Bug 1992388 - Release NSS 3.112.2 for ESR. r=jschanck a=RyanVM. UPGRADE_NSS_RELEASE

Differential Revision: https://phabricator.services.mozilla.com/D267406
This commit is contained in:
Dennis Jackson
2025-10-03 20:08:40 +00:00
committed by rvandermeulen@mozilla.com
parent a5e7b10758
commit a7d47931c4
10 changed files with 179 additions and 52 deletions


@@ -1,19 +1,20 @@
.. _mozilla_projects_nss_releases: .. _mozilla_projects_nss_releases:
Releases Release Notes
======== =============
.. toctree:: .. toctree::
:maxdepth: 0 :maxdepth: 0
:glob: :glob:
:hidden: :hidden:
nss_3_112_2.rst
nss_3_112_1.rst
nss_3_112.rst nss_3_112.rst
nss_3_111.rst nss_3_111.rst
nss_3_110.rst nss_3_110.rst
nss_3_109.rst nss_3_109.rst
nss_3_108.rst nss_3_108.rst
nss_3_101_3.rst
nss_3_107.rst nss_3_107.rst
nss_3_106.rst nss_3_106.rst
nss_3_105.rst nss_3_105.rst
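Review bot: nss_3_112_1.rst is added to the toctree here, but no such file is among the 10 changed files in this commit; confirm it already exists on this branch, otherwise Sphinx will warn about a toctree entry that points to a nonexistent document. Dropping nss_3_101_3.rst from its misplaced spot between nss_3_108.rst and nss_3_107.rst (it is re-added in sorted order in the next hunk) is the right cleanup. Note that renaming the heading from "Releases" to "Release Notes" also changes the text that a bare :ref:`mozilla_projects_nss_releases` renders, including the "Other releases are available" link in the new release notes, so make sure that sentence still reads well.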
@@ -21,6 +22,8 @@ Releases
nss_3_103.rst nss_3_103.rst
nss_3_102_1.rst nss_3_102_1.rst
nss_3_102.rst nss_3_102.rst
nss_3_101_4.rst
nss_3_101_3.rst
nss_3_101_2.rst nss_3_101_2.rst
nss_3_101_1.rst nss_3_101_1.rst
nss_3_101.rst nss_3_101.rst
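Review bot: nss_3_101_4.rst is introduced into the toctree without a corresponding file in this commit's 10 changed files; verify the document exists on the branch, since a :glob: toctree entry naming a missing document produces a build warning and a dead entry in the rendered index.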
@@ -88,27 +91,6 @@ Releases
**NSS 3.112** is the latest version of NSS. **NSS 3.112** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_release_notes` Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_release_notes`
**NSS 3.101.3 (ESR)** is the latest ESR version of NSS. **NSS 3.112.2 (ESR)** is the latest ESR version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_3_release_notes` Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_2_release_notes`
.. container::
Changes in 3.112 included in this release:
- Bug 1963792 - Fix alias for mac workers on try.
- Bug 1966786 - ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault.
- Bug 1931930 - ABI/API break in ssl certificate processing
- Bug 1955971 - remove unnecessary assertion in sec_asn1d_init_state_based_on_template.
- Bug 1965754 - update taskgraph to v14.2.1.
- Bug 1964358 - Workflow for automation of the release on GitHub when pushing a tag
- Bug 1952860 - fix faulty assertions in SEC_ASN1DecoderUpdate
- Bug 1934877 - Renegotiations should use a fresh ECH GREASE buffer.
- Bug 1951396 - update taskgraph to v14.1.1
- Bug 1962503 - Partial fix for ACVP build CI job
- Bug 1961827 - Initialize find in sftk_searchDatabase.
- Bug 1963121 - Add clang-18 to extra builds.
- Bug 1963044 - Fault tolerant git fetch for fuzzing.
- Bug 1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp.
- Bug 1962770 - fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set.
- Bug 1961835 - fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls.
- Bug 1963102 - Remove Cryptofuzz CI version check
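Review bot: The "Changes in 3.112 included in this release" container is deleted without a replacement, so the index page no longer summarises what the current ESR release contains; if that summary was meant for ESR readers, point at the 3.112.2 change list instead of dropping it. The ESR sentence and its :ref: target are updated consistently to 3.112.2, but the unchanged "**NSS 3.112** is the latest version of NSS" line should be double-checked, since it is not touched by this release bump.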


@@ -0,0 +1,72 @@
.. _mozilla_projects_nss_nss_3_112_2_release_notes:
NSS 3.112.2 release notes
========================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.112.2 was released on *3 October 2025**.
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_112_2_RTM. NSS 3.112.2 requires NSPR 4.36 or newer.
NSS 3.112.2 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_112_2_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.112.2:
`Changes in NSS 3.112.2 <#changes_in_nss_3.112.2>`__
------------------------------------------------------------------
.. container::
- Bug 1970079 - Prevent leaks during pkcs12 decoding.
- Bug 1988046 - SEC_ASN1Decode* should ensure it has read as many bytes as each length field indicates.
- Bug 1992218 - fix memory leak in secasn1decode_unittest.cc.
- Bug 1988913 - Add OISTE roots.
- Bug 1976051 - Add runbook for certdata.txt changes.
- Bug 1991666 - dbtool: close databases before shutdown.
- Bug 1956754 - don't flush base64 when buffer is null.
- Bug 1989541 - Set `use_pkcs5_pbkd2_params2_only=1` for fuzzing builds.
- Bug 1989480 - mozilla::pkix: recognize the qcStatements extension for QWACs.
- Bug 1980465 - Fix a big-endian-problematic cast in zlib calls.
- Bug 1962321 - Revert removing out/ directory after ossfuzz build.
- Bug 1988524 - Add Cryptofuzz to OSS-Fuzz build.
- Bug 1984704 - Add PKCS#11 trust tests.
- Bug 1983308 - final disable dsa patch cert.sh.
- Bug 1983320 - ml-dsa: move tls 1.3 to use streaming signatures.
- Bug 1983320 - ml-dsa: Prep Create a FindOidTagByString function.
- Bug 1983320 - ml-dsa: softoken changes.
- Bug 1983320 - ml-dsa: der key decode.
- Bug 1983320 - ml-dsa: Prep colapse the overuse of keyType outside of pk11wrap and cryptohi.
- Bug 1983320 - ml-dsa: Prep Create a CreateSignatureAlgorithmID function.
- Bug 1983308 - disable DSA in NSS script tests.
- Bug 1983308 - Disabling of some algorithms: generic cert.sh.
- Bug 1981046 - Need to update to new mechanisms.
- Bug 1983320 - Add ML-DSA public key printing support in NSS command-line utilities.
- Bug 1986802 - note embedded scts before revocation checks are performed.
- Bug 1983320 - Add support for ML-DSA keys and mechanisms in PKCS#11 interface.
- Bug 1983320 - Add support for ML-DSA key type and public key structure.
- Bug 1983320 - Enable ML-DSA integration via OIDs support and SECMOD flag.
- Bug 1983308 - disable kyber.
- Bug 1965329 - Implement PKCS #11 v3.2 PQ functions (use verify signature).
- Bug 1983308 - Disable dsa - gtests.
- Bug 1983313 - make group and scheme support in test tools generic.
- Bug 1983770 - Create GH workflow to automatically close PRs.
- Bug 1983308 - Disable dsa - base code.
- Bug 1983308 - Disabling of some algorithms: remove dsa from pk11_mode.
- Bug 1983308 - Disable seed and RC2 bug fixes.
- Bug 1982742 - restore support for finding certificates by decoded serial number.
- Bug 1984165 - avoid CKR_BUFFER_TO_SMALL error in trust lookups.
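Review bot: The release date line mixes emphasis markers (`*3 October 2025**`, one asterisk opening and two closing), which docutils will flag and render with a stray asterisk; it should be `*3 October 2025*`. In the same file, `use_pkcs5_pbkd2_params2_only=1` in single backticks is interpreted text in RST rather than a literal and needs double backticks, the title underline appears one character shorter than "NSS 3.112.2 release notes" (a "Title underline too short" warning), and "colapse" in the Bug 1983320 entry is a typo. On content: several entries (the Bug 1983320 ML-DSA series, Bug 1965329 PKCS #11 v3.2 PQ functions, and the Bug 1983308 DSA/kyber/SEED/RC2 disabling) read as feature and algorithm-policy changes rather than point-release fixes, so confirm the list reflects what was actually backported to the 3.112 branch; the entries that matter most for ESR users, Bug 1988046 (length checks in SEC_ASN1Decode*) and Bug 1970079 (PKCS #12 leak), are present.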


@@ -14,6 +14,7 @@
'der_getint_unittest.cc', 'der_getint_unittest.cc',
'der_quickder_unittest.cc', 'der_quickder_unittest.cc',
'p12_import_unittest.cc', 'p12_import_unittest.cc',
'secasn1decode_unittest.cc',
'<(DEPTH)/gtests/common/gtests.cc' '<(DEPTH)/gtests/common/gtests.cc'
], ],
'dependencies': [ 'dependencies': [


@@ -0,0 +1,86 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "gtest/gtest.h"
#include "scoped_ptrs_util.h"
#include "nss.h"
#include "prerror.h"
#include "secasn1.h"
#include "secasn1t.h"
#include "secerr.h"
#include "secport.h"
class SECASN1DecodeTest : public ::testing::Test {};
struct Item {
SECItem value;
};
const SEC_ASN1Template ItemTemplate[] = {
{SEC_ASN1_SEQUENCE, 0, NULL, sizeof(struct Item)}, {0}};
static const SEC_ASN1Template ItemsTemplate[] = {
{SEC_ASN1_SEQUENCE_OF, 0, ItemTemplate}, {0}};
struct Container {
struct Item** items;
};
const SEC_ASN1Template ContainerTemplate[] = {
{SEC_ASN1_SEQUENCE, 0, NULL, sizeof(struct Container)},
{SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_EXPLICIT | 0,
offsetof(struct Container, items), ItemsTemplate},
{0}};
// clang-format off
const unsigned char kEndOfContentsInDefiniteLengthContext[] = {
0x30, 0x06,
0xa0, 0x04,
0x30, 0x00,
0x00, 0x00, // EOC in definite length context
};
// clang-format on
TEST_F(SECASN1DecodeTest, EndOfContentsInDefiniteLengthContext) {
ScopedPLArenaPool pool(PORT_NewArena(1024));
struct Container* decoded = reinterpret_cast<struct Container*>(
PORT_ArenaZAlloc(pool.get(), sizeof(struct Container)));
SEC_ASN1DecoderContext* ctx =
SEC_ASN1DecoderStart(pool.get(), decoded, ContainerTemplate);
ASSERT_TRUE(ctx);
ASSERT_EQ(
SEC_ASN1DecoderUpdate(
ctx,
reinterpret_cast<const char*>(kEndOfContentsInDefiniteLengthContext),
sizeof(kEndOfContentsInDefiniteLengthContext)),
SECFailure);
ASSERT_EQ(PR_GetError(), SEC_ERROR_BAD_DER);
}
// clang-format off
const unsigned char kContentsTooShort[] = {
0x30, 0x06,
0xa0, 0x04,
0x30, 0x00, // There should be two more bytes after this
};
// clang-format on
TEST_F(SECASN1DecodeTest, ContentsTooShort) {
ScopedPLArenaPool pool(PORT_NewArena(1024));
struct Container* decoded = reinterpret_cast<struct Container*>(
PORT_ArenaZAlloc(pool.get(), sizeof(struct Container)));
SEC_ASN1DecoderContext* ctx =
SEC_ASN1DecoderStart(pool.get(), decoded, ContainerTemplate);
ASSERT_TRUE(ctx);
ASSERT_EQ(
SEC_ASN1DecoderUpdate(
ctx,
reinterpret_cast<const char*>(kContentsTooShort),
sizeof(kContentsTooShort)),
SECFailure);
ASSERT_EQ(PR_GetError(), SEC_ERROR_BAD_DER);
}
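Review bot: Neither test calls SEC_ASN1DecoderFinish(ctx), so the decoder context returned by SEC_ASN1DecoderStart is never released; this is the leak the new release notes record as Bug 1992218 and it will trip LeakSanitizer in the ASan/fuzzing builds. Add `SEC_ASN1DecoderFinish(ctx);` at the end of both tests, and since the ASSERT_* macros return early on failure, a scoped guard that finishes the context in its destructor is safer than a trailing call. Smaller points: `ItemTemplate` and `ContainerTemplate` have external linkage while `ItemsTemplate` is `static`, so make all three `static` (or put them in an anonymous namespace); and the Start/Update/assert sequence is duplicated verbatim, so a helper taking the input pointer and length would keep the two cases to their distinguishing byte arrays.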


@@ -22,10 +22,10 @@
* The format of the version string should be * The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/ */
#define NSS_VERSION "3.112.1" _NSS_CUSTOMIZED #define NSS_VERSION "3.112.2" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3 #define NSS_VMAJOR 3
#define NSS_VMINOR 112 #define NSS_VMINOR 112
#define NSS_VPATCH 1 #define NSS_VPATCH 2
#define NSS_VBUILD 0 #define NSS_VBUILD 0
#define NSS_BETA PR_FALSE #define NSS_BETA PR_FALSE


@@ -826,6 +826,7 @@ sec_pkcs12_decoder_asafes_notify(void *arg, PRBool before, void *dest,
safeContentsCtx->safeContentsA1Dcx = NULL; safeContentsCtx->safeContentsA1Dcx = NULL;
} }
cinfo = SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx); cinfo = SEC_PKCS7DecoderFinish(p12dcx->currentASafeP7Dcx);
SEC_ASN1DecoderClearFilterProc(p12dcx->aSafeA1Dcx);
p12dcx->currentASafeP7Dcx = NULL; p12dcx->currentASafeP7Dcx = NULL;
if (!cinfo) { if (!cinfo) {
p12dcx->errorValue = PORT_GetError(); p12dcx->errorValue = PORT_GetError();
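Review bot: A one-line comment on the new SEC_ASN1DecoderClearFilterProc call would help future readers: the filter installed on aSafeA1Dcx is what forwards bytes into currentASafeP7Dcx, so once SEC_PKCS7DecoderFinish has run the filter must be detached before anything further is fed to the outer decoder, and placing the call before the `if (!cinfo)` check correctly covers the error path as well. Please also confirm that the matching SEC_ASN1DecoderSetFilterProc site and any other path that finishes currentASafeP7Dcx clear the filter the same way, otherwise the leak this addresses (Bug 1970079 in the release notes) remains on those paths.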


@@ -17,10 +17,10 @@
* The format of the version string should be * The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/ */
#define SOFTOKEN_VERSION "3.112.1" SOFTOKEN_ECC_STRING #define SOFTOKEN_VERSION "3.112.2" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 112 #define SOFTOKEN_VMINOR 112
#define SOFTOKEN_VPATCH 1 #define SOFTOKEN_VPATCH 2
#define SOFTOKEN_VBUILD 0 #define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE #define SOFTOKEN_BETA PR_FALSE


@@ -19,10 +19,10 @@
* The format of the version string should be * The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]" * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/ */
#define NSSUTIL_VERSION "3.112.1" #define NSSUTIL_VERSION "3.112.2"
#define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 112 #define NSSUTIL_VMINOR 112
#define NSSUTIL_VPATCH 1 #define NSSUTIL_VPATCH 2
#define NSSUTIL_VBUILD 0 #define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE #define NSSUTIL_BETA PR_FALSE


@@ -2398,25 +2398,10 @@ sec_asn1d_absorb_child(sec_asn1d_state *state)
* consumed should be what was left pending. * consumed should be what was left pending.
*/ */
if (state->pending != state->child->consumed) { if (state->pending != state->child->consumed) {
if (state->pending < state->child->consumed) {
PORT_SetError(SEC_ERROR_BAD_DER); PORT_SetError(SEC_ERROR_BAD_DER);
state->top->status = decodeError; state->top->status = decodeError;
return; return;
} }
/*
* Okay, this is a hack. It *should* be an error whether
* pending is too big or too small, but it turns out that
* we had a bug in our *old* DER encoder that ended up
* counting an explicit header twice in the case where
* the underlying type was an ANY. So, because we cannot
* prevent receiving these (our own certificate server can
* send them to us), we need to be lenient and accept them.
* To do so, we need to pretend as if we read all of the
* bytes that the header said we would find, even though
* we actually came up short.
*/
state->consumed += (state->pending - state->child->consumed);
}
state->pending = 0; state->pending = 0;
} }
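Review bot: With the lenient branch removed, the outer `if (state->pending != state->child->consumed)` now rejects both the too-short and the too-long case with SEC_ERROR_BAD_DER, which is the strict behaviour Bug 1988046 asks for and closes the path where `state->consumed` was advanced past bytes that were never actually read. This is a compatibility change that deserves an explicit line in the release notes: the deleted comment says real encoders (the old NSS DER encoder, with an ANY under an explicit header) produced exactly these inputs, and they will now fail to decode rather than being silently accepted. The comment above the check ("consumed should be what was left pending") still describes the retained logic accurately.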


@@ -9,8 +9,8 @@ origin:
description: nss description: nss
url: https://hg-edge.mozilla.org/projects/nss url: https://hg-edge.mozilla.org/projects/nss
release: 808e051ea9ce632e910c449a5b60d152e3017572 (2025-08-22T02:48:54Z). release: ea8a7bf26efdf7cb8b5fc8a02f0c779404509277 (2025-10-03T12:46:03Z).
revision: 808e051ea9ce632e910c449a5b60d152e3017572 revision: ea8a7bf26efdf7cb8b5fc8a02f0c779404509277
license: MPL-2.0 license: MPL-2.0
license-file: COPYING license-file: COPYING
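Review bot: The updated release revision (ea8a7bf26efdf7cb8b5fc8a02f0c779404509277, 2025-10-03T12:46:03Z) should be the commit carrying the NSS_3_112_2_RTM tag named in the new release notes; confirm it is the tagged revision rather than a later tip of the branch, so the vendored tree and the published release match.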