SUSE-RU-2025:02217-1: moderate: Recommended update for mozilla-nspr, mozilla-nss

SLE-UPDATES null at suse.de
Thu Jul 3 16:30:21 UTC 2025



# Recommended update for mozilla-nspr, mozilla-nss

Announcement ID: SUSE-RU-2025:02217-1  
Release Date: 2025-07-03T12:18:36Z  
Rating: moderate  
References:

  * bsc#1081723
  * bsc#1224113

  
Affected Products:

  * SUSE Linux Enterprise High Performance Computing 12 SP5
  * SUSE Linux Enterprise Server 12 SP5
  * SUSE Linux Enterprise Server 12 SP5 LTSS
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  * SUSE Linux Enterprise Server for SAP Applications 12 SP5

  
  
An update that has two fixes can now be installed.

## Description:

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nspr was updated to version 4.36:

  * renamed the prwin16.h header to prwin.h
  * configure was updated from 2.69 to 2.71
  * various build, test and automation script fixes
  * major parts of the source code were reformatted

mozilla-nss was updated to NSS 3.112:

  * Fix alias for mac workers on try
  * ensure all options can be configured with SSL_OptionSet and
    SSL_OptionSetDefault
  * ABI/API break in ssl certificate processing
  * remove unnecessary assertion in sec_asn1d_init_state_based_on_template
  * update taskgraph to v14.2.1
  * Workflow for automation of the release on GitHub when pushing a tag
  * fix faulty assertions in SEC_ASN1DecoderUpdate
  * Renegotiations should use a fresh ECH GREASE buffer
  * update taskgraph to v14.1.1
  * Partial fix for ACVP build CI job
  * Initialize find in sftk_searchDatabase
  * Add clang-18 to extra builds
  * Fault tolerant git fetch for fuzzing
  * Tolerate intermittent failures in ssl_policy_pkix_ocsp
  * fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
  * fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
  * Remove Cryptofuzz CI version check

Update to NSS 3.111:

  * FIPS changes need to be upstreamed: force ems policy
  * Turn off Websites Trust Bit from CAs
  * Update nssckbi version following April 2025 Batch of Changes
  * Disable SMIME ‘trust bit’ for GoDaddy CAs
  * Replaced deprecated sprintf function with snprintf in dbtool.c
  * Need to update NSS for PKCS 3.1
  * avoid leaking localCert if it is already set in ssl3_FillInCachedSID
  * Decrease ASAN quarantine size for Cryptofuzz in CI
  * selfserv: Add support for zlib certificate compression

Update to NSS 3.110:

  * FIPS changes need to be upstreamed: force ems policy
  * Prevent excess allocations in sslBuffer_Grow
  * Remove Crl templates from ASN1 fuzz target
  * Remove CERT_CrlTemplate from ASN1 fuzz target
  * Fix memory leak in NSS_CMSMessage_IsSigned
  * NSS policy updates
  * Improve locking in nssPKIObject_GetInstances
  * Fix race in sdb_GetMetaData
  * Fix member access within null pointer
  * Increase smime fuzzer memory limit
  * Enable resumption when using custom extensions
  * change CN of server12 test certificate
  * Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle
  * Part 1: Fix smime UBSan errors
  * FIPS changes need to be upstreamed: updated key checks
  * Don't build libpkix in static builds
  * handle `-p all` in try syntax
  * fix opt-make builds to actually be opt
  * fix opt-static builds to actually be opt
  * Remove extraneous assert

Update to NSS 3.109:

  * Call BL_Init before RNG_RNGInit() so that special SHA instructions can be
    used if available
  * NSS policy updates - fix inaccurate key policy issues
  * SMIME fuzz target
  * ASN1 decoder fuzz target
  * Part 2: Revert “Extract testcases from ssl gtests for fuzzing”
  * Add fuzz/README.md
  * Part 4: Fix tstclnt arguments script
  * Extend pkcs7 fuzz target
  * Extend certDN fuzz target
  * revert changes to HACL* files from bug 1866841
  * Part 3: Package frida corpus script

Update to NSS 3.108:

  * libclang-16 -> libclang-19
  * Turn off Secure Email Trust Bit for Security Communication ECC RootCA1
  * Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global
    Root CA2
  * Remove SwissSign Silver CA – G2
  * Add D-Trust 2023 TLS Roots to NSS
  * fix fips test failure on windows
  * change default sensitivity of KEM keys
  * Part 1: Introduce frida hooks and script
  * add missing arm_neon.h include to gcm.c
  * ci: update windows workers to win2022
  * strip trailing carriage returns in tools tests
  * work around unix/windows path translation issues in cert test script
  * ci: let the windows setup script work without $m
  * detect msys
  * add a specialized CTR_Update variant for AES-GCM
  * NSS policy updates
  * FIPS changes need to be upstreamed: FIPS 140-3 RNG
  * FIPS changes need to be upstreamed: Add SafeZero
  * FIPS changes need to be upstreamed - updated POST
  * Segmentation fault in SECITEM_Hash during pkcs12 processing
  * Extending NSS with LoadModuleFromFunction functionality
  * Ensure zero-initialization of collectArgs.cert
  * pkcs7 fuzz target use CERT_DestroyCertificate
  * Fix actual underlying ODR violations issue
  * mozilla::pkix: allow reference ID labels to begin and/or end with hyphens
  * don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set
  * Fix memory leak in pkcs7 fuzz target
  * Set -O2 for ASan builds in CI
  * Change branch of tlsfuzzer dependency
  * Run tests in CI for ASan builds with detect_odr_violation=1
  * Fix coverage failure in CI
  * Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch
  * Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround
  * Part 3: Restructure fuzz/
  * Extract testcases from ssl gtests for fuzzing
  * Force Cryptofuzz to use NSS in CI
  * Fix Cryptofuzz on 32 bit in CI
  * Update Cryptofuzz repository link
  * fix build error from 9505f79d
  * simplify error handling in get_token_objects_for_cache
  * nss doc: fix a warning
  * pkcs12 fixes from RHEL need to be picked up

Update to NSS 3.107:

  * Remove MPI fuzz targets.
  * Remove globals `lockStatus` and `locksEverDisabled`.
  * Enable PKCS8 fuzz target.
  * Integrate Cryptofuzz in CI.
  * Part 2: Set tls server target socket options in config class
  * Part 1: Set tls client target socket options in config class
  * Support building with thread sanitizer.
  * set nssckbi version number to 2.72.
  * remove Websites Trust Bit from Entrust Root Certification Authority - G4.
  * remove Security Communication RootCA3 root cert.
  * remove SecureSign RootCA11 root cert.
  * Add distrust-after for TLS to Entrust Roots.
  * update expected error code in pk12util pbmac1 tests.
  * Use random tstclnt args with handshake collection script
  * Remove extraneous assert in ssl3gthr.c.
  * Adding missing release notes for NSS_3_105.
  * Enable the disabled mlkem tests for dtls.
  * NSS gtests filter cleans up the constructed buffer before the use.
  * Make ssl_SetDefaultsFromEnvironment thread-safe.
  * Remove short circuit test from ssl_Init.

Update to NSS 3.106:

  * NSS 3.106 should be distributed with NSPR 4.36.
  * pk12util: improve error handling in p12U_ReadPKCS12File.
  * Correctly destroy bulkkey in error scenario.
  * PKCS7 fuzz target, r=djackson,nss-reviewers.
  * Extract certificates with handshake collection script.
  * Specify len_control for fuzz targets.
  * Fix memory leak in dumpCertificatePEM.
  * Fix UBSan errors for SECU_PrintCertificate and
    SECU_PrintCertificateBasicInfo.
  * add new error codes to mozilla::pkix for Firefox to use.
  * allow null phKey in NSC_DeriveKey.
  * Only create seed corpus zip from existing corpus.
  * Use explicit allowlist for KDF PRFS.
  * Increase optimization level for fuzz builds.
  * Remove incorrect assert.
  * Use libFuzzer options from fuzz/options/*.options in CI.
  * Polish corpus collection for automation.
  * Detect new and unfuzzed SSL options.
  * PKCS12 fuzzing target.

Update to NSS 3.105:

  * Allow importing PKCS#8 private EC keys missing public key
  * UBSAN fix: applying zero offset to null pointer in sslsnce.c
  * set KRML_MUSTINLINE=inline in makefile builds
  * Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
  * override default definition of KRML_MUSTINLINE
  * libssl support for mlkem768x25519
  * support for ML-KEM-768 in softoken and pk11wrap
  * Add Libcrux implementation of ML-KEM 768 to FreeBL
  * Avoid misuse of ctype(3) functions
  * part 2: run clang-format
  * part 1: upgrade to clang-format 13
  * clang-format fuzz
  * DTLS client message buffer may not be empty on retransmit
  * Optionally print config for TLS client and server fuzz target
  * Fix some simple documentation issues in NSS.
  * improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr
  * define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN

Update to NSS 3.104:

  * Copy original corpus to heap-allocated buffer
  * Fix min ssl version for DTLS client fuzzer
  * Remove OS2 support just like we did on NSPR
  * clang-format NSS improvements
  * Adding basicutil.h to use HexString2SECItem function
  * removing dirent.c from build
  * Allow handing in keymaterial to shlibsign to make the output reproducible
  * remove nec4.3, sunos4, riscos and SNI references
  * remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or
    reliantUnix)
  * remove mentions of WIN95
  * remove mentions of WIN16
  * More explicit directory naming
  * Add more options to TLS server fuzz target
  * Add more options to TLS client fuzz target
  * Use OSS-Fuzz corpus in NSS CI
  * set nssckbi version number to 2.70.
  * Remove Email Trust bit from ACCVRAIZ1 root cert.
  * Remove Email Trust bit from certSIGN ROOT CA.
  * Add Cybertrust Japan Roots to NSS.
  * Add Taiwan CA Roots to NSS.
  * remove search by decoded serial in
    nssToken_FindCertificateByIssuerAndSerialNumber
  * Fix tstclnt CI build failure
  * vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow
  * Enable all supported protocol versions for UDP
  * Actually use random PSK hash type
  * Initialize NSS DB once
  * Additional ECH cipher suites and PSK hash types
  * Automate corpus file generation for TLS client Fuzzer
  * Fix crash with UNSAFE_FUZZER_MODE
  * clang-format shlibsign.c

Update to NSS 3.103:

  * move list size check after lock acquisition in sftk_PutObjectToList.
  * Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
  * Follow-up to fix test for presence of file nspr.patch.
  * Adjust libFuzzer size limits
  * Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
    SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
  * Add fuzzing support for SSL_ENABLE_GREASE and
    SSL_ENABLE_CH_EXTENSION_PERMUTATION
  * FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type
    (bsc#1224113).

Update to NSS 3.102.1:

  * ChaChaXor to return after the function

Update to NSS 3.102:

  * Add Valgrind annotations to freebl Chacha20-Poly1305.
  * missing sqlite header.
  * GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
  * correct length of raw SPKI data before printing in pp utility.

  * Make NSS-build reproducible, use key from openssl (bsc#1081723)

  * FIPS: Exclude the SHA-1 hash from SLI approval.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 12 SP5 LTSS  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-2217=1

  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security  
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2217=1

## Package List:

  * SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
    * mozilla-nss-tools-3.112-58.130.1
    * libsoftokn3-3.112-58.130.1
    * mozilla-nss-3.112-58.130.1
    * mozilla-nss-certs-3.112-58.130.1
    * mozilla-nspr-4.36-19.32.1
    * mozilla-nss-debuginfo-3.112-58.130.1
    * mozilla-nss-sysinit-3.112-58.130.1
    * mozilla-nss-sysinit-debuginfo-3.112-58.130.1
    * mozilla-nss-certs-debuginfo-3.112-58.130.1
    * mozilla-nspr-devel-4.36-19.32.1
    * mozilla-nss-tools-debuginfo-3.112-58.130.1
    * libsoftokn3-debuginfo-3.112-58.130.1
    * libfreebl3-debuginfo-3.112-58.130.1
    * mozilla-nspr-debugsource-4.36-19.32.1
    * mozilla-nspr-debuginfo-4.36-19.32.1
    * mozilla-nss-devel-3.112-58.130.1
    * mozilla-nss-debugsource-3.112-58.130.1
    * libfreebl3-3.112-58.130.1
  * SUSE Linux Enterprise Server 12 SP5 LTSS (s390x x86_64)
    * mozilla-nspr-32bit-4.36-19.32.1
    * libfreebl3-32bit-3.112-58.130.1
    * mozilla-nss-32bit-3.112-58.130.1
    * mozilla-nss-sysinit-debuginfo-32bit-3.112-58.130.1
    * libsoftokn3-debuginfo-32bit-3.112-58.130.1
    * mozilla-nspr-debuginfo-32bit-4.36-19.32.1
    * mozilla-nss-certs-debuginfo-32bit-3.112-58.130.1
    * mozilla-nss-sysinit-32bit-3.112-58.130.1
    * libfreebl3-debuginfo-32bit-3.112-58.130.1
    * libsoftokn3-32bit-3.112-58.130.1
    * mozilla-nss-certs-32bit-3.112-58.130.1
    * mozilla-nss-debuginfo-32bit-3.112-58.130.1
  * SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
    * libsoftokn3-3.112-58.130.1
    * mozilla-nspr-4.36-19.32.1
    * mozilla-nss-sysinit-3.112-58.130.1
    * mozilla-nss-32bit-3.112-58.130.1
    * mozilla-nss-sysinit-debuginfo-3.112-58.130.1
    * mozilla-nss-sysinit-debuginfo-32bit-3.112-58.130.1
    * libsoftokn3-debuginfo-32bit-3.112-58.130.1
    * mozilla-nspr-debuginfo-4.36-19.32.1
    * libsoftokn3-32bit-3.112-58.130.1
    * mozilla-nss-debugsource-3.112-58.130.1
    * mozilla-nss-debuginfo-32bit-3.112-58.130.1
    * mozilla-nss-tools-3.112-58.130.1
    * mozilla-nss-3.112-58.130.1
    * mozilla-nss-debuginfo-3.112-58.130.1
    * mozilla-nss-certs-debuginfo-32bit-3.112-58.130.1
    * mozilla-nspr-debuginfo-32bit-4.36-19.32.1
    * libsoftokn3-debuginfo-3.112-58.130.1
    * libfreebl3-debuginfo-32bit-3.112-58.130.1
    * mozilla-nss-certs-3.112-58.130.1
    * mozilla-nspr-32bit-4.36-19.32.1
    * mozilla-nss-tools-debuginfo-3.112-58.130.1
    * mozilla-nspr-debugsource-4.36-19.32.1
    * libfreebl3-32bit-3.112-58.130.1
    * mozilla-nss-certs-debuginfo-3.112-58.130.1
    * mozilla-nspr-devel-4.36-19.32.1
    * libfreebl3-debuginfo-3.112-58.130.1
    * libfreebl3-3.112-58.130.1
    * mozilla-nss-sysinit-32bit-3.112-58.130.1
    * mozilla-nss-devel-3.112-58.130.1
    * mozilla-nss-certs-32bit-3.112-58.130.1

## References:

  * https://bugzilla.suse.com/show_bug.cgi?id=1081723
  * https://bugzilla.suse.com/show_bug.cgi?id=1224113
