug 2020849 - release 1stHandshakeLock on SSL_ResetHandshake error path.
- Bug 2020188 - avoid null deref in mp_div_d sign normalization.
- Bug 2017945 - Temp private key lifecycle is broken.
- Bug 1851073 - protect rwSessionCount with slotLock.
- Bug 2019224 - Remove invalid PORT_Free().
- Bug 1828713 - Fix intermittent ClientGreaseKeyShare test failure.
- Bug 2018200 - Fix kCtxStr len passed to tls_SignOrVerifyUpdate.
- Bug 2019760 - patch upstream acvp-rust during checkout to avoid build failures.
- Bug 2019760 - update acvp Dockerfile.
- Bug 2017997 - CKA_PARAM_SET missing from the CK_ULONG list in softoken.
- Bug 2018000 - CKA_SEED missing from isPrivate in the database.
- Bug 2019717 - update abicheck expectation for __nss_InitLock.
- Bug 2019327 - taskcluster: set NSS_DISABLE_LIBPKIX=1 in test env for static builds.
- Bug 2019327 - tests: fix setup_policy to use ROOTCERTSFILE for root cert module path.
- Bug 2019327 - tests: fix selfserv/httpserv PID handling and wait exit code for MSYS_NT.
- Bug 2019327 - tests: add native_path helper for cross-platform path conversion.
- Bug 2019327 - tstclnt, strsclnt: avoid DNS lookup for loopback addresses on Windows.
- Bug 2019090 - avoid platform GCM for x64 iOS emulator builds.
- Bug 2012002 - remove lock instrumentation feature.
- Bug 2017923 - Move FIPS indicator structures out of fips_algorithms.h.
- Bug 2018064 - all.sh is failing in FIPS SSL test in main tree.
- Bug 1975973 - fix memory leaks in crmf tests.
- Bug 2012547 - fix unsatisfiable condition in lg_getTrust.
- Bug 2006218 - allow selfserv makefile build to use system zlib.
- Bug 2002247 - Add allocation limit to pkcs12 decoding.
- Bug 2012406 - Add text/html single-line example emails to NSS S/SMIME CMS tests.
NSS 3.122 shared libraries are backwards-compatible with all
older NSS 3.x shared libraries. A program linked with older NSS
3.x shared libraries will work with this new version of the
shared libraries without recompiling or relinking. Furthermore,
applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible
with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report at
<https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>
Release notes are available at
<https://firefox-source-docs.mozilla.org/security/nss/releases/index.html>.
Best,
Anna
The HG tag is NSS_3_122_RTM. This version of NSS requires NSPR 4.38.2 or newer. The latest version of NSPR is 4.38.2.
NSS 3.122 source distributions are available on ftp.mozilla.org
for secure HTTPS download:
<https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_122_RTM/src/>
Changes:
- Bug 2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree.
- Bug 2023664 - run mach doc-lint from generate_release_doc.py.
- Bug 2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
- Bug 2020614 - tls13_CopyEchConfigs uses PR_LIST_TAIL instead of loop variable.
- Bug 2021911 - fix cipher spec count intermittent CI failures.
- Bug 2021913 - fix Mlkem768x25519ShareDamager intermittent CI failures.
- Bug 2023437 - lint the legacy documentation.
- Bug 2023437 - lint the NSS 3.112.3 release notes.
- Bug 2023437 - add a doc-lint CI job.
- Bug 2020224 - Add more useful coverage reports to CI and fail if new commit isn't tested.
- Bug 1472747 - wrong alert for malformed TLS 1.3 Finished.
- Bug 1916429 - Swap order of asserts and state check.
- Bug 2022149 - set correct value of unused curve parameters in tls13_HandleKeyShare.
- Bug 2017929 - GCM needs to check for various limits in FIPS mode.
- Bug 2017938 - Get Key Length not working from ED and Montgomery keys.
- Bug 2017927 - Not all ike modes are FIPS approved. Adjust the indicators when they aren't.
- Bug 2020721 - fix intermittent ssl.sh test failures on windows runners.
- Bug 2017918 - FIPS indicators on HKDF needs to be restricted to TLS usage.
- Bug 2017920 - Generate keys not getting indicators.
- Bug 2020612 - improve error handling in smime_init_once.
- Bug 1987288 - Detect CPU features on OpenBSD using elf_aux_info.
- Bug 2019357 - RSA_EMSAEncodePSS should validate the length of mHash.
- Bug 2020442 - more robustly distinguish SFTKSessionObject and SFTKTokenObjects.
- Bug 2019194 - fix missing .S file error in Solaris Makefile builds.
- Bug 2020486 - fix memory leak in NSC_GenerateKey error path.
- Bug 2020615 - Missing SECFailure return after FATAL_ERROR in tls13_HandleEncryptedExtensions.
- Bug 2020613 - release xmit buf lock on dtls13_MaybeSendKeyUpdate error paths.
- Bug 2020849 - release 1stHandshakeLock on SSL_ResetHandshake error path.
- Bug 2020188 - avoid null deref in mp_div_d sign normalization.
- Bug 2017945 - Temp private key lifecycle is broken.
- Bug 1851073 - protect rwSessionCount with slotLock.
- Bug 2019224 - Remove invalid PORT_Free().
- Bug 1828713 - Fix intermittent ClientGreaseKeyShare test failure.
- Bug 2018200 - Fix kCtxStr len passed to tls_SignOrVerifyUpdate.
- Bug 2019760 - patch upstream acvp-rust during checkout to avoid build failures.
- Bug 2019760 - update acvp Dockerfile.
- Bug 2017997 - CKA_PARAM_SET missing from the CK_ULONG list in softoken.
- Bug 2018000 - CKA_SEED missing from isPrivate in the database.
- Bug 2019717 - update abicheck expectation for __nss_InitLock.
- Bug 2019327 - taskcluster: set NSS_DISABLE_LIBPKIX=1 in test env for static builds.
- Bug 2019327 - tests: fix setup_policy to use ROOTCERTSFILE for root cert module path.
- Bug 2019327 - tests: fix selfserv/httpserv PID handling and wait exit code for MSYS_NT.
- Bug 2019327 - tests: add native_path helper for cross-platform path conversion.
- Bug 2019327 - tstclnt, strsclnt: avoid DNS lookup for loopback addresses on Windows.
- Bug 2019090 - avoid platform GCM for x64 iOS emulator builds.
- Bug 2012002 - remove lock instrumentation feature.
- Bug 2017923 - Move FIPS indicator structures out of fips_algorithms.h.
- Bug 2018064 - all.sh is failing in FIPS SSL test in main tree.
- Bug 1975973 - fix memory leaks in crmf tests.
- Bug 2012547 - fix unsatisfiable condition in lg_getTrust.
- Bug 2006218 - allow selfserv makefile build to use system zlib.
- Bug 2002247 - Add allocation limit to pkcs12 decoding.
- Bug 2012406 - Add text/html single-line example emails to NSS S/SMIME CMS tests.
NSS 3.122 shared libraries are backwards-compatible with all
older NSS 3.x shared libraries. A program linked with older NSS
3.x shared libraries will work with this new version of the
shared libraries without recompiling or relinking. Furthermore,
applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible
with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report at
<https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>
Release notes are available at
<https://firefox-source-docs.mozilla.org/security/nss/releases/index.html>.
Best,
Anna
Reply all
Reply to author
Forward
0 new messages