<div class="container">
<h1>Recommended update for mozilla-nspr, mozilla-nss</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-RU-2025:02217-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-07-03T12:18:36Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1081723">bsc#1081723</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1224113">bsc#1224113</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 12 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that has two fixes can now be installed.</p>
<h2>Description:</h2>
<p>This update for mozilla-nspr, mozilla-nss fixes the following issues:</p>
<p>mozilla-nspr was updated to version 4.36:</p>
<ul>
<li>renamed the prwin16.h header to prwin.h</li>
<li>configure was updated from 2.69 to 2.71</li>
<li>various build, test and automation script fixes</li>
<li>major parts of the source code were reformatted</li>
</ul>
<p>mozilla-nss was updated to NSS 3.112:</p>
<ul>
<li>Fix alias for mac workers on try</li>
<li>ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault</li>
<li>ABI/API break in ssl certificate processing</li>
<li>remove unnecessary assertion in sec_asn1d_init_state_based_on_template</li>
<li>update taskgraph to v14.2.1</li>
<li>Workflow for automation of the release on GitHub when pushing a tag</li>
<li>fix faulty assertions in SEC_ASN1DecoderUpdate</li>
<li>Renegotiations should use a fresh ECH GREASE buffer</li>
<li>update taskgraph to v14.1.1</li>
<li>Partial fix for ACVP build CI job</li>
<li>Initialize find in sftk_searchDatabase</li>
<li>Add clang-18 to extra builds</li>
<li>Fault tolerant git fetch for fuzzing</li>
<li>Tolerate intermittent failures in ssl_policy_pkix_ocsp</li>
<li>fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set</li>
<li>fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls</li>
<li>Remove Cryptofuzz CI version check</li>
</ul>
<p>update to NSS 3.111:</p>
<ul>
<li>FIPS changes need to be upstreamed: force ems policy</li>
<li>Turn off Websites Trust Bit from CAs</li>
<li>Update nssckbi version following April 2025 Batch of Changes</li>
<li>Disable SMIME ‘trust bit’ for GoDaddy CAs</li>
<li>Replaced deprecated sprintf function with snprintf in dbtool.c</li>
<li>Need up update NSS for PKCS 3.1</li>
<li>avoid leaking localCert if it is already set in ssl3_FillInCachedSID</li>
<li>Decrease ASAN quarantine size for Cryptofuzz in CI</li>
<li>selfserv: Add support for zlib certificate compression</li>
</ul>
<p>Update to NSS 3.110:</p>
<ul>
<li>FIPS changes need to be upstreamed: force ems policy</li>
<li>Prevent excess allocations in sslBuffer_Grow</li>
<li>Remove Crl templates from ASN1 fuzz target</li>
<li>Remove CERT_CrlTemplate from ASN1 fuzz target</li>
<li>Fix memory leak in NSS_CMSMessage_IsSigned</li>
<li>NSS policy updates</li>
<li>Improve locking in nssPKIObject_GetInstances</li>
<li>Fix race in sdb_GetMetaData</li>
<li>Fix member access within null pointer</li>
<li>Increase smime fuzzer memory limit</li>
<li>Enable resumption when using custom extensions</li>
<li>change CN of server12 test certificate</li>
<li>Part 2: Add missing check in
NSS_CMSDigestContext_FinishSingle</li>
<li>Part 1: Fix smime UBSan errors</li>
<li>FIPS changes need to be upstreamed: updated key checks</li>
<li>Don't build libpkix in static builds</li>
<li>handle <code>-p all</code> in try syntax</li>
<li>fix opt-make builds to actually be opt</li>
<li>fix opt-static builds to actually be opt</li>
<li>Remove extraneous assert</li>
</ul>
<p>Update to NSS 3.109:</p>
<ul>
<li>Call BL_Init before RNG_RNGInit() so that special
SHA instructions can be used if available</li>
<li>NSS policy updates - fix inaccurate key policy issues</li>
<li>SMIME fuzz target</li>
<li>ASN1 decoder fuzz target</li>
<li>Part 2: Revert “Extract testcases from ssl gtests
for fuzzing”</li>
<li>Add fuzz/README.md</li>
<li>Part 4: Fix tstclnt arguments script</li>
<li>Extend pkcs7 fuzz target</li>
<li>Extend certDN fuzz target</li>
<li>revert changes to HACL* files from bug 1866841</li>
<li>Part 3: Package frida corpus script</li>
<li>update to NSS 3.108</li>
<li>libclang-16 -> libclang-19</li>
<li>Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1</li>
<li>Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2</li>
<li>Remove SwissSign Silver CA – G2</li>
<li>Add D-Trust 2023 TLS Roots to NSS</li>
<li>fix fips test failure on windows</li>
<li>change default sensitivity of KEM keys</li>
<li>Part 1: Introduce frida hooks and script</li>
<li>add missing arm_neon.h include to gcm.c</li>
<li>ci: update windows workers to win2022</li>
<li>strip trailing carriage returns in tools tests</li>
<li>work around unix/windows path translation issues
in cert test script</li>
<li>ci: let the windows setup script work without $m</li>
<li>detect msys</li>
<li>add a specialized CTR_Update variant for AES-GCM</li>
<li>NSS policy updates</li>
<li>FIPS changes need to be upstreamed: FIPS 140-3 RNG</li>
<li>FIPS changes need to be upstreamed: Add SafeZero</li>
<li>FIPS changes need to be upstreamed - updated POST</li>
<li>Segmentation fault in SECITEM_Hash during pkcs12 processing</li>
<li>Extending NSS with LoadModuleFromFunction functionality</li>
<li>Ensure zero-initialization of collectArgs.cert</li>
<li>pkcs7 fuzz target use CERT_DestroyCertificate</li>
<li>Fix actual underlying ODR violations issue</li>
<li>mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens</li>
<li>don't look for secmod.db in nssutil_ReadSecmodDB if
NSS_DISABLE_DBM is set</li>
<li>Fix memory leak in pkcs7 fuzz target</li>
<li>Set -O2 for ASan builds in CI</li>
<li>Change branch of tlsfuzzer dependency</li>
<li>Run tests in CI for ASan builds with detect_odr_violation=1</li>
<li>Fix coverage failure in CI</li>
<li>Add fuzzing for delegated credentials, DTLS short
header and Tls13BackendEch</li>
<li>Add fuzzing for SSL_EnableTls13GreaseEch and
SSL_SetDtls13VersionWorkaround</li>
<li>Part 3: Restructure fuzz/</li>
<li>Extract testcases from ssl gtests for fuzzing</li>
<li>Force Cryptofuzz to use NSS in CI</li>
<li>Fix Cryptofuzz on 32 bit in CI</li>
<li>Update Cryptofuzz repository link</li>
<li>fix build error from 9505f79d</li>
<li>simplify error handling in get_token_objects_for_cache</li>
<li>nss doc: fix a warning</li>
<li>pkcs12 fixes from RHEL need to be picked up</li>
</ul>
<p>Update to NSS 3.107:</p>
<ul>
<li>Remove MPI fuzz targets.</li>
<li>Remove globals <code>lockStatus</code> and <code>locksEverDisabled</code>.</li>
<li>Enable PKCS8 fuzz target.</li>
<li>Integrate Cryptofuzz in CI.</li>
<li>Part 2: Set tls server target socket options in config class</li>
<li>Part 1: Set tls client target socket options in config class</li>
<li>Support building with thread sanitizer.</li>
<li>set nssckbi version number to 2.72.</li>
<li>remove Websites Trust Bit from Entrust Root
Certification Authority - G4.</li>
<li>remove Security Communication RootCA3 root cert.</li>
<li>remove SecureSign RootCA11 root cert.</li>
<li>Add distrust-after for TLS to Entrust Roots.</li>
<li>update expected error code in pk12util pbmac1 tests.</li>
<li>Use random tstclnt args with handshake collection script</li>
<li>Remove extraneous assert in ssl3gthr.c.</li>
<li>Adding missing release notes for NSS_3_105.</li>
<li>Enable the disabled mlkem tests for dtls.</li>
<li>NSS gtests filter cleans up the constucted buffer
before the use.</li>
<li>Make ssl_SetDefaultsFromEnvironment thread-safe.</li>
<li>Remove short circuit test from ssl_Init.</li>
</ul>
<p>Update to NSS 3.106:</p>
<ul>
<li>NSS 3.106 should be distributed with NSPR 4.36.</li>
<li>pk12util: improve error handling in p12U_ReadPKCS12File.</li>
<li>Correctly destroy bulkkey in error scenario.</li>
<li>PKCS7 fuzz target, r=djackson,nss-reviewers.</li>
<li>Extract certificates with handshake collection script.</li>
<li>Specify len_control for fuzz targets.</li>
<li>Fix memory leak in dumpCertificatePEM.</li>
<li>Fix UBSan errors for SECU_PrintCertificate and
SECU_PrintCertificateBasicInfo.</li>
<li>add new error codes to mozilla::pkix for Firefox to use.</li>
<li>allow null phKey in NSC_DeriveKey.</li>
<li>Only create seed corpus zip from existing corpus.</li>
<li>Use explicit allowlist for for KDF PRFS.</li>
<li>Increase optimization level for fuzz builds.</li>
<li>Remove incorrect assert.</li>
<li>Use libFuzzer options from fuzz/options/*.options in CI.</li>
<li>Polish corpus collection for automation.</li>
<li>Detect new and unfuzzed SSL options.</li>
<li>PKCS12 fuzzing target.</li>
</ul>
<p>Update to NSS 3.105:</p>
<ul>
<li>Allow importing PKCS#8 private EC keys missing public key</li>
<li>UBSAN fix: applying zero offset to null pointer in sslsnce.c</li>
<li>set KRML_MUSTINLINE=inline in makefile builds</li>
<li>Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys</li>
<li>override default definition of KRML_MUSTINLINE</li>
<li>libssl support for mlkem768x25519</li>
<li>support for ML-KEM-768 in softoken and pk11wrap</li>
<li>Add Libcrux implementation of ML-KEM 768 to FreeBL</li>
<li>Avoid misuse of ctype(3) functions</li>
<li>part 2: run clang-format</li>
<li>part 1: upgrade to clang-format 13</li>
<li>clang-format fuzz</li>
<li>DTLS client message buffer may not empty be on retransmit</li>
<li>Optionally print config for TLS client and server
fuzz target</li>
<li>Fix some simple documentation issues in NSS.</li>
<li>improve performance of NSC_FindObjectsInit when
template has CKA_TOKEN attr</li>
<li>define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN</li>
</ul>
<p>Update to NSS 3.104:</p>
<ul>
<li>Copy original corpus to heap-allocated buffer</li>
<li>Fix min ssl version for DTLS client fuzzer</li>
<li>Remove OS2 support just like we did on NSPR</li>
<li>clang-format NSS improvements</li>
<li>Adding basicutil.h to use HexString2SECItem function</li>
<li>removing dirent.c from build</li>
<li>Allow handing in keymaterial to shlibsign to make
the output reproducible</li>
<li>remove nec4.3, sunos4, riscos and SNI references</li>
<li>remove other old OS (BSDI, old HP UX, NCR,
openunix, sco, unixware or reliantUnix</li>
<li>remove mentions of WIN95</li>
<li>remove mentions of WIN16</li>
<li>More explicit directory naming</li>
<li>Add more options to TLS server fuzz target</li>
<li>Add more options to TLS client fuzz target</li>
<li>Use OSS-Fuzz corpus in NSS CI</li>
<li>set nssckbi version number to 2.70.</li>
<li>Remove Email Trust bit from ACCVRAIZ1 root cert.</li>
<li>Remove Email Trust bit from certSIGN ROOT CA.</li>
<li>Add Cybertrust Japan Roots to NSS.</li>
<li>Add Taiwan CA Roots to NSS.</li>
<li>remove search by decoded serial in
nssToken_FindCertificateByIssuerAndSerialNumber</li>
<li>Fix tstclnt CI build failure</li>
<li>vfyserv: ensure peer cert chain is in db for
CERT_VerifyCertificateNow</li>
<li>Enable all supported protocol versions for UDP</li>
<li>Actually use random PSK hash type</li>
<li>Initialize NSS DB once</li>
<li>Additional ECH cipher suites and PSK hash types</li>
<li>Automate corpus file generation for TLS client Fuzzer</li>
<li>Fix crash with UNSAFE_FUZZER_MODE</li>
<li>clang-format shlibsign.c</li>
</ul>
<p>Update to NSS 3.103:</p>
<ul>
<li>move list size check after lock acquisition in sftk_PutObjectToList.</li>
<li>Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,</li>
<li>Follow-up to fix test for presence of file nspr.patch.</li>
<li>Adjust libFuzzer size limits</li>
<li>Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk</li>
<li>Add fuzzing support for SSL_ENABLE_GREASE and
SSL_ENABLE_CH_EXTENSION_PERMUTATION</li>
<li>FIPS: Enforce approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).</li>
</ul>
<p>update to NSS 3.102.1:</p>
<ul>
<li>ChaChaXor to return after the function</li>
</ul>
<p>update to NSS 3.102:</p>
<ul>
<li>Add Valgrind annotations to freebl Chacha20-Poly1305.</li>
<li>missing sqlite header.</li>
<li>GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.</li>
<li>improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.</li>
<li>
<p>correct length of raw SPKI data before printing in pp utility.</p>
</li>
<li>
<p>Make NSS-build reproducible, use key from openssl (bsc#1081723)</p>
</li>
<li>
<p>FIPS: Exclude the SHA-1 hash from SLI approval.</p>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2025-2217=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-2217=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS (aarch64 ppc64le s390x x86_64)
<ul>
<li>mozilla-nss-tools-3.112-58.130.1</li>
<li>libsoftokn3-3.112-58.130.1</li>
<li>mozilla-nss-3.112-58.130.1</li>
<li>mozilla-nss-certs-3.112-58.130.1</li>
<li>mozilla-nspr-4.36-19.32.1</li>
<li>mozilla-nss-debuginfo-3.112-58.130.1</li>
<li>mozilla-nss-sysinit-3.112-58.130.1</li>
<li>mozilla-nss-sysinit-debuginfo-3.112-58.130.1</li>
<li>mozilla-nss-certs-debuginfo-3.112-58.130.1</li>
<li>mozilla-nspr-devel-4.36-19.32.1</li>
<li>mozilla-nss-tools-debuginfo-3.112-58.130.1</li>
<li>libsoftokn3-debuginfo-3.112-58.130.1</li>
<li>libfreebl3-debuginfo-3.112-58.130.1</li>
<li>mozilla-nspr-debugsource-4.36-19.32.1</li>
<li>mozilla-nspr-debuginfo-4.36-19.32.1</li>
<li>mozilla-nss-devel-3.112-58.130.1</li>
<li>mozilla-nss-debugsource-3.112-58.130.1</li>
<li>libfreebl3-3.112-58.130.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS (s390x x86_64)
<ul>
<li>mozilla-nspr-32bit-4.36-19.32.1</li>
<li>libfreebl3-32bit-3.112-58.130.1</li>
<li>mozilla-nss-32bit-3.112-58.130.1</li>
<li>mozilla-nss-sysinit-debuginfo-32bit-3.112-58.130.1</li>
<li>libsoftokn3-debuginfo-32bit-3.112-58.130.1</li>
<li>mozilla-nspr-debuginfo-32bit-4.36-19.32.1</li>
<li>mozilla-nss-certs-debuginfo-32bit-3.112-58.130.1</li>
<li>mozilla-nss-sysinit-32bit-3.112-58.130.1</li>
<li>libfreebl3-debuginfo-32bit-3.112-58.130.1</li>
<li>libsoftokn3-32bit-3.112-58.130.1</li>
<li>mozilla-nss-certs-32bit-3.112-58.130.1</li>
<li>mozilla-nss-debuginfo-32bit-3.112-58.130.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
<ul>
<li>libsoftokn3-3.112-58.130.1</li>
<li>mozilla-nspr-4.36-19.32.1</li>
<li>mozilla-nss-sysinit-3.112-58.130.1</li>
<li>mozilla-nss-32bit-3.112-58.130.1</li>
<li>mozilla-nss-sysinit-debuginfo-3.112-58.130.1</li>
<li>mozilla-nss-sysinit-debuginfo-32bit-3.112-58.130.1</li>
<li>libsoftokn3-debuginfo-32bit-3.112-58.130.1</li>
<li>mozilla-nspr-debuginfo-4.36-19.32.1</li>
<li>libsoftokn3-32bit-3.112-58.130.1</li>
<li>mozilla-nss-debugsource-3.112-58.130.1</li>
<li>mozilla-nss-debuginfo-32bit-3.112-58.130.1</li>
<li>mozilla-nss-tools-3.112-58.130.1</li>
<li>mozilla-nss-3.112-58.130.1</li>
<li>mozilla-nss-debuginfo-3.112-58.130.1</li>
<li>mozilla-nss-certs-debuginfo-32bit-3.112-58.130.1</li>
<li>mozilla-nspr-debuginfo-32bit-4.36-19.32.1</li>
<li>libsoftokn3-debuginfo-3.112-58.130.1</li>
<li>libfreebl3-debuginfo-32bit-3.112-58.130.1</li>
<li>mozilla-nss-certs-3.112-58.130.1</li>
<li>mozilla-nspr-32bit-4.36-19.32.1</li>
<li>mozilla-nss-tools-debuginfo-3.112-58.130.1</li>
<li>mozilla-nspr-debugsource-4.36-19.32.1</li>
<li>libfreebl3-32bit-3.112-58.130.1</li>
<li>mozilla-nss-certs-debuginfo-3.112-58.130.1</li>
<li>mozilla-nspr-devel-4.36-19.32.1</li>
<li>libfreebl3-debuginfo-3.112-58.130.1</li>
<li>libfreebl3-3.112-58.130.1</li>
<li>mozilla-nss-sysinit-32bit-3.112-58.130.1</li>
<li>mozilla-nss-devel-3.112-58.130.1</li>
<li>mozilla-nss-certs-32bit-3.112-58.130.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1081723">https://bugzilla.suse.com/show_bug.cgi?id=1081723</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1224113">https://bugzilla.suse.com/show_bug.cgi?id=1224113</a>
</li>
</ul>
</div>