NSS 3.108 Release
73 views
Skip to first unread message
Dennis Jackson
Feb 11, 2025, 11:59:18 AMFeb 11
to dev-tec...@lists.mozilla.org
Network Security Services (NSS) 3.108 was released on 4th February 2025.
The HG tag is NSS_3_108_RTM. This version of NSS requires NSPR
4.35 or newer. The latest version of NSPR is 4.36.
NSS 3.108 source distributions are available on ftp.mozilla.org
for secure HTTPS download:
<https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_108_RTM/src/>
Changes:
- Bug 1923285 - libclang-16 -> libclang-19
- Bug 1939086 - Turn off Secure Email Trust Bit for Security Communication ECC RootCA1.
- Bug 1937332 - Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2.
- Bug 1915902 - Remove SwissSign Silver CA – G2.
- Bug 1938245 - Add D-Trust 2023 TLS Roots to NSS
- Bug 1942301 - fix fips test failure on windows.
- Bug 1935925 - change default sensitivity of KEM keys.
- Bug 1936001 - Part 1: Introduce frida hooks and script,
- Bug 1942350 - add missing arm_neon.h include to gcm.c.
- Bug 1831552 - ci: update windows workers to win2022 r=nss-reviewers,nkulatova NSS_3_108_BETA2
- Bug 1831552 - strip trailing carriage returns in tools tests r=nss-reviewers,nkulatova
- Bug 1880256 - work around unix/windows path translation issues in cert test script r=nss-reviewers,nkulatova
- Bug 1831552 - ci: let the windows setup script work without $m r=nss-reviewers,nkulatova
- Bug 1880255 - detect msys r=nss-reviewers,nkulatova
- Bug 1936680 - add a specialized CTR_Update variant for AES-GCM. r=nss-reviewers,keeler
- Bug 1930807 NSS policy updates - cavs NSS_3_108_BETA1
- Bug 1930806 FIPS changes need to be upstreamed: FIPS 140-3 RNG
- Bug 1930806 FIPS changes need to be upstreamed: Add SafeZero
- Bug 1930806 FIPS changes need to be upstreamed - updated POST
- Bug 1933031 Segmentation fault in SECITEM_Hash during pkcs12 processing
- Bug 1929922 - Extending NSS with LoadModuleFromFunction functionality r=keeler,nss-reviewers
- Bug 1935984 - Ensure zero-initialization of collectArgs.cert, r=djackson,nss-reviewers
- Bug 1934526 - pkcs7 fuzz target use CERT_DestroyCertificate, r=djackson,nss-reviewers
- Bug 1915898 - Fix actual underlying ODR violations issue, r=djackson,nss-reviewers
- Bug 1184059 - mozilla::pkix: allow reference ID labels to begin and/or end with hyphens r=jschanck
- Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set r=jschanck
- Bug 1934526 - Fix memory leak in pkcs7 fuzz target, r=djackson,nss-reviewers
- Bug 1934529 - Set -O2 for ASan builds in CI, r=djackson,nss-reviewers
- Bug 1934543 - Change branch of tlsfuzzer dependency, r=djackson,nss-reviewers
- Bug 1915898 - Run tests in CI for ASan builds with detect_odr_violation=1, r=djackson,nss-reviewers
- Bug 1934241 - Fix coverage failure in CI, r=djackson,nss-reviewers
- Bug 1934213 - Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch, r=djackson,nss-reviewers
- Bug 1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround, r=djackson,nss-reviewers
- Bug 1913677 - Part 3: Restructure fuzz/, r=djackson,nss-reviewers
- Bug 1931925 - Extract testcases from ssl gtests for fuzzing, r=djackson,nss-reviewers
- Bug 1923037 - Force Cryptofuzz to use NSS in CI, r=nss-reviewers,nkulatova
- Bug 1923037 - Fix Cryptofuzz on 32 bit in CI, r=nss-reviewers,nkulatova
- Bug 1933154 - Update Cryptofuzz repository link, r=nss-reviewers,nkulatova
- Bug 1926256 - fix build error from 9505f79d r=jschanck
- Bug 1926256 - simplify error handling in get_token_objects_for_cache. r=rrelyea
- Bug 1931973 - nss doc: fix a warning r=bbeurdouche
- Bug 1930797 pkcs12 fixes from RHEL need to be picked up.
NSS 3.108 shared libraries are backwards-compatible with all
older NSS 3.x shared libraries. A program linked with older NSS
3.x shared libraries will work with this new version of the
shared libraries without recompiling or relinking. Furthermore,
applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible
with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report at
<https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>
Release notes are available, after a short delay, at
<https://firefox-source-docs.mozilla.org/security/nss/releases/index.html>.
The HG tag is NSS_3_108_RTM. This version of NSS requires NSPR
4.35 or newer. The latest version of NSPR is 4.36.
NSS 3.108 source distributions are available on ftp.mozilla.org
for secure HTTPS download:
<https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_108_RTM/src/>
Changes:
- Bug 1923285 - libclang-16 -> libclang-19
- Bug 1939086 - Turn off Secure Email Trust Bit for Security Communication ECC RootCA1.
- Bug 1937332 - Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2.
- Bug 1915902 - Remove SwissSign Silver CA – G2.
- Bug 1938245 - Add D-Trust 2023 TLS Roots to NSS
- Bug 1942301 - fix fips test failure on windows.
- Bug 1935925 - change default sensitivity of KEM keys.
- Bug 1936001 - Part 1: Introduce frida hooks and script,
- Bug 1942350 - add missing arm_neon.h include to gcm.c.
- Bug 1831552 - ci: update windows workers to win2022 r=nss-reviewers,nkulatova NSS_3_108_BETA2
- Bug 1831552 - strip trailing carriage returns in tools tests r=nss-reviewers,nkulatova
- Bug 1880256 - work around unix/windows path translation issues in cert test script r=nss-reviewers,nkulatova
- Bug 1831552 - ci: let the windows setup script work without $m r=nss-reviewers,nkulatova
- Bug 1880255 - detect msys r=nss-reviewers,nkulatova
- Bug 1936680 - add a specialized CTR_Update variant for AES-GCM. r=nss-reviewers,keeler
- Bug 1930807 NSS policy updates - cavs NSS_3_108_BETA1
- Bug 1930806 FIPS changes need to be upstreamed: FIPS 140-3 RNG
- Bug 1930806 FIPS changes need to be upstreamed: Add SafeZero
- Bug 1930806 FIPS changes need to be upstreamed - updated POST
- Bug 1933031 Segmentation fault in SECITEM_Hash during pkcs12 processing
- Bug 1929922 - Extending NSS with LoadModuleFromFunction functionality r=keeler,nss-reviewers
- Bug 1935984 - Ensure zero-initialization of collectArgs.cert, r=djackson,nss-reviewers
- Bug 1934526 - pkcs7 fuzz target use CERT_DestroyCertificate, r=djackson,nss-reviewers
- Bug 1915898 - Fix actual underlying ODR violations issue, r=djackson,nss-reviewers
- Bug 1184059 - mozilla::pkix: allow reference ID labels to begin and/or end with hyphens r=jschanck
- Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set r=jschanck
- Bug 1934526 - Fix memory leak in pkcs7 fuzz target, r=djackson,nss-reviewers
- Bug 1934529 - Set -O2 for ASan builds in CI, r=djackson,nss-reviewers
- Bug 1934543 - Change branch of tlsfuzzer dependency, r=djackson,nss-reviewers
- Bug 1915898 - Run tests in CI for ASan builds with detect_odr_violation=1, r=djackson,nss-reviewers
- Bug 1934241 - Fix coverage failure in CI, r=djackson,nss-reviewers
- Bug 1934213 - Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch, r=djackson,nss-reviewers
- Bug 1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround, r=djackson,nss-reviewers
- Bug 1913677 - Part 3: Restructure fuzz/, r=djackson,nss-reviewers
- Bug 1931925 - Extract testcases from ssl gtests for fuzzing, r=djackson,nss-reviewers
- Bug 1923037 - Force Cryptofuzz to use NSS in CI, r=nss-reviewers,nkulatova
- Bug 1923037 - Fix Cryptofuzz on 32 bit in CI, r=nss-reviewers,nkulatova
- Bug 1933154 - Update Cryptofuzz repository link, r=nss-reviewers,nkulatova
- Bug 1926256 - fix build error from 9505f79d r=jschanck
- Bug 1926256 - simplify error handling in get_token_objects_for_cache. r=rrelyea
- Bug 1931973 - nss doc: fix a warning r=bbeurdouche
- Bug 1930797 pkcs12 fixes from RHEL need to be picked up.
NSS 3.108 shared libraries are backwards-compatible with all
older NSS 3.x shared libraries. A program linked with older NSS
3.x shared libraries will work with this new version of the
shared libraries without recompiling or relinking. Furthermore,
applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible
with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report at
<https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>
Release notes are available, after a short delay, at
<https://firefox-source-docs.mozilla.org/security/nss/releases/index.html>.
Reply all
Reply to author
Forward
0 new messages