SUSE-RU-2026:21392-1: moderate: Recommended update for mozilla-nss

SLE-UPDATES null at suse.de
Thu Apr 30 16:30:33 UTC 2026



# Recommended update for mozilla-nss

Announcement ID: SUSE-RU-2026:21392-1  
Release Date: 2026-04-28T09:30:42Z  
Rating: moderate  
References:

  * jsc#PED-15633

  
Affected Products:

  * SUSE Linux Micro 6.2

An update that contains one feature can now be installed.

## Description:

This update for mozilla-nss fixes the following issues:

Changes in mozilla-nss:

Update to NSS 3.112.5:

  * reject DTLS 1.3 Server Hello after HVR without capping ss->vrange.max.
  * update to version 2.84 of builtins module.

  * Added "Suggests: p11-kit-nss-trust" to favor over mozilla-nss-certs (Jira:
    PED-15633)

Update to NSS 3.112.4:

  * improve error handling in PK11_ImportPrivateKeyInfoAndReturnKey.
  * Improving the allocation of S/MIME DecryptSymKey.
  * store email on subject cache_entry in NSS trust domain.
  * Heap use-after-free in cert_VerifyCertChainOld via dangling certsList[]
    entry on NameConstraints violation.
  * Improve size calculations in CMS content buffering.
  * avoid integer overflow while escaping RFC822 Names.
  * Reject excessively large ASN.1 SEQUENCE OF in quickder.
  * Deep copy profile data in CERT_FindSMimeProfile.
  * Improve input validation in DSAU signature decoding.
  * avoid integer overflow in RSA_EMSAEncodePSS.
  * RSA_EMSAEncodePSS should validate the length of mHash.
  * Add a maximum cert uncompressed len and tests.
  * Clarify extension negotiation mechanism for TLS Handshakes.
  * ensure permittedSubtrees don't match wildcards that could be outside the
    permitted tree.
  * Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag.
  * Remove invalid PORT_Free().
  * free digest objects in SEC_PKCS7DecoderFinish if they haven't already been
    freed.
  * make ss->ssl3.hs.cookie an owned-copy of the cookie.

Update to NSS 3.112.3:

  * avoid integer overflow in platform-independent ghash
  * Move NSS DB password hash away from SHA-1

Update to NSS 3.112.2:

  * Prevent leaks during pkcs12 decoding.
  * SEC_ASN1Decode* should ensure it has read as many bytes as each length field
    indicates

Update to NSS 3.112.1:

  * restore support for finding certificates by decoded serial number.

## Patch Instructions:

To install this SUSE update, use one of the SUSE-recommended installation
methods, such as YaST online_update or "zypper patch".  
Alternatively, you can run the command listed for your product:

  * SUSE Linux Micro 6.2  
    zypper in -t patch SUSE-SL-Micro-6.2-648=1

## Package List:

  * SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
    * libfreebl3-debuginfo-3.112.5-160000.1.1
    * libsoftokn3-3.112.5-160000.1.1
    * mozilla-nss-debugsource-3.112.5-160000.1.1
    * mozilla-nss-3.112.5-160000.1.1
    * mozilla-nss-tools-3.112.5-160000.1.1
    * mozilla-nss-tools-debuginfo-3.112.5-160000.1.1
    * libsoftokn3-debuginfo-3.112.5-160000.1.1
    * libfreebl3-3.112.5-160000.1.1
    * mozilla-nss-certs-3.112.5-160000.1.1
    * mozilla-nss-certs-debuginfo-3.112.5-160000.1.1
    * mozilla-nss-debuginfo-3.112.5-160000.1.1

## References:

  * https://jira.suse.com/browse/PED-15633
