[dev-tech-crypto] NSS 3.121 Release
28 views
Skip to first unread message
Anna Weine
Feb 23, 2026, 12:36:48 PMFeb 23
to dev-tec...@mozilla.org
Network Security Services (NSS) 3.121 was released on 19 February 2026.
The HG tag is NSS_3_121_RTM. This version of NSS requires NSPR 4.38.2 or newer. The latest version of NSPR is 4.38.2.
NSS 3.121 source distributions are available on ftp.mozilla.org
for secure HTTPS download:
<https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_121_RTM/src/>
Changes:
- Bug 2017366 - update vendored zlib to v1.3.2.
- Bug 2012645 - Revert the unnecessary changes to intel-gcm-wrap.gyp.
- Bug 2012645 - Use C fallback for AES-GCM on MinGW builds.
- Bug 2005669 - fix ML-KEM PCT.
- Bug 2017008 - Extend NSS Fuzzing docs.
- Bug 2009552 - avoid integer overflow in platform-independent ghash.
- Bug 2003189 - Fix errant whitespace in OISTE Server Root RSA G1 nickname.
- Bug 2012313 - fix build with glibc-2.43 assignment discards 'const' qualifier from pointer.
- Bug 2013188 - add gcm.gyp dependency for Solaris SPARC builds.
- Bug 2010389 - Set nssckbi version to 2.84.
- Bug 2010389 - Add e-Szigno TLS Root CA 2023 to NSS.
- Bug 2005516 - allow manual selection of CPU_ARCH=x86_64 and ppc64 in coreconf/Darwin.mk.
- Bug 2009998 - Update cryptofuzz version.
- Bug 2001167: Paranoia assert.
- Bug 2000737 - Darwin compatibility for intel-aes.S and intel-gcm.S.
- Bug 2000737 - rename intel-{aes,gcm}.s to .S.
- Bug 2000737 - rename C files for platform-specific ghash implementations.
- Bug 2000737 - simplify compilation of platform-specific GCM and GHASH.
- Bug 2007911 - FORWARD_NULL null deref of worker in p7decode.c (sec_pkcs7_decoder_abort_digests).
- Bug 2008112 - Out-of-Bounds Read in ML-DSA Private Key Parsing (zero-length privateKey).
NSS 3.121 shared libraries are backwards-compatible with all
older NSS 3.x shared libraries. A program linked with older NSS
3.x shared libraries will work with this new version of the
shared libraries without recompiling or relinking. Furthermore,
applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible
with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report at
<https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>
Release notes are available at
<https://firefox-source-docs.mozilla.org/security/nss/releases/index.html>.
Best,
Anna
The HG tag is NSS_3_121_RTM. This version of NSS requires NSPR 4.38.2 or newer. The latest version of NSPR is 4.38.2.
NSS 3.121 source distributions are available on ftp.mozilla.org
for secure HTTPS download:
<https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_121_RTM/src/>
Changes:
- Bug 2017366 - update vendored zlib to v1.3.2.
- Bug 2012645 - Revert the unnecessary changes to intel-gcm-wrap.gyp.
- Bug 2012645 - Use C fallback for AES-GCM on MinGW builds.
- Bug 2005669 - fix ML-KEM PCT.
- Bug 2017008 - Extend NSS Fuzzing docs.
- Bug 2009552 - avoid integer overflow in platform-independent ghash.
- Bug 2003189 - Fix errant whitespace in OISTE Server Root RSA G1 nickname.
- Bug 2012313 - fix build with glibc-2.43 assignment discards 'const' qualifier from pointer.
- Bug 2013188 - add gcm.gyp dependency for Solaris SPARC builds.
- Bug 2010389 - Set nssckbi version to 2.84.
- Bug 2010389 - Add e-Szigno TLS Root CA 2023 to NSS.
- Bug 2005516 - allow manual selection of CPU_ARCH=x86_64 and ppc64 in coreconf/Darwin.mk.
- Bug 2009998 - Update cryptofuzz version.
- Bug 2001167: Paranoia assert.
- Bug 2000737 - Darwin compatibility for intel-aes.S and intel-gcm.S.
- Bug 2000737 - rename intel-{aes,gcm}.s to .S.
- Bug 2000737 - rename C files for platform-specific ghash implementations.
- Bug 2000737 - simplify compilation of platform-specific GCM and GHASH.
- Bug 2007911 - FORWARD_NULL null deref of worker in p7decode.c (sec_pkcs7_decoder_abort_digests).
- Bug 2008112 - Out-of-Bounds Read in ML-DSA Private Key Parsing (zero-length privateKey).
NSS 3.121 shared libraries are backwards-compatible with all
older NSS 3.x shared libraries. A program linked with older NSS
3.x shared libraries will work with this new version of the
shared libraries without recompiling or relinking. Furthermore,
applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible
with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report at
<https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>
Release notes are available at
<https://firefox-source-docs.mozilla.org/security/nss/releases/index.html>.
Best,
Anna
Reply all
Reply to author
Forward
0 new messages