NSS 3.119 Release
10 views
Skip to first unread message
John Schanck
Dec 4, 2025, 11:20:29 PM (20 hours ago) Dec 4
to dev-tec...@mozilla.org
Network Security Services (NSS) 3.119 was released on 4 December 2025.
The HG tag is NSS_3_119_RTM. This version of NSS requires NSPR 4.38 or newer. The latest version of NSPR is 4.38.2.
NSS 3.119 source distributions are available on ftp.mozilla.org for secure HTTPS download:
<https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_119_RTM/src/>
Changes:
- Bug 1983320 - Fix ml-dsa return value for SECKEY_PrivateKeyStrengthInBits.
- Bug 1986352 - Make sure we don't accept ECH if the HRR cookie is ill-formatted.
- Bug 2002246 - Add a pkcs12 fuzzer with crypto stubbed out.
- Bug 2003314 - handle errors while setting sanitizers cflags in build.
- Bug 1986912 - Ignore IVs for AES KW.
- Bug 2003286 - Update Cryptofuzz version.
- Bug 2001932 - Fix incorrect logic for SNI selection when ECH is available but disabled.
- Bug 1975855 - fix forwarding of sqlite_libs in sqlite.gyp.
- Bug 1999204 - fix CPU_ARCH setting for arm64 makefile builds.
- Bug 1998094 - remove unused calcThreads variable from cmd/rsaperf.
- Bug 1978348 - Solving the incorrect tests introduced by extending EKU.
- Bug 1972054 - Memory leaks in pkcs12 and pkcs7 decoders.
- Bug 1978348 - Extending parsing with Microsoft Document Signing EKU.
- Bug 1978348 - Extending parsing with Adobe Document Signing EKU.
- Bug 1978348 - Extending pkix parsing with document signing EKUs.
- Bug 2000737 - fix compilation failure on ia32.
- Bug 2000737 - use hardware x64 GCM in static builds.
- Bug 2000737 - separate ppc sha512 library from ppc gcm library.
- Bug 2000737 - simplify cross-compilation from build.sh.
- Bug 1724353 - use clang's integrated assembler.
- Bug 2000737 - remove unused MP_IS_LITTLE_ENDIAN defines.
- Bug 2000737 - fix logic for disabling altivec in gyp builds.
- Bug 1964722 - free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
- Bug 1972825 - Add TLS interoperability tests with openssl and gnutls.
- Bug 1314849 - Ensure we don't send a DTLS1.3 cookie after DTLS1.2 HelloVerifyRequest.
- Bug 1965329 - add failure checks to pk11_mergeTrust() .
- Bug 1999517 - pk11wrap selects incorrect slot for CKM_ML_KEM*.
NSS 3.119 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with this new version of the shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report at <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>
Release notes are available at <https://firefox-source-docs.mozilla.org/security/nss/releases/index.html>.
The HG tag is NSS_3_119_RTM. This version of NSS requires NSPR 4.38 or newer. The latest version of NSPR is 4.38.2.
NSS 3.119 source distributions are available on ftp.mozilla.org for secure HTTPS download:
<https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_119_RTM/src/>
Changes:
- Bug 1983320 - Fix ml-dsa return value for SECKEY_PrivateKeyStrengthInBits.
- Bug 1986352 - Make sure we don't accept ECH if the HRR cookie is ill-formatted.
- Bug 2002246 - Add a pkcs12 fuzzer with crypto stubbed out.
- Bug 2003314 - handle errors while setting sanitizers cflags in build.
- Bug 1986912 - Ignore IVs for AES KW.
- Bug 2003286 - Update Cryptofuzz version.
- Bug 2001932 - Fix incorrect logic for SNI selection when ECH is available but disabled.
- Bug 1975855 - fix forwarding of sqlite_libs in sqlite.gyp.
- Bug 1999204 - fix CPU_ARCH setting for arm64 makefile builds.
- Bug 1998094 - remove unused calcThreads variable from cmd/rsaperf.
- Bug 1978348 - Solving the incorrect tests introduced by extending EKU.
- Bug 1972054 - Memory leaks in pkcs12 and pkcs7 decoders.
- Bug 1978348 - Extending parsing with Microsoft Document Signing EKU.
- Bug 1978348 - Extending parsing with Adobe Document Signing EKU.
- Bug 1978348 - Extending pkix parsing with document signing EKUs.
- Bug 2000737 - fix compilation failure on ia32.
- Bug 2000737 - use hardware x64 GCM in static builds.
- Bug 2000737 - separate ppc sha512 library from ppc gcm library.
- Bug 2000737 - simplify cross-compilation from build.sh.
- Bug 1724353 - use clang's integrated assembler.
- Bug 2000737 - remove unused MP_IS_LITTLE_ENDIAN defines.
- Bug 2000737 - fix logic for disabling altivec in gyp builds.
- Bug 1964722 - free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
- Bug 1972825 - Add TLS interoperability tests with openssl and gnutls.
- Bug 1314849 - Ensure we don't send a DTLS1.3 cookie after DTLS1.2 HelloVerifyRequest.
- Bug 1965329 - add failure checks to pk11_mergeTrust() .
- Bug 1999517 - pk11wrap selects incorrect slot for CKM_ML_KEM*.
NSS 3.119 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with this new version of the shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report at <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>
Release notes are available at <https://firefox-source-docs.mozilla.org/security/nss/releases/index.html>.
Reply all
Reply to author
Forward
0 new messages