commit 9b4e52ba15a25d629bd48db6c751784405ffe3f8
parent 457d28841be017165fe378819d460a2ccbbbfc88
Author: John M. Schanck <jschanck@mozilla.com>
Date: Fri, 5 Dec 2025 17:03:55 +0000
Bug 2000871 - upgrade NSS to NSS_3_119_RTM. r=nss-reviewers,nkulatova UPGRADE_NSS_RELEASE
Differential Revision: https://phabricator.services.mozilla.com/D275162
Diffstat:
9 files changed, 80 insertions(+), 18 deletions(-)
diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO
@@ -1 +1 @@
-NSS_3_119_BETA1
-\ No newline at end of file
+NSS_3_119_RTM
+\ No newline at end of file
diff --git a/security/nss/doc/rst/releases/index.rst b/security/nss/doc/rst/releases/index.rst
@@ -8,6 +8,7 @@ Release Notes
:glob:
:hidden:
+ nss_3_119.rst
nss_3_118_1.rst
nss_3_118.rst
nss_3_117.rst
@@ -97,9 +98,9 @@ Release Notes
.. note::
- **NSS 3.118.1** is the latest version of NSS.
- Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_118_1_release_notes`
+ **NSS 3.119** is the latest version of NSS.
+ Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_119_release_notes`
**NSS 3.112.2 (ESR)** is the latest ESR version of NSS.
- Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_1_release_notes`
+ Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_2_release_notes`
diff --git a/security/nss/doc/rst/releases/nss_3_119.rst b/security/nss/doc/rst/releases/nss_3_119.rst
@@ -0,0 +1,62 @@
+.. _mozilla_projects_nss_nss_3_119_release_notes:
+
+NSS 3.119 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+ Network Security Services (NSS) 3.119 was released on *4 December 2025**.
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+ The HG tag is NSS_3_119_RTM. NSS 3.119 requires NSPR 4.38.2 or newer.
+
+ NSS 3.119 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+ - Source tarballs:
+ https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_119_RTM/src/
+
+ Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.119:
+
+`Changes in NSS 3.119 <#changes_in_nss_3.119>`__
+------------------------------------------------------------------
+
+.. container::
+
+ - Bug 1983320 - Fix ml-dsa return value for SECKEY_PrivateKeyStrengthInBits.
+ - No bug - clang format.
+ - Bug 1986352 - Make sure we don't accept ECH if the HRR cookie is ill-formatted.
+ - Bug 2002246: Add a pkcs12 fuzzer with crypto stubbed out.
+ - Bug 2003314 - handle errors while setting sanitizers cflags in build.
+ - Bug 1986912 - Ignore IVs for AES KW.
+ - Bug 2003286: Update Cryptofuzz version.
+ - Bug 2001932 - Fix incorrect logic for SNI selection when ECH is available but disabled.
+ - Bug 1975855 - fix forwarding of sqlite_libs in sqlite.gyp.
+ - Bug 1999204 - fix CPU_ARCH setting for arm64 makefile builds.
+ - Bug 1998094 - remove unused calcThreads variable from cmd/rsaperf.
+ - Bug 1978348 - Solving the incorrect tests introduced by extending EKU.
+ - Bug 1972054: Memory leaks in pkcs12 and pkcs7 decoders.
+ - Bug 1978348 - Extending parsing with Microsoft Document Signing EKU.
+ - Bug 1978348 - Extending parsing with Adobe Document Signing EKU.
+ - Bug 1978348 - Extending pkix parsing with document signing EKUs.
+ - Bug 2000737 - fix compilation failure on ia32.
+ - Bug 2000737 - use hardware x64 GCM in static builds.
+ - Bug 2000737 - separate ppc sha512 library from ppc gcm library.
+ - Bug 2000737 - simplify cross-compilation from build.sh.
+ - Bug 1724353 - use clang's integrated assembler.
+ - Bug 2000737 - remove unused MP_IS_LITTLE_ENDIAN defines.
+ - Bug 2000737 - fix logic for disabling altivec in gyp builds.
+ - Bug 1964722 - free digest objects in SEC_PKCS7DecoderFinish if they haven't already been freed.
+ - Bug 1972825 - Add TLS interoperability tests with openssl and gnutls.
+ - Bug 1314849 - Ensure we don't send a DTLS1.3 cookie after DTLS1.2 HelloVerifyRequest.
+ - Bug 1965329 - add failure checks to pk11_mergeTrust() .
+ - Bug 1999517 - pk11wrap selects incorrect slot for CKM_ML_KEM*.
+
diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c
@@ -1366,9 +1366,8 @@ SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
if (paramSetOid == SEC_OID_UNKNOWN) {
break;
}
- bitSize = SECKEY_MLDSAOidParamsToLen(paramSetOid,
- SECKEYPrivKeyType) *
- 8;
+ return SECKEY_MLDSAOidParamsToLen(paramSetOid, SECKEYPrivKeyType) *
+ 8;
break;
default:
break;
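Review bot: The `break;` that follows the new `return SECKEY_MLDSAOidParamsToLen(paramSetOid, SECKEYPrivKeyType) * 8;` in the ML-DSA case is now unreachable and should be deleted. Leaving it in suggests the case still exits through the code after the switch, as the `SEC_OID_UNKNOWN` and `default` paths do. The hunk does not show what that post-switch code does with `bitSize`, so the reason for the early return is not recoverable from here. If that code is the reason, a one-line comment above the return would record it, for example `/* ML-DSA: length is final, bypass the bitSize handling after the switch */`. Callers presumably use this value for key-size policy checks, so a regression test pinning the expected bit count for each ML-DSA parameter set would be worth adding. The body of `SECKEY_PrivateKeyStrengthInBits` starts and ends outside this hunk.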
diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h
@@ -22,12 +22,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.119" _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION "3.119" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 119
#define NSS_VPATCH 0
#define NSS_VBUILD 0
-#define NSS_BETA PR_TRUE
+#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED
diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c
@@ -1498,7 +1498,7 @@ SEC_PKCS12DecoderVerify(SEC_PKCS12DecoderContext *p12dcx)
}
#ifdef UNSAFE_FUZZER_MODE
return sec_pkcs12_decoder_unsafe_parity_outcome(p12dcx);
-#else /* UNSAFE_FUZZER_MODE */
+#else /* UNSAFE_FUZZER_MODE */
/* check the signature or the mac depending on the type of
* integrity used.
*/
diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h
@@ -17,11 +17,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.119" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION "3.119" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 119
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_TRUE
+#define SOFTOKEN_BETA PR_FALSE
#endif /* _SOFTKVER_H_ */
diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
@@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
-#define NSSUTIL_VERSION "3.119 Beta"
+#define NSSUTIL_VERSION "3.119"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 119
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_TRUE
+#define NSSUTIL_BETA PR_FALSE
SEC_BEGIN_PROTOS
diff --git a/security/nss/moz.yaml b/security/nss/moz.yaml
@@ -9,8 +9,8 @@ origin:
description: nss
url: https://hg-edge.mozilla.org/projects/nss
- release: 8c7bdebef8325c782fc5e1cce9a1940d326f1fb0 (2025-12-03T17:41:07Z).
- revision: 8c7bdebef8325c782fc5e1cce9a1940d326f1fb0
+ release: 2e158979a08f0a86d960f0fd89f878f25606a586 (2025-12-05T03:57:44Z).
+ revision: 2e158979a08f0a86d960f0fd89f878f25606a586
license: MPL-2.0
license-file: COPYING
@@ -42,4 +42,4 @@ updatebot:
- type: vendoring
enabled: true
frequency: 1 week
- blocking: 2000871
+ blocking: 2004184