Bug 1963097 - Update to NSS 3.112. r=jschanck

Differential Revision: https://phabricator.services.mozilla.com/D250924
2025-05-23 18:46:00 +00:00
parent 20bcd70f17
commit dc4a862060
6 changed files with 80 additions and 31 deletions
--- a/security/nss/doc/rst/releases/index.rst
+++ b/security/nss/doc/rst/releases/index.rst
@@ -8,6 +8,8 @@ Releases
   :glob:
   :hidden:

+   nss_3_112.rst
+   nss_3_111.rst
   nss_3_110.rst
   nss_3_109.rst
   nss_3_108.rst
@@ -83,33 +85,30 @@ Releases

 .. note::

-   **NSS 3.110** is the latest version of NSS.
-   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_110_release_notes`
+   **NSS 3.112** is the latest version of NSS.
+   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_112_release_notes`

   **NSS 3.101.3 (ESR)** is the latest ESR version of NSS.
   Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_3_release_notes`

 .. container::

-   Changes in 3.110 included in this release:
+   Changes in 3.112 included in this release:

-   - Bug 1930806 - FIPS changes need to be upstreamed: force ems policy.
-   - Bug 1954724 - Prevent excess allocations in sslBuffer_Grow.
-   - Bug 1953429 - Remove Crl templates from ASN1 fuzz target.
-   - Bug 1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target.
-   - Bug 1952855 - Fix memory leak in NSS_CMSMessage_IsSigned.
-   - Bug 1930807 - NSS policy updates.
-   - Bug 1951161 - Improve locking in nssPKIObject_GetInstances.
-   - Bug 1951394 - Fix race in sdb_GetMetaData.
-   - Bug 1951800 - Fix member access within null pointer.
-   - Bug 1950077 - Increase smime fuzzer memory limit.
-   - Bug 1949677 - Enable resumption when using custom extensions.
-   - Bug 1952568 - change CN of server12 test certificate.
-   - Bug 1949118 - Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle.
-   - Bug 1949118 - Part 1: Fix smime UBSan errors.
-   - Bug 1930806 - FIPS changes need to be upstreamed: updated key checks.
-   - Bug 1951491 - Don't build libpkix in static builds.
-   - Bug 1951395 - handle `-p all` in try syntax.
-   - Bug 1951346 - fix opt-make builds to actually be opt.
-   - Bug 1951346 - fix opt-static builds to actually be opt.
-   - Bug 1916439 - Remove extraneous assert.
+   - Bug 1963792 - Fix alias for mac workers on try.
+   - Bug 1966786 - ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault.
+   - Bug 1931930 - ABI/API break in ssl certificate processing
+   - Bug 1955971 - remove unnecessary assertion in sec_asn1d_init_state_based_on_template.
+   - Bug 1965754 - update taskgraph to v14.2.1.
+   - Bug 1964358 - Workflow for automation of the release on GitHub when pushing a tag
+   - Bug 1952860 - fix faulty assertions in SEC_ASN1DecoderUpdate
+   - Bug 1934877 - Renegotiations should use a fresh ECH GREASE buffer.
+   - Bug 1951396 - update taskgraph to v14.1.1
+   - Bug 1962503 - Partial fix for ACVP build CI job
+   - Bug 1961827 - Initialize find in sftk_searchDatabase.
+   - Bug 1963121 - Add clang-18 to extra builds.
+   - Bug 1963044 - Fault tolerant git fetch for fuzzing.
+   - Bug 1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp.
+   - Bug 1962770 - fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set.
+   - Bug 1961835 - fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls.
+   - Bug 1963102 - Remove Cryptofuzz CI version check
--- a/security/nss/doc/rst/releases/nss_3_112.rst
+++ b/security/nss/doc/rst/releases/nss_3_112.rst
@@ -0,0 +1,50 @@
+.. _mozilla_projects_nss_nss_3_112_release_notes:
+
+NSS 3.112 release notes
+========================
+
+`Introduction <#introduction>`__
+--------------------------------
+
+.. container::
+
+   Network Security Services (NSS) 3.112 was released on *23 May 2025**.
+
+`Distribution Information <#distribution_information>`__
+--------------------------------------------------------
+
+.. container::
+
+   The HG tag is NSS_3_112_RTM. NSS 3.112 requires NSPR 4.36 or newer. The latest version of NSPR is 4.36.
+
+   NSS 3.112 source distributions are available on ftp.mozilla.org for secure HTTPS download:
+
+   -  Source tarballs:
+      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_112_RTM/src/
+
+   Other releases are available :ref:`mozilla_projects_nss_releases`.
+
+.. _changes_in_nss_3.112:
+
+`Changes in NSS 3.112 <#changes_in_nss_3.112>`__
+------------------------------------------------------------------
+
+.. container::
+
+   - Bug 1963792 - Fix alias for mac workers on try.
+   - Bug 1966786 - ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault.
+   - Bug 1931930 - ABI/API break in ssl certificate processing
+   - Bug 1955971 - remove unnecessary assertion in sec_asn1d_init_state_based_on_template.
+   - Bug 1965754 - update taskgraph to v14.2.1.
+   - Bug 1964358 - Workflow for automation of the release on GitHub when pushing a tag
+   - Bug 1952860 - fix faulty assertions in SEC_ASN1DecoderUpdate
+   - Bug 1934877 - Renegotiations should use a fresh ECH GREASE buffer.
+   - Bug 1951396 - update taskgraph to v14.1.1
+   - Bug 1962503 - Partial fix for ACVP build CI job
+   - Bug 1961827 - Initialize find in sftk_searchDatabase.
+   - Bug 1963121 - Add clang-18 to extra builds.
+   - Bug 1963044 - Fault tolerant git fetch for fuzzing.
+   - Bug 1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp.
+   - Bug 1962770 - fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set.
+   - Bug 1961835 - fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls.
+   - Bug 1963102 - Remove Cryptofuzz CI version check
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -22,12 +22,12 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define NSS_VERSION "3.112" _NSS_CUSTOMIZED " Beta"
+#define NSS_VERSION "3.112" _NSS_CUSTOMIZED
 #define NSS_VMAJOR 3
 #define NSS_VMINOR 112
 #define NSS_VPATCH 0
 #define NSS_VBUILD 0
-#define NSS_BETA PR_TRUE
+#define NSS_BETA PR_FALSE

 #ifndef RC_INVOKED

--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -17,11 +17,11 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define SOFTOKEN_VERSION "3.112" SOFTOKEN_ECC_STRING " Beta"
+#define SOFTOKEN_VERSION "3.112" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR 3
 #define SOFTOKEN_VMINOR 112
 #define SOFTOKEN_VPATCH 0
 #define SOFTOKEN_VBUILD 0
-#define SOFTOKEN_BETA PR_TRUE
+#define SOFTOKEN_BETA PR_FALSE

 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -19,12 +19,12 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
 */
-#define NSSUTIL_VERSION "3.112 Beta"
+#define NSSUTIL_VERSION "3.112"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 112
 #define NSSUTIL_VPATCH 0
 #define NSSUTIL_VBUILD 0
-#define NSSUTIL_BETA PR_TRUE
+#define NSSUTIL_BETA PR_FALSE

 SEC_BEGIN_PROTOS

--- a/security/nss/moz.yaml
+++ b/security/nss/moz.yaml
@@ -9,8 +9,8 @@ origin:
  description: nss
  url: https://hg-edge.mozilla.org/projects/nss

-  release: 091af6a9930bd41ada8694bb4487cb8dac62e9c1 (2025-05-19T14:42:09Z).
-  revision: 091af6a9930bd41ada8694bb4487cb8dac62e9c1
+  release: 1e1bcffeb9e087080bf28f546919f62900e18ef6 (2025-05-23T13:07:49Z).
+  revision: 1e1bcffeb9e087080bf28f546919f62900e18ef6

  license: MPL-2.0
  license-file: COPYING